Bug 27299 - samba new security issue CVE-2020-1472
Summary: samba new security issue CVE-2020-1472
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-09-21 19:54 CEST by David Walser
Modified: 2020-09-30 12:03 CEST (History)
5 users (show)

See Also:
Source RPM: samba-4.10.17-1.mga7.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2020-09-21 19:54:41 CEST 
Samba has issued an advisory on September 18:
https://www.samba.org/samba/security/CVE-2020-1472.html

The issue is fixed upstream in 4.10.18 and 4.12.7:
https://www.samba.org/samba/history/samba-4.10.18.html
https://www.samba.org/samba/history/samba-4.12.7.html

Mageia 7 is also affected (though we're not affected in the default configuration).
David Walser 2020-09-21 19:54:49 CEST

Whiteboard: (none) => MGA7TOO

Comment 1 David Walser 2020-09-22 20:20:06 CEST 
Ubuntu has issued an advisory for this on September 17:
https://ubuntu.com/security/notices/USN-4510-1

Severity: normal => major

Comment 2 Buchan Milne 2020-09-26 23:53:35 CEST 
4.10.18 submitted to core/updates_testing for mga7 from r1630707

4.12.7 in progress for cauldron
Comment 3 David Walser 2020-09-27 01:13:27 CEST 
Package list for Mageia 7:
samba-4.10.18-1.mga7
samba-client-4.10.18-1.mga7
samba-common-4.10.18-1.mga7
samba-dc-4.10.18-1.mga7
libsamba-dc0-4.10.18-1.mga7
libkdc-samba4_2-4.10.18-1.mga7
libheimntlm-samba4_1-4.10.18-1.mga7
libsamba-devel-4.10.18-1.mga7
samba-krb5-printing-4.10.18-1.mga7
libsamba1-4.10.18-1.mga7
libsmbclient0-4.10.18-1.mga7
libsmbclient-devel-4.10.18-1.mga7
libwbclient0-4.10.18-1.mga7
libwbclient-devel-4.10.18-1.mga7
python2-samba-4.10.18-1.mga7
python3-samba-4.10.18-1.mga7
samba-pidl-4.10.18-1.mga7
samba-test-4.10.18-1.mga7
libsamba-test0-4.10.18-1.mga7
samba-winbind-4.10.18-1.mga7
samba-winbind-clients-4.10.18-1.mga7
samba-winbind-krb5-locator-4.10.18-1.mga7
samba-winbind-modules-4.10.18-1.mga7
ctdb-4.10.18-1.mga7
ctdb-tests-4.10.18-1.mga7
Comment 4 David Walser 2020-09-28 02:38:48 CEST 
samba-4.12.7-1.mga8 uploaded for Cauldron by Buchan.  Mageia 7 package list in Comment 3.

Advisory:
========================

Updated samba packages fix security vulnerability:

When Samba is used as a domain controller, an unauthenticated attacker on the
network can gain administrator access by exploiting a netlogon protocol flaw
(CVE-2020-1472).

Note that Samba installations are not vulnerable unless they have the smb.conf
lines 'server schannel = no' or 'server schannel = auto'.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1472
https://www.samba.org/samba/history/samba-4.10.18.html
https://www.samba.org/samba/security/CVE-2020-1472.html

CC: (none) => bgmilne
Version: Cauldron => 7
Source RPM: samba-4.12.6-1.mga8.src.rpm, samba-4.10.17-1.mga7.src.rpm => samba-4.10.17-1.mga7.src.rpm
Whiteboard: MGA7TOO => (none)
Assignee: bgmilne => qa-bugs

