Errata ID | 39 |
---|---|
Date | 2019-04-08 |
Source package | samba |
Fixed in version | 2:4.10.1-1A~4.4.0.201904031509 |
Description | This update addresses the following issues: * Update to Samba 4.10.1. * Improve `samba-tool ntacl sysvolcheck` to reduce the reporting of false positives. This is enabled with the new option `--mask-msad-differences`. Without the new option the reporting is unchanged. This is another step in the ongoing quest of improving the quality of this tool for NTACL inheritance. * Fix mode of dns_update_list and spn_update_list, broken after provision. * During the creation of a new Samba AD DC, files are created in the /var/lib/samba/private/ directory. During initial setup of a UCS domain controller with UCS 4.4 / Samba 4.10, two files were created with mode 0666, that is world-writable, including the list of DNS names and servicePrincipalName values to update. Most UCS Samba DCs upgraded from UCS 4.3-3 or earlier will however not be affected by this, because the bug was introduced with Samba 4.8 while UCS 4.3 systems are running Samba 4.7. For details see <https://www.samba.org/samba/security/CVE-2019-3870.html>. * Samba contains an RPC endpoint emulating the Windows registry service API. One of the requests, "winreg_SaveKey", is susceptible to a path/symlink traversal vulnerability. Unprivileged users can use it to create a new registry hive file anywhere they have UNIX permissions to create a new file within a Samba share. If they are able to create symlinks on a Samba share, they can create a new registry hive file anywhere they have write access, even outside a Samba share definition. Existing share restrictions such as "read only" or share ACLs do not prevent new registry hive files being written to the filesystem. A file may be written under any share definition wherever the user has UNIX permissions to create a file. Existing files cannot be overwritten using this vulnerability; only new registry hive files can be created. However, the presence of existing files with a specific name can be detected. Samba writes or detects the file as the authenticated user, but by UCS default the "Administrator" account is mapped to root, because it is configured as "admin user" in smb.conf. For details and possible mitigations see <https://www.samba.org/samba/security/CVE-2019-3880.html>. |
Additional notes | |
CVE ID | CVE-2019-3870 CVE-2019-3880 |
UCS Bug number | #49034 #46643 #49025 |
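
A check for the file-mode issue described under CVE-2019-3870, as an added example that is not part of the erratum or of the Samba/UCS tooling: it lists regular files with the other-write bit set in the private directory and can clear that bit. The function names are hypothetical; the default path is the one named above, and reading it normally requires root.

```shell
#!/bin/sh
# Added example: audit a Samba private directory for world-writable files
# (the mode 0666 problem described for CVE-2019-3870).
# Default directory is the one named in the erratum; pass another as $1.

# Print every regular file under DIR whose mode has the other-write bit set.
list_world_writable() {
    dir=${1:-/var/lib/samba/private}
    find "$dir" -type f -perm -0002 -print 2>/dev/null | sort
}

# Return 0 when clean, 1 when world-writable files exist, 2 when unreadable.
audit_private_dir() {
    dir=${1:-/var/lib/samba/private}
    if [ ! -d "$dir" ] || [ ! -r "$dir" ]; then
        echo "cannot read $dir (run as root?)" >&2
        return 2
    fi
    hits=$(list_world_writable "$dir")
    if [ -n "$hits" ]; then
        echo "world-writable files in $dir:"
        echo "$hits" | sed 's/^/  /'
        return 1
    fi
    echo "no world-writable files in $dir"
    return 0
}

# Remove only the other-write bit; owner and group bits stay as they are.
fix_world_writable() {
    dir=${1:-/var/lib/samba/private}
    find "$dir" -type f -perm -0002 -exec chmod o-w {} +
}

# Run the audit only when asked, e.g.:  sh check.sh --audit [DIR]
if [ "${1:-}" = "--audit" ]; then
    audit_private_dir "${2:-}"
fi
```

Run the audit before and after installing the update; a non-zero exit on a freshly provisioned UCS 4.4 DC points at the files the erratum describes.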