CVE-2006-1059
CVSS 1.2
Published: 2006-03-30 12:06:00
Last modified: 2011-03-07 21:31:53

[Original] The winbindd daemon in Samba 3.0.21 to 3.0.21c writes the machine trust account password in cleartext in log files, which allows local users to obtain the password and spoof the server in the domain.


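[CNNVD] Samba Machine Trust Account Local Information Disclosure Vulnerability (CNNVD-200603-502)

        Samba is a suite of programs that implements the SMB (Server Message Block) protocol and provides cross-platform file and print sharing services.
        A vulnerability exists in the Samba server implementation that an attacker may be able to exploit, under certain circumstances, to obtain access credentials without authorization.
        The machine trust account password of a Samba machine is a secret shared between the domain controller and a specific member server. Member server credentials allow an attacker to impersonate a server in the domain and gain access to additional information about domain users and groups.
        When the log level is set to 5, the winbindd daemon bundled with Samba writes the server's machine credentials to its log file in cleartext. By default the winbindd log files are world readable, and log files are often requested on open mailing lists in order to debug server misconfigurations.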

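- CVSS (base score)

CVSS score: 1.2 [Minor (LOW)]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: NONE [no impact on system integrity]
Availability impact: NONE [no impact on system availability]
Attack complexity: HIGH [exploitation requires specific access conditions]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]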

- CPE (affected platforms and products)

cpe:/a:samba:samba:3.0.21a    Samba 3.0.21a
cpe:/a:samba:samba:3.0.21c    Samba 3.0.21c
cpe:/a:samba:samba:3.0.21     Samba 3.0.21
cpe:/a:samba:samba:3.0.21b    Samba 3.0.21b

- OVAL (technical details for detection)

No related OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1059
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-1059
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200603-502
(Official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/archive/1/archive/1/429370/100/0/threaded
(PATCH)  BUGTRAQ  20060330 [SECURITY] Samba 3.0.21-3.0.21c: Exposure of machine account credentials in winbindd log files
http://us1.samba.org/samba/security/CAN-2006-1059.html
(PATCH)  CONFIRM  http://us1.samba.org/samba/security/CAN-2006-1059.html
http://secunia.com/advisories/19455
(VENDOR_ADVISORY)  SECUNIA  19455
http://xforce.iss.net/xforce/xfdb/25575
(UNKNOWN)  XF  samba-logfile-account-cleartext(25575)
http://www.vupen.com/english/advisories/2006/1179
(UNKNOWN)  VUPEN  ADV-2006-1179
http://www.trustix.org/errata/2006/0018
(UNKNOWN)  TRUSTIX  2006-0018
http://www.securityfocus.com/bid/17314
(UNKNOWN)  BID  17314
http://www.redhat.com/archives/fedora-announce-list/2006-March/msg00114.html
(UNKNOWN)  FEDORA  FEDORA-2006-259
http://www.osvdb.org/24263
(UNKNOWN)  OSVDB  24263
http://securitytracker.com/id?1015850
(UNKNOWN)  SECTRACK  1015850
http://secunia.com/advisories/19539
(UNKNOWN)  SECUNIA  19539
http://secunia.com/advisories/19468
(UNKNOWN)  SECUNIA  19468

- Vulnerability information

Samba Machine Trust Account Local Information Disclosure Vulnerability
Low risk  Design error
2006-03-30 00:00:00 2007-02-26 00:00:00
Local

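- Announcements and patches

        The vendor has released an upgrade patch that fixes this security issue; download it from the vendor's home page:
        http://www.samba.org/samba/security

- Vulnerability information (F48177)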

smbd-DoS.txt (PacketStormID:F48177)
2006-07-12 00:00:00
 
advisory,denial of service
CVE-2006-1059

Samba versions 3.0.1 through 3.0.22 suffer from a memory exhaustion vulnerability in smbd that can result in a denial of service.


==========================================================
==
== Subject:     Memory exhaustion DoS against smbd
== CVE ID#:     CAN-2006-1059
==
== Versions:    Samba Samba 3.0.1 - 3.0.22 (inclusive)
==
== Summary:     smbd may allow internal structures
==              maintaining state for share connections
==              to grow unbounded.
==
==========================================================


===========
Description
===========

The smbd daemon maintains internal data structures used to track
active connections to file and printer shares.  In certain
circumstances an attacker may be able to continually increase
the memory usage of an smbd process by issuing a large number
of share connection requests.  This defect affects all Samba
configurations.



==================
Patch Availability
==================

A patch for Samba 3.0.1 - 3.0.22 has been posted at
http://www.samba.org/samba/security/.

Guidelines for securing Samba hosts are listed at
http://www.samba.org/docs/server_security.html


=======
Credits
=======

This security issue was discovered during an internal security
audit of the Samba source code by the Samba Team.


==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================

    

- Vulnerability information (F45100)

sambaExpose.txt (PacketStormID:F45100)
2006-04-01 00:00:00
 
advisory
CVE-2006-1059

Samba versions 3.0.21 through 3.0.21c expose passwords in clear text in debug logs.


==========================================================
==
== Subject:     Exposed clear text of domain machine
==              account password in debug logs (log
==              level >= 5)
== CVE ID#:     CAN_2006-1059
==
== Versions:    Samba Samba 3.0.21 - 3.0.21c (inclusive)
==
== Summary:     The winbindd daemon writes the clear text
==              of the machine trust account password to
==              log files.  These log files are world
==              readable by default.
==
==========================================================


===========
Description
===========

The machine trust account password is the secret shared
between a domain controller and a specific member server.
Access to the member server machine credentials allows
an attacker to impersonate the server in the domain and
gain access to additional information regarding domain
users and groups.

The winbindd daemon included in Samba 3.0.21 and subsequent
patch releases (3.0.21a-c) writes the clear text of the server's
machine credentials to its log file at level 5.  The winbindd
log files are world readable by default and often log files
are requested on open mailing lists as tools used to debug
server misconfigurations.

This affects servers configured to use domain or ads security
and possibly Samba domain controllers as well (if configured
to use winbindd).


==================
Patch Availability
==================

Samba 3.0.22 has been released to address this one security
defect.  A patch for Samba 3.0.21[a-c] has been posted at

	http://www.samba.org/samba/security/

An unpatched server may be protected by ensuring that
non-administrative users are unable to read any winbindd
log files generated at level 5 or greater.


=======
Credits
=======

This security issue was discovered during an internal security
audit of the Samba source code by the Samba Team.


==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================

    

- Vulnerability information

24263
Samba winbindd Debug Log Server Credentials Local Disclosure
Local Access Required Information Disclosure
Loss of Confidentiality Upgrade
Exploit Public Vendor Verified

- Vulnerability description

Samba winbindd contains a flaw that may lead to an unauthorized password exposure. It is possible to gain access to plain text winbindd passwords of a domain member server. When the log level is set to 5 or higher, winbindd stores these credentials in a plain text file readable by non-administrative users, which may lead to a loss of confidentiality.

- Timeline

2006-03-29 Unknown
2006-03-29 Unknown

- Solution

Upgrade to version 3.0.22 or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by ensuring that non-administrative users do not have read access to 'winbindd' log files generated at log level 5 or greater.
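
One way to check a host for the condition described above (winbindd log files readable by non-administrative users while the log level is 5 or higher), as an added example that is not part of the advisory or of Samba. The log file names `log.winbindd*` and `log.wb-*` and the paths passed on the command line are assumptions.

```shell
#!/bin/sh
# Added example: audit a host for the exposure condition in CVE-2006-1059.
# Assumptions (not from the advisory): the log file names log.winbindd* and
# log.wb-*, and the smb.conf / log directory paths supplied by the caller.

# Print the highest numeric log level set in an smb.conf-style file (0 if none).
# Accepts "log level", its synonym "debuglevel", and class syntax "3 winbind:5".
max_log_level() {
    awk -F= '
        BEGIN { max = 0 }
        /^[ \t]*[#;]/ { next }                      # skip comment lines
        {
            name = tolower($1); gsub(/[ \t]/, "", name)
            if (name != "loglevel" && name != "debuglevel") next
            n = split($2, tok, /[ \t,]+/)
            for (i = 1; i <= n; i++) {
                sub(/^.*:/, "", tok[i])             # "winbind:5" -> "5"
                if (tok[i] ~ /^[0-9]+$/ && tok[i] + 0 > max) max = tok[i] + 0
            }
        }
        END { print max }
    ' "$1"
}

# List winbindd log files under a directory that "other" users can read.
world_readable_logs() {
    find "$1" -type f \( -name 'log.winbindd*' -o -name 'log.wb-*' \) -perm -004 | sort
}

# Exit status: 0 = no world-readable winbindd logs
#              1 = world-readable logs and configured level >= 5
#              2 = world-readable logs, level < 5 now (older logs may still
#                  have been written at level 5 or greater)
audit_winbindd_logs() {
    level=$(max_log_level "$1")
    exposed=$(world_readable_logs "$2")
    [ -z "$exposed" ] && return 0
    printf 'log level %s, world-readable winbindd logs:\n%s\n' "$level" "$exposed"
    [ "$level" -ge 5 ] && return 1
    return 2
}

# Usage: sh audit.sh /path/to/smb.conf /path/to/log/dir
if [ "$#" -eq 2 ]; then
    audit_winbindd_logs "$1" "$2"
fi
```

A debug level passed to winbindd on the command line with `-d` does not appear in smb.conf, which is one reason status 2 still calls for tightening the file modes.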

- Related references

- Vulnerability credit

- Vulnerability information

Samba Machine Trust Account Local Information Disclosure Vulnerability
Design Error 17314
No Yes
2006-03-30 12:00:00 2006-12-07 08:39:00
The vendor disclosed this issue.

- Affected versions

Trustix Secure Linux 3.0
Trustix Secure Linux 2.2
Trustix Secure Enterprise Linux 2.0
Samba Samba 3.0.21
Samba Samba 3.0.21c
Samba Samba 3.0.21b
Samba Samba 3.0.21a
Red Hat Fedora Core5
Samba Samba 3.0.22
+ Ubuntu Ubuntu Linux 6.06 LTS sparc
+ Ubuntu Ubuntu Linux 6.06 LTS powerpc
+ Ubuntu Ubuntu Linux 6.06 LTS i386
+ Ubuntu Ubuntu Linux 6.06 LTS amd64

- Unaffected versions

Samba Samba 3.0.22
+ Ubuntu Ubuntu Linux 6.06 LTS sparc
+ Ubuntu Ubuntu Linux 6.06 LTS powerpc
+ Ubuntu Ubuntu Linux 6.06 LTS i386
+ Ubuntu Ubuntu Linux 6.06 LTS amd64

- Discussion

Samba is susceptible to a local information-disclosure vulnerability. This issue is due to a design error that potentially leads to sensitive information being written to log files. This occurs when the debugging level has been set to 5 or higher.

This issue allows local attackers to gain access to the machine trust account of affected computers. Attackers may then impersonate the affected server in the domain. By impersonating the member server, attackers may gain access to further sensitive information, including the users and groups in the domain; other information may also be available. This may aid attackers in further attacks.

Samba versions 3.0.21 through to 3.0.21c that use the 'winbindd' daemon are susceptible to this issue.

- Exploit

An exploit is not required.

- Solution

The vendor has released an advisory along with version 3.0.22 of Samba to address this issue. Patches are also available for previous releases.

Please see the referenced vendor advisories for details on obtaining and applying fixes.


Samba Samba 3.0.21c

Samba Samba 3.0.21b

Samba Samba 3.0.21a

Samba Samba 3.0.21

- Related references

 

 
