Updated Samba packages have been released for Arch Linux to address multiple issues, including arbitrary filesystem access, insufficient validation, and denial of service.
Arch Linux Security Advisory ASA-201911-6
=========================================
Severity: Medium
Date : 2019-11-03
CVE-ID : CVE-2019-10218 CVE-2019-14833 CVE-2019-14847
Package : samba
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-1057
Summary
=======
The package samba before version 4.10.10-1 is vulnerable to multiple issues including arbitrary filesystem access, insufficient validation and denial of service.
Resolution
==========
Upgrade to 4.10.10-1.
# pacman -Syu "samba>=4.10.10-1"
The problems have been fixed upstream in version 4.10.10.
Workaround
==========
None.
Description
===========
- CVE-2019-10218 (arbitrary filesystem access)
An issue has been found in Samba before 4.10.10 where a malicious server can craft a pathname containing separators and return it to client code, causing the client to use this to access local pathnames for reading or writing instead of SMB network pathnames.
- CVE-2019-14833 (insufficient validation)
A security issue has been found in Samba before 4.10.10, where the check password script does not receive the full password string when the password contains multi-byte (non-ASCII) characters.
Since Samba version 4.5.0, a Samba AD DC can use a custom command to verify password complexity. The command is specified with the "check password script" smb.conf parameter and is called whenever Samba handles a user password change or sets a new user password. The script receives the new cleartext password string so that it can run custom complexity checks, such as dictionary checks, to reject weak user passwords. If the "check password script" parameter is not set, Samba runs its internal password quality checks, which require that a password contains characters from three of five different character categories.
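The following is an added example of what a "check password script" looks like; it is not Samba's own code and not part of the advisory. It assumes the documented interface (Samba writes the new cleartext password to the script's stdin and treats exit status 0 as "accept", anything else as "reject"), a site minimum length of 12 characters, and a five-category split modelled on the internal "three of five" rule described above; the exact category boundaries, the stripping of one trailing newline, and the function names are assumptions of this example. Reading stdin as raw bytes and decoding it as UTF-8 makes every check operate on characters rather than bytes, so a non-ASCII password is measured correctly and a truncated multi-byte sequence, the symptom described for CVE-2019-14833, is rejected instead of being silently accepted as a shorter ASCII string.

```python
#!/usr/bin/env python3
"""Example Samba "check password script" (added example, not Samba's own code).

Configure in smb.conf as:   check password script = /usr/local/sbin/check_password.py
Samba writes the new cleartext password to stdin; exit 0 accepts it, non-zero rejects.
"""
import sys

MIN_LENGTH = 12           # assumed site policy, not a Samba default
REQUIRED_CATEGORIES = 3   # mirrors the "three of five" rule in Samba's internal check


def categories(password: str) -> set:
    """Return the set of character categories present in the password.

    Five categories, modelled on the advisory's description; the precise
    boundaries used here are an assumption of this example.
    """
    found = set()
    for ch in password:
        if ord(ch) >= 128:
            found.add("other")        # any non-ASCII (multi-byte in UTF-8) character
        elif ch.isupper():
            found.add("upper")
        elif ch.islower():
            found.add("lower")
        elif ch.isdigit():
            found.add("digit")
        else:
            found.add("special")      # ASCII punctuation, symbols, space
    return found


def is_acceptable(password: str) -> bool:
    """Length is counted in characters, not bytes, so 'ö' counts once."""
    if len(password) < MIN_LENGTH:
        return False
    return len(categories(password)) >= REQUIRED_CATEGORIES


def check_stdin_bytes(raw: bytes) -> int:
    """Map the raw stdin payload to the exit status Samba expects (0 accept, 1 reject)."""
    try:
        password = raw.decode("utf-8")
    except UnicodeDecodeError:
        # A cut-off multi-byte sequence is not a valid password: reject it
        # rather than guessing what the caller meant to send.
        return 1
    if password.endswith("\n"):       # tolerate one trailing newline (assumption)
        password = password[:-1]
    return 0 if is_acceptable(password) else 1


if __name__ == "__main__":
    sys.exit(check_stdin_bytes(sys.stdin.buffer.read()))
```

With a fixed Samba, the script sees the whole password; on an affected version, a password such as "passwörter-ohne-zahl" could arrive cut short, and the length and decode checks above are what turn that into a rejection instead of a weak password being accepted.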
- CVE-2019-14847 (denial of service)
A denial of service has been found in Samba before 4.10.10, where users with the "get changes" extended access right can crash the AD DC LDAP server by requesting an attribute using the range= syntax.
By default, the supported versions of Samba impacted by this issue run using the "standard" process model, which is unaffected. This is controlled by the -M or --model parameter to the samba binary. Unsupported Samba versions before Samba 4.7 use a single process for the LDAP server, and so are impacted. Samba 4.8, 4.9 and 4.10 are impacted if -M prefork or -M single is used. To mitigate this issue, select -M standard (the default).
Impact
======
A malicious SMB server can make a vulnerable client read and write local files via arbitrary paths, and a user holding the "get changes" right can crash the AD DC LDAP server when a non-default process model is in use.
References
==========
https://www.samba.org/samba/security/CVE-2019-10218.html
https://www.samba.org/samba/ftp/patches/security/samba-4.10.9-security-2019-10-29.patch
https://www.samba.org/samba/security/CVE-2019-14833.html
https://download.samba.org/pub/samba/patches/security/samba-4.10.9-security-2019-10-29.patch
https://www.samba.org/samba/security/CVE-2019-14847.html
https://security.archlinux.org/CVE-2019-10218
https://security.archlinux.org/CVE-2019-14833
https://security.archlinux.org/CVE-2019-14847