SAMBA+ 4.19.2 available, CVE-2018-14628: action required

SAMBA+ 4.19.2-4 has just been released by SerNet's Samba team. Packages for various SUSE and Red Hat platforms as well as for Debian GNU/Linux, Ubuntu and AIX are available now.

https://www.samba.org/samba/history/samba-4.19.2.html

In addition to the fixed from the release notes above SAMBA+ contains also 2 additional notable fixes:

A fix for Kerboros User2User TGS-REQ, which may prevent users to retrieve tickets for themselves in certain conditions: https://bugzilla.samba.org/show_bug.cgi?id=15492

Even more important is the second additional change, which fixes the permission of the deleted objects container (CVE-2018-14628). It is however required to run a command to fix the permission, because the ACLs on the container will not be changed automatically. What you will have to do to fix the permission is this:

==================================================
Action required in order to resolve CVE-2018-14628
==================================================

The patched Samba does NOT protect existing domains!

The administrator needs to run the following command (on only one domain controller) in order to apply the protection to an existing domain:

  samba-tool dbcheck --cross-ncs --attrs=nTSecurityDescriptor --fix

The above requires manual interaction in order to review the changes before they are applied. Typicall question look like this:

  Reset nTSecurityDescriptor on CN=Deleted Objects,DC=samba,DC=org back to provision default?
        Owner mismatch: SY (in ref) DA(in current)
        Group mismatch: SY (in ref) DA(in current)
        Part dacl is different between reference and current here is the detail:
                (A;;LCRPLORC;;;AU) ACE is not present in the reference
                (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY) ACE is not present in the reference
                (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA) ACE is not present in the reference
                (A;;CCDCLCSWRPWPSDRCWDWO;;;SY) ACE is not present in the current
                (A;;LCRP;;;BA) ACE is not present in the current
   [y/N/all/none] y
  Fixed attribute 'nTSecurityDescriptor' of 'CN=Deleted Objects,DC=samba,DC=org'

The change should be confirmed with 'y' for all objects starting with 'CN=Deleted Objects'.

The next updates of the 4.17 and 4.18 SAMBA+ packages will also address CVE-2018-14628.

SAMBA+ packages are available as software subscriptions and can be purchased in the SAMBA+ shop. Detailed information and prices can be found at https://usdshop.samba.plus (currency: USD) or https://shop.samba.plus (currency: EUR). The new SAMBA+ packages are included in the existing subscriptions. If you have any further questions or would like to request a quote, please feel free to contact us.

SerNet Samba Team

Newsletter

SerNet's Samba newsletter informs you about all important developments and events with its main focus on new packages.

+ subscribe to Newsletter

RSS Feed

Don't miss any more SAMBA+ news? Read the latest in your feed reader of choice.

+ subscribe to RSS feed

SAMBA+ Shop

Buy software subscriptions and support budgets. SAMBA+ subscriptions are available for 1, 2 and 3 years at the SAMBA+ shop.

+ visit the US Shop ($)

+ visit the World Shop (€)

Contact us
Contact

We are here for you!

Our sales team is happy to help you with any questions about all Samba products and services from SerNet - personally and individually tailored to your needs.

You can call us directly at +1 (415) 248-7818
or outside the US at +49 551 370000-0.
Mail us at sales@remove-this.sernet.com.

Contact us!

linke Spalte
rechte Splate
captcha
* Mandatory Fields
Deutsch English Français