CVE-2015-3223

medium
New! CVE Severity Now Using CVSS v3

The calculated severity for CVEs has been updated to use CVSS v3 by default. CVEs that do not have a CVSS v3 score will fall back CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Description

The ldb_wildcard_compare function in ldb_match.c in ldb before 1.1.24, as used in the AD LDAP server in Samba 4.x before 4.1.22, 4.2.x before 4.2.7, and 4.3.x before 4.3.3, mishandles certain zero values, which allows remote attackers to cause a denial of service (infinite loop) via crafted packets.

References

http://lists.fedoraproject.org/pipermail/package-announce/2015-December/174076.html

http://lists.fedoraproject.org/pipermail/package-announce/2015-December/174391.html

http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00019.html

http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00020.html

http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00032.html

http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00033.html

http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00042.html

http://www.debian.org/security/2016/dsa-3433

http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html

http://www.securityfocus.com/bid/79731

http://www.securitytracker.com/id/1034493

http://www.ubuntu.com/usn/USN-2855-1

http://www.ubuntu.com/usn/USN-2855-2

http://www.ubuntu.com/usn/USN-2856-1

https://bugzilla.redhat.com/show_bug.cgi?id=1290287

https://git.samba.org/?p=samba.git;a=commit;h=aa6c27148b9d3f8c1e4fdd5dd46bfecbbd0ca465

https://git.samba.org/?p=samba.git;a=commit;h=ec504dbf69636a554add1f3d5703dd6c3ad450b8

https://security.gentoo.org/glsa/201612-47

https://www.samba.org/samba/security/CVE-2015-3223.html

Details

Source: MITRE

Published: 2015-12-29

Updated: 2016-12-31

Type: CWE-189

Risk Information

CVSS v2

Base Score: 5

Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

Impact Score: 2.9

Exploitability Score: 10

Severity: MEDIUM

CVSS v3

Base Score: 5.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Impact Score: 1.4

Exploitability Score: 3.9

Severity: MEDIUM

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:samba:samba:4.0.0:*:*:*:*:*:*:*

