samba-4.18.6-101.el9.ML.1
エラータID: AXSA:2023-6897:12
Release date:
Tuesday, December 12, 2023 - 09:54
Subject:
samba-4.18.6-101.el9.ML.1
Affected Channels:
MIRACLE LINUX 9 for x86_64
Severity:
Moderate
Description:
Samba is an open-source implementation of the Server Message Block (SMB) protocol and the related Common Internet File System (CIFS) protocol, which allow PC-compatible machines to share files, printers, and various information.
Security Fix(es):
* samba: smbd allows client access to unix domain sockets on the file system as root (CVE-2023-3961)
* samba: SMB clients can truncate files with read-only permissions (CVE-2023-4091)
* samba: "rpcecho" development server allows denial of service via sleep() call on AD DC (CVE-2023-42669)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
CVE-2023-3961
A path traversal vulnerability was identified in Samba when processing client pipe names connecting to Unix domain sockets within a private directory. Samba typically uses this mechanism to connect SMB clients to remote procedure call (RPC) services like SAMR LSA or SPOOLSS, which Samba initiates on demand. However, due to inadequate sanitization of incoming client pipe names, allowing a client to send a pipe name containing Unix directory traversal characters (../). This could result in SMB clients connecting as root to Unix domain sockets outside the private directory. If an attacker or client managed to send a pipe name resolving to an external service using an existing Unix domain socket, it could potentially lead to unauthorized access to the service and consequential adverse events, including compromise or service crashes.
CVE-2023-4091
A vulnerability was discovered in Samba, where the flaw allows SMB clients to truncate files, even with read-only permissions when the Samba VFS module "acl_xattr" is configured with "acl_xattr:ignore system acls = yes". The SMB protocol allows opening files when the client requests read-only access but then implicitly truncates the opened file to 0 bytes if the client specifies a separate OVERWRITE create disposition request. The issue arises in configurations that bypass kernel file system permissions checks, relying solely on Samba's permissions.
CVE-2023-42669
A vulnerability was found in Samba's "rpcecho" development server, a non-Windows RPC server used to test Samba's DCE/RPC stack elements. This vulnerability stems from an RPC function that can be blocked indefinitely. The issue arises because the "rpcecho" service operates with only one worker in the main RPC task, allowing calls to the "rpcecho" server to be blocked for a specified time, causing service disruptions. This disruption is triggered by a "sleep()" call in the "dcesrv_echo_TestSleep()" function under specific conditions. Authenticated users or attackers can exploit this vulnerability to make calls to the "rpcecho" server, requesting it to block for a specified duration, effectively disrupting most services and leading to a complete denial of service on the AD DC. The DoS affects all other services as "rpcecho" runs in the main RPC task.
Solution:
Update packages.
CVEs:
CVE-2023-3961
A path traversal vulnerability was identified in Samba when processing client pipe names connecting to Unix domain sockets within a private directory. Samba typically uses this mechanism to connect SMB clients to remote procedure call (RPC) services like SAMR LSA or SPOOLSS, which Samba initiates on demand. However, due to inadequate sanitization of incoming client pipe names, allowing a client to send a pipe name containing Unix directory traversal characters (../). This could result in SMB clients connecting as root to Unix domain sockets outside the private directory. If an attacker or client managed to send a pipe name resolving to an external service using an existing Unix domain socket, it could potentially lead to unauthorized access to the service and consequential adverse events, including compromise or service crashes.
A path traversal vulnerability was identified in Samba when processing client pipe names connecting to Unix domain sockets within a private directory. Samba typically uses this mechanism to connect SMB clients to remote procedure call (RPC) services like SAMR LSA or SPOOLSS, which Samba initiates on demand. However, due to inadequate sanitization of incoming client pipe names, allowing a client to send a pipe name containing Unix directory traversal characters (../). This could result in SMB clients connecting as root to Unix domain sockets outside the private directory. If an attacker or client managed to send a pipe name resolving to an external service using an existing Unix domain socket, it could potentially lead to unauthorized access to the service and consequential adverse events, including compromise or service crashes.
