[3.8] samba: Multiple vulnerabilities (CVE-2018-14629, CVE-2018-16841, CVE-2018-16851)
CVE-2018-14629: Unprivileged adding of CNAME record causing loop in AD Internal DNS server
All versions of Samba from 4.0.0 onwards are vulnerable to infinite
query recursion caused by CNAME loops. Any dns record can be added via
ldap by an unprivileged user using the ldbadd tool, so this is a
security issue.
Fixed In Version:
Samba 4.7.12, 4.8.7, and 4.9.3
References:
https://www.samba.org/samba/security/CVE-2018-14629.html
https://www.samba.org/samba/history/security.html
CVE-2018-16841 : Double-free in Samba AD DC KDC with PKINIT
A flaw was found in Samba from 4.3.0 versions. When configured to accept
smart-card authentication, Samba’s KDC
will call talloc_free() twice on the same memory if the principal in a
validly signed certificate does not match the principal in the AS-REQ.
This is only possible after authentication with a trusted certificate.
This could result in a Denial of Service attack.
Fixed In Version:
Samba 4.7.12, 4.8.7 and 4.9.3
References:
https://www.samba.org/samba/security/CVE-2018-16841.html
https://www.samba.org/samba/history/security.html
CVE-2018-16851: NULL pointer de-reference in Samba AD DC LDAP server
A flaw was found in Samba versions from 4.0.0. During the processing of
an LDAP search before Samba’s AD DC returns the LDAP
entries to the client, the entries are cached in a single memory object
with a maximum size of 256MB. When this size is reached, the
Samba process providing the LDAP service will follow the NULL pointer,
terminating the process. This can lead to a denial of service attack.
Fixed In Version:
Samba 4.7.12, 4.8.7 and 4.9.3
References:
https://www.samba.org/samba/security/CVE-2018-16851.html
https://www.samba.org/samba/history/security.html
(from redmine: issue id 9707, created on 2018-11-28, closed on 2019-02-19)
- Relations:
- parent #9705 (closed)