This document contains useful information about easy-samba security and known vulnerabilities.
An easy-samba security vulnerability is named ESV-# (where # is the counter, e.g. ESV-1).
Static function ConfigGen.genRandomPassword() of ConfigGen.js library has a security vulnerability, present since its debut in ConfigGen.js version 1.7.0. The purpose of this function is to generate a random password of variable length.
This function is used also in other methods of ConfigGen.js library (i.e. config.users.add() and config.users.addArray()).
Moreover, easy-samba since version 1.12.0 makes use of ConfigGen.genRandomPassword() in Remote API, in order to generate a random token in case none is provided.
Severity is moderate, because passwords generated with ConfigGen.genRandomPassword() may follow a predictable pattern, so that an attacker would be able to predict some chars of the next random passwords. In practice, this is a very remote scenario.
No case of successful exploit is known.
The only available fix is to update easy-samba and ConfigGen.js library to version 1.18.2 or newer.
In easy-samba versions 1.17.0-1.18.0, Remote API feature certificate-negotiation makes an improper use of AES-256-CTR encryption algorithm.
certificate-negotiation feature is used (for example, in ConfigGen.js library) in order to automatically get the remote container's HTTPS certificate (and not manually supply one). When a remote client wants to retrieve the remote container's certificate, it sends a request to the Remote API server (i.e. easy-samba), and the server replies with the certificate encrypted using the secret token as password. This way, the remote client can verify if the certificate is authentic, by decrypting the latter with the secret token.
Severity is moderate, because an attacker may eavesdrop the communication between a remote client and the easy-samba container, and in some way may be able to pass a malevolent certificate to the remote client and thus steal the secret token.
In practice, since the encrypted content is not confidential (Remote API certificate is public), this security vulnerability should not be harmful.
No case of successful exploit is known.
The only available fix is to update easy-samba to version 1.18.1 or newer.
If you are not able to update easy-samba and/or remote client's ConfigGen.js library, you should stop using certificate-negotiation feature, by manually passing the container's certificate to ConfigGen.remote() function.
SEE ALSO: changelog of
easy-sambaversion1.18.1
In easy-samba versions 1.11.0-1.16.1, Remote API implementation unsafely checks the token sent by a remote client.
Severity is moderate, because an attacker may perform a timing attack in order to steal the secret token of Remote API. If the token gets stolen, the attacker may get access to confidential data, and may cause denial of service in several ways.
No case of successful exploit is known.
The only available fix is to update easy-samba to version 1.17.0 or newer.
First versions of easy-samba didn't check password property of users defined in config.json file. Since easy-samba passes password property as stdin to Linux command passwd during users creation phase, this is a potential security vulnerability.
Severity is low enough, because an attacker that is able to malevolently modify a password property in config.json file has also root privilege. Since the attacker has already root privilege, they can cause more serious damage directly, without the need of exploit password property.
The only available fix is to update easy-samba to version 1.0.2 or newer.