As per upstream: A remote, authenticated attacker can cause the winbindd process to crash using a legitimate Kerberos ticket due to incorrect handling of the PAC checksum. A local service with access to the winbindd privileged pipe can cause winbindd to cache elevated access permissions. For the remote attack, the memory overwrite kills the main winbindd process and an authenticated attacker can construct this situation by watching for password changes in Samba. One specific trigger occurs when winbindd changes its machine account password and the client still has a valid Kerberos ticket (that was encrypted with the old password).
Created samba tracking bugs for this issue: Affects: fedora-all [bug 1405984]
External Reference: https://www.samba.org/samba/security/CVE-2016-2126.html
No mitigation exists for this issue. However, using "machine password timeout = 0" will prevent the bug from being triggered accidentally when the machine password is changed.
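Added example (not part of the original bug report or of Samba): a small audit helper that reports whether an smb.conf text carries the "machine password timeout = 0" setting mentioned above, so hosts still awaiting the errata can be checked. It assumes a single smb.conf with no "include" or registry configuration, uses Samba's documented default of 604800 seconds when the parameter is absent, and the sample configurations are constructed. The setting only avoids the accidental trigger; it does not replace the fix.

```python
import re

DEFAULT_TIMEOUT = 604800  # Samba's documented default (one week), in seconds


def _norm(name):
    # smb.conf ignores case and whitespace in section and parameter names
    return re.sub(r"\s+", "", name).lower()


def machine_password_timeout(conf_text):
    """Return the effective [global] 'machine password timeout' in seconds."""
    value = DEFAULT_TIMEOUT
    section = None
    pending = ""
    for raw in conf_text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):            # trailing backslash continues the line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":    # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = _norm(line[1:-1])
            continue
        if section == "global" and "=" in line:
            key, _, val = line.partition("=")
            if _norm(key) == "machinepasswordtimeout":
                value = int(val.strip())   # a later assignment overrides earlier ones
    return value


def accidental_trigger_possible(conf_text):
    # True unless the workaround value (0) from the bug report is in effect
    return machine_password_timeout(conf_text) != 0


# Constructed sample configurations (not taken from any real host)
SAMPLE_DEFAULT = "[global]\n  workgroup = EXAMPLE\n  security = ads\n"
SAMPLE_WORKAROUND = (
    "[Global]\n"
    "  ; workaround until the errata is installed\n"
    "  Machine Password  Timeout = 0\n"
    "[share]\n"
    "  machine password timeout = 5\n"  # outside [global], ignored by this check
)

if __name__ == "__main__":
    for name, conf in (("default", SAMPLE_DEFAULT), ("workaround", SAMPLE_WORKAROUND)):
        print(name, machine_password_timeout(conf), accidental_trigger_possible(conf))
```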
I am unable to access any of the related bugs for this to see what is going on. Can someone working this issue post a status update as to having an errata opened for RHEL here? Thanks
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2017:0662 https://rhn.redhat.com/errata/RHSA-2017-0662.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2017:0744 https://rhn.redhat.com/errata/RHSA-2017-0744.html
This issue has been addressed in the following products: Red Hat Gluster Storage 3.2 for RHEL 6 Via RHSA-2017:0494 https://rhn.redhat.com/errata/RHSA-2017-0494.html
This issue has been addressed in the following products: Red Hat Gluster Storage 3.2 for RHEL 7 Via RHSA-2017:0495 https://rhn.redhat.com/errata/RHSA-2017-0495.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2017:1265 https://access.redhat.com/errata/RHSA-2017:1265