SAMBA+ 4.19.2 available, CVE-2018-14628: action required

SAMBA+ 4.19.2-4 has just been released by SerNet's Samba team. Packages for various SUSE and Red Hat platforms as well as for Debian GNU/Linux, Ubuntu and AIX are available now.

https://www.samba.org/samba/history/samba-4.19.2.html

In addition to the fixes listed in the release notes above, SAMBA+ contains two further notable fixes:

A fix for Kerberos User2User TGS-REQ, which under certain conditions may prevent users from retrieving tickets for themselves: https://bugzilla.samba.org/show_bug.cgi?id=15492

Even more important is the second additional change, which fixes the permissions of the Deleted Objects container (CVE-2018-14628). However, a command has to be run to fix the permissions, because the ACLs on the container are not changed automatically. To fix the permissions, do the following:

==================================================
Action required in order to resolve CVE-2018-14628
==================================================

The patched Samba does NOT protect existing domains!

The administrator needs to run the following command (on only one domain controller) in order to apply the protection to an existing domain:

  samba-tool dbcheck --cross-ncs --attrs=nTSecurityDescriptor --fix

The above requires manual interaction in order to review the changes before they are applied. A typical question looks like this:

  Reset nTSecurityDescriptor on CN=Deleted Objects,DC=samba,DC=org back to provision default?
        Owner mismatch: SY (in ref) DA(in current)
        Group mismatch: SY (in ref) DA(in current)
        Part dacl is different between reference and current here is the detail:
                (A;;LCRPLORC;;;AU) ACE is not present in the reference
                (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY) ACE is not present in the reference
                (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA) ACE is not present in the reference
                (A;;CCDCLCSWRPWPSDRCWDWO;;;SY) ACE is not present in the current
                (A;;LCRP;;;BA) ACE is not present in the current
   [y/N/all/none] y
  Fixed attribute 'nTSecurityDescriptor' of 'CN=Deleted Objects,DC=samba,DC=org'

The change should be confirmed with 'y' for all objects starting with 'CN=Deleted Objects'.
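As an added illustration (not part of this announcement or of Samba's own tooling), the following script decodes the SDDL ACE lines from the sample dbcheck output above and lists, per trustee, which rights the fix removes from the live descriptor and which it restores from the provision default. The sample output is embedded as constructed input copied from the text; the right and trustee abbreviations are the standard SDDL ones.

```python
import re

# Access-right abbreviations used in SDDL ACE strings for AD objects.
RIGHTS = {
    "CC": "create child", "DC": "delete child", "LC": "list children",
    "SW": "self write", "RP": "read property", "WP": "write property",
    "DT": "delete tree", "LO": "list object", "CR": "control access",
    "SD": "standard delete", "RC": "read control", "WD": "write DAC",
    "WO": "write owner",
}
# Well-known SID aliases that appear in the sample dbcheck output.
TRUSTEES = {"AU": "Authenticated Users", "SY": "Local System",
            "DA": "Domain Admins", "BA": "Builtin Administrators"}

ACE_LINE = re.compile(r"\((?P<ace>[^)]*)\) ACE is not present in the (?P<side>reference|current)")

# Constructed input: the dbcheck dialogue quoted in the announcement.
SAMPLE_OUTPUT = """\
Reset nTSecurityDescriptor on CN=Deleted Objects,DC=samba,DC=org back to provision default?
      Owner mismatch: SY (in ref) DA(in current)
      Group mismatch: SY (in ref) DA(in current)
      Part dacl is different between reference and current here is the detail:
              (A;;LCRPLORC;;;AU) ACE is not present in the reference
              (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY) ACE is not present in the reference
              (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA) ACE is not present in the reference
              (A;;CCDCLCSWRPWPSDRCWDWO;;;SY) ACE is not present in the current
              (A;;LCRP;;;BA) ACE is not present in the current
"""

def parse_ace(ace):
    """Split 'type;flags;rights;object;inherit;sid' and expand the rights."""
    ace_type, _flags, rights, _obj, _inh, sid = ace.split(";")
    codes = [rights[i:i + 2] for i in range(0, len(rights), 2)]
    return {"type": ace_type, "trustee": TRUSTEES.get(sid, sid),
            "rights": [RIGHTS.get(c, c) for c in codes]}

def summarize_fix(output):
    """Map each trustee to the rights that --fix removes and adds.

    'not present in the reference': the live descriptor carries an ACE the
    provision default lacks, so --fix removes it.  'not present in the
    current': the default has it and --fix puts it back.
    """
    summary = {}
    for m in ACE_LINE.finditer(output):
        ace = parse_ace(m.group("ace"))
        entry = summary.setdefault(ace["trustee"], {"removed": [], "added": []})
        key = "removed" if m.group("side") == "reference" else "added"
        entry[key].extend(ace["rights"])
    return summary

if __name__ == "__main__":
    for trustee, change in summarize_fix(SAMPLE_OUTPUT).items():
        print(f"{trustee}: removed={change['removed']} added={change['added']}")
```

Run against the real dbcheck output (without --fix) to see what the reset will change on each object before confirming it; for the sample, Authenticated Users loses list/read access to the container and only Builtin Administrators regain a list/read entry.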

The next updates of the 4.17 and 4.18 SAMBA+ packages will also address CVE-2018-14628.

SAMBA+ packages are available as software subscriptions and can be purchased in the SAMBA+ shop. Detailed information and prices can be found at https://usdshop.samba.plus (currency: USD) or https://shop.samba.plus (currency: EUR). The new SAMBA+ packages are included in the existing subscriptions. If you have any further questions or would like to request a quote, please feel free to contact us.

SerNet Samba Team
