<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<title>Samba - Security Announcement Archive</title>
<H2>CVE-2013-4476.html:</H2>
===========================================================
== Subject: Private key in key.pem world readable
== CVE ID#: CVE-2013-4476
== Versions: Samba 4.0.0 - 4.0.10 (inclusive),
== Samba 4.1.0 (inclusive)
== Summary: In setups which provide ldap(s) and/or
== https services, the private key for SSL/TLS encryption
== might be world readable. This typically happens in
== active directory domain controller setups.
===========================================================
Due to incorrect directory and file permissions a local attacker might
obtain the private key that is used for the SSL/TLS encryption for
ldaps (including STARTTLS on ldap) and https network traffic.

The attacker is then able to decrypt encrypted network traffic which
may contain confidential information like passwords.

Note that the http(s) service is not started by default, only if the
"server services" option contains "web".

The ldap(s) service is only started if Samba is configured as an
active directory domain controller.
$ samba-tool testparm -v --suppress-prompt | grep 'server role'
server role = active directory domain controller

$ samba-tool testparm -v --suppress-prompt | grep 'server service'
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns

$ samba-tool testparm -v --suppress-prompt | grep tls
tls keyfile = tls/key.pem
tls certfile = tls/cert.pem
tls cafile = tls/ca.pem

$ samba-tool testparm -v --suppress-prompt | grep 'private dir'
private dir = /var/lib/samba/private

The full path to the keyfile is ${private_dir}/${tls_keyfile},
e.g. /var/lib/samba/private/tls/key.pem.
The tls certificates are autogenerated and self-signed on the first
start of 'samba'. With the unpatched Samba versions the permissions
typically look like this:
$ ls -lad /var/lib/samba
drwxr-xr-x 7 root root 4096 Feb 13 2013 /var/lib/samba

$ ls -lad /var/lib/samba/private
drwxr-xr-x 6 root root 4096 Sep 24 04:00 /var/lib/samba/private

$ ls -la /var/lib/samba/private/tls/
drwxr-xr-x 2 root root 4096 Feb 5 2013 .
drwxr-xr-x 6 root root 4096 Sep 24 04:00 ..
-rw-r--r-- 1 root root 985 Feb 5 2013 ca.pem
-rw-r--r-- 1 root root 985 Feb 5 2013 cert.pem
-rw-r--r-- 1 root root 883 Feb 5 2013 key.pem
Note: Your vendor/packager might have installed the private directory
with more restrictive permissions (0750 or 0700).

In all cases you should change the permissions of the 'tls' directory

You should remove ca.pem, cert.pem and key.pem and let a (re)start of
'samba' take care of autogenerating a new set of files, if you are not
100% certain that key.pem was protected all the time by parent
directory permissions.

If you can be 100% certain that key.pem has never been exposed to
unauthorized access, you may just change its permissions to 0600, if
you really have a good reason to keep the existing keys.

Note: A patched version of Samba will refuse to start if the
permissions of key.pem are not 0600.

Follow the instructions for autoregenerating the related files above
and change the permissions of key.pem to 0600 yourself.
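The permission audit and the two remediation paths described above, as an added shell example that is not part of the Samba advisory or of the Samba project's own code. It assumes a GNU `stat -c` (with a fallback to BSD `stat -f`) and a tls directory laid out as shown in the listing above (`${private_dir}/tls/{ca,cert,key}.pem`); the demo at the end runs against a constructed temporary directory, not a real Samba installation, and restarting 'samba' after regeneration is left to the administrator.

```shell
#!/bin/sh
# Added example, not from the Samba advisory or the Samba project.
# Audits the permissions the advisory describes and applies either
# remediation path. Assumes GNU `stat -c` (falls back to BSD `stat -f`).

# Octal permission bits of a path, e.g. 644 or 700.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# 0 if the key file is exactly 0600 (what a patched samba insists on).
key_is_private() {
    [ "$(file_mode "$1")" = "600" ]
}

# 0 if the directory is 0700, so the parent shields its contents.
dir_is_private() {
    [ "$(file_mode "$1")" = "700" ]
}

# Audit one tls directory: print a warning per finding, return 1 if any.
audit_tls_dir() {
    tlsdir="$1"
    rc=0
    if ! dir_is_private "$tlsdir"; then
        echo "WARN: $tlsdir is mode $(file_mode "$tlsdir"), expected 700"
        rc=1
    fi
    if [ -f "$tlsdir/key.pem" ] && ! key_is_private "$tlsdir/key.pem"; then
        echo "WARN: $tlsdir/key.pem is mode $(file_mode "$tlsdir/key.pem"), expected 600"
        rc=1
    fi
    return $rc
}

# Path 1 (key may have been exposed): drop the files so the next start
# of 'samba' autogenerates a fresh self-signed set; tighten the directory.
regenerate_tls() {
    rm -f "$1/ca.pem" "$1/cert.pem" "$1/key.pem"
    chmod 0700 "$1"
    echo "removed tls files in $1; restart samba to regenerate them"
}

# Path 2 (key was always shielded): keep the keys, tighten the modes.
fix_perms() {
    chmod 0700 "$1"
    chmod 0600 "$1/key.pem"
}

# Demo on a constructed directory that mimics the unpatched layout
# (755 directory, 644 files), then applies path 2 and re-audits.
demo=$(mktemp -d)
mkdir -m 755 "$demo/tls"
for f in ca.pem cert.pem key.pem; do
    : > "$demo/tls/$f"
    chmod 644 "$demo/tls/$f"
done
audit_tls_dir "$demo/tls" || echo "findings above; applying fix_perms"
fix_perms "$demo/tls"
audit_tls_dir "$demo/tls" && echo "OK: $demo/tls now passes the fixed-version check"
rm -rf "$demo"
```

Run `audit_tls_dir /var/lib/samba/private/tls` (substituting the 'private dir' reported by `samba-tool testparm`) to get the same verdict a patched samba applies at startup; choose `regenerate_tls` unless you can rule out that key.pem was ever readable by unprivileged users.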
A patch addressing this defect has been posted to

http://www.samba.org/samba/security/

Additionally, Samba 4.0.11 and 4.1.1 have been issued as security
releases to correct the defect. Samba vendors and administrators
running affected versions are advised to upgrade or apply the patch as
soon as possible or manually apply the workaround.

In the fixed version, samba refuses to start if the permissions of
/var/lib/samba/private/tls/key.pem are not 0600.
This problem was found by an internal audit of the Samba code by
Stefan Metzmacher and Björn Baumbach of SerNet.

Patches provided by Björn Baumbach of SerNet.