SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (File Transfer/Sharing)  >   Samba Vendors:   Samba.org
Samba winbindd Daemon Discloses Server Password to Local Users
SecurityTracker Alert ID:  1015850
SecurityTracker URL:  http://securitytracker.com/id/1015850
CVE Reference:   CVE-2006-1059   (Links to External Site)
Date:  Mar 30 2006
Impact:   Disclosure of authentication information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 3.0.21 - 3.0.21c
Description:   A vulnerability was reported in Samba. A local user can view the server's password.

The winbindd daemon writes server's machine credentials in clear text to the log file when set at log level 5. The log file is world readable by default. A local user can view the log file to obtain the password.

Servers configured to use domain or ads security are affected. Samba domain controllers configured to use winbindd may also be affected.

This vulnerability was discovered by the Samba Team during an internal code audit.

Impact:   A local user can view the server's password.
Solution:   The vendor has issued a fixed version (3.0.22), available at:

http://samba.org/samba/download/

A patch for Samba 3.0.21[a-c] is available at:

http://www.samba.org/samba/security/

Vendor URL:  http://samba.org/samba/news/#3.0.22 (Links to External Site)
Cause:   Access control error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.


 Source Message Contents

Subject:  [SECURITY] Samba 3.0.21-3.0.21c: Exposure of machine account

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

==========================================================
==
== Subject:     Exposed clear text of domain machine
==              account password in debug logs (log
==              level >= 5)
== CVE ID#:     CAN_2006-1059
==
== Versions:    Samba Samba 3.0.21 - 3.0.21c (inclusive)
==
== Summary:     The winbindd daemon writes the clear text
==              of the machine trust account password to
==              log files.  These log files are world
==              readable by default.
==
==========================================================


===========
Description
===========

The machine trust account password is the secret shared
between a domain controller and a specific member server.
Access to the member server machine credentials allows
an attacker to impersonate the server in the domain and
gain access to additional information regarding domain
users and groups.

The winbindd daemon included in Samba 3.0.21 and subsequent
patch releases (3.0.21a-c) writes the clear text of server's
machine credentials to its log file at level 5.  The winbindd
log files are world readable by default and often log files
are requested on open mailing lists as tools used to debug
server misconfigurations.

This affects servers configured to use domain or ads security
and possibly Samba domain controllers as well (if configured
to use winbindd).


==================
Patch Availability
==================

Samba 3.0.22 has been released to address this one security
defect.  A patch for Samba 3.0.21[a-c] has been posted at

	http://www.samba.org/samba/security/

An unpatched server may be protected by ensuring that
non-administrative users are unable to read any winbindd
log files generated at level 5 or greater.


=======
Credits
=======

This security issue discovered during an internal security
audit of the Samba source code by the Samba Team.


==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFEK2saIR7qMdg1EfYRAl6kAJ43G/1StS5lRt56EnojGSY8ndjjRgCfbJxV
d9QaHIC1lgJMc3U+bMDh2Zw=
=33BN
-----END PGP SIGNATURE-----

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2020, SecurityGlobal.net LLC