CVE-2023-4091
A vulnerability was discovered in Samba, where the flaw allows SMB clients to truncate files, even with read-only permissions when the Samba VFS module "acl_xattr" is configured with "acl_xattr:ignore system acls = yes". The SMB protocol allows opening files when the client requests read-only access but then implicitly truncates the opened file to 0 bytes if the client specifies a separate OVERWRITE create disposition request. The issue arises in configurations that bypass kernel file system permissions checks, relying solely on Samba's permissions.
A vulnerability was discovered in Samba, where the flaw allows SMB clients to truncate files, even with read-only permissions when the Samba VFS module "acl_xattr" is configured with "acl_xattr:ignore system acls = yes". The SMB protocol allows opening files when the client requests read-only access but then implicitly truncates the opened file to 0 bytes if the client specifies a separate OVERWRITE create disposition request. The issue arises in configurations that bypass kernel file system permissions checks, relying solely on Samba's permissions.
CVE-2023-42669
A vulnerability was found in Samba's "rpcecho" development server, a non-Windows RPC server used to test Samba's DCE/RPC stack elements. This vulnerability stems from an RPC function that can be blocked indefinitely. The issue arises because the "rpcecho" service operates with only one worker in the main RPC task, allowing calls to the "rpcecho" server to be blocked for a specified time, causing service disruptions. This disruption is triggered by a "sleep()" call in the "dcesrv_echo_TestSleep()" function under specific conditions. Authenticated users or attackers can exploit this vulnerability to make calls to the "rpcecho" server, requesting it to block for a specified duration, effectively disrupting most services and leading to a complete denial of service on the AD DC. The DoS affects all other services as "rpcecho" runs in the main RPC task.
A vulnerability was found in Samba's "rpcecho" development server, a non-Windows RPC server used to test Samba's DCE/RPC stack elements. This vulnerability stems from an RPC function that can be blocked indefinitely. The issue arises because the "rpcecho" service operates with only one worker in the main RPC task, allowing calls to the "rpcecho" server to be blocked for a specified time, causing service disruptions. This disruption is triggered by a "sleep()" call in the "dcesrv_echo_TestSleep()" function under specific conditions. Authenticated users or attackers can exploit this vulnerability to make calls to the "rpcecho" server, requesting it to block for a specified duration, effectively disrupting most services and leading to a complete denial of service on the AD DC. The DoS affects all other services as "rpcecho" runs in the main RPC task.
CVE-2022-2127
An out-of-bounds read vulnerability was found in Samba due to insufficient length checks in winbindd_pam_auth_crap.c. When performing NTLM authentication, the client replies to cryptographic challenges back to the server. These replies have variable lengths, and Winbind fails to check the lan manager response length. When Winbind is used for NTLM authentication, a maliciously crafted request can trigger an out-of-bounds read in Winbind, possibly resulting in a crash.
An out-of-bounds read vulnerability was found in Samba due to insufficient length checks in winbindd_pam_auth_crap.c. When performing NTLM authentication, the client replies to cryptographic challenges back to the server. These replies have variable lengths, and Winbind fails to check the lan manager response length. When Winbind is used for NTLM authentication, a maliciously crafted request can trigger an out-of-bounds read in Winbind, possibly resulting in a crash.
CVE-2023-34966
An infinite loop vulnerability was found in Samba's mdssvc RPC service for Spotlight. When parsing Spotlight mdssvc RPC packets sent by the client, the core unmarshalling function sl_unpack_loop() did not validate a field in the network packet that contains the count of elements in an array-like structure. By passing 0 as the count value, the attacked function will run in an endless loop consuming 100% CPU. This flaw allows an attacker to issue a malformed RPC request, triggering an infinite loop, resulting in a denial of service condition.
An infinite loop vulnerability was found in Samba's mdssvc RPC service for Spotlight. When parsing Spotlight mdssvc RPC packets sent by the client, the core unmarshalling function sl_unpack_loop() did not validate a field in the network packet that contains the count of elements in an array-like structure. By passing 0 as the count value, the attacked function will run in an endless loop consuming 100% CPU. This flaw allows an attacker to issue a malformed RPC request, triggering an infinite loop, resulting in a denial of service condition.
