Vulnerabilities in SAMBA

Hello!
Recently multiple vulnerabilities were found in SAMBA packages.
https://access.redhat.com/security/cve/CVE-2016-2124
https://access.redhat.com/security/cve/CVE-2020-25717
https://access.redhat.com/security/cve/cve-2020-25719
https://access.redhat.com/security/cve/cve-2021-23192

How can I update samba packages:
samba-common-tools-4.14.5-2.el8.x86_64
samba-client-libs-4.14.5-2.el8.x86_64
samba-libs-4.14.5-2.el8.x86_64
samba-common-4.14.5-2.el8.noarch
samba-common-libs-4.14.5-2.el8.x86_64
samba-client-4.14.5-2.el8.x86_64

to version 4.15.2 or 4.14.10 according to this article https://www.samba.org/samba/security/CVE-2020-25717.html.
Red Hat 8.
When I try to update them with the command yum update samba*, the system does not find any updates.

Also I want to update packages on Red Hat 6:
samba-winbind-3.6.23-53.el6_10.x86_64
samba4-libs-4.2.10-15.el6.x86_64
samba-common-3.6.23-53.el6_10.x86_64
samba-winbind-clients-3.6.23-53.el6_10.x86_64
samba-client-3.6.23-53.el6_10.x86_64

Here the same problem with update.

Responses

Hi Darya,

If you look at the links, you see that Red Hat has not created a fix yet for RHEL 7 and RHEL 8.

For RHEL 6 no fix will be created; it is out of scope.

Regards,

Jan Gerrit

Ok, thanks. Is there any date when this issue will be fixed for RHEL7 and RHEL8?

Hi Darya,

I am a customer, not a Red Hat employee. I cannot answer that question.

If you wish to get an estimate on the release of the fixes, please open a support case.

Regards,

Jan Gerrit

Hi Darya,

See previous posts of course, like Jan's above.

https://access.redhat.com/security/cve/CVE-2016-2124 mentions this mitigation (not an RPM fix), so this is a configuration mitigation:

Ensure the following [global] smb.conf parameters are set to their default values as shown below:

  client lanman auth = no
  client NTLMv2 auth = yes
  client plaintext auth = no
  client min protocol = SMB2_02

Or use the '-k' command line option only without the -U option, which will make use of an existing krb5 ccache.

https://access.redhat.com/security/cve/CVE-2020-25717 mentions this mitigation:

Mitigation
Setting "gensec:require_pac=true" in the smb.conf makes, due to a cache prime in winbind, the DOMAIN\user lookup succeed, provided nss_winbind is in use, 'winbind use default domain = no' (the default) and no error paths are hit.

It would be prudent to pre-create disabled users in Active Directory matching on all privileged names not held in Active Directory, eg

 samba-tool user add root -H ldap://$SERVER -U$USERNAME%$PASSWORD --random-password
 samba-tool user add ubuntu -H ldap://$SERVER -U$USERNAME%$PASSWORD --random-password

 (repeat for eg all system users under 1000 in /etc/passwd or special to any other AD-connected services, eg perhaps "admin" for a web-app)

https://access.redhat.com/security/cve/cve-2020-25719 mentions that samba and samba4 are not affected up through RHEL 8; however, the ipa package IS AFFECTED according to this link.

https://access.redhat.com/security/cve/cve-2021-23192 shows that RHEL 8 is affected; prior releases 6 through 7 are not.

Like Jan said, open a case with Red Hat for the non-resolved items.

Some of these (for the moment) mandate fixes in the configuration (excerpts above in text blocks).

Regarding RHEL 6, the only way to resolve the rpms is to purchase extended update support. I'd recommend migrating to a current version of RHEL for anything that is RHEL 6 (and begin an action plan to get from RHEL 7 to 8). RHEL 6 has numerous other security vulnerabilities otherwise; please see this link regarding RHEL 6.

Kind Regards,
RJ
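The configuration mitigations quoted in RJ's post can be verified on a host before the fixed RPMs arrive. The following is an added example (not code from this thread or from Red Hat) that parses the [global] section of a constructed smb.conf and reports every parameter that departs from the quoted values; it relies on Samba's rules that parameter names are matched case- and whitespace-insensitively and that yes/true/1 and no/false/0 are synonyms.

```python
"""Check smb.conf [global] against the mitigation values quoted in the thread:
the CVE-2016-2124 client auth defaults and gensec:require_pac (CVE-2020-25717)."""
import re

# Values the thread says must hold, in normalized form (booleans as yes/no,
# everything lowercased). All but gensec:require_pac are Samba defaults.
REQUIRED = {
    "client lanman auth": "no",
    "client ntlmv2 auth": "yes",
    "client plaintext auth": "no",
    "client min protocol": "smb2_02",
    "gensec:require_pac": "yes",
}
DEFAULTS = {k: v for k, v in REQUIRED.items() if k != "gensec:require_pac"}
BOOL = {"yes": "yes", "true": "yes", "1": "yes", "no": "no", "false": "no", "0": "no"}

def normalize(name: str) -> str:
    # Samba ignores case and whitespace runs in parameter names.
    return re.sub(r"\s+", " ", name.strip().lower())

def norm_value(value: str) -> str:
    value = value.strip().lower()
    return BOOL.get(value, value)

def parse_global(text: str) -> dict:
    """Return key/value pairs from the [global] section; whole-line # and ;
    comments are skipped, other sections are ignored."""
    section, params = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = normalize(line[1:-1])
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[normalize(key)] = value.strip()
    return params

def check_mitigations(text: str) -> dict:
    """Return {param: (expected, actual_or_None)} for each failing mitigation.
    Unset parameters take the Samba default; gensec:require_pac defaults to
    false, so its absence is reported as a failure."""
    present = parse_global(text)
    failures = {}
    for param, expected in REQUIRED.items():
        actual = present.get(param, DEFAULTS.get(param))
        if actual is None or norm_value(actual) != expected:
            failures[param] = (expected, present.get(param))
    return failures

# Constructed sample: two weakened client settings and no require_pac line.
SAMPLE_SMB_CONF = """
[global]
   workgroup = EXAMPLE
   Client Lanman Auth = yes
   client min protocol = NT1
   # gensec:require_pac is not set here
[homes]
   browseable = no
"""

if __name__ == "__main__":
    for param, (want, got) in check_mitigations(SAMPLE_SMB_CONF).items():
        print(f"{param}: expected {want!r}, found {got!r}")
```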