Samba 4.0.x before 4.0.24, 4.1.x before 4.1.16, and 4.2.x before 4.2rc4, when an Active Directory Domain Controller (AD DC) is configured, allows remote authenticated users to set the LDB userAccountControl UF_SERVER_TRUST_ACCOUNT bit, and consequently gain privileges, by leveraging delegation of authority for user-account or computer-account creation.

The version of Samba on the remote host is 4.x prior to 4.0.24, 4.1.x prior to 4.1.16, or 4.2.x prior to 4.2rc4 and is affected by a flaw in the Active Directory Domain Controller (AD DC) component due to a failure to implement a required check on the 'UF_SERVER_TRUST_ACCOUNT' bit of the 'userAccountControl' attributes. This vulnerability could allow a remote, authenticated attacker to elevate privileges.

Multiple vulnerabilities has been discovered and corrected in samba4 :

Samba 4.0.x before 4.0.24, 4.1.x before 4.1.16, and 4.2.x before 4.2rc4, when an Active Directory Domain Controller (AD DC) is configured, allows remote authenticated users to set the LDB userAccountControl UF_SERVER_TRUST_ACCOUNT bit, and consequently gain privileges, by leveraging delegation of authority for user-account or computer-account creation (CVE-2014-8143).

An uninitialized pointer use flaw was found in the Samba daemon (smbd). A malicious Samba client could send specially crafted netlogon packets that, when processed by smbd, could potentially lead to arbitrary code execution with the privileges of the user running smbd (by default, the root user) (CVE-2015-0240).

The updated packages provides a solution for these security issues.

samba was updated to fix two security issues.

These security issues were fixed :

  - CVE-2015-0240: Ensure we don't call talloc_free on an     uninitialized pointer (bnc#917376).

  - CVE-2014-8143: Samba 4.0.x before 4.0.24, 4.1.x before     4.1.16, and 4.2.x before 4.2rc4, when an Active     Directory Domain Controller (AD DC) is configured,     allowed remote authenticated users to set the LDB     userAccountControl UF_SERVER_TRUST_ACCOUNT bit, and     consequently gain privileges, by leveraging delegation     of authority for user-account or computer-account     creation (bnc#914279).

Several non-security issues were fixed, please refer to the changes file.

Andrew Bartlett discovered that Samba incorrectly handled delegation of authority when being used as an Active Directory Domain Controller.
An attacker given delegation privileges could use this issue to escalate their privileges further.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to its banner, the version of Samba on the remote host is 4.x prior to 4.0.24 / 4.1.16. It is, therefore, affected by a flaw in the Active Directory Domain Controller (AD DC) component due to a failure to implement a required check on the 'UF_SERVER_TRUST_ACCOUNT' bit of the 'userAccountControl' attributes. This vulnerability could allow a remote, authenticated attacker to elevate privileges.

Note that this issue only affects Samba installations acting as Active Directory Domain Controllers that allow delegation for the creation of user or computer accounts.

Also note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

New samba packages are available for Slackware 14.1 and -current to fix a security issue.

Samba team reports :

In Samba's AD DC we neglected to ensure that attempted modifications of the userAccountControl attribute did not allow the UF_SERVER_TRUST_ACCOUNT bit to be set.

ID	Name	Product	Family	Severity
90558	openSUSE Security Update : samba (openSUSE-2016-462) (Badlock)	Nessus	SuSE Local Security Checks	high
8758	Samba 4.x < 4.0.24 / 4.1.x < 4.1.16 / 4.2.x < 4.2rc4 UF_SERVER_TRUST_ACCOUNT AD DC Privilege Escalation	Nessus Network Monitor	Samba	high
82336	Mandriva Linux Security Advisory : samba4 (MDVSA-2015:083)	Nessus	Mandriva Local Security Checks	critical
81561	openSUSE Security Update : samba (openSUSE-2015-179)	Nessus	SuSE Local Security Checks	critical
80944	Ubuntu 14.04 LTS : Samba vulnerability (USN-2481-1)	Nessus	Ubuntu Local Security Checks	high
80916	Samba 4.x < 4.0.24 / 4.1.16 UF_SERVER_TRUST_ACCOUNT AD DC Privilege Escalation	Nessus	Misc.	high
80883	Slackware 14.1 / current : samba (SSA:2015-020-01)	Nessus	Slackware Local Security Checks	high
80559	FreeBSD : samba -- Elevation of privilege to Active Directory Domain Controller (d4f45676-9d33-11e4-8275-000c292e4fd8)	Nessus	FreeBSD Local Security Checks	high

Detections

Analytics

CVE-2014-8143

high

Tenable Plugins

high

high

critical

critical

high

high

high

high