CVE-2023-34967
A Type Confusion vulnerability was found in Samba's mdssvc RPC service for Spotlight. When parsing Spotlight mdssvc RPC packets, one encoded data structure is a key-value style dictionary where the keys are character strings, and the values can be any of the supported types in the mdssvc protocol. Due to a lack of type checking in callers of the dalloc_value_for_key() function, which returns the object associated with a key, a caller may trigger a crash in talloc_get_size() when talloc detects that the passed-in pointer is not a valid talloc pointer. With an RPC worker process shared among multiple client connections, a malicious client or attacker can trigger a process crash in a shared RPC mdssvc worker process, affecting all other clients this worker serves.
A Type Confusion vulnerability was found in Samba's mdssvc RPC service for Spotlight. When parsing Spotlight mdssvc RPC packets, one encoded data structure is a key-value style dictionary where the keys are character strings, and the values can be any of the supported types in the mdssvc protocol. Due to a lack of type checking in callers of the dalloc_value_for_key() function, which returns the object associated with a key, a caller may trigger a crash in talloc_get_size() when talloc detects that the passed-in pointer is not a valid talloc pointer. With an RPC worker process shared among multiple client connections, a malicious client or attacker can trigger a process crash in a shared RPC mdssvc worker process, affecting all other clients this worker serves.
CVE-2023-34968
A path disclosure vulnerability was found in Samba. As part of the Spotlight protocol, Samba discloses the server-side absolute path of shares, files, and directories in the results for search queries. This flaw allows a malicious client or an attacker with a targeted RPC request to view the information that is part of the disclosed path.
A path disclosure vulnerability was found in Samba. As part of the Spotlight protocol, Samba discloses the server-side absolute path of shares, files, and directories in the results for search queries. This flaw allows a malicious client or an attacker with a targeted RPC request to view the information that is part of the disclosed path.
Additional Info:
N/A
Download:
SRPMS
- samba-4.18.6-101.el9.ML.1.src.rpm
MD5: 803059b062ad2c1ce14c6d2e7ea671ca
SHA-256: 6fb3d0cc11e244ef4ab6f1f4d4b9c328a2d269edc4bca6c7b989e7a0e843bffb
Size: 25.12 MB
Asianux Server 9 for x86_64
- ctdb-4.18.6-101.el9.ML.1.x86_64.rpm
MD5: 88c049a75b589f2b399bab527816cecf
SHA-256: bd21d8728f131c8cc045a91142af20a8f2f1d58bae7afe67d8d4b32c61326f22
Size: 766.17 kB - libnetapi-4.18.6-101.el9.ML.1.i686.rpm
MD5: 914681477af1f67d9134b02403faac81
