===========================================================
== Subject:     Denial of service attack against Windows
==              Active Directory server.
==
== CVE ID#:     CVE-2015-8467
==
== Versions:    Samba 4.0.0 to 4.3.2
==
== Summary:     Samba can expose Windows DCs to MS15-096
==              Denial of service via the creation of multiple
==              machine accounts.
==
==              (The Microsoft issue is CVE-2015-2535)
==
===========================================================

===========
Description
===========

Samba, operating as an AD DC, is sometimes operated in a domain with a
mix of Samba and Windows Active Directory Domain Controllers.

All versions of Samba from 4.0.0 to 4.3.2 inclusive, when deployed as
an AD DC in the same domain with Windows DCs, could be used to override
the protection against the MS15-096 / CVE-2015-2535 security issue in
Windows.

Prior to MS15-096 it was possible to bypass the quota of machine
accounts a non-administrative user could create.

Pure Samba domains are not impacted, as Samba does not implement the
SeMachineAccountPrivilege functionality to allow non-administrator
users to create new computer objects.

==================
Patch Availability
==================

Patches addressing this defect have been posted to

  https://www.samba.org/samba/history/security.html

Additionally, Samba 4.3.3, 4.2.7 and 4.1.22 have been issued as
security releases to correct the defect. Samba vendors and
administrators running affected versions as an AD DC in combination
with Windows AD DCs are advised to upgrade or apply the patch as soon
as possible.

==========
Workaround
==========

Only users with SeMachineAccountPrivilege can exploit this issue in
Windows, so removing this privilege from "Authenticated Users" provides
a mitigation.

=======
Credits
=======

This problem was found by Andrew Bartlett <abartlet@samba.org> of the
Samba Team and Catalyst (www.catalyst.net.nz), who also provided the
fix.
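The workaround above removes SeMachineAccountPrivilege from "Authenticated Users"; the following PowerShell audit, added here as an example and not part of the Samba advisory, reports who currently holds that privilege on a Windows DC and the domain's ms-DS-MachineAccountQuota, so an administrator can confirm the mitigation is in place. It assumes an elevated session on a DC with the ActiveDirectory RSAT module; the export path is arbitrary.

```powershell
# Added example (not from the Samba advisory): audit the two Windows-side
# settings that govern machine-account creation by non-administrators.
# Run in an elevated PowerShell session on a Windows DC in the mixed domain.
Import-Module ActiveDirectory

# 1. The per-user machine-account quota stored on the domain naming context.
$domain = Get-ADDomain
$quota  = (Get-ADObject -Identity $domain.DistinguishedName `
              -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
"ms-DS-MachineAccountQuota = $quota"

# 2. Holders of SeMachineAccountPrivilege ("Add workstations to domain")
#    in this DC's effective security policy, via a secedit export.
$cfg = Join-Path $env:TEMP 'secpol-export.inf'   # assumed scratch path
secedit.exe /export /cfg $cfg /quiet | Out-Null
$line = Select-String -Path $cfg -Pattern '^SeMachineAccountPrivilege\s*=' |
        Select-Object -First 1
Remove-Item $cfg -ErrorAction SilentlyContinue

if (-not $line) {
    "SeMachineAccountPrivilege is not assigned in the exported policy."
} else {
    # The right-hand side is a comma-separated list of *SID entries.
    $sids = ($line.Line -split '=', 2)[1].Trim() -split ',' |
            ForEach-Object { $_.Trim().TrimStart('*') }
    foreach ($sid in $sids) {
        $name = try {
            $sidObj = New-Object System.Security.Principal.SecurityIdentifier($sid)
            $sidObj.Translate([System.Security.Principal.NTAccount]).Value
        } catch { $sid }   # fall back to the raw SID if it cannot be resolved
        "SeMachineAccountPrivilege -> $name ($sid)"
    }
    # S-1-5-11 is the well-known SID of Authenticated Users; the advisory's
    # workaround is to remove it from this assignment.
    if ($sids -contains 'S-1-5-11') {
        "WARNING: Authenticated Users still hold SeMachineAccountPrivilege."
    }
}
```

On a domain controller the assignment is normally set by the Default Domain Controllers Policy, so a change made in Group Policy appears in this export only after policy has been refreshed.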