Winbind's rfc2307 & SFU nss_info plugin in Samba 3.0.25[a-c] assigns users a primary gid of 0 by default

2007.09.15
Credit: Gerald (Jerry) Carter
Risk: Medium
Local: Yes
Remote: No
CVE: CVE-2007-4138
CWE: CWE-264


CVSS Base Score: 6.9/10
Impact Subscore: 10/10
Exploitability Subscore: 3.4/10
Exploit range: Local
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ========================================================== == == Subject: Incorrect primary group assignment for == domain users using the rfc2307 or sfu == winbind nss info plugin. == == CVE ID#: CVE-2007-4138 == == Versions: Samba 3.0.25 - 3.0.25c (inclusive) == == Summary: When the "winbind nss info" parameter in == smb.conf is set to either "sfu" or "rfc2307", == Windows users are incorrectly assigned == a primary gid of 0 in the absence of the == RFC2307 or Services or Unix (SFU) primary == group attributes. == ========================================================== =========== Description =========== The idmap_ad.so library provides an nss_info extension to Winbind for retrieving a user's home directory path, login shell and primary group id from an Active Directory domain controller. This functionality is enabled by defining the "winbind nss info" smb.conf option to either "sfu" or "rfc2307". Both the Windows "Identity Management for Unix" and "Services for Unix" MMC plug-ins allow a user to be assigned a primary group for Unix clients that differs from the user's Windows primary group. When the rfc2307 or sfu nss_info plugin has been enabled, in the absence of either the RFC2307 or SFU primary group attribute, Winbind will assign a primary group ID of 0 to the domain user queried using the getpwnam() C library call. ================== Patch Availability ================== A patch addressing this defect has been posted to http://www.samba.org/samba/security/ Additionally, Samba 3.0.26 has been issued as a security release to correct the defect. ========== Workaround ========== Samba and Active Directory administrators may avoid this security issue by two methods: (a) Ensure that all user's stored in AD are properly assigned a Unix primary group, or (b) Discontinue use of the sfu or rfc2307 "winbind nss info" plugin until a patched version of the idmap_ad.so library can be installed. Note that the problem is only evident on servers using the sfu or rfc2307 "winbind nss info" plugin and not those only making use of Winbind's idmap_ad IDMap backend interface. ======= Credits ======= This vulnerability was reported to Samba developers by Rick King as Samba Bug #4927. The time line is as follows: * Aug 29, 2007: Initial report from Rick King. * Aug 29, 2007: First response from Samba developers confirming the bug along with a proposed patch. * Sep 4, 2007: Announcement to vendor-sec mailing list. * Sep 11, 2007: Public security advisory made available. ========================================================== == Our Code, Our Bugs, Our Responsibility. == The Samba Team ========================================================== -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFG5oH3IR7qMdg1EfYRAk/lAKCSKhAfe/oIJXVtjDMWwr0eAdun9QCfXv3k ddDRZWO/EauwP7vmC2PSyX4= =QW1q -----END PGP SIGNATURE-----


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top