SHA-256: d955ba58b2885ecb7d8b1f08ff58a8e092b3bc9aab132509c3d4a498e03c3bf5
Size: 154.17 kB - libnetapi-4.18.6-101.el9.ML.1.x86_64.rpm
MD5: 1b1ad3ced2ad95978ef4905e91e681ea
SHA-256: be916c20df7c7a89e97a2c579ff1da38a3c4b9cf9f82e4a9a5482a1e2e61c197
Size: 140.65 kB - libnetapi-devel-4.18.6-101.el9.ML.1.i686.rpm
MD5: 95b26553868580803c91a84c86f223eb
SHA-256: a1b77e2df5fd6b8d45ad479e23c85c77ab354c2f576f2d7725b5bda26ef9d9cf
Size: 24.23 kB - libnetapi-devel-4.18.6-101.el9.ML.1.x86_64.rpm
MD5: 0a22782a58edde943c846afd72480fa8
SHA-256: 2614ca4fcd3da458a3a6f9a389a213d08636f7864ffdb8635e77633c710fd1f7
Size: 24.22 kB - libsmbclient-4.18.6-101.el9.ML.1.i686.rpm
MD5: 97313e70f75653e076a9dca8de6dbb7e
SHA-256: a3fc4bdd5e47303206ee14a1b59d2bb874d13ab1784bb1bcdc3c970281fa18a6
Size: 79.22 kB - libsmbclient-4.18.6-101.el9.ML.1.x86_64.rpm
MD5: 5dbaddd66cfeb967f305bd7cf06b195c
SHA-256: f6d1b9d1ee0767442c227c804714b6d63a0975b392b2c42565ff20662f0df169
Size: 73.72 kB - libsmbclient-devel-4.18.6-101.el9.ML.1.i686.rpm
MD5: 867e89337afb8b0626e4e2a28a0f6be7
SHA-256: a820b7e06ccace7f324349f037905fdbafde7d0a50777cd8667abd3f3f95edb8
Size: 34.83 kB - libsmbclient-devel-4.18.6-101.el9.ML.1.x86_64.rpm
MD5: 287eb7b3e387fac357177dc3c36ef1eb
SHA-256: 7d22a0588b1eaa9501cc6205508b1ce69f88765454a21e4a72ae5ff6953dea1d
Size: 34.84 kB - libwbclient-4.18.6-101.el9.ML.1.i686.rpm
MD5: 9d2ed7c08230925a756ce147f2af64d6
SHA-256: 48f2abaeb0818a0a4c2a2f200ddc8091911834116b6439935e0e9653a46cdd8a
Size: 45.44 kB - libwbclient-4.18.6-101.el9.ML.1.x86_64.rpm
MD5: 031026a83423447040264eef80f96752
SHA-256: a792f8b2aab399b3e9d42050bc8c19d64c8a651712b51c72240635d5c29e07d3
Size: 42.15 kB - libwbclient-devel-4.18.6-101.el9.ML.1.i686.rpm
MD5: ba876b335c19ef0d1edc732d71096663
SHA-256: b9173ce460233897b2a022e9cf5ac1ed2b918d29e6da1a8c18c436af6c110003
Size: 23.23 kB - libwbclient-devel-4.18.6-101.el9.ML.1.x86_64.rpm
MD5: a23d528c5f7aff492ea2ea1d1588a1a9
SHA-256: ee9ec05da773540b2560e16a72212c2dcfda7fd99c12dbfab72115135eaa2535
Size: 23.22 kB - python3-samba-4.18.6-101.el9.ML.1.i686.rpm
MD5: 387dd5a8e76dd0e66cc4ec25ad1bf69e
SHA-256: 70faace9779ff052fd3d245c94d88bb24ae349346c826061fe7ad5c18e3448b2
Size: 3.19 MB - python3-samba-4.18.6-101.el9.ML.1.x86_64.rpm
MD5: 10f75c8c27c07876d92dfff4c7e1652a
SHA-256: 2cd6e19f117b225ba88f7788a4924e7ad85cb664185e2c931f44ee98ee40278c
Size: 3.32 MB - python3-samba-dc-4.18.6-101.el9.ML.1.x86_64.rpm
MD5: 15cdba632f48f1bee94392cb8f40569c
SHA-256: 80fea8e34255045517a199c9a0ce89c5e773ff7dc93fab9ae0de75c024e1ced2
Size: 328.44 kB - python3-samba-devel-4.18.6-101.el9.ML.1.i686.rpm
MD5: b802c1aabf6ce2430bc866ca65044c59
SHA-256: 0c5d2895efc346aa21896d0727e18782641ed64bab00f2ceb8e7e57a7c00c84d
