CVSS2
Attack Vector
LOCAL
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:M/Au:N/C:C/I:C/A:C
EPSS
Percentile
12.7%
The idmap_ad.so library provides an nss_info extension to Winbind
for retrieving a userβs home directory path, login shell and
primary group id from an Active Directory domain controller. This
functionality is enabled by defining the βwinbind nss infoβ
smb.conf option to either βsfuβ or βrfc2307β.
Both the Windows βIdentity Management for Unixβ and βServices for
Unixβ MMC plug-ins allow a user to be assigned a primary group
for Unix clients that differs from the userβs Windows primary group.
When the rfc2307 or sfu nss_info plugin has been enabled, in
the absence of either the RFC2307 or SFU primary group attribute,
Winbind will assign a primary group ID of 0 to the domain user
queried using the getpwnam() C library call.
A patch addressing this defect has been posted to
http://www.samba.org/samba/security/
Additionally, Samba 3.0.26 has been issued as a security
release to correct the defect.
Samba and Active Directory administrators may avoid this security
issue by two methods:
(a) Ensure that all userβs stored in AD are properly assigned a
Unix primary group, or
(b) Discontinue use of the sfu or rfc2307 βwinbind nss infoβ plugin
until a patched version of the idmap_ad.so library can be
installed.
Note that the problem is only evident on servers using the sfu
or rfc2307 βwinbind nss infoβ plugin and not those only making
use of Winbindβs idmap_ad IDMap backend interface.
This vulnerability was reported to Samba developers by Rick King
as Samba Bug #4927.
The time line is as follows:
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team