The Samba-Bugzilla – Attachment 16499 Details for Bug 14571
CVE-2021-20254 [SECURITY] Buffer overrun in sids_to_unixids() [source3/passdb/lookup_sid.c]
Preliminary cut at a CVE text.
CVE-2021-20254.txt (text/plain), 2.34 KB, created by Jeremy Allison on 2021-03-04 22:34:43 UTC
>===========================================================
>== Subject:     Negative idmap cache entries can cause incorrect
>==              group entries in the Samba file server process
>==              token.
>==
>== CVE ID#:     CVE-2021-20254
>==
>==
>== Versions:    All versions of the Samba file server since
>==              Samba 3.6.0
>==
>== Summary:     A coding error converting SIDs to gids could
>==              allow unexpected group entries in a process token.
>==              This could allow unauthorized access to files.
>===========================================================
>
>===========
>Description
>===========
>
>The Samba smbd file server must map Windows group identities (SIDs)
>into unix group ids (gids). The code that performs this had a flaw
>that could allow it to read data beyond the end of the array in the
>case where a negative cache entry had been added to the mapping
>cache. This could cause the calling code to return those values into
>the process token that stores the group membership for a user.
>
>Most commonly this flaw caused the calling code to crash, but an alert
>user (Peter Eriksson) found this flaw by noticing an unprivileged user
>was able to delete a file within a network share that they should have
>been disallowed access to.
>
>Analysis of the code paths has not allowed us to discover a way for a
>remote user to be able to trigger this flaw reproducibly or on demand,
>but this CVE has been issued out of an abundance of caution.
>
>==================
>Patch Availability
>==================
>
>Patches addressing this issue have been posted to:
>
>    https://www.samba.org/samba/security/
>
>Additionally, Samba 4.x.y 4.x.y and 4.x.y have been issued as
>security releases to correct the defect. Samba administrators are
>advised to upgrade to these releases or apply the patch as soon as
>possible.
>
>==================
>CVSSv3 calculation
>==================
>
>CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N/MAV:N/MAC:H/MPR:L/MUI:N
>
>base score of 8.2 - high.
>
>=================================
>Workaround and mitigating factors
>=================================
>
>None.
>
>=======
>Credits
>=======
>
>Reported by Peter Eriksson. Volker Lendecke of SerNet and the Samba
>Team provided the fix.
>
>==========================================================
>== Our Code, Our Bugs, Our Responsibility.
>== The Samba Team
>==========================================================
Flags: vl: review+
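A simplified model of how a negative cache entry can make a merge loop read past the valid part of a reply array and hand the result to the caller, as the Description in the attachment explains. This is an added example, not Samba's code and not the fix: the two-pass structure, `map_sids`, the type names and every value are assumptions for illustration, and the over-read lands in a deliberately oversized local buffer so the program stays well-defined.

```c
#include <stdint.h>
#include <stdio.h>
/* Simplified model with hypothetical names; this is not Samba's code. */
enum id_type { ID_NOT_SPECIFIED, ID_GID };
enum cache_state { CACHE_MISS, CACHE_HIT, CACHE_NEGATIVE };
struct unixid { uint32_t id; enum id_type type; };
#define MAX_SIDS 4
#define STALE_GID 4242u /* constructed leftover data behind the valid replies */

/* Maps n (<= MAX_SIDS) SIDs to gids. cache[i] is the cache state of SID i and
 * gid[i] its true gid. Returns the number of reads past the valid replies. */
static int map_sids(const enum cache_state *cache, const uint32_t *gid,
                    int n, struct unixid *ids, int hardened)
{
    struct unixid reply[MAX_SIDS];
    int asked[MAX_SIDS] = {0};
    int n_asked = 0, next = 0, overreads = 0;
    for (int i = 0; i < MAX_SIDS; i++)
        reply[i] = (struct unixid){ STALE_GID, ID_GID };
    /* Pass 1: answer from the cache, queue only real misses for the backend. */
    for (int i = 0; i < n; i++) {
        ids[i] = (cache[i] == CACHE_HIT)
                     ? (struct unixid){ gid[i], ID_GID }
                     : (struct unixid){ 0, ID_NOT_SPECIFIED };
        if (cache[i] != CACHE_MISS)
            continue; /* hit, or cached "no mapping": nothing is queued */
        asked[i] = 1;
        reply[n_asked++] = (struct unixid){ gid[i], ID_GID }; /* backend answer */
    }
    /* Pass 2: merge replies. The flawed variant infers "was queued" from the
     * sentinel type, which a negative cache entry carries as well. */
    for (int i = 0; i < n; i++) {
        if (hardened ? !asked[i] : ids[i].type != ID_NOT_SPECIFIED)
            continue;
        overreads += (next >= n_asked);
        ids[i] = reply[next++];
    }
    return overreads;
}

int main(void)
{
    /* Constructed input: cache miss, negative entry, cache miss. */
    enum cache_state cache[3] = { CACHE_MISS, CACHE_NEGATIVE, CACHE_MISS };
    uint32_t gid[3] = { 1001, 0, 1003 };
    struct unixid ids[3];
    printf("flawed: %d over-read(s)\n", map_sids(cache, gid, 3, ids, 0));
    printf("hardened: %d over-read(s)\n", map_sids(cache, gid, 3, ids, 1));
    return 0;
}
```

In the flawed variant the negatively cached SID receives the next SID's gid and the last SID receives stale buffer content. Tracking which entries were actually queued keeps the two arrays aligned.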