Samba 3.x < 3.6.22 / 4.0.x < 4.0.13 / 4.1.x < 4.1.3 Multiple Vulnerabilities

This script is Copyright (C) 2013-2014 Tenable Network Security, Inc.


Synopsis :

The remote Samba server is affected by multiple vulnerabilities.

Description :

According to its banner, the version of Samba running on the remote
host is 3.3.x equal to or later than 3.3.10, 3.4.x, 3.5.x, 3.6.x prior
to 3.6.22, 4.0.x prior to 4.0.13, or 4.1.x prior to 4.1.3. It is,
therefore, potentially affected by multiple vulnerabilities :

- A security bypass vulnerability exists in the
'winbind_name_list_to_sid_string_list()' function of the
'nsswitch/pam_winbind.c' source file. Exploitation could
allow a malicious, authenticated user to access the
'pam_winbind' configuration file. (CVE-2012-6150)

- A buffer overflow exists in the
'dcerpc_read_ncacn_packet_done' function of the
'librpc/rpc/dcerpc_util.c' source file that could allow
remote AD domain controllers to execute arbitrary code
on the remote host via a DCE-RPC packet with an invalid
fragment length. (CVE-2013-4408)

Note that Nessus has relied only on the self-reported version number and
has not actually tried to exploit this issue or determine if the
associated patch has been applied.
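
The banner-only check described above can be reproduced for triage as follows. This is an added example, not Tenable's plugin code; the function name 'classify_banner' and the banner strings are constructed for illustration, and it marks vendor-suffixed builds for manual review because a backported fix does not change the upstream version number.

```python
import re

# Affected ranges from the plugin description above.
# (major, minor) -> (first flagged patch level, first fixed patch level or None)
RANGES = {
    (3, 3): (10, None),  # 3.3.x equal to or later than 3.3.10
    (3, 4): (0, None),
    (3, 5): (0, None),
    (3, 6): (0, 22),     # fixed in 3.6.22
    (4, 0): (0, 13),     # fixed in 4.0.13
    (4, 1): (0, 3),      # fixed in 4.1.3
}

# "Samba x.y.z" with an optional packaging suffix such as "-151.el6".
BANNER_RE = re.compile(r"Samba (\d+)\.(\d+)\.(\d+)(-\S+)?")


def classify_banner(banner):
    """Return (status, note); status is 'flagged', 'not-flagged' or 'unknown'."""
    m = BANNER_RE.search(banner)
    if m is None:
        return ("unknown", "no Samba x.y.z version in banner")
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3))
    limits = RANGES.get((major, minor))
    if limits is None:
        return ("not-flagged", "branch is not in the listed ranges")
    first, fixed = limits
    if patch < first or (fixed is not None and patch >= fixed):
        return ("not-flagged", "patch level is outside the listed range")
    if m.group(4):
        # Distribution builds often keep the upstream number and backport fixes.
        return ("flagged", "vendor build: confirm backported fix in package changelog")
    return ("flagged", "upstream version inside the listed range")


if __name__ == "__main__":
    # Constructed banner strings, not captured from real hosts.
    for b in ["Samba 3.6.21", "Samba 3.6.22", "Samba 3.3.9",
              "Samba 4.1.2", "Samba 3.6.9-151.el6", "Windows 6.1"]:
        print(b, "->", classify_banner(b))
```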

See also :

https://www.samba.org/samba/security/CVE-2012-6150
https://www.samba.org/samba/security/CVE-2013-4408
https://www.samba.org/samba/history/
https://www.samba.org/samba/history/security.html

Solution :

Upgrade to version 3.6.22 / 4.0.13 / 4.1.3 or later, or refer to the
vendor for a patch or workaround.

Risk factor :

High / CVSS Base Score : 7.6
(CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 6.6
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : false

Family: Misc.

Nessus Plugin ID: 71377

Bugtraq ID: 64101
64191

CVE ID: CVE-2012-6150
CVE-2013-4408