[Secure-testing-team] CAN-2006-1059 [jerry@samba.org: [SECURITY] Samba 3.0.21-3.0.21c: Exposure of machine account credentials in winbindd log files]

Steve Langasek vorlon at debian.org
Fri Mar 31 04:39:38 UTC 2006


Hey folks,

samba 3.0.22 has been released to fix a security hole in samba versions
3.0.21-3.0.21c, CAN-2006-1059, which on Debian systems allows members of the
adm group to read the domain member server's password from
/var/log/samba/log.winbindd, a privilege escalation with limited scope.  I'm
preparing an upload of samba 3.0.22 to unstable, which will be uploaded just
as soon as the build finishes here. :)  I've confirmed that this patch is
not applicable to samba 3.0.14a, so sarge is not vulnerable.

The original upstream announcement is included below.

Cheers,
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon at debian.org                                   http://www.debian.org/

----- Forwarded message from "Gerald (Jerry) Carter" <jerry at samba.org> -----

From: "Gerald (Jerry) Carter" <jerry at samba.org>
To: samba-technical at samba.org
Subject: [SECURITY] Samba 3.0.21-3.0.21c: Exposure of machine account
 credentials in winbindd log files
Date: Wed, 29 Mar 2006 23:21:06 -0600

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

==========================================================
==
== Subject:     Exposed clear text of domain machine
==              account password in debug logs (log
==              level >= 5)
== CVE ID#:     CAN-2006-1059
==
== Versions:    Samba 3.0.21 - 3.0.21c (inclusive)
==
== Summary:     The winbindd daemon writes the clear text
==              of the machine trust account password to
==              log files.  These log files are world
==              readable by default.
==
==========================================================


===========
Description
===========

The machine trust account password is the secret shared
between a domain controller and a specific member server.
Access to the member server machine credentials allows
an attacker to impersonate the server in the domain and
gain access to additional information regarding domain
users and groups.

The winbindd daemon included in Samba 3.0.21 and subsequent
patch releases (3.0.21a-c) writes the clear text of the server's
machine credentials to its log file at level 5.  The winbindd
log files are world readable by default, and log files are
often requested on open mailing lists as a tool for debugging
server misconfigurations.

This affects servers configured to use domain or ads security
and possibly Samba domain controllers as well (if configured
to use winbindd).


==================
Patch Availability
==================

Samba 3.0.22 has been released to address this one security
defect.  A patch for Samba 3.0.21[a-c] has been posted at

	http://www.samba.org/samba/security/

An unpatched server may be protected by ensuring that
non-administrative users are unable to read any winbindd
log files generated at level 5 or greater.


=======
Credits
=======

This security issue was discovered during an internal security
audit of the Samba source code by the Samba Team.


==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFEK2rCIR7qMdg1EfYRAlW9AKCkacH0u7BrHCihzczj05MpUVCrewCfeYzv
UrUwLoJGcsm6DvBlaaJdato=
=XmXK
-----END PGP SIGNATURE-----

----- End forwarded message -----
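The advisory's interim mitigation (make sure winbindd logs written at level 5 or above cannot be read by non-administrative users) can be checked with a small audit script. The script below is an added example, not code from Samba or from either message above. It assumes the debug level is set through "log level" (or its synonym "debuglevel") in the [global] section of smb.conf, that winbindd's logs are the files matching log.winbindd* in the given directory, and that a group-readable log counts as exposed (on Debian the adm group is exactly the concern raised at the top of this thread). The function names are hypothetical.

```shell
#!/bin/sh
# Hypothetical audit helper for CAN-2006-1059 (added example, not Samba's code).
# Flags hosts where winbindd logs at debug level >= 5 while its log files
# are readable by users other than root.

# Print the debug level winbindd will use under the given smb.conf.
# Only [global] is considered (parameters before any section header are
# treated as global).  A per-class "winbind:N" override wins over the
# leading number, as in "log level = 1 winbind:5".  Defaults to 0.
winbind_log_level() {
    awk '
        BEGIN { in_global = 1 }
        { line = tolower($0) }
        line ~ /^[ \t]*[;#]/ { next }                 # comment lines
        line ~ /^[ \t]*\[/ {                          # section header
            in_global = (line ~ /^[ \t]*\[global\]/); next
        }
        in_global && line ~ /^[ \t]*(log[ \t]*level|debug[ \t]*level)[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "", line)
            n = split(line, tok, /[ \t]+/)
            if (tok[1] ~ /^[0-9]+$/) level = tok[1] + 0
            for (i = 1; i <= n; i++)
                if (tok[i] ~ /^winbind:[0-9]+$/) {
                    split(tok[i], kv, ":"); level = kv[2] + 0
                }
        }
        END { print level + 0 }
    ' "$1"
}

# Succeed (0) when the group or "other" read bit is set on $1.
# ls -l is parsed instead of stat(1) because stat format flags differ
# between GNU and BSD userlands.  Positions: 2-4 user, 5-7 group, 8-10 other.
readable_by_nonroot() {
    perms=$(ls -ld "$1" | cut -c1-10)
    case "$perms" in
        ????r*|???????r*) return 0 ;;
    esac
    return 1
}

# $1 = smb.conf, $2 = directory holding log.winbindd*
# Returns 1 and names the offending files when winbindd logs at level >= 5
# and any of its log files is readable by non-root users; 0 otherwise.
# Caveat: a -d option on winbindd's command line, or a level pushed at
# runtime with "smbcontrol winbindd debug N", is not visible in smb.conf
# and must be checked separately.
audit_winbindd_logs() {
    conf=$1
    logdir=$2
    level=$(winbind_log_level "$conf")
    if [ "$level" -lt 5 ]; then
        echo "winbind log level $level < 5: credentials are not logged"
        return 0
    fi
    found=0
    for f in "$logdir"/log.winbindd*; do
        [ -e "$f" ] || continue
        if readable_by_nonroot "$f"; then
            echo "EXPOSED: $f is readable by non-root users at log level $level"
            found=1
        fi
    done
    return $found
}

# Usage on a live member server (paths are the Debian defaults):
#   audit_winbindd_logs /etc/samba/smb.conf /var/log/samba
```

A clean result from this script only means the log files are not readable now; logs that were already copied elsewhere (or pasted to a mailing list) should be treated as having leaked the machine account password, and the account should be re-joined to the domain after upgrading.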

