CVE-2013-0172:

===========================================================
== Subject:     A Samba AD DC may provide authenticated users with
==		write access to LDAP directory objects.
==
== CVE ID#:     CVE-2013-0172
==
== Versions:    4.0.0
==
== Summary:     Samba 4.0.0 as an AD DC may provide authenticated users with
==              write access to LDAP directory objects.
===========================================================

===========
Description
===========

In AD, Access Control Entries can be assigned based on the objectClass
of the object.  If a user or a group the user is a member of has any
access based on the objectClass, then that user has write access to that
object.

Additionally, if a user has write access to any attribute on the object,
they may have access to write to all attributes.

An important mitigation is that anonymous access is totally disabled by
default.  The second important mitigation is that normal users are
typically only given the problematic per-objectClass right via the
"pre-windows 2000 compatible access" group, and Samba 4.0.0 incorrectly
does not make "authenticated users" part of this group.

==================
Patch Availability
==================

Patches addressing this issues have been posted to:

    http://www.samba.org/samba/security/

Additionally, Samba 4.0.1 has been issued as security releases to correct
the defect.  Samba administrators are advised to upgrade to this releases
or apply the patch as soon as possible.

==========
Workaround
==========

There is no workaround available at this time.

=======
Credits
=======

This issue was found by Andrew Bartlett <abartlet@samba.org> as part of
normal code auditing activities in Samba.


==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================