Size: 14.40 kB - python3-samba-devel-4.18.6-101.el9.ML.1.x86_64.rpm
MD5: ab9de0c620b4dac51fab5a9ad04c79b2
SHA-256: 0cfe87bd3e97433372b3d9e76e79d64a592789f31a111b4107ad59d60389d656
Size: 14.40 kB - python3-samba-test-4.18.6-101.el9.ML.1.x86_64.rpm
MD5: 376b6517ddbff7ee2351e8d2e64e8675
SHA-256: a471874d40f0de8f9aa1393915a62e74669b30d77a75abe7515bd24fa6298e1c
Size: 1.00 MB - samba-4.18.6-101.el9.ML.1.x86_64.rpm
MD5: 2b2b7079c03c9b1182c8218a3175f780
SHA-256: 785fdc05f756f8a96e34942874910f7474185d4bd736ee03402480209bf27a52
Size: 931.13 kB - samba-client-4.18.6-101.el9.ML.1.x86_64.rpm
MD5: 3a179c9be312371888e9c40a1e31ab47
SHA-256: a7e43a09aba85a7b20836734ec968c3ff27c10003c672a89ddd9a43837febf9d
Size: 659.35 kB - samba-client-libs-4.18.6-101.el9.ML.1.i686.rpm
MD5: 335db3d0f354897c59aed2c0bb0a5866
SHA-256: e9c0b2c846d8902d9048c71cb0dc371a9c9cf3d8d0df16798d4c3e631b2eaced
Size: 5.36 MB - samba-client-libs-4.18.6-101.el9.ML.1.x86_64.rpm
MD5: 789084db50a1c1d6e79209deb65d42eb
SHA-256: f21054ad09b87c4600d887ce3fa9d66a171d3438e6de7d1c0c9f49c7edf5fca1
Size: 5.02 MB - samba-common-4.18.6-101.el9.ML.1.noarch.rpm
MD5: ba89f38ff587ae0dc258164382d14672
SHA-256: 6ae8d269c2387fc0349130d1dca3ca87c5faa0422a6738ed0503f89e185964ff
Size: 147.78 kB - samba-common-libs-4.18.6-101.el9.ML.1.i686.rpm
MD5: 2df56c1c553209066c45ab0c75d47524
SHA-256: 0804ee4a38577a23f09127347b14848c70122ea1808c017bc549b08872c4e557
Size: 110.12 kB - samba-common-libs-4.18.6-101.el9.ML.1.x86_64.rpm
MD5: db87ce87e7a64a9cc900e9f71d3ca6ea
SHA-256: cbdb53f1f8a56a749222d1d65474910807184f7819d2d652b61a46d68f00faf4
Size: 99.62 kB - samba-common-tools-4.18.6-101.el9.ML.1.x86_64.rpm
MD5: 2cd50ca7d967403031bd285afd99769a
SHA-256: 2de84322f7d6a8496732cb857033b497f7efa36a56a583cef3880964f29527a1
Size: 455.74 kB - samba-dcerpc-4.18.6-101.el9.ML.1.x86_64.rpm
MD5: 222e364526d93c930b5aee706badd91d
SHA-256: 2fa1272b8c43909d50441b7e0f91f8f14b2f69f0b2a7c26d6f84e4653e9b557b
Size: 688.72 kB - samba-dc-libs-4.18.6-101.el9.ML.1.i686.rpm
MD5: 204d348ad0654ca0928e326ab49f5344
SHA-256: 4a4771006d75b5e2da57be64b6fb77cb2395f72c394fae4aaf3351a1d3b1a262
Size: 31.08 kB - samba-dc-libs-4.18.6-101.el9.ML.1.x86_64.rpm
MD5: 72b011e86f8a65025fb4b4e8a4b39646
SHA-256: 5958886bd00f328db29e325e2ff46fd61803b84ea641ad89201cf34044159032
Size: 29.75 kB - samba-devel-4.18.6-101.el9.ML.1.i686.rpm
MD5: 439de690cf21c6499f98c47bc9cabda7
SHA-256: b63b736f378644dbc12f430d750b29f84e70e45b5a0540c12a0d82106a371369
Size: 214.36 kB - samba-devel-4.18.6-101.el9.ML.1.x86_64.rpm
MD5: e4897f569d1e02a8f3444c0fb6e35e9d
SHA-256: 99b322162e5a6c02d3554af72fa193e629ca5fcd949f306495e9cd45675379ee
Size: 214.42 kB - samba-krb5-printing-4.18.6-101.el9.ML.1.x86_64.rpm
MD5: b2e32e54bcc216e63e86309198b01c63
