Insufficient and improper checking in the NFS server code could cause a denial of service or possibly remote code execution via a specially crafted network packet. The function nfsrvd_compound() started statistics gathering for an operation before the operation number (the variable called "op") was sanity checked.
Month: November 2018
ASA-2018-00062 – FreeBSD: Missing validation in nfsrvd_readdirplus()
Insufficient and improper checking in the NFS server code could cause a denial of service or possibly remote code execution via a specially crafted network packet. Missing validation checking for the dircount hint argument to NFSv3's ReaddirPlus and NFSv4's Readdir operations. The code checked for a zero argument, but did not check for a very large value. This patch clips dircount at the server's maximum data size.
ASA-2018-00061 – Samba: Bad password count in AD DC not always effective
By default, Samba will remember bad passwords for 30min: eg: $ samba-tool domain passwordsettings show ... Reset account lockout after (mins): 30 This is also known as the 'bad password observation window' and is configured in the lockOutObservationWindow attribute on the domain DN or in a fine-grained password policy (also known as a Password Settings Object - PSO). If this value is set to more than 3 minutes, bad password lockout may be ineffective. If the setting were 8-10 minutes or 15-16 minutes, Samba would still offer some bad password lockout protection, but would use a smaller observation window than configured (somewhere between 41 and 170 seconds, depending on the actual configured setting). For all other configured observation windows over 3 minutes (including the default), bad password counting will not work. This will mean the badPwdCount attribute (which stores repeated bad password attempts) will never exceed 1. The 'account lockout threshold' will therefore not be hit, and the user would never get locked out.
ASA-2018-00060 – Samba: AD DC S4U2Self Crash in experimental MIT Kerberos configuration
A user in a Samba AD domain can crash the KDC when Samba is built in the non-default MIT Kerberos configuration.
ASA-2018-00059 – Samba: NULL pointer de-reference in Samba AD DC DNS servers
During the processing of an DNS zone in the DNS management DCE/RPC server, the internal DNS server or the Samba DLZ plugin for BIND9, if the DSPROPERTY_ZONE_MASTER_SERVERS property or DSPROPERTY_ZONE_SCAVENGING_SERVERS property is set, the server will follow a NULL pointer and terminate. There is no further vulnerability associated with this issue, merely a denial of service.
ASA-2018-00058 – Samba: NULL pointer de-reference in Samba AD DC LDAP server
During the processing of an LDAP search before Samba's AD DC returns the LDAP entries to the client, the entries are cached in a single memory object with a maximum size of 256MB. When this size is reached, the Samba process providing the LDAP service will follow the NULL pointer, terminating the process. There is no further vulnerability associated with this issue, merely a denial of service.
ASA-2018-00057 – Samba: Double-free in Samba AD DC KDC with PKINIT
When configured to accept smart-card authentication, Samba's KDC will call talloc_free() twice on the same memory if the principal in a validly signed certificate does not match the principal in the AS-REQ. This is only possible after authentication with a trusted certificate. talloc is robust against further corruption from a double-free with talloc_free() and directly calls abort(), terminating the KDC process. There is no further vulnerability associated with this issue, merely a denial of service.
ASA-2018-00056 – Samba: Unprivileged adding of CNAME record causing loop in AD Internal DNS server
All versions of Samba from 4.0.0 onwards are vulnerable to infinite query recursion caused by CNAME loops. Any dns record can be added via ldap by an unprivileged user using the ldbadd tool, so this is a security issue.