Bug 1403115 - (CVE-2016-2126) CVE-2016-2126 samba: Flaws in Kerberos PAC validation can trigger privilege elevation
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
unspecified
All Linux
medium Severity medium
Assigned To: Red Hat Product Security
impact=moderate,public=20161219,repor...
: Security
Depends On: 1405356 1405358 1405399 1405984 1435079 1437741
Blocks: 1386080 1392703 1415638
Reported: 2016-12-09 00:43 EST by Huzaifa S. Sidhpurwala
Modified: 2017-07-31 05:11 EDT
Fixed In Version: samba 4.5.3, samba 4.4.8, samba 4.3.13
Doc Text:
A flaw was found in the way Samba handled PAC (Privilege Attribute Certificate) checksums. A remote, authenticated attacker could use this flaw to crash the winbindd process.
External Trackers

| Tracker | ID | Priority | Status | Summary | Last Updated |
|---|---|---|---|---|---|
| Red Hat Product Errata | RHSA-2017:0494 | normal | SHIPPED_LIVE | Moderate: Red Hat Gluster Storage 3.2.0 samba security, bug fixes and enhancement update | 2017-03-23 05:06:59 EDT |
| Red Hat Product Errata | RHSA-2017:0495 | normal | SHIPPED_LIVE | Moderate: Red Hat Gluster Storage 3.2.0 samba security, bug fixes and enhancement update | 2017-03-23 05:18:26 EDT |
| Red Hat Product Errata | RHSA-2017:0662 | normal | SHIPPED_LIVE | Moderate: samba security and bug fix update | 2017-03-21 08:34:11 EDT |
| Red Hat Product Errata | RHSA-2017:0744 | normal | SHIPPED_LIVE | Moderate: samba4 security and bug fix update | 2017-03-21 08:44:53 EDT |
| Red Hat Product Errata | RHSA-2017:1265 | normal | SHIPPED_LIVE | Moderate: samba security and bug fix update | 2017-05-22 10:25:41 EDT |

Description Huzaifa S. Sidhpurwala 2016-12-09 00:43:37 EST
As per upstream:

A remote, authenticated attacker can cause the winbindd process to crash using a legitimate Kerberos ticket due to incorrect handling of the PAC checksum. A local service with access to the winbindd privileged pipe can cause winbindd to cache elevated access permissions.

For the remote attack, the memory overwrite kills the main winbindd process and an authenticated attacker can construct this situation by watching for password changes in Samba.

One specific trigger occurs when winbindd changes its machine account password and the client still has a valid Kerberos ticket (that was encrypted with the old password).
Comment 4 Siddharth Sharma 2016-12-19 07:36:13 EST
Created samba tracking bugs for this issue:

Affects: fedora-all [bug 1405984]
Comment 5 Huzaifa S. Sidhpurwala 2016-12-19 22:21:26 EST
External Reference:

https://www.samba.org/samba/security/CVE-2016-2126.html
Comment 6 Huzaifa S. Sidhpurwala 2017-01-05 04:35:26 EST
No mitigation exists for this issue. However, using "machine password timeout = 0" will prevent the bug from being triggered accidentally when the machine password is changed.
Comment 7 Dan 2017-03-01 11:56:56 EST
I am unable to access any of the related bugs for this to see what is going on. Can someone working this issue post a status update as to having an errata opened for RHEL here?
Thanks
Comment 8 errata-xmlrpc 2017-03-21 06:15:26 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2017:0662 https://rhn.redhat.com/errata/RHSA-2017-0662.html
Comment 9 errata-xmlrpc 2017-03-21 07:25:33 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2017:0744 https://rhn.redhat.com/errata/RHSA-2017-0744.html
Comment 10 errata-xmlrpc 2017-03-23 01:12:48 EDT
This issue has been addressed in the following products:

  Red Hat Gluster Storage 3.2 for RHEL 6

Via RHSA-2017:0494 https://rhn.redhat.com/errata/RHSA-2017-0494.html
Comment 12 errata-xmlrpc 2017-03-23 01:20:37 EDT
This issue has been addressed in the following products:

  Red Hat Gluster Storage 3.2 for RHEL 7

Via RHSA-2017:0495 https://rhn.redhat.com/errata/RHSA-2017-0495.html
Comment 15 errata-xmlrpc 2017-05-22 06:26:09 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:1265 https://access.redhat.com/errata/RHSA-2017:1265