SHA-256: 9629217795dfdf109c2fb9550d430757c4605dcbacb8b37ffc30074c3f276a2c
Size: 21.46 kB - samba-ldb-ldap-modules-4.18.6-101.el9.ML.1.x86_64.rpm
MD5: cbcab40319d8e1894730c24f68cd9b44
SHA-256: 9bb0690d7ac34d0aa4b7bee0e2ef54a106c27c4d6b76c9193cacd79541bcdf9b
Size: 27.67 kB - samba-libs-4.18.6-101.el9.ML.1.i686.rpm
MD5: 2c19e10354982d379c6a95613c1d7293
SHA-256: 8487355b8ae864e805c06842a7c0d5261419633a55d43d99a9df53169e75d1cb
Size: 126.92 kB - samba-libs-4.18.6-101.el9.ML.1.x86_64.rpm
MD5: ea4f106691e708731e8f8b066eb53f4b
SHA-256: 27bcb8e959f03bc16a9a683af2142f1701097878067ace3bbef3e3629b4062fd
Size: 120.02 kB - samba-pidl-4.18.6-101.el9.ML.1.noarch.rpm
MD5: e71142fe2555b298b06b1d64d2f90f99
SHA-256: 3b3012a27dd143888bab0aea57fdfede41addc36066ee356752c1a1e1a778654
Size: 112.92 kB - samba-test-4.18.6-101.el9.ML.1.x86_64.rpm
MD5: 05b0baad8d66744f0dbbca7e23fa0c6a
SHA-256: 01b935f0a9cb83db9e68a94beda322867a835d5bc80fc1e0d19efd67a6b1d371
Size: 2.23 MB - samba-test-libs-4.18.6-101.el9.ML.1.x86_64.rpm
MD5: 1bf6d3a9af4586e39af169c479670ef2
SHA-256: 5f52660ae6c74409b89d0939b114a4d3f19546b1ea2c9f93701e2b63b06db1ee
Size: 43.59 kB - samba-tools-4.18.6-101.el9.ML.1.x86_64.rpm
MD5: 527619971630301f7c4ed0efe30f2d4a
SHA-256: 922deee3f3954b70c17aff2cfeebbf64ff3f35254f5d765010014516588e6a7e
Size: 23.79 kB - samba-usershares-4.18.6-101.el9.ML.1.x86_64.rpm
MD5: 7b028d0ac44a85bfe6c51d3a08848f64
SHA-256: 653f440b9a8a3d59c439b0f889ce44f19e6116906f03300521021ca03312dc93
Size: 14.37 kB - samba-vfs-iouring-4.18.6-101.el9.ML.1.x86_64.rpm
MD5: 0c197e9acb8d5d3bf403c00f8d6ddea0
SHA-256: 34b2d66ece018a5631c05606cef51de4f33b87b1ad3c31ffb7e1302c351fb561
Size: 24.67 kB - samba-winbind-4.18.6-101.el9.ML.1.x86_64.rpm
MD5: b2607d42308e6cab163eafb5c4c64410
SHA-256: 12a57aa9ff53642430a2a0080f62444f7d252ac35e291aa92ef6d78ca174b0e7
Size: 408.18 kB - samba-winbind-clients-4.18.6-101.el9.ML.1.x86_64.rpm
MD5: 053efeb4c45165cb0770190196604a7f
SHA-256: a7521d24dad907e6f6b9c17b89ce25ad2e8459eca03c2169bd7a6e7bd8a1f34d
Size: 79.63 kB - samba-winbind-krb5-locator-4.18.6-101.el9.ML.1.x86_64.rpm
MD5: de95cd77f5b390f2407ffa8a31233cf5
SHA-256: 51ef1d0d5d25964ed7068a5be597c2f0152219b9c9e7c4034a3a8c229d40d669
Size: 27.98 kB - samba-winbind-modules-4.18.6-101.el9.ML.1.i686.rpm
MD5: 7fc9b5672e231a76932e00a99b59b411
SHA-256: 85090031ea78e6ce1d78e6752bbfccc4d40df1b5fa261aa85c457960d996c02c
Size: 64.92 kB - samba-winbind-modules-4.18.6-101.el9.ML.1.x86_64.rpm
MD5: d82ce65f2779f11179a98250b0ec3348
SHA-256: a4270d38917b561d5654fabd284969488e9853e6f7ab95a91a78aca1bff6a432
Size: 62.30 kB - samba-winexe-4.18.6-101.el9.ML.1.x86_64.rpm
MD5: 8357ebad624ab0a712db5962112936d6
SHA-256: 6c2447460b1f5e79e8a90ff8a997b096c52e0efed979ecfa5114a0ab448ae955
Size: 81.14 kB
日本語