Comment 5 Herman Viaene 2020-09-28 15:58:30 CEST 
MGA7-64 Plasma on Lenovo B50
No installation issues
Ref bug 26566 Comment 4 for testing
Used MCC to do basic setup of samba server, used webmin to define samba users
Could connect to my own samba server from this laptop by:
$ smbclient  //mach1/herman -U herman
Enter MYGROUP\herman's password: 
Try "help" to get a list of possible commands.
smb: \> help
?              allinfo        altname        archive        backup         
blocksize      cancel         case_sensitive cd             chmod          
chown          close          del            deltree        dir            
du             echo           exit           get            getfacl        
geteas         hardlink       help           history        iosize         
lcd            link           lock           lowercase      ls             
l              mask           md             mget           mkdir          
more           mput           newer          notify         open           
posix          posix_encrypt  posix_open     posix_mkdir    posix_rmdir    
posix_unlink   posix_whoami   print          prompt         put            
pwd            q              queue          quit           readlink       
rd             recurse        reget          rename         reput          
rm             rmdir          showacls       setea          setmode        
scopy          stat           symlink        tar            tarmode        
timeout        translate      unlock         volume         vuid           
wdel           logon          listconnect    showconnect    tcon           
tdis           tid            utimes         logoff         ..             
!              
smb: \> pwd
Current directory is \\mach1\herman\
smb: \> ls
  .                                   D        0  Mon Sep 28 11:26:20 2020
  ..                                  D        0  Fri Sep  4 10:06:10 2020
  Viaene-2020-08-07-17-48-13.gramps      N   509508  Fri Aug  7 17:48:17 2020
  rpmbuild                            D        0  Sun Aug 16 11:16:34 2020
  idkaartherman.jpg                   N   235947  Thu Sep 23 17:27:46 2010
  Watteeuw-2020-08-29-14-22-33.gramps      N   678052  Sat Aug 29 14:22:37 2020
  kerst2015nedklein.ppsx              N  1514274  Fri Dec 25 20:05:05 2015
  .gnucash                           DH        0  Sun Dec 29 11:33:23 2019
  ipv6.html                           N    22650  Tue Dec 29 12:35:25 2009
  CV muzikaal.odt                     N    11374  Sat May 28 09:04:16 2016
  Picture1.jpg                        N   118784  Tue Dec 29 12:35:24 2009
  atl.dll                             N    73785  Tue Dec 29 12:35:24 2009
  IP-Masquerade-HOWTO-5.html          N    22228  Tue Dec 29 12:35:24 2009
  montage.pdf                         N  5889267  Fri Jan 10 09:31:57 2014
  vis.mp3                             N   160344  Tue Dec 29 12:35:25 2009
  index.php                           N    72003  Tue Dec 29 12:35:25 2009
  DATA                                D        0  Mon Jul 27 11:15:39 2020
  .VirtualBox                        DH        0  Fri Aug 28 14:39:45 2020
  oraInventory                        D        0  Sun May 13 17:16:34 2018
  audacity2.0-herman                  D        0  Mon Jul 27 11:14:53 2020
and a lot more.


Did the same from my desktop to the samba server on this laptop, equally successfull.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA7-64-OK

Comment 6 James Kerr 2020-09-29 09:49:04 CEST 
On mga7-64   kernel-desktop   plasma

packages installed cleanly:
- lib64gnutls30-3.6.15-1.mga7.x86_64
- lib64heimntlm-samba4_1-4.10.18-1.mga7.x86_64
- lib64kdc-samba4_2-4.10.18-1.mga7.x86_64
- lib64samba-dc0-4.10.18-1.mga7.x86_64
- lib64samba1-4.10.18-1.mga7.x86_64
- lib64smbclient0-4.10.18-1.mga7.x86_64
- lib64wbclient0-4.10.18-1.mga7.x86_64
- samba-4.10.18-1.mga7.x86_64
- samba-client-4.10.18-1.mga7.x86_64
- samba-common-4.10.18-1.mga7.x86_64

I have r/w access to a share on this system from another system on the LAN
I have r/w access to a share on another system on the LAN from this system

looks OK for mga7-64

CC: (none) => jim

Aurelien Oudelet 2020-09-29 15:38:53 CEST

Keywords: (none) => advisory, validated_update
CC: (none) => ouaurelien, sysadmin-bugs

Comment 7 Mageia Robot 2020-09-30 12:03:00 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0380.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
Note You need to log in before you can comment on or make changes to this bug.