Date: Sat, 5 Aug 2023 06:03:43 GMT From: Yasuhiro Kimura <yasu@FreeBSD.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org Subject: git: 3f30fc05f43a - main - security/vuxml: Document multiple vulnerabilities in Samba Message-ID: <202308050603.37563hwU093729@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch main has been updated by yasu: URL: https://cgit.FreeBSD.org/ports/commit/?id=3f30fc05f43a38cea67ecab0bef9f5e674dd5559 commit 3f30fc05f43a38cea67ecab0bef9f5e674dd5559 Author: Yasuhiro Kimura <yasu@FreeBSD.org> AuthorDate: 2023-07-21 09:27:44 +0000 Commit: Yasuhiro Kimura <yasu@FreeBSD.org> CommitDate: 2023-08-05 06:02:23 +0000 security/vuxml: Document multiple vulnerabilities in Samba PR: 272638 --- security/vuxml/vuln/2023.xml | 141 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 141 insertions(+) diff --git a/security/vuxml/vuln/2023.xml b/security/vuxml/vuln/2023.xml index 1252e5b3cec6..64ad8330f851 100644 --- a/security/vuxml/vuln/2023.xml +++ b/security/vuxml/vuln/2023.xml @@ -1,3 +1,144 @@ + <vuln vid="441e1e1a-27a5-11ee-a156-080027f5fec9"> + <topic>samba -- multiple vulnerabilities</topic> + <affects> + <package> + <name>samba416</name> + <range><lt>4.16.11</lt></range> + </package> + <package> + <name>samba413</name> + <range><lt>4.13.18</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml">; + <p>The Samba Team reports:</p> + <blockquote cite="https://www.samba.org/samba/latest_news.html#4.18.5">; + <dl> + <dt>CVE-2023-34967: Samba Spotlight mdssvc RPC Request Type Confusion Denial-of-Service Vulnerability</dt> + <dd> + When parsing Spotlight mdssvc RPC packets, one encoded + data structure is a key-value style dictionary where the + keys are character strings and the values can be any of + the supported types in the mdssvc protocol. Due to a + lack of type checking in callers of the function + dalloc_value_for_key(), which returns the object + associated with a key, a caller may trigger a crash in + talloc_get_size() when talloc detects that the passed in + pointer is not a valid talloc pointer. + + As RPC worker processes are shared among multiple client + connections, a malicious client can crash the worker + process affecting all other clients that are also served + by this worker. + </dd> + <dt>CVE-2022-2127: Out-Of-Bounds read in winbind AUTH_CRAP</dt> + <dd> + When doing NTLM authentication, the client sends replies + to cryptographic challenges back to the server. These + replies have variable length. Winbind did not properly + bounds-check the lan manager response length, which + despite the lan manager version no longer being used is + still part of the protocol. + + If the system is running Samba's ntlm_auth as + authentication backend for services like Squid (or a + very unusual configuration with FreeRADIUS), the + vulnarebility is remotely exploitable + + If not so configured, or to exploit this vulnerability + locally, the user must have access to the privileged + winbindd UNIX domain socket (a subdirectory with name + 'winbindd_privileged' under "state directory", as set in + the smb.conf). + + This access is normally only given so special system + services like Squid or FreeRADIUS, that use this + feature. + </dd> + <dt>CVE-2023-34968: Spotlight server-side Share Path Disclosure</dt> + <dd> + As part of the Spotlight protocol, the initial request + returns a path associated with the sharename targeted by + the RPC request. Samba returns the real server-side + share path at this point, as well as returning the + absolute server-side path of results in search queries + by clients. + + Known server side paths could be used to mount + subsequent more serious security attacks or could + disclose confidential information that is part of the + path. + + To mitigate the issue, Samba will replace the real + server-side path with a fake path constructed from the + sharename. + </dd> + <dt>CVE-2023-34966: Samba Spotlight mdssvc RPC Request Infinite Loop Denial-of-Service Vulnerability</dt> + <dd> + When parsing Spotlight mdssvc RPC packets sent by the + client, the core unmarshalling function sl_unpack_loop() + did not validate a field in the network packet that + contains the count of elements in an array-like + structure. By passing 0 as the count value, the attacked + function will run in an endless loop consuming 100% CPU. + + This bug only affects servers where Spotlight is + explicitly enabled globally or on individual shares with + "spotlight = yes". + </dd> + <dt>CVE-2023-3347: SMB2 packet signing not enforced</dt> + <dd> + SMB2 packet signing is not enforced if an admin + configured "server signing = required" or for SMB2 + connections to Domain Controllers where SMB2 packet + signing is mandatory. + + SMB2 packet signing is a mechanism that ensures the + integrity and authenticity of data exchanged between a + client and a server using the SMB2 protocol. + + It provides protection against certain types of attacks, + such as man-in-the-middle attacks, where an attacker + intercepts network traffic and modifies the SMB2 + messages. + + Both client and server of an SMB2 connection can require + that signing is being used. The server-side setting in + Samba to configure signing to be required is "server + signing = required". Note that on an Samba AD DCs this + is also the default for all SMB2 connections. + + Unless the client requires signing which would result in + signing being used on the SMB2 connection, sensitive + data might have been modified by an attacker. + + Clients connecting to IPC$ on an AD DC will require + signed connections being used, so the integrity of these + connections was not affected. + </dd> + </dl> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2023-34967</cvename> + <cvename>CVE-2022-2127</cvename> + <cvename>CVE-2023-34968</cvename> + <cvename>CVE-2023-34966</cvename> + <cvename>CVE-2023-3347</cvename> + <url>https://www.samba.org/samba/security/CVE-2023-34967.html</url>; + <url>https://www.samba.org/samba/security/CVE-2022-2127.html</url>; + <url>https://www.samba.org/samba/security/CVE-2023-34968.html</url>; + <url>https://www.samba.org/samba/security/CVE-2023-34966.html</url>; + <url>https://www.samba.org/samba/security/CVE-2023-3347.html</url>; + </references> + <dates> + <discovery>2023-07-19</discovery> + <entry>2023-08-05</entry> + </dates> + </vuln> + <vuln vid="6e4e8e87-9fb8-4e32-9f8e-9b4303f4bfd5"> <topic>chromium -- multiple vulnerabilities</topic> <affects>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202308050603.37563hwU093729>