Samba 4.x < 4.1.22 Multiple Vulnerabilities

medium Nessus Network Monitor Plugin ID 9346

Synopsis

The remote Samba server is affected by a multiple security issues.

Description

According to its banner, the version of Samba is 4.x earlier than 4.1.22. It is therefore affected by the following vulnerabilities :

- A flaw exists in the 'ldb_wildcard_compare()' function in 'lib/ldb/common/ldb_match.c' that is triggered when handling LDAP requests. This may allow a remote attacker to exhaust available CPU resources. (CVE-2015-3223)
- A flaw exists in the 'check_reduced_name_with_privilege()' and 'check_reduced_name()' functions in 'smbd/vfs.c' that allows traversing outside of a restricted path. The issue is due to users being permitted to follow symlinks pointing to resources in another directory that shares a common path prefix. This may allow a remote attacker to access files outside the exported share path. According to the vendor, exploitation requires that a Samba share "is configured with a path that shares a common path prefix with another directory on the file system". (CVE-2015-5252)
- A flaw exists that is triggered when handling encrypted client sessions due to missing signing. This may allow a Man-in-the-Middle (MitM) attacker to downgrade the security of the connection, making it easier to break the encryption and monitor or manipulate communication. (CVE-2015-5296)
- A flaw exists in the 'shadow_copy2_get_shadow_copy_data()' function in 'modules/vfs_shadow_copy2.c' due to missing access control checks when accessing snapshots. This may allow an authenticated, remote attacker to gain knowledge of potentially sensitive information. (CVE-2015-5299)
- An unspecified flaw exists that is triggered when handling LDAP requests. This may allow a remote attacker to disclose uninitialized memory contents. (CVE-2015-5330)
- A flaw exists in 'libcli/ldap/ldap_message.c' that is triggered when handling LDAP requests. This may allow a remote attacker to exhaust available memory resources and potentially cause the process to be terminated. (CVE-2015-7540)
- A flaw exists in the 'samldb_check_user_account_control_acl()' function in 'dsdb/samdb/ldb_modules/samldb.c' that is triggered when operating as an Active Directory domain controller. This may allow a remote attacker to bypass a certain Microsoft patch for Windows AD DCs in the same domain and crash them. (CVE-2015-8467)

Solution

Upgrade Samba to version 4.1.22 or later.

See Also

https://www.samba.org/samba/security/CVE-2015-3223.html

https://www.samba.org/samba/security/CVE-2015-5252.html

https://www.samba.org/samba/security/CVE-2015-5296.html

https://www.samba.org/samba/security/CVE-2015-5299.html

https://www.samba.org/samba/security/CVE-2015-5330.html

https://www.samba.org/samba/security/CVE-2015-7540.html

https://www.samba.org/samba/security/CVE-2015-8467.html

http://www.samba.org/samba/history/samba-4.1.22.html

Plugin Details

Severity: Medium

ID: 9346

Family: Samba

Published: 6/9/2016

Updated: 3/6/2019

Nessus ID: 87768, 89144, 89376

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Medium

Base Score: 6

Temporal Score: 4.4

Vector: CVSS2#AV:N/AC:M/Au:S/C:P/I:P/A:P

CVSS v3

Risk Factor: Medium

Base Score: 5

Temporal Score: 4.4

Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:samba:samba

Patch Publication Date: 8/12/2004

Vulnerability Publication Date: 8/12/2004

Reference Information

CVE: CVE-2015-3223, CVE-2015-5252, CVE-2015-5296, CVE-2015-5299, CVE-2015-5330, CVE-2015-7540, CVE-2015-8467

BID: 79732, 79733, 79729, 79731, 79736, 79734, 79735