Samba Patches Two Critical Vulnerabilities in Server Software

Two critical patches for the free networking software Samba were released Tuesday, addressing vulnerabilities that could allow a remote attacker to crash the print spooler service on servers running the software, or allow any authenticated user to change other users’ passwords, including the administrator’s.

Samba, a popular free and open source software suite, implements the Windows file and print sharing protocols so that those services can be shared among Windows, Linux and UNIX systems.

The first flaw, CVE-2018-1050, enables attackers to launch denial of service attacks against Samba’s print spooler when it runs as an external daemon, according to the Samba security release posted Tuesday.

According to Samba, CVE-2018-1050 affects all versions of Samba from 4.0.0 onward and stems from missing NULL pointer checks that can crash the external print spooler process.

The affected versions are vulnerable only when the Remote Procedure Call (RPC) Microsoft Print Spooler Subsystem service (spoolss) is configured to run as an external daemon: a long-running process that handles spoolss requests for all clients, rather than the default arrangement in which each client’s own server process handles them.

RPC is a model for distributed computing in which a client invokes a procedure on a remote server as though it were calling it locally. In Samba, spoolss is exposed as an RPC interface reached over an SMB named pipe.

Because some input parameters to spoolss RPC calls are not sanitized, a malformed call can crash the spooler daemon when the service is run externally, Samba said, which takes print handling down for every client served by that daemon rather than only for the caller.

“There is no known vulnerability associated with this error, merely a denial of service. If the RPC spoolss service is left by default as an internal service, all a client can do is crash its own authenticated connection,” said Samba.

Samba has fixed the issue in versions 4.7.6, 4.6.14 and 4.5.16. The bug was found with Synopsys’ Defensics fuzz-testing tool, according to Samba.
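A server is exposed to CVE-2018-1050 only when both conditions from the advisory hold: a 4.x release older than the fixed 4.5.16 / 4.6.14 / 4.7.6, and spoolss configured as an external daemon. The following check is an added example written for this article, not Samba’s own tooling. It assumes the documented smb.conf form `rpc_server:spoolss = external` in the `[global]` section (with `embedded` as the default), takes the version string as printed by `smbd -V`, and treats branches newer than 4.7 as already fixed (an assumption; the advisory lists only the three fixed releases). The smb.conf it parses is a constructed sample; point it at the real file (usually /etc/samba/smb.conf) in practice.

```python
"""Exposure check for CVE-2018-1050 (added example; not Samba code)."""
from __future__ import annotations
import re
from typing import Dict, Tuple

# Fixed releases per maintained branch, from the advisory.
FIXED = {(4, 5): (4, 5, 16), (4, 6): (4, 6, 14), (4, 7): (4, 7, 6)}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Accepts 'Version 4.7.5-Debian' (smbd -V output) or a plain '4.7.5'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version in {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def version_exposed(text: str) -> bool:
    """True if this release predates the fix on its branch."""
    v = parse_version(text)
    if v < (4, 0, 0):
        return False                  # advisory: 4.0.0 onward
    branch = v[:2]
    if branch in FIXED:
        return v < FIXED[branch]
    # 4.0-4.4 never received the fix; assumption: later branches ship it.
    return branch < (4, 5)


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal smb.conf reader: [section] headers, key = value, '#'/';' comments.
    Keys are lowercased with whitespace removed, mirroring Samba's parameter
    name normalisation. Good enough for this check; not a full parser."""
    conf: Dict[str, Dict[str, str]] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[section][re.sub(r"\s+", "", key).lower()] = value.strip()
    return conf


def spoolss_external(conf: Dict[str, Dict[str, str]]) -> bool:
    """The vulnerable configuration: spoolss served by a separate daemon."""
    value = conf.get("global", {}).get("rpc_server:spoolss", "embedded")
    return value.lower() == "external"


def exposed(version_text: str, smb_conf_text: str) -> bool:
    return version_exposed(version_text) and spoolss_external(parse_smb_conf(smb_conf_text))


# Constructed sample configuration that runs the spooler outside smbd.
SAMPLE_CONF = """
[global]
   workgroup = EXAMPLE
   # run the spooler as its own daemon (the setting the advisory cares about)
   rpc_server:spoolss = external
   rpc_daemon:spoolssd = fork

[printers]
   path = /var/spool/samba
   printable = yes
"""

if __name__ == "__main__":
    print("exposed:", exposed("Version 4.7.5-Debian", SAMPLE_CONF))
```

Hosts that keep the default embedded spooler are not exposed to the daemon crash, as the advisory notes, but they still receive the fix by upgrading.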

Meanwhile, the password vulnerability, CVE-2018-1057, also affects all versions of Samba from 4.0.0 onward. It allows any authenticated user to change other users’ passwords.

The flaw is in permission validation on the Lightweight Directory Access Protocol (LDAP) server of a Samba 4 Active Directory domain controller: it lets a user change other users’ passwords, including those of administrative users and privileged service accounts.

LDAP is a directory service protocol that runs over TCP/IP and provides the means to connect to, search and modify a directory.

“The LDAP server incorrectly validates certain LDAP password modifications against the ‘Change Password’ privilege, but then performs a password reset operation,” according to Samba’s release. “The change password right in AD is an extended object access right with the GUID ab721a53-1e2f-11d0-9819-00aa0040529b.”

According to Samba, this vulnerability affects only the Samba AD domain controller, not the read-only domain controller or the Samba3/NT4-like/classic domain controller.
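The distinction behind the advisory’s wording is that Active Directory has two separate extended rights on a user object: Change Password (GUID ab721a53-1e2f-11d0-9819-00aa0040529b, as quoted above), which AD grants to Everyone because a change must prove knowledge of the current password, and Reset Password, which sets a new password without the old one and is granted only to administrators and delegated helpdesk accounts. Authorising a request against the first right and then executing the second is what lets any authenticated user set anyone’s password. The model below is an added example for this article, not Samba’s code; it uses the standard AD GUID for Reset Password (00299570-246d-11d0-a768-00aa006e0529), a toy hash in place of the real password store, and a constructed directory of four accounts.

```python
"""Simplified model of the CVE-2018-1057 authorisation mistake (added example)."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Dict, Optional
import hashlib

CHANGE_PASSWORD_GUID = "ab721a53-1e2f-11d0-9819-00aa0040529b"  # quoted in the advisory
RESET_PASSWORD_GUID = "00299570-246d-11d0-a768-00aa006e0529"   # standard AD value


def _h(pw: str) -> str:
    """Stand-in for the stored password hash (not how Samba stores unicodePwd)."""
    return hashlib.sha256(pw.encode()).hexdigest()


@dataclass
class User:
    name: str
    pw_hash: str
    # Extended rights on this object: trustee -> set of right GUIDs.
    # As in AD, Everyone holds Change Password by default.
    acl: Dict[str, set] = field(default_factory=lambda: {"Everyone": {CHANGE_PASSWORD_GUID}})


@dataclass
class PasswordModify:
    """An LDAP modify of the password attribute. old is None for a
    replace-style request, i.e. one that only makes sense as a reset."""
    actor: str
    target: str
    new: str
    old: Optional[str] = None


def has_right(user: User, actor: str, guid: str) -> bool:
    return any(guid in rights for trustee, rights in user.acl.items()
               if trustee in ("Everyone", actor))


def vulnerable_modify(directory: Dict[str, User], req: PasswordModify) -> bool:
    """Validates a change-shaped request against Change Password, then performs
    a reset: the old password is never checked, so the Everyone grant suffices."""
    target = directory[req.target]
    if req.old is not None and has_right(target, req.actor, CHANGE_PASSWORD_GUID):
        target.pw_hash = _h(req.new)      # reset semantics behind a change check
        return True
    if has_right(target, req.actor, RESET_PASSWORD_GUID):
        target.pw_hash = _h(req.new)
        return True
    return False


def fixed_modify(directory: Dict[str, User], req: PasswordModify) -> bool:
    """A change must prove the old password; anything else is a reset and
    needs the Reset Password right on the target object."""
    target = directory[req.target]
    if req.old is not None and has_right(target, req.actor, CHANGE_PASSWORD_GUID):
        if _h(req.old) != target.pw_hash:
            return False                  # wrong old password: denied
        target.pw_hash = _h(req.new)
        return True
    if has_right(target, req.actor, RESET_PASSWORD_GUID):
        target.pw_hash = _h(req.new)
        return True
    return False


def make_directory() -> Dict[str, User]:
    """Constructed sample: an admin, two ordinary users, and a helpdesk
    account delegated Reset Password on bob only."""
    bob = User("bob", _h("bob-old"))
    bob.acl["helpdesk"] = {RESET_PASSWORD_GUID}
    return {
        "Administrator": User("Administrator", _h("adm-old")),
        "bob": bob,
        "mallory": User("mallory", _h("mal-old")),
        "helpdesk": User("helpdesk", _h("hd-old")),
    }


def demo() -> Dict[str, bool]:
    """Which requests succeed under each implementation."""
    attack = PasswordModify(actor="mallory", target="Administrator", new="pwned", old="guess")
    legit = PasswordModify(actor="bob", target="bob", new="bob-new", old="bob-old")
    reset = PasswordModify(actor="helpdesk", target="bob", new="tmp")
    return {
        "vuln_attack": vulnerable_modify(make_directory(), attack),
        "fixed_attack": fixed_modify(make_directory(), attack),
        "fixed_legit_change": fixed_modify(make_directory(), legit),
        "fixed_helpdesk_reset": fixed_modify(make_directory(), reset),
        "fixed_mallory_reset": fixed_modify(make_directory(), PasswordModify("mallory", "bob", "x")),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'allowed' if ok else 'denied'}")
```

The attack case shows the whole bug: mallory supplies a made-up old password for Administrator, the vulnerable path sees a change-shaped request and an Everyone grant of Change Password, and writes the new password as a reset.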

Security researcher Björn Baumbach of SerNet is credited with discovering CVE-2018-1057.

Samba said that while organizations prepare to apply the update, they can monitor their directory for unexpected changes to the pwdLastSet and msDS-KeyVersionNumber attributes, both of which change when a password is reset.
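One way to act on that advice is to dump those two attributes for every account on a schedule and diff consecutive dumps. The script below is an added example for this article, not Samba tooling. It assumes the dumps are in the LDIF shape that ldbsearch or ldapsearch print for these attributes (one `dn:` block per account, single-valued attributes, no base64 or folded lines), and the two snapshots it compares are constructed inline; the list of privileged DNs is a site-specific assumption.

```python
"""Detect password resets by diffing directory snapshots (added example)."""
from __future__ import annotations
from typing import Dict, List

# Attributes the advisory says to watch; both move on a reset.
WATCHED = ("pwdLastSet", "msDS-KeyVersionNumber")

# Assumption: accounts whose reset should always raise an alert.
PRIVILEGED = {
    "CN=Administrator,CN=Users,DC=example,DC=com",
    "CN=svc-backup,CN=Users,DC=example,DC=com",
}

Snapshot = Dict[str, Dict[str, str]]   # DN -> {attribute: value}


def parse_ldif(text: str) -> Snapshot:
    """Minimal LDIF reader for 'dn:' blocks carrying the watched attributes."""
    snap: Snapshot = {}
    dn = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(": ")
        if key == "dn":
            dn = value
            snap[dn] = {}
        elif dn is not None and key in WATCHED:
            snap[dn][key] = value
    return snap


def password_resets(before: Snapshot, after: Snapshot) -> List[dict]:
    """One finding per account whose watched attributes differ between snapshots."""
    findings = []
    for dn, new_attrs in after.items():
        old_attrs = before.get(dn)
        if old_attrs is None:
            continue                       # newly created account; not a reset
        changed = {a: (old_attrs.get(a), new_attrs.get(a))
                   for a in WATCHED if old_attrs.get(a) != new_attrs.get(a)}
        if changed:
            findings.append({"dn": dn, "changed": changed, "privileged": dn in PRIVILEGED})
    return findings


# Constructed snapshots: only Administrator's password moved between them.
BEFORE = """\
dn: CN=Administrator,CN=Users,DC=example,DC=com
pwdLastSet: 131655000000000000
msDS-KeyVersionNumber: 3

dn: CN=bob,CN=Users,DC=example,DC=com
pwdLastSet: 131650000000000000
msDS-KeyVersionNumber: 2

dn: CN=svc-backup,CN=Users,DC=example,DC=com
pwdLastSet: 131600000000000000
msDS-KeyVersionNumber: 5
"""

AFTER = """\
dn: CN=Administrator,CN=Users,DC=example,DC=com
pwdLastSet: 131660000000000000
msDS-KeyVersionNumber: 4

dn: CN=bob,CN=Users,DC=example,DC=com
pwdLastSet: 131650000000000000
msDS-KeyVersionNumber: 2

dn: CN=svc-backup,CN=Users,DC=example,DC=com
pwdLastSet: 131600000000000000
msDS-KeyVersionNumber: 5
"""


def run() -> List[dict]:
    return password_resets(parse_ldif(BEFORE), parse_ldif(AFTER))


if __name__ == "__main__":
    for f in run():
        tag = "PRIVILEGED " if f["privileged"] else ""
        print(f"{tag}password set on {f['dn']}: {f['changed']}")
```

The caveat a practitioner should keep in mind is that both attributes also move on a legitimate, user-initiated change and on any administrative reset, so a hit is a lead to correlate with the expected source of the change (self-service, helpdesk ticket, scheduled service account rotation), not proof of exploitation on its own.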

Samba has grappled with an array of vulnerabilities over the past 12 months, including two SMB-related man-in-the-middle bugs in September that enabled attackers to hijack client connections, and a vulnerability in May that could be exploited with one line of code and could have made way for a “wormable” exploit that spreads quickly.