Bug 813569 (CVE-2012-2111)

Summary: CVE-2012-2111 samba: Incorrect permission checks when granting/removing privileges
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: abokovoy, asn, azelinka, gdeschner, jlieskov, j.s.peatfield, prc, sbose, security-response-team, ssorce, steved
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2015-01-26 22:30:34 UTC
Bug Depends On: 815686, 815687, 815688, 815689, 817551
Bug Blocks: 813570

Description Vincent Danen 2012-04-17 22:03:16 UTC
A vulnerability was found in Samba 3.4.x through to and including 3.6.4 that could allow arbitrary users to modify privileges on a Samba file server.  This is due to security checks being incorrectly applied to the Local Security Authority (LSA) remote procedure calls (RPC): CreateAccount, OpenAccount, AddAccountRights, and RemoveAccountRights.

This could allow any authenticated user to modify the privileges database.  As a result, this could allow an attacker to grant themselves the "take ownership" privilege, which would allow the attacker to take ownership of files or directories that they do not own.

To work around this flaw, set the "enable privileges = no" parameter in the "[global]" section of smb.conf.  In the event that unauthorized changes have already been made, remove the account_policy.tdb file, and when the patch/update is applied, re-grant the specific privileges using the "net rpc rights" command.

Acknowledgements:

Red Hat would like to thank the Samba project for reporting this issue. Upstream acknowledges Ivano Cristofolini as the original reporter of this issue.
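
A check for the workaround described above, as an added example that is not part of the original bug report or of Samba's own tooling. It reports whether "enable privileges = no" is in effect in the "[global]" section of a given smb.conf. The function name `privileges_disabled` is hypothetical, the sample config is constructed, and the script assumes a single file (it does not follow `include` directives).

```shell
#!/bin/sh
# Added example: is the CVE-2012-2111 workaround present in this smb.conf?
# Returns 0 = "enable privileges" is off in [global],
#         1 = not set or enabled, 2 = file unreadable.
privileges_disabled() {
    conf=$1
    [ -r "$conf" ] || return 2
    awk '
        # smb.conf names ignore case and embedded whitespace
        function norm(s) { gsub(/[ \t]/, "", s); return tolower(s) }
        { sub(/\r$/, "") }
        /^[ \t]*[#;]/ { next }                  # comment lines
        /^[ \t]*\[/ {                           # section header
            s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s)
            in_global = (norm(s) == "global"); next
        }
        in_global && index($0, "=") {
            name = norm(substr($0, 1, index($0, "=") - 1))
            val  = norm(substr($0, index($0, "=") + 1))
            # a later occurrence overrides an earlier one
            if (name == "enableprivileges")
                off = (val == "no" || val == "false" || val == "0" || val == "off")
        }
        END { exit (off ? 0 : 1) }
    ' "$conf"
}

# Constructed sample config (not taken from a real server)
sample=$(mktemp)
cat > "$sample" <<'EOF'
[Global]
    workgroup = EXAMPLE
    Enable Privileges = No
[share]
    path = /srv/share
EOF
if privileges_disabled "$sample"; then
    echo "workaround active"
else
    echo "workaround NOT active"
fi
rm -f "$sample"
```
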

Comment 13 Jan Lieskovsky 2012-04-30 13:27:51 UTC
Public now via:
[1] http://www.samba.org/samba/security/CVE-2012-2111

Comment 14 Jan Lieskovsky 2012-04-30 13:29:28 UTC
Created samba tracking bugs for this issue

Affects: fedora-all [bug 817551]

Comment 15 errata-xmlrpc 2012-04-30 17:40:52 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2012:0533 https://rhn.redhat.com/errata/RHSA-2012-0533.html

Comment 16 Jonathan Peatfield 2012-05-01 16:14:46 UTC
I know that the report says it affects samba 3.4.x - 3.6.x but it would be nice to have an explicit confirmation that this does not affect the el5 samba 3.0.x ...

 -- Jon