Bug 813569 - (CVE-2012-2111) CVE-2012-2111 samba: Incorrect permission checks when granting/removing privileges
CVE-2012-2111 samba: Incorrect permission checks when granting/removing privi...
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
high Severity high
: ---
: ---
Assigned To: Red Hat Product Security
impact=important,public=20120430,repo...
: Security
Depends On: 815686 815687 815688 815689 817551
Blocks: 813570
  Show dependency treegraph
 
Reported: 2012-04-17 18:03 EDT by Vincent Danen
Modified: 2016-11-08 11:07 EST (History)
11 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-01-26 17:30:34 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Vincent Danen 2012-04-17 18:03:16 EDT
A vulnerability was found in Samba 3.4.x through to and including 3.6.4 that could allow arbitrary users to modify privileges on a Samba file server.  This is due to security checks being incorrectly applied to the Local Security Authority (LSA) remote procedure calls (RPC): CreateAccount, OpenAccount, AddAccountRights, and RemoveAccountRights.

This could allow any authenticated user to modify the privileges database.  As a result, this could allow an attacker to grant themselves the "take ownership" privilege, which would allow the attacker to take ownership of files or directories that they do not own.

To work-around this flaw, set the "enable privileges = no" parameter in the "[global]" section of smb.conf.  In the event that unauthorized changes have already been made, remove the account_policy.tdb file, and when the patch/update is applied, re-grant the specific privileges using the "net rpc rights" command.

Acknowledgements:

Red Hat would like to thank the Samba project for reporting this issue. Upstream acknowledges Ivano Cristofolini as the original reporter of this issue.
Comment 13 Jan Lieskovsky 2012-04-30 09:27:51 EDT
Public now via:
[1] http://www.samba.org/samba/security/CVE-2012-2111
Comment 14 Jan Lieskovsky 2012-04-30 09:29:28 EDT
Created samba tracking bugs for this issue

Affects: fedora-all [bug 817551]
Comment 15 errata-xmlrpc 2012-04-30 13:40:52 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2012:0533 https://rhn.redhat.com/errata/RHSA-2012-0533.html
Comment 16 Jonathan Peatfield 2012-05-01 12:14:46 EDT
I know that the report says it affects samba 3.4.x - 3.6.x but it would be nice to have an explicit confirmation that this does not affect the el5 samba 3.0.x ...

 -- Jon

Note You need to log in before you can comment on or make changes to this bug.