cpe:2.3:a:samba:samba:4.0.1:*:*:*:*:*:*:*

cpe:2.3:a:samba:samba:4.0.2:*:*:*:*:*:*:*

cpe:2.3:a:samba:samba:4.0.3:*:*:*:*:*:*:*

cpe:2.3:a:samba:samba:4.0.4:*:*:*:*:*:*:*

cpe:2.3:a:samba:samba:4.0.5:*:*:*:*:*:*:*

cpe:2.3:a:samba:samba:4.0.6:*:*:*:*:*:*:*

cpe:2.3:a:samba:samba:4.0.7:*:*:*:*:*:*:*

cpe:2.3:a:samba:samba:4.0.8:*:*:*:*:*:*:*

cpe:2.3:a:samba:samba:4.0.9:*:*:*:*:*:*:*

cpe:2.3:a:samba:samba:4.0.10:*:*:*:*:*:*:*

cpe:2.3:a:samba:samba:4.0.11:*:*:*:*:*:*:*

cpe:2.3:a:samba:samba:4.0.12:*:*:*:*:*:*:*

cpe:2.3:a:samba:samba:4.0.13:*:*:*:*:*:*:*

cpe:2.3:a:samba:samba:4.0.14:*:*:*:*:*:*:*

cpe:2.3:a:samba:samba:4.0.15:*:*:*:*:*:*:*

cpe:2.3:a:samba:samba:4.0.16:*:*:*:*:*:*:*

cpe:2.3:a:samba:samba:4.0.17:*:*:*:*:*:*:*

cpe:2.3:a:samba:samba:4.0.18:*:*:*:*:*:*:*

cpe:2.3:a:samba:samba:4.0.19:*:*:*:*:*:*:*

cpe:2.3:a:samba:samba:4.0.20:*:*:*:*:*:*:*

cpe:2.3:a:samba:samba:4.0.21:*:*:*:*:*:*:*

cpe:2.3:a:samba:samba:4.0.22:*:*:*:*:*:*:*

cpe:2.3:a:samba:samba:4.0.23:*:*:*:*:*:*:*

cpe:2.3:a:samba:samba:4.0.24:*:*:*:*:*:*:*

cpe:2.3:a:samba:samba:4.1.0:*:*:*:*:*:*:*

cpe:2.3:a:samba:samba:4.1.1:*:*:*:*:*:*:*

cpe:2.3:a:samba:samba:4.1.2:*:*:*:*:*:*:*

cpe:2.3:a:samba:samba:4.1.3:*:*:*:*:*:*:*

cpe:2.3:a:samba:samba:4.1.4:*:*:*:*:*:*:*

cpe:2.3:a:samba:samba:4.1.5:*:*:*:*:*:*:*

cpe:2.3:a:samba:samba:4.1.6:*:*:*:*:*:*:*

cpe:2.3:a:samba:samba:4.1.7:*:*:*:*:*:*:*

cpe:2.3:a:samba:samba:4.1.8:*:*:*:*:*:*:*

cpe:2.3:a:samba:samba:4.1.9:*:*:*:*:*:*:*

cpe:2.3:a:samba:samba:4.1.10:*:*:*:*:*:*:*

cpe:2.3:a:samba:samba:4.1.11:*:*:*:*:*:*:*

cpe:2.3:a:samba:samba:4.1.12:*:*:*:*:*:*:*

cpe:2.3:a:samba:samba:4.1.13:*:*:*:*:*:*:*

cpe:2.3:a:samba:samba:4.1.14:*:*:*:*:*:*:*

cpe:2.3:a:samba:samba:4.1.15:*:*:*:*:*:*:*

cpe:2.3:a:samba:samba:4.1.16:*:*:*:*:*:*:*

cpe:2.3:a:samba:samba:4.1.17:*:*:*:*:*:*:*

cpe:2.3:a:samba:samba:4.1.18:*:*:*:*:*:*:*

cpe:2.3:a:samba:samba:4.1.19:*:*:*:*:*:*:*

cpe:2.3:a:samba:samba:4.1.20:*:*:*:*:*:*:*

cpe:2.3:a:samba:samba:4.1.21:*:*:*:*:*:*:*

cpe:2.3:a:samba:samba:4.2.0:*:*:*:*:*:*:*

cpe:2.3:a:samba:samba:4.2.1:*:*:*:*:*:*:*

cpe:2.3:a:samba:samba:4.2.2:*:*:*:*:*:*:*

cpe:2.3:a:samba:samba:4.2.3:*:*:*:*:*:*:*

cpe:2.3:a:samba:samba:4.2.4:*:*:*:*:*:*:*

cpe:2.3:a:samba:samba:4.2.5:*:*:*:*:*:*:*

cpe:2.3:a:samba:samba:4.2.6:*:*:*:*:*:*:*

cpe:2.3:a:samba:samba:4.3.0:*:*:*:*:*:*:*

cpe:2.3:a:samba:samba:4.3.1:*:*:*:*:*:*:*

cpe:2.3:a:samba:samba:4.3.2:*:*:*:*:*:*:*

Tenable Plugins

View all (23 total)

IDNameProductFamilySeverity
96127GLSA-201612-47 : Samba: Multiple vulnerabilities (Badlock)NessusGentoo Local Security Checks
high
9347Samba 4.2.x < 4.2.7 / 4.3.x < 4.3.3 Multiple VulnerabilitiesNessus Network MonitorSamba
medium
9346Samba 4.x < 4.1.22 Multiple VulnerabilitiesNessus Network MonitorSamba
medium
90558openSUSE Security Update : samba (openSUSE-2016-462) (Badlock)NessusSuSE Local Security Checks
high
89376Fedora 23 : samba-4.3.3-0.fc23 (2015-b36076d32e)NessusFedora Local Security Checks
high
89144Fedora 22 : samba-4.2.7-0.fc22 (2015-0e0879cc8a)NessusFedora Local Security Checks
high
88804Ubuntu 12.04 LTS / 14.04 LTS / 15.10 : samba regression (USN-2855-2)NessusUbuntu Local Security Checks
high
87967Amazon Linux AMI : libldb (ALAS-2016-633)NessusAmazon Linux Local Security Checks
high
87855RHEL 6 / 7 : Storage Server (RHSA-2016:0014)NessusRed Hat Local Security Checks
high
87839Scientific Linux Security Update : libldb on SL6.x, SL7.x i386/x86_64 (20160107)NessusScientific Linux Local Security Checks
high
87809RHEL 6 / 7 : libldb (RHSA-2016:0009)NessusRed Hat Local Security Checks
high
87796Oracle Linux 6 / 7 : libldb (ELSA-2016-0009)NessusOracle Linux Local Security Checks
high
87782CentOS 6 / 7 : libldb (CESA-2016:0009)NessusCentOS Local Security Checks
high
87769Samba 4.2.x < 4.2.7 / 4.3.x < 4.3.3 Multiple VulnerabilitiesNessusMisc.
high
87768Samba 4.x < 4.1.22 Multiple VulnerabilitiesNessusMisc.
high
87756Ubuntu 12.04 LTS / 14.04 LTS / 15.04 / 15.10 : ldb vulnerabilities (USN-2856-1)NessusUbuntu Local Security Checks
high
87755Ubuntu 12.04 LTS / 14.04 LTS / 15.04 / 15.10 : samba vulnerabilities (USN-2855-1)NessusUbuntu Local Security Checks
high
87684Debian DSA-3433-1 : samba - security updateNessusDebian Local Security Checks
high
87622openSUSE Security Update : samba / ldb / talloc / etc (openSUSE-2015-945)NessusSuSE Local Security Checks
high
87621openSUSE Security Update : ldb / samba / talloc / etc (openSUSE-2015-943)NessusSuSE Local Security Checks
high
87527SUSE SLED12 / SLES12 Security Update : ldb, samba, talloc, tdb, tevent (SUSE-SU-2015:2305-1)NessusSuSE Local Security Checks
high
87526SUSE SLED12 / SLES12 Security Update : ldb, samba, talloc, tdb, tevent (SUSE-SU-2015:2304-1)NessusSuSE Local Security Checks
high
87514FreeBSD : samba -- multiple vulnerabilities (ef434839-a6a4-11e5-8275-000c292e4fd8)NessusFreeBSD Local Security Checks
high