Bug 813569 (CVE-2012-2111) - CVE-2012-2111 samba: Incorrect permission checks when granting/removing privileges
Alias: CVE-2012-2111
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 815686 815687 815688 815689 817551
Blocks: 813570
Reported: 2012-04-17 22:03 UTC by Vincent Danen
Modified: 2019-09-29 12:52 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2015-01-26 22:30:34 UTC

System: Red Hat Product Errata
ID: RHSA-2012:0533
Priority: normal
Status: SHIPPED_LIVE
Summary: Important: samba and samba3x security update
Last Updated: 2012-04-30 21:36:00 UTC

Description Vincent Danen 2012-04-17 22:03:16 UTC
A vulnerability was found in Samba 3.4.x through to and including 3.6.4 that could allow arbitrary users to modify privileges on a Samba file server.  This is due to security checks being incorrectly applied to the Local Security Authority (LSA) remote procedure calls (RPC): CreateAccount, OpenAccount, AddAccountRights, and RemoveAccountRights.

This could allow any authenticated user to modify the privileges database.  As a result, this could allow an attacker to grant themselves the "take ownership" privilege, which would allow the attacker to take ownership of files or directories that they do not own.

To work-around this flaw, set the "enable privileges = no" parameter in the "[global]" section of smb.conf.  In the event that unauthorized changes have already been made, remove the account_policy.tdb file, and when the patch/update is applied, re-grant the specific privileges using the "net rpc rights" command.


Red Hat would like to thank the Samba project for reporting this issue. Upstream acknowledges Ivano Cristofolini as the original reporter of this issue.
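
One way to audit a host against the workaround and the version range given in the description above, added here as an example (it is not part of the original report or of Samba's own tooling). The function names are hypothetical, the sample smb.conf and version string are constructed, and the parser assumes the parameter defaults to "yes" when it is absent.

```shell
#!/bin/sh
# Added example (constructed): audit helpers for the workaround in this report.

# Print "no" if [global] sets "enable privileges" to a false value, else "yes".
# Assumptions: an absent parameter means "yes"; only lines inside [global] are
# read; "include" directives are not followed. The last setting wins.
enable_privileges_setting() {
    awk '
        BEGIN { sect = ""; val = "yes" }
        /^[ \t]*[#;]/ { next }                   # comment line
        /^[ \t]*\[/ {                            # section header
            s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s)
            gsub(/[ \t]/, "", s); sect = tolower(s); next
        }
        sect == "global" && index($0, "=") {
            key = tolower(substr($0, 1, index($0, "=") - 1))
            gsub(/[ \t]/, "", key)               # names ignore case and spaces
            v = tolower(substr($0, index($0, "=") + 1))
            sub(/^[ \t]+/, "", v); sub(/[ \t\r]+$/, "", v)
            if (key == "enableprivileges")
                val = (v == "no" || v == "false" || v == "0" || v == "off") ? "no" : "yes"
        }
        END { print val }
    ' "$1"
}

# Succeed if an upstream version lies in the range the report gives
# (3.4.x through 3.6.4). Distribution packages with a backported fix keep the
# same upstream number, so a match means "check the errata", not "unpatched".
samba_version_affected() {
    ver=${1%%[!0-9.]*}                           # drop suffix such as "-1.el6"
    old_ifs=$IFS; IFS=.; set -- $ver; IFS=$old_ifs
    maj=${1:-0}; min=${2:-0}; pat=${3:-0}
    [ "$maj" -eq 3 ] || return 1
    [ "$min" -ge 4 ] && [ "$min" -le 6 ] || return 1
    [ "$min" -lt 6 ] || [ "$pat" -le 4 ]
}

# Demo on a constructed smb.conf and a constructed version string.
conf=$(mktemp)
printf '[global]\n  workgroup = EXAMPLE\n  Enable Privileges = No\n[data]\n  path = /srv/data\n' > "$conf"
echo "enable privileges = $(enable_privileges_setting "$conf")"
if samba_version_affected "3.5.10"; then echo "3.5.10: in affected range"; fi
rm -f "$conf"
```

A result of "yes" on a version inside the range means the workaround is not in place on that host.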

Comment 13 Jan Lieskovsky 2012-04-30 13:27:51 UTC
Public now via:
[1] http://www.samba.org/samba/security/CVE-2012-2111

Comment 14 Jan Lieskovsky 2012-04-30 13:29:28 UTC
Created samba tracking bugs for this issue

Affects: fedora-all [bug 817551]

Comment 15 errata-xmlrpc 2012-04-30 17:40:52 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2012:0533 https://rhn.redhat.com/errata/RHSA-2012-0533.html

Comment 16 Jonathan Peatfield 2012-05-01 16:14:46 UTC
I know that the report says it affects samba 3.4.x - 3.6.x but it would be nice to have an explicit confirmation that this does not affect the el5 samba 3.0.x ...

 -- Jon
