Debian DSA-3983-1 : samba - security update

high Nessus Plugin ID 103432

Synopsis

The remote Debian host is missing a security-related update.

Description

Multiple security issues have been discoverd in Samba, a SMB/CIFS file, print, and login server for Unix :

- CVE-2017-12150 Stefan Metzmacher discovered multiple code paths where SMB signing was not enforced.

- CVE-2017-12151 Stefan Metzmacher discovered that tools using libsmbclient did not enforce encryption when following DFS redirects, which could allow a man-in-the-middle attacker to read or modify connections which were meant to be encrypted.

- CVE-2017-12163 Yihan Lian and Zhibin Hu discovered that insufficient range checks in the processing of SMB1 write requests could result in disclosure of server memory.

Solution

Upgrade the samba packages.

For the oldstable distribution (jessie), these problems have been fixed in version 2:4.2.14+dfsg-0+deb8u8.

For the stable distribution (stretch), these problems have been fixed in version 2:4.5.8+dfsg-2+deb9u2.

See Also

https://security-tracker.debian.org/tracker/CVE-2017-12150

https://security-tracker.debian.org/tracker/CVE-2017-12151

https://security-tracker.debian.org/tracker/CVE-2017-12163

https://packages.debian.org/source/jessie/samba

https://packages.debian.org/source/stretch/samba

https://www.debian.org/security/2017/dsa-3983

Plugin Details

Severity: High

ID: 103432

File Name: debian_DSA-3983.nasl

Version: 3.6

Type: local

Agent: unix

Published: 9/25/2017

Updated: 1/4/2021

Supported Sensors: Agentless Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.2

CVSS v2

Risk Factor: Medium

Base Score: 5.8

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N

CVSS v3

Risk Factor: High

Base Score: 7.4

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:samba, cpe:/o:debian:debian_linux:8.0, cpe:/o:debian:debian_linux:9.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Patch Publication Date: 9/22/2017

Reference Information

CVE: CVE-2017-12150, CVE-2017-12151, CVE-2017-12163

DSA: 3983