==========================================================================
Ubuntu Security Notice USN-4559-1
September 30, 2020
samba update
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
– Ubuntu 20.04 LTS
– Ubuntu 18.04 LTS
– Ubuntu 16.04 LTS
Summary:
Several security improvements were added to Samba.
Software Description:
– samba: SMB/CIFS file, print, and login server for Unix
Details:
Tom Tervoort discovered that the Netlogon protocol implemented by Samba
incorrectly handled the authentication scheme. A remote attacker could use
this issue to forge an authentication token and steal the credentials of
the domain admin.
While a previous security update fixed the issue by changing the “server
schannel” setting to default to “yes”, instead of “auto”, which forced a
secure netlogon channel, this update provides additional improvements.
For compatibility reasons with older devices, Samba now allows specifying
an insecure netlogon configuration per machine. See the following link for
examples: https://www.samba.org/samba/security/CVE-2020-1472.html
In addition, this update adds additional server checks for the protocol
attack in the client-specified challenge to provide some protection when
‘server schannel = no/auto’ and avoid the false-positive results when
running the proof-of-concept exploit.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 20.04 LTS:
samba 2:4.11.6+dfsg-0ubuntu1.5
Ubuntu 18.04 LTS:
samba 2:4.7.6+dfsg~ubuntu-0ubuntu2.20
Ubuntu 16.04 LTS:
samba 2:4.3.11+dfsg-0ubuntu0.16.04.31
In general, a standard system update will make all the necessary changes.
References:
https://usn.ubuntu.com/4559-1
CVE-2020-1472
Package Information:
https://launchpad.net/ubuntu/+source/samba/2:4.11.6+dfsg-0ubuntu1.5
https://launchpad.net/ubuntu/+source/samba/2:4.7.6+dfsg~ubuntu-0ubuntu2.20
https://launchpad.net/ubuntu/+source/samba/2:4.3.11+dfsg-0ubuntu0.16.04.31
—–BEGIN PGP SIGNATURE—–
iQIzBAEBCgAdFiEEUMSg3c8x5FLOsZtRZWnYVadEvpMFAl90lcgACgkQZWnYVadE
vpNyYw//YVFP4Hb6VgElVufBpE9BrDh9mrXUIvo/LNjmicmVjtlLpF6RGt262Xut
Dj1U2mM+U3xwNKHTHziDltlifefQJ59NWcvGYDhVFplTGGDcg/tgpwaovdxUKC0o
kNEUuE6iZeQc8hc9Vv8C4pwoOSp42wd79FpRmrb0hj+EMUs6weSB/ubeK+SwHT7m
ALUvo10LVWG9VofC+xA0A1oWbHphMhwxF7ikb+mLVaWMMvDir+tkTGVef6+NVCSw
8hfus7d2BwwTuKeN7G57wbR5OUFLSAS+Cq2v/RZyi/WaaZ4UGLixfq+UMPqg5t/d
sJAH+mIN8G8gS77elx6ZPSO+W48K42UwHL0WQGCfFaGCkYHcG1v+OcbeOsVQynga
ltmJokcc4h4eQr+97Ol/egQuKD4AHGeDDSmCzJaaPe+kqe/jVhHzxZjv2r21vdHN
WMuumjmO1QdecJU8/IbdtlFXJH5Rdrf/GMImPloNBEBuLQeAtPjcOOYI9KWzcvOz
W0Myqs3rvDKkU+si/a8hwOa4Kh3YimfdBYUz1mkJEGqt7f21mHhf4rS9qlgZriIM
tpkhKlZ1L1w3O5OJ7KnRf5jN1MYksAu40gF+GlylxS4izD+rOIv2OgybwJ6vTrNr
XCuOER2oyIAc7ZjZ3mskqfwVEOzZz1uiWaamdsZUuK7yMBVMTa4=
=UVS1
—–END PGP SIGNATURE—–
—