CPNI - Centre for the Protection of National Infrastructure

March 2006

Samba Security Advisory: CAN_2006-1059 - Exposure of machine account credentials in winbindd log files

ID: 00257
Ref: 255/2006
Date: 31 March 2006:14:10:51
Version: 1

Title: Samba Security Advisory: CAN_2006-1059 - Exposure of machine account credentials in winbindd log files
Abstract:
Vendors affected: Samba
Operating systems affected: Samba
Applications affected: Samba

Detail
======


- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

==========================================================
==
== Subject: Exposed clear text of domain machine
== account password in debug logs (log
== level >= 5)
== CVE ID#: CAN_2006-1059
==
== Versions: Samba 3.0.21 - 3.0.21c (inclusive)
==
== Summary: The winbindd daemon writes the clear text
== of the machine trust account password to
== log files. These log files are world
== readable by default.
==
==========================================================


===========
Description
===========

The machine trust account password is the secret shared
between a domain controller and a specific member server.
Access to the member server machine credentials allows
an attacker to impersonate the server in the domain and
gain access to additional information regarding domain
users and groups.

The winbindd daemon included in Samba 3.0.21 and subsequent
patch releases (3.0.21a-c) writes the clear text of the
server's machine credentials to its log file at level 5. The
winbindd log files are world readable by default, and log
files are often requested on open mailing lists as an aid to
debugging server misconfigurations.

This affects servers configured to use domain or ads security
and possibly Samba domain controllers as well (if configured
to use winbindd).


==================
Patch Availability
==================

Samba 3.0.22 has been released to address this one security
defect. A patch for Samba 3.0.21[a-c] has been posted at

http://www.samba.org/samba/security/

An unpatched server may be protected by ensuring that
non-administrative users are unable to read any winbindd
log files generated at level 5 or greater.


=======
Credits
=======

This security issue was discovered during an internal security
audit of the Samba source code by the Samba Team.


==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFEK2piIR7qMdg1EfYRAtVZAJ4oUqLY1NKkqC1FeA0wDyVunB5ZmACeMz4J
NbgcM9b7xY7GKWJYsNBPb8g=
=kGSA
- -----END PGP SIGNATURE-----
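
The workaround under "Patch Availability" can be checked and applied with a short script. This is an added example, not part of the Samba advisory or of Samba itself. It assumes the log file name patterns `log.winbindd*` and `log.wb-*`, and takes the log directory and smb.conf path from the caller.

```shell
#!/bin/sh
# Added example: audit for the winbindd log exposure in this advisory.
# Assumed, not from the advisory: the file-name patterns below and the
# paths passed by the caller (often /var/log/samba, /etc/samba/smb.conf).

# List winbindd log files under directory $1 that any local user can read.
world_readable_winbindd_logs() {
    find "$1" -type f \( -name 'log.winbindd*' -o -name 'log.wb-*' \) \
        -perm -004 -print 2>/dev/null | sort
}

# Print the highest debug level set in smb.conf file $1, counting
# per-class values such as "log level = 1 winbind:5". Prints 0 if unset.
max_log_level() {
    awk -F= '
    { key = tolower($1); gsub(/[ \t]/, "", key) }
    key == "loglevel" || key == "debuglevel" {
        n = split($2, tok, /[ \t,]+/)
        for (i = 1; i <= n; i++) {
            sub(/^.*:/, "", tok[i])
            if (tok[i] ~ /^[0-9]+$/ && tok[i] + 0 > max) max = tok[i] + 0
        }
    }
    END { print max + 0 }' "$1"
}

# Report status for log dir $1 and config $2. Returns 1 when readable
# logs exist, since files written earlier at level 5 may still be there.
audit_winbindd_logs() {
    exposed=$(world_readable_winbindd_logs "$1")
    level=$(max_log_level "$2")
    [ "$level" -ge 5 ] && echo "WARNING: log level $level writes the machine password"
    [ -z "$exposed" ] && { echo "OK: no world-readable winbindd logs"; return 0; }
    echo "World-readable winbindd logs:"; echo "$exposed"
    return 1
}

# Apply the advisory's workaround: drop group/other access on those files.
restrict_winbindd_logs() {
    world_readable_winbindd_logs "$1" | while IFS= read -r f; do
        chmod go-rwx "$f"
    done
}

# Usage: sh audit.sh LOGDIR SMBCONF
if [ "$#" -eq 2 ]; then audit_winbindd_logs "$1" "$2"; fi
```

The configured level is only part of the picture: winbindd can also be given a debug level on its command line with `-d`, so readable log files are reported whatever smb.conf says.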