==========================================================
==
== Subject:     Exposed clear text of domain machine
==              account password in debug logs (log
==              level >= 5)
==
== CVE ID#:     CAN-2006-1059
==
== Versions:    Samba 3.0.21 - 3.0.21c (inclusive)
==
== Summary:     The winbindd daemon writes the clear text
==              of the machine trust account password to
==              log files.  These log files are world
==              readable by default.
==
==========================================================

===========
Description
===========

The machine trust account password is the secret shared between a
domain controller and a specific member server.  Access to the member
server's machine credentials allows an attacker to impersonate the
server in the domain and gain access to additional information
regarding domain users and groups.

The winbindd daemon included in Samba 3.0.21 and the subsequent patch
releases (3.0.21a-c) writes the clear text of the server's machine
credentials to its log file at log level 5.  The winbindd log files
are world readable by default, and log files are often requested on
open mailing lists as a tool for debugging server misconfigurations.

This affects servers configured to use domain or ads security, and
possibly Samba domain controllers as well (if configured to use
winbindd).

==================
Patch Availability
==================

Samba 3.0.22 has been released to address this one security defect.
A patch for Samba 3.0.21[a-c] has been posted at

  http://www.samba.org/samba/security/

An unpatched server may be protected by ensuring that
non-administrative users are unable to read any winbindd log files
generated at level 5 or greater.

=======
Credits
=======

This security issue was discovered during an internal security audit
of the Samba source code by the Samba Team.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
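As an added example (not part of this advisory or of Samba itself), the following POSIX shell script checks the two conditions the advisory combines on an unpatched server: a global "log level" of 5 or higher in smb.conf, and log.winbindd* files readable by users other than their owner. The smb.conf path, the log directory and the log.winbindd* file naming are assumptions to adjust for your installation.

```shell
#!/bin/sh
# Added example, not from the Samba advisory or the Samba project.
# Audits an smb.conf and a Samba log directory for the exposure described
# in CAN-2006-1059: winbindd at log level >= 5 writing the machine
# account password into logs that non-root users can read.

# Print the global "log level" number from an smb.conf (0 if unset).
# A value such as "log level = 5 winbind:10" yields the leading number.
smb_log_level() {
    lvl=$(sed -n 's/^[[:space:]]*log level[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | tail -n 1)
    echo "${lvl:-0}"
}

# Print each log.winbindd* file under $1 whose mode grants read access
# to "other" (e.g. the 0644 default the advisory calls world readable).
# The file name pattern is an assumption; adjust it if "log file" differs.
world_readable_winbind_logs() {
    for f in "$1"/log.winbindd*; do
        [ -f "$f" ] || continue
        # 8th character of the ls mode string is the "other" read bit
        [ "$(ls -ld "$f" | cut -c8)" = "r" ] && echo "$f"
    done
    return 0
}

# Return 0 when the server is not exposed, 1 when a log written at
# level >= 5 is readable by non-administrative users.
audit_winbind_logs() {
    conf="$1"; logdir="$2"
    level=$(smb_log_level "$conf")
    exposed=$(world_readable_winbind_logs "$logdir")
    if [ "$level" -ge 5 ] && [ -n "$exposed" ]; then
        echo "RISK: log level $level with world-readable winbindd logs:" >&2
        echo "$exposed" >&2
        return 1
    fi
    echo "ok: log level $level, no world-readable winbindd logs at level >= 5"
    return 0
}
```

Run it as `audit_winbind_logs /etc/samba/smb.conf /var/log/samba`; a non-zero exit means either lower the log level or restrict the listed files to root until the patch is applied.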