CVE-2020-14323: Difference between revisions

From SambaWiki
(CVE-2020-14323)
 
No edit summary
 
Line 1: Line 1:
=CVE-2020-14323 Unprivileged user can crash winbind=
=CVE-2020-14323 Unprivileged user can crash winbind=
:[https://www.samba.org/samba/security/CVE-2020-14323.html Advisory CVE-2020-14323]

== Advisory ==
== Advisory ==

[https://www.samba.org/samba/security/CVE-2020-14323.html Advisory CVE-2020-14323]

:Subject: Unprivileged user can crash winbind
:Subject: Unprivileged user can crash winbind
:GitHub Security Lab (GHSL) Vulnerability Report: 'GHSL-2020-134'
:GitHub Security Lab (GHSL) Vulnerability Report: 'GHSL-2020-134'
:CVE ID#:[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14323 CVE-2020-14323]
:CVE ID#:[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14323 CVE-2020-14323]
:Versions: All versions of Samba since Samba 3.6.0
:Versions: All versions of Samba since Samba 3.6.0

:Summary:
:Summary:
::With a specially crafted winbind request sent over the non-privileged winbind pipe winbind can be made to dereference a NULL pointer
::With a specially crafted winbind request sent over the non-privileged winbind pipe winbind can be made to dereference a NULL pointer


==Description==
==Description==



winbind in version 3.6 and later implements a request to translate multiple Windows SIDs into names in one request. This was done for performance reasons: Active Directory domain controllers can do multiple SID to name translations in one RPC call. It was an obvious extension to also offer this batch operation on the winbind unix domain stream socket that is available to local processes on the Samba server to reduce network round-trips to the domain controller.
winbind in version 3.6 and later implements a request to translate multiple Windows SIDs into names in one request. This was done for performance reasons: Active Directory domain controllers can do multiple SID to name translations in one RPC call. It was an obvious extension to also offer this batch operation on the winbind unix domain stream socket that is available to local processes on the Samba server to reduce network round-trips to the domain controller.

Latest revision as of 11:41, 2 November 2020

CVE-2020-14323 Unprivileged user can crash winbind

Advisory CVE-2020-14323

Advisory

Subject: Unprivileged user can crash winbind
GitHub Security Lab (GHSL) Vulnerability Report: 'GHSL-2020-134'
CVE ID#:CVE-2020-14323
Versions: All versions of Samba since Samba 3.6.0
Summary:
With a specially crafted winbind request sent over the non-privileged winbind pipe winbind can be made to dereference a NULL pointer

Description

winbind in version 3.6 and later implements a request to translate multiple Windows SIDs into names in one request. This was done for performance reasons: Active Directory domain controllers can do multiple SID to name translations in one RPC call. It was an obvious extension to also offer this batch operation on the winbind unix domain stream socket that is available to local processes on the Samba server to reduce network round-trips to the domain controller.

Due to improper input validation a hand-crafted packet can make winbind perform a NULL pointer dereference and thus crash.

Patch Availability

Patches addressing both these issues have been posted to:

   https://www.samba.org/samba/security/

Additionally, Samba 4.11.15, 4.12.9 and 4.13.1 have been issued as security releases to correct the defect. Samba administrators are advised to upgrade to these releases or apply the patch as soon as possible.

CVSSv3 calculation

CVSS 3.1: AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H (5.0)

Workaround and mitigating factors

Any user with local shell access to the machine running winbind can issue the winbind socket request. The only workaround is to disable shell access to exposed machines.

Typical file servers don't offer full local access, they are not affected.

Credits

Originally reported by Bas Alberts of the GitHub Security Lab Team as GHSL-2020-134.

Advisory written by Volker Lendecke of SerNet and the Samba Team.

Patches provided by Volker Lendecke of SerNet and the Samba Team.