Samba < 3.6.23 / 4.0.16 / 4.1.6 Multiple Vulnerabilities

High

Synopsis

The remote version of Samba is outdated and thus affected by multiple vulnerabilities.

Description

Versions of Samba older than 3.6.23 / 4.0.16 / 4.1.6 are unpatched for the following vulnerabilities:

- An information disclosure vulnerability caused by an error in the Security Account Manager Remote (SAMR) implementation, which fails to properly validate the lockout state of user accounts after a given number of bad password attempts. (CVE-2013-4496)

- An error in the 'smbcacls' command causes it to remove access control lists (ACLs) when run with the '--chown' or '--chgrp' option. The resulting unintended administrative change could be leveraged by a remote attacker to bypass intended restrictions. (CVE-2013-6442)

Solution

Install the patch referenced in the project's advisory, or upgrade to 3.6.23 / 4.0.16 / 4.1.6 or later.
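The "older than 3.6.23 / 4.0.16 / 4.1.6" condition is branch-aware: 3.6.x is fixed from 3.6.23, 4.0.x from 4.0.16, 4.1.x from 4.1.6, anything before 3.6 is unpatched and anything after 4.1 shipped with the fix. The following added example (not the scanner's or the Samba project's own code) applies that logic to a version banner such as the output of `smbd --version`; the banner format and the `parse_version`/`is_vulnerable` names are assumptions.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# First fixed release per affected branch, as stated in the advisory above.
FIXED_BY_BRANCH = {
    (3, 6): (3, 6, 23),
    (4, 0): (4, 0, 16),
    (4, 1): (4, 1, 6),
}
OLDEST_FIXED_BRANCH = (3, 6)  # every branch before 3.6 is unpatched
NEWEST_FIXED_BRANCH = (4, 1)  # branches after 4.1 already carry the fix

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(banner: str) -> Optional[Version]:
    """Extract major.minor.patch from a banner like 'Version 4.1.5-Ubuntu'
    (constructed sample format). Returns None if no version is present."""
    match = _VERSION_RE.search(banner)
    if not match:
        return None
    major, minor, patch = (int(x) for x in match.groups())
    return (major, minor, patch)


def is_vulnerable(banner: str) -> Optional[bool]:
    """True if the version predates the fix for its branch, False if it is
    fixed, None if undecidable (no version parsed, or an unlisted branch
    between 3.6 and 4.1), which should be escalated to a manual check."""
    version = parse_version(banner)
    if version is None:
        return None
    branch = version[:2]
    if branch < OLDEST_FIXED_BRANCH:
        return True
    if branch > NEWEST_FIXED_BRANCH:
        return False
    fixed = FIXED_BY_BRANCH.get(branch)
    if fixed is None:
        return None
    return version < fixed


if __name__ == "__main__":
    # Constructed sample banners, not captured from a real host.
    for banner in ("Version 4.1.5-Ubuntu", "Version 4.1.6", "Version 3.5.21"):
        print(f"{banner!r}: vulnerable={is_vulnerable(banner)}")
```

A banner check alone cannot see distribution backports, so a host reporting a pre-fix version string may already carry the patch referenced in the Solution; confirm against the vendor's changelog before reporting it as unpatched.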