From URL: "The following applies to Samba used as domain controller only (most seriously the Active Directory DC, but also the classic/NT4-style DC). Installations running Samba as a file server only are not directly affected by this flaw, though they may need configuration changes to continue to talk to domain controllers (see "file servers and domain members" below). The netlogon protocol contains a flaw that allows an authentication bypass. This was reported and patched by Microsoft as CVE-2020-1472. Since the bug is a protocol level flaw, and Samba implements the protocol, Samba is also vulnerable. However, since version 4.8 (released in March 2018), the default behaviour of Samba has been to insist on a secure netlogon channel, which is a sufficient fix against the known exploits. This default is equivalent to having 'server schannel = yes' in the smb.conf. Therefore versions 4.8 and above are not vulnerable unless they have the smb.conf lines 'server schannel = no' or 'server schannel = auto'. Samba versions 4.7 and below are vulnerable unless they have 'server schannel = yes' in the smb.conf. Note each domain controller needs the correct settings in its smb.conf. Vendors supporting Samba 4.7 and below are advised to patch their installations and packages to add this line to the [global] section if their smb.conf file. The 'server schannel = yes' smb.conf line is equivalent to Microsoft's 'FullSecureChannelProtection=1' registry key, the introduction of which we understand forms the core of Microsoft's fix. Consequences ============ [...] The krbtgt password allows the attacker to issue a 'golden ticket' to themselves and return to take over the domain at any point in the future. Other consequences includes disclosure of session keys, as well as general denial of service to the trust account selected. [...] Exploitability of Samba despite 'server schannel = yes' ======================================================= The published proof of concept exploit for this issue only attempts to authenticate to the NetLogon service but does not attempt a takeover of the domain. On domains with 'server schannel = yes', these tests claim to show a vulnerability against Samba despite being unable to access any privileged functionality. This Samba release adds additional server checks for the protocol attack in the client-specified challenge that provides some protection when 'server schannel = no/auto' and avoids this false-positive result. These server checks are identical to the server logic added by Microsoft for their patch for the Windows server code for CVE-2020-1472. The Samba Team would like to thank Microsoft for their disclosure of the method used to prevent the proof of concept exploit code from working against such a hardened server." [Snippets taken].
Please bump to 4.10.18, 4.11.13, and 4.12.7. 4.13.0_rc6 is also out, but 4.13 does not yet have keywords in Gentoo.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=308c7877323618ba61ca09ed8ea6683d66198ebd commit 308c7877323618ba61ca09ed8ea6683d66198ebd Author: Lars Wendler <polynomial-c@gentoo.org> AuthorDate: 2020-09-23 07:31:23 +0000 Commit: Lars Wendler <polynomial-c@gentoo.org> CommitDate: 2020-09-23 08:01:44 +0000 net-fs/samba: Security bump to versions 4.11.13, 4.12.7 and 4.13.0 Bug: https://bugs.gentoo.org/743433 Package-Manager: Portage-3.0.8, Repoman-3.0.1 Signed-off-by: Lars Wendler <polynomial-c@gentoo.org> net-fs/samba/Manifest | 4 +- net-fs/samba/samba-4.11.13.ebuild | 321 +++++++++++++++++++++ net-fs/samba/samba-4.12.7.ebuild | 319 ++++++++++++++++++++ ...samba-4.13.0_rc5.ebuild => samba-4.13.0.ebuild} | 2 +- 4 files changed, 644 insertions(+), 2 deletions(-)
arm stable
ppc stable
ppc64 stable
sparc stable
x86 stable
arm64 done
amd64 stable. Maintainer(s), please cleanup. Security, please vote.
Unable to check for sanity: > no match for package: net-fs/samba-4.11.13
Thanks.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e976d174e083ec5b3d31b26c3df6aafb55a5beb6 commit e976d174e083ec5b3d31b26c3df6aafb55a5beb6 Author: Lars Wendler <polynomial-c@gentoo.org> AuthorDate: 2020-10-23 11:54:46 +0000 Commit: Lars Wendler <polynomial-c@gentoo.org> CommitDate: 2020-10-23 12:08:35 +0000 net-fs/samba: Security cleanup Bug: https://bugs.gentoo.org/743433 Package-Manager: Portage-3.0.8, Repoman-3.0.2 Signed-off-by: Lars Wendler <polynomial-c@gentoo.org> net-fs/samba/Manifest | 1 - net-fs/samba/samba-4.11.11-r1.ebuild | 321 ----------------------------------- net-fs/samba/samba-4.12.6-r1.ebuild | 319 ---------------------------------- 3 files changed, 641 deletions(-)
New GLSA request filed.
This issue was resolved and addressed in GLSA 202012-24 at https://security.gentoo.org/glsa/202012-24 by GLSA coordinator Thomas Deutschmann (whissi).