samba: Multiple vulnerabilities (CVE-2019-10218, CVE-2019-14833, CVE-2019-14847)
CVE-2019-10218: Client code can return filenames containing path separators
Samba client code (libsmbclient) returns server-supplied filenames to calling code without checking for pathname separators (such as "/" or "../") in the server returned names.
A malicious server can craft a pathname containing separators and return this to client code, causing the client to use it to access local pathnames for reading or writing instead of SMB network pathnames.
This access is done using the local privileges of the client.
This attack can be achieved using any of SMB1/2/3 as it is not reliant on any specific SMB protocol version.
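The defensive check that the advisory describes as missing, written as an added Python example rather than code from Samba or libsmbclient: every name a server returns from a directory listing is treated as a single path component, and anything containing a separator or naming "." / ".." is rejected before the client ever joins it to a local download directory. The directory listing and the local directory are constructed sample values.

```python
import posixpath

# Separators that must never appear inside a single directory-entry name.
# "\\" is the native SMB separator and "\0" would truncate a C string.
_SEPARATORS = ("/", "\\", "\0")


def is_safe_server_filename(name: str) -> bool:
    """True only if a server-supplied entry is one plain path component."""
    if not name:
        return False
    if any(sep in name for sep in _SEPARATORS):
        return False
    if name in (".", ".."):
        return False
    return True


def filter_listing(entries):
    """Split a server directory listing into accepted and rejected names."""
    accepted, rejected = [], []
    for entry in entries:
        (accepted if is_safe_server_filename(entry) else rejected).append(entry)
    return accepted, rejected


def safe_local_target(local_dir: str, name: str) -> str:
    """Return the local path a remote file may be written to.

    Raises ValueError if the name is unsafe or if the joined, normalised path
    would land anywhere other than directly inside local_dir.
    """
    if not is_safe_server_filename(name):
        raise ValueError(f"unsafe server filename: {name!r}")
    base = posixpath.normpath(local_dir)
    target = posixpath.normpath(posixpath.join(base, name))
    if posixpath.dirname(target) != base:
        raise ValueError(f"path escapes {base!r}: {target!r}")
    return target


# Constructed listing as a malicious server might return it: two ordinary
# names plus entries that try to walk out of the client's download directory.
SAMPLE_LISTING = [
    "report.txt",
    "../../etc/passwd",
    "sub/dir",
    "..",
    "archive.tar.gz",
    "notes\\evil",
]

if __name__ == "__main__":
    ok, bad = filter_listing(SAMPLE_LISTING)
    print("accepted:", ok)
    print("rejected:", bad)
    for name in ok:
        print("would write", safe_local_target("/tmp/downloads", name))
```

The second check in `safe_local_target` is deliberately redundant with the first: a client should fail closed even if a future change to the name filter misses a case, so the final path is re-verified against the intended directory after normalisation.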
Fixed In Versions:
Samba 4.11.2, 4.10.10 and 4.9.15
References:
https://www.samba.org/samba/security/CVE-2019-10218.html
CVE-2019-14833: Samba AD DC check password script does not receive the full password.
Since Samba Version 4.5.0 a Samba AD DC can use a custom command to verify the password complexity. The command can be specified with the "check password script" smb.conf parameter. This command is called when Samba handles a user password change or a new user password is set. The script receives the new cleartext password string in order to run custom password complexity checks like dictionary checks to avoid weak user passwords.
When the password contains multi-byte (non-ASCII) characters, the check password script does not receive the full password string.
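An added example of the kind of script that "check password script" points at, written here for this page and not taken from Samba. It assumes (as Samba's documentation describes, though the advisory does not say so) that the cleartext password arrives on standard input and that exit status 0 means accept. The point it shows is why the truncation in this CVE matters to such a script: length and complexity are measured in Unicode code points after a strict UTF-8 decode, so a password that arrives cut mid-character is rejected rather than silently evaluated as a shorter, different string. The policy thresholds are constructed values.

```python
import sys

# Assumed local policy (not from the advisory). Length is counted in code
# points, never in UTF-8 bytes, so "ä" counts once even though it is 2 bytes.
MIN_LENGTH = 12
MIN_CLASSES = 3


def classify(ch: str) -> str:
    """Character class used for the complexity rule; works for non-ASCII letters."""
    if ch.isupper():
        return "upper"
    if ch.islower():
        return "lower"
    if ch.isdecimal():
        return "digit"
    return "other"


def evaluate_password(raw: bytes) -> dict:
    """Evaluate the raw bytes a check-password script reads from stdin.

    Returns a dict with 'accepted', 'reason', 'chars' (code points) and
    'bytes' (length of the raw input).
    """
    result = {"accepted": False, "reason": "", "chars": 0, "bytes": len(raw)}
    try:
        # Strict decoding: an incomplete multi-byte sequence is an error,
        # not a shorter password.
        password = raw.decode("utf-8")
    except UnicodeDecodeError:
        result["reason"] = "not valid UTF-8 (truncated multi-byte sequence?)"
        return result
    # Assumption: the caller may append a trailing newline.
    password = password.rstrip("\r\n")
    result["chars"] = len(password)
    if len(password) < MIN_LENGTH:
        result["reason"] = f"too short: {len(password)} code points < {MIN_LENGTH}"
        return result
    classes = {classify(c) for c in password}
    if len(classes) < MIN_CLASSES:
        result["reason"] = f"only {len(classes)} character classes, need {MIN_CLASSES}"
        return result
    result["accepted"] = True
    result["reason"] = "ok"
    return result


def main() -> int:
    raw = sys.stdin.buffer.read()  # read bytes, not text, so decoding is ours
    verdict = evaluate_password(raw)
    print(verdict["reason"], file=sys.stderr)
    return 0 if verdict["accepted"] else 1


if __name__ == "__main__":
    sys.exit(main())
```

Reading `sys.stdin.buffer` rather than `sys.stdin` is the important detail: a text-mode read would apply the locale's codec and, depending on its error handler, could replace or drop the damaged tail instead of surfacing it.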
Fixed In Versions:
Samba 4.11.2, 4.10.10 and 4.9.15
References:
https://www.samba.org/samba/security/CVE-2019-14833.html
CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP server via dirsync
Since Samba 4.0.0 Samba has implemented, in the AD DC, the "dirsync" LDAP control specified in MS-ADTS "3.1.1.3.4.1.3 LDAP_SERVER_DIRSYNC_OID".
However, when combined with the ranged results feature specified in MS-ADTS "3.1.1.3.1.3.3 Range Retrieval of Attribute Values", a NULL pointer can be dereferenced.
This is a Denial of Service only, no further escalation of privilege is associated with this issue.
Samba 4.11 is not affected as the issue was fixed as a result of Coverity static analysis, before the potential for denial of service became apparent.
Fixed In Versions:
Samba 4.9.15 and 4.10.10
References:
https://www.samba.org/samba/security/CVE-2019-14847.html