Samba patches flaw that let people change admin passwords

Samba has released security updates for two vulnerabilities in the open-source

Samba has released patches to fix two serious security vulnerabilities in its widely used open-source Windows and Linux networking software.

The patches were rushed out after security specialists found password and denial-of-service flaws, which can be found in all versions of the software released since December 2012.

By tapping into the password vulnerability, anyone with access to a Samba 4.x LDAP server can modify other people's login details. They just have to create an Active Directory Domain Controller.

People logged into the software can also change admin and service account passwords, but Samba explained that it has now fixed this bug for versions 4.7.6, 4.6.14 and 4.5.16.

Alongside the patch, the organisation has released workaround options that can help administrators determine whether someone has meddled with passwords.

"Revoke the change passwords right for 'the world' from all user objects (including computers) in the directory, leaving only the right to change a user's own password," it recommends.

It advised users to upgrade or apply the patch as soon as possible.

"As Samba does not at this time change the machine account passwords of Domain Controllers, any change to these, or to the passwords of administrators should be a concern."

There is a patch for a new denial-of-service flaw, too. But that flaw should only affect a few particular configurations.

The denial-of-service flaw was found in Samba 4.7.6, 4.6.14 and 4.5.16, although users of Samba 4.4.16 and 4.3.13 can download the patch as well.

"All versions of Samba from 4.0.0 onwards are vulnerable to a denial-of-service attack when the RPC spoolss service is configured to be run as an external daemon," explained CVE-2018-1050.

"Missing input sanitization checks on some of the input parameters to spoolss RPC calls could cause the print spooler service to crash," it added.

Writing on Twitter, cyber security firm Rapid7 suggested that these flaws may only be scratching the surface. "There are still plenty of internet-facing Samba instances around," it warned, adding that they need to be updated, and fast.