Advisory: Samba Vulnerabilities CVE-2018-1050, CVE-2018-1057

This article discusses the recently announced Samba vulnerabilities and their impact on Sophos products. The following vulnerabilities are covered:

  • CVE-2018-1050: All versions of Samba from 4.0.0 onwards are vulnerable to a denial of service attack when the RPC spoolss service is configured to be run as an external daemon. Missing input sanitization checks on some of the input parameters to spoolss RPC calls could cause the print spooler service to crash.
  • CVE-2018-1057: On a Samba 4 AD DC the LDAP server in all versions of Samba from 4.0.0 onwards incorrectly validates permissions to modify passwords over LDAP allowing authenticated users to change any other users’ passwords, including administrative users and privileged service accounts.

Details can be found at https://lists.samba.org/archive/samba-announce/2018/000435.html

Applies to the following Sophos products and versions

Not product specific

No Sophos products are affected by these vulnerabilities.

All customers using Samba are encouraged to patch their Samba deployments if they are impacted by these vulnerabilities.

Related:

Invalid Login Issue on MCS Provisioned Linux Machines with Winbind

To fix this issue on SUSE 12.3, downgrade the Samba version on the template machine using the following command:

sudo zypper in -f samba-4.6.7+git.51.327af8d0a11-3.12.1

After this, update your machine catalog using the new master image.

On RHEL 7.4, you need to create a new template machine, then use the following command to restrict the package version:

echo '7.4' >/etc/yum/vars/releasever

If your system is not registered or uses other repositories, you can install a specific version of Samba and lock it with the yum versionlock plugin:

yum install yum-plugin-versionlock

yum install samba-winbind-clients-4.6.2-12.el7_4.x86_64

yum versionlock samba*

If other packages fail to install because of this Samba version, install their matching lower versions as well.

Update on RHEL 7 Platform

The RHEL team has fixed this issue in their latest Samba package, 4.7.1-9.el7_5. However, after upgrading to this Samba version you will still get the invalid login error. To solve this, edit /var/xdl/mcs/mcs_util.sh on the template machine: in the function join_domain(), find the line:

tdbtool ${SAMBA_SECRETS} store SECRETS/MACHINE_PASSWORD/${WORKGROUP} "${PASSWORD}" 2>&1 >> "$logFile"

and add the following line directly below it:

tdbtool ${SAMBA_SECRETS} store "SECRETS/MACHINE_SEC_CHANNEL_TYPE/${WORKGROUP}" "2000"

After this, create a new snapshot of the template machine and update machine catalog using this snapshot.
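The edit to mcs_util.sh described above is a one-line insertion, but on a template that gets rebuilt it is easy to apply twice or to lose the function body's indentation. The following is an added example written for this page (it is not Citrix's script): it inserts the MACHINE_SEC_CHANNEL_TYPE line after the MACHINE_PASSWORD line, once, keeping the indentation. The excerpt of mcs_util.sh it operates on is constructed for the example; the real file, the `net ads join` call and the `$ADMIN` variable are assumptions.

```python
import re

# Constructed excerpt standing in for /var/xdl/mcs/mcs_util.sh; not Citrix's file.
# The net ads join line and the $ADMIN variable are assumptions for the example.
SAMPLE_MCS_UTIL = """#!/bin/bash
join_domain() {
    tdbtool ${SAMBA_SECRETS} store SECRETS/MACHINE_PASSWORD/${WORKGROUP} "${PASSWORD}" 2>&1 >> "$logFile"
    net ads join -U "$ADMIN" 2>&1 >> "$logFile"
}
"""

# Marker identifying the line the article says to find, and the line to insert after it.
MACHINE_PASSWORD_MARKER = "store SECRETS/MACHINE_PASSWORD/"
SEC_CHANNEL_LINE = ('tdbtool ${SAMBA_SECRETS} store '
                    '"SECRETS/MACHINE_SEC_CHANNEL_TYPE/${WORKGROUP}" "2000"')


def add_sec_channel_type(script_text):
    """Return (new_text, inserted).

    Idempotent: a script that already stores MACHINE_SEC_CHANNEL_TYPE is
    returned unchanged with inserted=False, so the edit is safe to re-run
    when the template machine is rebuilt. Only the first matching tdbtool
    line gets the insertion.
    """
    if "SECRETS/MACHINE_SEC_CHANNEL_TYPE/" in script_text:
        return script_text, False
    out, inserted = [], False
    for line in script_text.splitlines(keepends=True):
        out.append(line)
        if not inserted and "tdbtool" in line and MACHINE_PASSWORD_MARKER in line:
            if not line.endswith("\n"):          # matched line was the last line of the file
                out[-1] = line + "\n"
            indent = re.match(r"[ \t]*", line).group(0)  # keep the function body's indentation
            out.append(indent + SEC_CHANNEL_LINE + "\n")
            inserted = True
    return "".join(out), inserted


if __name__ == "__main__":
    patched, changed = add_sec_channel_type(SAMPLE_MCS_UTIL)
    print("inserted" if changed else "already present")
    print(patched)
```

Run it against a copy of the real script (read the file, call `add_sec_channel_type`, write the result back) and then take the new snapshot as the article describes.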

Related:

Re: Isilon OneFS not authenticating against Samba AD?

Hi,

we are in the process of migrating our current environment, consisting of an Isilon OneFS cluster (v8.0.0.4) serving SMB and NFS shares, LDAP servers (for authentication/authorization) and a mix of Linux, Mac and Windows clients, to an environment which will use Samba AD as a replacement for LDAP for authentication/authorization.

We managed to get the Isilon OneFS cluster to join the domain on the Samba AD server and we can get the user and group lists from the domain both on the command line and in the web interface of the Isilon OneFS cluster. However, authentication/authorization fails when trying to connect with a Windows, Mac or Linux client to a SMB share on the Isilon cluster.

For the record, I am testing this in a separate environment using the Isilon OneFS simulator v8.1.0.1.

When I have a look in the log files I can find the following in the /var/log/lsass.log file (I masked out our domain/user values):

2018-04-04T14:11:49Z <30.4> dbg-test-1 lsass[2433]: [LwKrb5InitializeUserLoginCredentialsS4U /b/mnt/src/isilon/fsp/lwadvapi/threaded/lwkrb5.c:1390] KRB5 Error code: -1765328243 (Message: Matching credential not found (filename: /var/lib/likewise/krb5cc_lsass_S4U.<DOMAIN>))

2018-04-04T14:11:49Z <30.3> dbg-test-1 lsass[2433]: [lsass] Failed to find group memberships of SID=S-1-5-21-1654374101-3569970681-3921896634-11811. [error code:41874] [Symbol: LW_ERROR_KRB5_CC_NOTFOUND]

2018-04-04T14:11:49Z <30.3> dbg-test-1 lsass[2433]: [lsass] Failed to find memberships for '<DOMAIN>\<user>' (error = 41874)

Is there anyone who has this kind of setup working (Isilon OneFS with Samba AD) ?

Any help would be greatly appreciated!!

Kind Regards,

Michel van Deventer

Related:

Using samba SID from LDAP?

Hi,

we use an OpenLDAP server as the authentication provider in OneFS 8.1.2. The sambaSID attribute from the Samba schema contains the users' SID, which is used by our Samba servers. Is it possible to use this attribute for SMB shares in OneFS? OneFS creates its own default SID for every LDAP user. For example:

On our samba servers:

# net sam show xmuster
SAMBA\xmuster is a User with SID S-1-5-21-400xxx2-314xxx9-252xxx7-69720

On our Isilon:

# isi auth users view xmuster
Domain: LDAP_USERS
Provider: lsa-ldap-provider:LDAP Cluster
Sam Account Name: xmuster
UID: 34360
SID: S-1-22-1-34360

Thanks.

Related:

SAV for UNIX (AIX) fails to update over UNC after upgrading to 9.14.0

In some rare cases, SAV for UNIX 9.14 (AIX) can fail to update over UNC after installing/upgrading to 9.14.0. This only impacts UNC updating. HTTP updating is not impacted.

This is due to a defect in the Samba code we use for this connection, which fails if an IPv6 address is added on a network adapter with IPv4 configured. We have also informed the Samba community of this bug to ensure it can be fixed at the appropriate level.

This bug is corrected in the version 9.14.1, available as of December 7th, 2017.

Applies to the following Sophos products and versions

Sophos Anti-Virus for Unix 9.14.0

If the system is already impacted by this issue (failing to update), there are three solutions. Solutions 1 and 3 work without the updated SAV version (9.14.1+), although upgrading is recommended regardless. Solution 2 is the recommended solution.

Solution 1 – HTTP Updating:

Switch to HTTP WebCID updating. This will allow the client to update.

Solution 2 – Reinstall:

Switch to a Subscription that contains 9.14.1+ (Preview, Recommended, and Previous all have this version as of December 7th, 2017).

Since this is an updating issue, if Solution 1 is not an option, the way to correct it is to uninstall and reinstall each impacted client, using the updated client.

Solution 3 – Disable IPv6:

Turn off IPv6 on all network adapters on the AIX system. This will allow the client to update.

  • KB38238 – Configuring Microsoft Internet Information Services for endpoint updating
  • KB64787 – SAV for Linux / Unix / OS X : IIS WebCID update troubleshooting

Related:

Re: SAMBA server not respecting ACLs on OneFS

Hello guys,

I have created a mixed environment for multiprotocol access on Isilon OneFS, with ACLs, where on one side users access the data from Windows with AD credentials (SMB) and on the other side from UNIX with LDAP credentials (NFS). This is how the ACLs are set at the OneFS level:

dc2isi1-20# ls -led BHTC
drwxrwx--- + 3 root wheel 541 Jul 2 16:03 BHTC
OWNER: user:root
GROUP: group:wheel
CONTROL:dacl_auto_inherited,sacl_auto_inherited,dacl_protected
0: group:HELLADEprj.ep3-sim_daten_bhtc_rw allow dir_gen_all,object_inherit,container_inherit
1: group:sim_daten_BHTC_rw allow dir_gen_all,object_inherit,container_inherit

We have some users that do not belong to our domain and need access from Windows, but this is not working at all, so we decided to create a Samba server on a Linux VM to authenticate Windows clients with LDAP accounts. The server was working in an old environment without ACLs, but now that we have migrated to this environment it is not. I presume the authentication succeeds but somehow Samba is not seeing the real ACLs; instead the Samba server is using the POSIX permissions to grant access.

This is the smb.conf file:

dc1tcs116:~ # cat /etc/samba/smb.conf
# smb.conf is the main Samba configuration file. You find a full commented
# version at /usr/share/doc/packages/samba/examples/smb.conf.SUSE if the
# samba-doc package is installed.
# Date: 2016-12-15
[global]

workgroup = SIMULATION
netbios name = tcs71.hei.hella.com
logon path = \%Lprofiles.msprofile
logon home = \%L%U
#logon home = \%L%U.9xprofile
logon drive = V:
domain logons = No
preferred master = auto
local master = Yes

# passdb backend = ldapsam:ldap://dc1ldap05v.dc.hella.com ldap://dc2ldap06v.dc.hella.com
passdb backend = ldapsam:"ldap://dc1ldap05v.dc.hella.com ldap://dc2ldap06v.dc.hella.com"
ldap suffix = dc=SIM,dc=hella,dc=com
ldap admin dn = cn=Administrator,dc=SIM,dc=hella,dc=com
# ldap group suffix = ou=groups,dc=SIM,dc=hella,dc=com
ldap group suffix = ou=groups
# ldap user suffix = ou=people,dc=SIM,dc=hella,dc=com
ldap user suffix = ou=people
# ldap machine suffix = ou=machines,dc=SIM,dc=hella,dc=com
ldap machine suffix = ou=machines
ldap idmap suffix = ou=Idmap
ldap ssl = no

ldapsam:editposix = yes
## idmap backend = ldap:"ldap://dc1ldap05v.dc.hella.com ldap://dc2ldap06v.dc.hella.com"
idmap backend = ldap:"ldap://dc1ldap05v.dc.hella.com ldap://dc2ldap06v.dc.hella.com"
follow symlinks = yes
wide links = yes
unix extensions = no

#acl check permissions = no
#log level = 10
#log level = 3 auth:10
#log level = 2 auth:10

[tcs_root]
path = /tcs_root
comment = Directory for Simulation and Validation
browsable = yes
public = yes
writeable = yes
inherit acls = yes
#create mask = 0770
#force create mode = 0770
#directory mask = 0770
#force directory mode = 0770

vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
acl_xattr:ignore system acls = yes
acl_xattr:default acl style = everyone
acl check permissions = true

Can somebody please let me know if I’m missing something in here or lead me to the right way to do it? Thanks a lot in advance!
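Two passages on this page come down to reading an smb.conf and asking what a setting exposes: the Sophos advisory at the top, where CVE-2018-1050 only applies when spoolss runs as an external daemon, and the post above, whose share combines guest access, wide links over NFS-mounted storage, cleartext LDAP and `acl_xattr:ignore system acls = yes`. The following is an added example written for this page, not code from the Samba project or from the poster: a small smb.conf reader that normalises option names the way Samba does (case-insensitive, whitespace-insensitive) and reports the settings worth reviewing. The sample config is constructed from the post with hostnames replaced and the advisory's `rpc_server:spoolss` line added; the option names are real Samba parameters, but the risk wording next to each finding is the example's own reading, not a diagnosis of the poster's problem.

```python
import configparser

# Constructed sample modelled on the smb.conf in the post above (hostnames replaced,
# spoolss line from the advisory added). Not a real deployment's configuration.
SAMPLE_SMB_CONF = """\
[global]
workgroup = SIMULATION
rpc_server:spoolss = external
passdb backend = ldapsam:"ldap://ldap1.example.test ldap://ldap2.example.test"
ldap suffix = dc=SIM,dc=example,dc=test
ldap ssl = no
follow symlinks = yes
wide links = yes
unix extensions = no

[tcs_root]
path = /tcs_root
browsable = yes
public = yes
writeable = yes
vfs objects = acl_xattr
acl_xattr:ignore system acls = yes
"""

# The same shares with each flagged setting corrected (also constructed).
HARDENED_SMB_CONF = """\
[global]
workgroup = SIMULATION
passdb backend = ldapsam:"ldaps://ldap1.example.test ldaps://ldap2.example.test"
ldap suffix = dc=SIM,dc=example,dc=test
ldap ssl = off
wide links = no
unix extensions = yes

[tcs_root]
path = /tcs_root
browsable = yes
public = no
writeable = yes
vfs objects = acl_xattr
acl_xattr:ignore system acls = no
"""

TRUE_WORDS = ("yes", "true", "1", "on")   # the spellings Samba accepts for a boolean


def load_smb_conf(text):
    """Parse smb.conf text. The file is INI-like ([section], key = value, # or ;
    comments); option names are case-insensitive and internal whitespace is not
    significant, so they are normalised before lookup."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",), comment_prefixes=("#", ";"))
    cp.optionxform = lambda key: " ".join(key.lower().split())
    cp.read_string(text)
    return cp


def is_on(section, key, default="no"):
    return section.get(key, default).strip().lower() in TRUE_WORDS


def findings(cp):
    """Return a list of (section, setting, why it matters) for settings to review."""
    out = []
    if cp.has_section("global"):
        g = cp["global"]
        if g.get("rpc_server:spoolss", "embedded").strip().lower() == "external":
            out.append(("global", "rpc_server:spoolss = external",
                        "spoolss runs as a separate daemon, the configuration in which "
                        "CVE-2018-1050 can crash the print spooler; confirm Samba is patched"))
        ldap_uris = g.get("passdb backend", "").lower()
        if g.get("ldap ssl", "start tls").strip().lower() in ("no", "off") and "ldap://" in ldap_uris:
            out.append(("global", "ldap ssl = no",
                        "the ldap admin dn bind and account data cross the network in cleartext"))
        if is_on(g, "wide links") and not is_on(g, "unix extensions", "yes"):
            out.append(("global", "wide links = yes",
                        "symlinks may resolve to paths outside the share"))
    for name in cp.sections():
        if name == "global":
            continue
        s = cp[name]
        guest = is_on(s, "public") or is_on(s, "guest ok")
        writable = is_on(s, "writeable") or is_on(s, "writable") or is_on(s, "write ok")
        if guest and writable:
            out.append((name, "public = yes + writeable = yes",
                        "unauthenticated guests can write to this share"))
        if is_on(s, "acl_xattr:ignore system acls"):
            out.append((name, "acl_xattr:ignore system acls = yes",
                        "NT ACLs are kept only in the security.NTACL xattr and are not mapped "
                        "to the underlying filesystem ACL"))
    return out


if __name__ == "__main__":
    for section, setting, why in findings(load_smb_conf(SAMPLE_SMB_CONF)):
        print(f"[{section}] {setting}: {why}")
    print("hardened config findings:", findings(load_smb_conf(HARDENED_SMB_CONF)))
```

Feed it the real file with `load_smb_conf(open("/etc/samba/smb.conf").read())`; an empty list from `findings` means none of the settings discussed on this page are present in their risky form, not that the configuration is otherwise sound.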

Related:

VNX: SMB client-side update for Badlock causes SMB/CIFS mounts to fail

Article Number: 483162 Article Version: 4 Article Type: Break Fix



VNX Operating Environment,VNX OE for File,VNX/VNXe Family

With the release of the “Badlock Bug” patch for Samba and Windows on 4/12, SMB client connections from updated Linux machines are now failing.

See KBA 481861

During Session Setup, the Samba CIFS client's NTLMSSP_NEGOTIATE message has Negotiate Sign set, but the Data Mover's NTLMSSP_CHALLENGE reply does not have this flag set (Negotiate Sign: Not set). This is likely what causes the newly upgraded Samba CIFS client to close the TCP connection and fail to map the CIFS share, and it corresponds to the error recorded in the SR notes:

ntlmssp_handle_neg_flags: Got challenge flags[0x60898201] - possible downgrade detected! missing_flags[0x00000010] - NT code 0x80090302
NTLMSSP_NEGOTIATE_SIGN
SPNEGO(ntlmssp) login failed: NT code 0x80090302
session setup failed: NT code 0x80090302

The Samba client had been upgraded from 4.1.6 to 4.3.8 to address CVE-2016-2118 (Badlock).

Workaround:

From SAMBA client;

  • Rollback to previous SAMBA version to restore access

OR:

From VNX;

  • Set the following data mover parameter

**If you are not comfortable applying this data move parameter, please engage EMC technical support quoting this article.**

param NTsec.ntlmsspFlags force=0x10

Steps to add or modify a server parameter for a single Data Mover are:

1. Log in to the Control Station via SSH

2. Go to the directory that contains the server parameter file for the Data Mover by using this command syntax:

$ cd /nas/server/slot_<x>

where:

<x> = slot number for the Data Mover

3. Open the param file by using a text editor, such as vi.

4. Add a parameter by appending a line of the form param <facility> <parameter>=<value> to the file; for this workaround the line is:

  • param NTsec.ntlmsspFlags force=0x10

where:

<facility> = name of the facility (case-sensitive) to which the parameter applies

<parameter> = name of the server parameter (case-sensitive) to set

<value> = value for the parameter

5. Save your changes and close the param file.

6. Confirm the parameter entry in the file, by typing:

$ more param

The contents of the param file appear.

7. Reboot a Data Mover following the procedure below.

To Reboot the Data Mover;

1. From Unisphere, select System > Data Movers.

2. Select the Data Mover, and click Reboot.

3. Click OK to send a reboot message to the selected Data Movers. While the reboot is in progress, refreshing Data Movers shows the rebooting Data Mover in various states as they appear in the Status column.

Permanent Fix:

The permanent fix is TBD from engineering, and the ETA is TBD. Please refer to KBA 481861 for fix details when they become available.
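The log line in this article is a Badlock-patched client refusing a challenge that silently dropped a flag it had asked for, and the `force=0x10` workaround makes the Data Mover put that flag back. The following is an added example written for this page, not EMC's or Samba's code: it decodes the NTLMSSP flag words from the log line, reproduces the client-side check (required flags that are absent from the CHALLENGE are "missing"), and shows why forcing NTLMSSP_NEGOTIATE_SIGN (0x10) in the server's reply clears the error. The flag values are the MS-NLMP NegotiateFlags bit assignments; the log line is the one from the article, embedded as sample input, and the exact set of flags the real client requires is an assumption stated in the test rather than a claim about Samba's code.

```python
import re

# MS-NLMP NegotiateFlags bit assignments (subset sufficient to decode the log line).
NTLMSSP_FLAGS = {
    "NTLMSSP_NEGOTIATE_UNICODE": 0x00000001,
    "NTLMSSP_NEGOTIATE_OEM": 0x00000002,
    "NTLMSSP_REQUEST_TARGET": 0x00000004,
    "NTLMSSP_NEGOTIATE_SIGN": 0x00000010,
    "NTLMSSP_NEGOTIATE_SEAL": 0x00000020,
    "NTLMSSP_NEGOTIATE_NTLM": 0x00000200,
    "NTLMSSP_NEGOTIATE_ALWAYS_SIGN": 0x00008000,
    "NTLMSSP_TARGET_TYPE_DOMAIN": 0x00010000,
    "NTLMSSP_TARGET_TYPE_SERVER": 0x00020000,
    "NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY": 0x00080000,
    "NTLMSSP_NEGOTIATE_TARGET_INFO": 0x00800000,
    "NTLMSSP_NEGOTIATE_VERSION": 0x02000000,
    "NTLMSSP_NEGOTIATE_128": 0x20000000,
    "NTLMSSP_NEGOTIATE_KEY_EXCH": 0x40000000,
    "NTLMSSP_NEGOTIATE_56": 0x80000000,
}

# The article's log line, embedded as sample input (hyphens are plain ASCII here).
LOG_LINE = ("ntlmssp_handle_neg_flags: Got challenge flags[0x60898201] - possible "
            "downgrade detected! missing_flags[0x00000010] - NT code 0x80090302")

_LOG_RE = re.compile(r"challenge flags\[0x([0-9a-fA-F]+)\].*?missing_flags\[0x([0-9a-fA-F]+)\]")


def parse_neg_flags_log(line):
    """Extract (challenge_flags, missing_flags) from an ntlmssp_handle_neg_flags line,
    or None when the line is not one."""
    m = _LOG_RE.search(line)
    if not m:
        return None
    return int(m.group(1), 16), int(m.group(2), 16)


def flag_names(value):
    """Names of the NTLMSSP flags set in a flag word, in bit order."""
    return [name for name, bit in NTLMSSP_FLAGS.items() if value & bit]


def handle_neg_flags(required, challenge):
    """Client-side downgrade check: every flag the client required must survive
    in the server's CHALLENGE. Returns (missing_flags, missing_names); a non-zero
    missing_flags is what the patched client rejects with NT code 0x80090302."""
    missing = required & ~challenge
    return missing, flag_names(missing)


if __name__ == "__main__":
    challenge, logged_missing = parse_neg_flags_log(LOG_LINE)
    print("challenge offers:", ", ".join(flag_names(challenge)))
    # Assumption for the demonstration: the client insisted on signing and 128-bit keys.
    required = NTLMSSP_FLAGS["NTLMSSP_NEGOTIATE_SIGN"] | NTLMSSP_FLAGS["NTLMSSP_NEGOTIATE_128"]
    print("missing per log:", flag_names(logged_missing))
    print("missing per check:", handle_neg_flags(required, challenge)[1])
    # Effect of the workaround: the server forces NTLMSSP_NEGOTIATE_SIGN (0x10) into its reply.
    print("after force=0x10:", handle_neg_flags(required, challenge | 0x10)[1])
```

Decoding 0x60898201 shows the Data Mover offering ALWAYS_SIGN, 128-bit keys and key exchange but not NEGOTIATE_SIGN, which is exactly the flag the client reports missing; OR-ing 0x10 into the challenge, as the `NTsec.ntlmsspFlags force=0x10` parameter does, is what satisfies the check.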

Related:

Re: AD provider offline after adding SPNs

Today something strange happened to our cluster connection with the AD server.

I was doing some tests and at the end ultimately had to re-join the AD. Obviously, we lost all the SPNs and SMB clients are unable to access the Samba shares now.

Adding manually the records causes the cluster to drop connection with AD:

EMC-1# isi_for_array -s 'isi auth status | grep -i activedirectory'

EMC-1: lsa-activedirectory-provider:WWFX.CO.UK ad.wwfx.co.uk offline

EMC-2: lsa-activedirectory-provider:WWFX.CO.UK ad.wwfx.co.uk offline

EMC-3: lsa-activedirectory-provider:WWFX.CO.UK ad.wwfx.co.uk offline

EMC-4: lsa-activedirectory-provider:WWFX.CO.UK ad.wwfx.co.uk online

EMC-5: lsa-activedirectory-provider:WWFX.CO.UK ad.wwfx.co.uk online

Rejoining the cluster to AD works for a while, even though it keeps flapping between Online and Offline. Adding SPNs ultimately breaks it.

Also, 4 out of the 5 nodes are having the orange light.

Related: