A flaw was found in samba's Heimdal KDC implementation, versions 4.8.x up to, excluding 4.8.12, 4.9.x up to, excluding 4.9.8 and 4.10.x up to, excluding 4.10.3, when used in AD DC mode. A man in the middle attacker could use this flaw to intercept the request to the KDC and replace the user name (principal) in the request with any desired user name (principal) that exists in the KDC effectively obtaining a ticket for that principal.

The remote Ubuntu 16.04 ESM / 18.04 LTS / 20.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-5675-1 advisory.

  - A flaw was found in samba's Heimdal KDC implementation, versions 4.8.x up to, excluding 4.8.12, 4.9.x up     to, excluding 4.9.8 and 4.10.x up to, excluding 4.10.3, when used in AD DC mode. A man in the middle     attacker could use this flaw to intercept the request to the KDC and replace the user name (principal) in     the request with any desired user name (principal) that exists in the KDC effectively obtaining a ticket     for that principal. (CVE-2018-16860)

  - In the client side of Heimdal before 7.6.0, failure to verify anonymous PKINIT PA-PKINIT-KX key exchange     permits a man-in-the-middle attack. This issue is in krb5_init_creds_step in lib/krb5/init_creds_pw.c.
    (CVE-2019-12098)

  - A null pointer de-reference was found in the way samba kerberos server handled missing sname in TGS-REQ     (Ticket Granting Server - Request). An authenticated user could use this flaw to crash the samba server.
    (CVE-2021-3671)

  - The Heimdal Software Kerberos 5 implementation is vulnerable to a null pointer dereferance. An attacker     with network access to an application that depends on the vulnerable code path can cause the application     to crash. (CVE-2022-3116)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to the versions of the samba packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - An elevation of privilege vulnerability exists when an     attacker establishes a vulnerable Netlogon secure     channel connection to a domain controller, using the     Netlogon Remote Protocol (MS-NRPC), aka 'Netlogon     Elevation of Privilege Vulnerability'.(CVE-2020-1472)

  - A flaw was found in the AD DC NBT server in all Samba     versions before 4.10.17, before 4.11.11 and before     4.12.4. A samba user could send an empty UDP packet to     cause the samba server to crash.(CVE-2020-14303)

  - There is an issue in all samba 4.11.x versions before     4.11.5, all samba 4.10.x versions before 4.10.12 and     all samba 4.9.x versions before 4.9.18, where the     removal of the right to create or modify a subtree     would not automatically be taken away on all domain     controllers.(CVE-2019-14902)

  - All samba versions 4.9.x before 4.9.18, 4.10.x before     4.10.12 and 4.11.x before 4.11.5 have an issue where if     it is set with 'log level = 3' (or above) then the     string obtained from the client, after a failed     character conversion, is printed. Such strings can be     provided during the NTLMSSP authentication exchange. In     the Samba AD DC in particular, this may cause a     long-lived process(such as the RPC server) to     terminate. (In the file server case, the most likely     target, smbd, operates as process-per-client and so a     crash there is harmless).(CVE-2019-14907)

  - All Samba versions 4.x.x before 4.9.17, 4.10.x before     4.10.11 and 4.11.x before 4.11.3 have an issue, where     the (poorly named) dnsserver RPC pipe provides     administrative facilities to modify DNS records and     zones. Samba, when acting as an AD DC, stores DNS     records in LDAP. In AD, the default permissions on the     DNS partition allow creation of new records by     authenticated users. This is used for example to allow     machines to self-register in DNS. If a DNS record was     created that case-insensitively matched the name of the     zone, the ldb_qsort() and dns_name_compare() routines     could be confused into reading memory prior to the list     of DNS entries when responding to DnssrvEnumRecords()     or DnssrvEnumRecords2() and so following invalid memory     as a pointer.(CVE-2019-14861)

  - All Samba versions 4.x.x before 4.9.17, 4.10.x before     4.10.11 and 4.11.x before 4.11.3 have an issue, where     the S4U (MS-SFU) Kerberos delegation model includes a     feature allowing for a subset of clients to be opted     out of constrained delegation in any way, either     S4U2Self or regular Kerberos authentication, by forcing     all tickets for these clients to be non-forwardable. In     AD this is implemented by a user attribute     delegation_not_allowed (aka not-delegated), which     translates to disallow-forwardable. However the Samba     AD DC does not do that for S4U2Self and does set the     forwardable flag even if the impersonated client has     the not-delegated flag set.(CVE-2019-14870)

  - A flaw was found in samba's Heimdal KDC implementation,     versions 4.8.x up to, excluding 4.8.12, 4.9.x up to,     excluding 4.9.8 and 4.10.x up to, excluding 4.10.3,     when used in AD DC mode. A man in the middle attacker     could use this flaw to intercept the request to the KDC     and replace the user name (principal) in the request     with any desired user name (principal) that exists in     the KDC effectively obtaining a ticket for that     principal.(CVE-2018-16860)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the samba packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - Heimdal before 7.4 allows remote attackers to     impersonate services with Orpheus' Lyre attacks because     it obtains service-principal names in a way that     violates the Kerberos 5 protocol specification. In
    _krb5_extract_ticket() the KDC-REP service name must be     obtained from the encrypted version stored in     'enc_part' instead of the unencrypted version stored in     'ticket'. Use of the unencrypted version provides an     opportunity for successful server impersonation and     other attacks. NOTE: this CVE is only for Heimdal and     other products that embed Heimdal code it does not     apply to other instances in which this part of the     Kerberos 5 protocol specification is     violated.(CVE-2017-11103)

  - A use-after-free flaw was found in all samba LDAP     server versions before 4.10.17, before 4.11.11, before     4.12.4 used in a AC DC configuration. A Samba LDAP user     could use this flaw to crash samba.(CVE-2020-10760)

  - There is an issue in all samba 4.11.x versions before     4.11.5, all samba 4.10.x versions before 4.10.12 and     all samba 4.9.x versions before 4.9.18, where the     removal of the right to create or modify a subtree     would not automatically be taken away on all domain     controllers.(CVE-2019-14902)

  - All samba versions 4.9.x before 4.9.18, 4.10.x before     4.10.12 and 4.11.x before 4.11.5 have an issue where if     it is set with 'log level = 3' (or above) then the     string obtained from the client, after a failed     character conversion, is printed. Such strings can be     provided during the NTLMSSP authentication exchange. In     the Samba AD DC in particular, this may cause a     long-lived process(such as the RPC server) to     terminate. (In the file server case, the most likely     target, smbd, operates as process-per-client and so a     crash there is harmless).(CVE-2019-14907)

  - All Samba versions 4.x.x before 4.9.17, 4.10.x before     4.10.11 and 4.11.x before 4.11.3 have an issue, where     the (poorly named) dnsserver RPC pipe provides     administrative facilities to modify DNS records and     zones. Samba, when acting as an AD DC, stores DNS     records in LDAP. In AD, the default permissions on the     DNS partition allow creation of new records by     authenticated users. This is used for example to allow     machines to self-register in DNS. If a DNS record was     created that case-insensitively matched the name of the     zone, the ldb_qsort() and dns_name_compare() routines     could be confused into reading memory prior to the list     of DNS entries when responding to DnssrvEnumRecords()     or DnssrvEnumRecords2() and so following invalid memory     as a pointer.(CVE-2019-14861)

  - All Samba versions 4.x.x before 4.9.17, 4.10.x before     4.10.11 and 4.11.x before 4.11.3 have an issue, where     the S4U (MS-SFU) Kerberos delegation model includes a     feature allowing for a subset of clients to be opted     out of constrained delegation in any way, either     S4U2Self or regular Kerberos authentication, by forcing     all tickets for these clients to be non-forwardable. In     AD this is implemented by a user attribute     delegation_not_allowed (aka not-delegated), which     translates to disallow-forwardable. However the Samba     AD DC does not do that for S4U2Self and does set the     forwardable flag even if the impersonated client has     the not-delegated flag set.(CVE-2019-14870)

  - A flaw was found in the samba client, all samba     versions before samba 4.11.2, 4.10.10 and 4.9.15, where     a malicious server can supply a pathname to the client     with separators. This could allow the client to access     files and folders outside of the SMB network pathnames.
    An attacker could use this vulnerability to create     files outside of the current working directory using     the privileges of the client user.(CVE-2019-10218)

  - A flaw was found in Samba, all versions starting samba     4.5.0 before samba 4.9.15, samba 4.10.10, samba 4.11.2,     in the way it handles a user password change or a new     password for a samba user. The Samba Active Directory     Domain Controller can be configured to use a custom     script to check for password complexity. This     configuration can fail to verify password complexity     when non-ASCII characters are used in the password,     which could lead to weak passwords being set for samba     users, making it vulnerable to dictionary     attacks.(CVE-2019-14833)

  - A flaw was found in samba 4.0.0 before samba 4.9.15 and     samba 4.10.x before 4.10.10. An attacker can crash AD     DC LDAP server via dirsync resulting in denial of     service. Privilege escalation is not possible with this     issue.(CVE-2019-14847)

  - A flaw was found in the AD DC NBT server in all Samba     versions before 4.10.17, before 4.11.11 and before     4.12.4. A samba user could send an empty UDP packet to     cause the samba server to crash.(CVE-2020-14303)

  - A flaw was found in samba's Heimdal KDC implementation,     versions 4.8.x up to, excluding 4.8.12, 4.9.x up to,     excluding 4.9.8 and 4.10.x up to, excluding 4.10.3,     when used in AD DC mode. A man in the middle attacker     could use this flaw to intercept the request to the KDC     and replace the user name (principal) in the request     with any desired user name (principal) that exists in     the KDC effectively obtaining a ticket for that     principal.(CVE-2018-16860)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the samba packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - The samba-libs package contains the libraries needed by     programs that link against the SMB, RPC and other     protocols provided by the Samba suite. Security     Fix(es):A flaw was found in samba's Heimdal KDC     implementation, versions 4.8.x up to, excluding 4.8.12,     4.9.x up to, excluding 4.9.8 and 4.10.x up to,     excluding 4.10.3, when used in AD DC mode. A man in the     middle attacker could use this flaw to intercept the     request to the KDC and replace the user name     (principal) in the request with any desired user name     (principal) that exists in the KDC effectively     obtaining a ticket for that principal.(CVE-2018-16860)A     flaw was found in the AD DC NBT server in all Samba     versions before 4.10.17, before 4.11.11 and before     4.12.4. A samba user could send an empty UDP packet to     cause the samba server to crash.(CVE-2020-14303)A NULL     pointer dereference, or possible use-after-free flaw     was found in the Samba AD LDAP server. Although some     versions of Samba shipped with Red Hat Enterprise Linux     do not support Samba in AD mode, the affected code is     shipped with the libldb package. This flaw allows an     authenticated user to possibly trigger a use-after-free     or NULL pointer dereference. The highest threat from     this vulnerability is to system     availability.(CVE-2020-10730)A flaw was found in Samba     in the way it processed NetBios over TCP/IP. This flaw     allows a remote attacker could to cause the Samba     server to consume excessive CPU use, resulting in a     denial of service. This highest threat from this     vulnerability is to system     availability.(CVE-2020-10745)A use-after-free flaw was     found in all samba LDAP server versions before 4.10.17,     before 4.11.11, before 4.12.4 used in a AC DC     configuration. A Samba LDAP user could use this flaw to     crash samba.(CVE-2020-10760)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the samba packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - All Samba versions 4.x.x before 4.9.17, 4.10.x before     4.10.11 and 4.11.x before 4.11.3 have an issue, where     the S4U (MS-SFU) Kerberos delegation model includes a     feature allowing for a subset of clients to be opted     out of constrained delegation in any way, either     S4U2Self or regular Kerberos authentication, by forcing     all tickets for these clients to be non-forwardable. In     AD this is implemented by a user attribute     delegation_not_allowed (aka not-delegated), which     translates to disallow-forwardable. However the Samba     AD DC does not do that for S4U2Self and does set the     forwardable flag even if the impersonated client has     the not-delegated flag set.(CVE-2019-14870)

  - All Samba versions 4.x.x before 4.9.17, 4.10.x before     4.10.11 and 4.11.x before 4.11.3 have an issue, where     the (poorly named) dnsserver RPC pipe provides     administrative facilities to modify DNS records and     zones. Samba, when acting as an AD DC, stores DNS     records in LDAP. In AD, the default permissions on the     DNS partition allow creation of new records by     authenticated users. This is used for example to allow     machines to self-register in DNS. If a DNS record was     created that case-insensitively matched the name of the     zone, the ldb_qsort() and dns_name_compare() routines     could be confused into reading memory prior to the list     of DNS entries when responding to DnssrvEnumRecords()     or DnssrvEnumRecords2() and so following invalid memory     as a pointer.(CVE-2019-14861)

  - All samba versions 4.9.x before 4.9.18, 4.10.x before     4.10.12 and 4.11.x before 4.11.5 have an issue where if     it is set with 'log level = 3' (or above) then the     string obtained from the client, after a failed     character conversion, is printed. Such strings can be     provided during the NTLMSSP authentication exchange. In     the Samba AD DC in particular, this may cause a     long-lived process(such as the RPC server) to     terminate. (In the file server case, the most likely     target, smbd, operates as process-per-client and so a     crash there is harmless).(CVE-2019-14907)

  - There is an issue in all samba 4.11.x versions before     4.11.5, all samba 4.10.x versions before 4.10.12 and     all samba 4.9.x versions before 4.9.18, where the     removal of the right to create or modify a subtree     would not automatically be taken away on all domain     controllers.(CVE-2019-14902)

  - A flaw was found in samba's Heimdal KDC implementation,     versions 4.8.x up to, excluding 4.8.12, 4.9.x up to,     excluding 4.9.8 and 4.10.x up to, excluding 4.10.3,     when used in AD DC mode. A man in the middle attacker     could use this flaw to intercept the request to the KDC     and replace the user name (principal) in the request     with any desired user name (principal) that exists in     the KDC effectively obtaining a ticket for that     principal.(CVE-2018-16860)

  - A use-after-free flaw was found in the way samba AD DC     LDAP servers, handled 'Paged Results' control is     combined with the 'ASQ' control. A malicious user in a     samba AD could use this flaw to cause denial of     service. This issue affects all samba versions before     4.10.15, before 4.11.8 and before     4.12.2.(CVE-2020-10700)

  - A use-after-free flaw was found in the way samba AD DC     LDAP servers, handled 'Paged Results' control is     combined with the 'ASQ' control. A malicious user in a     samba AD could use this flaw to cause denial of     service. This issue affects all samba versions before     4.10.15, before 4.11.8 and before     4.12.2.(CVE-2020-10700)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the version of the samba packages installed, the EulerOS installation on the remote host is affected by the following vulnerability :

  - A flaw was found in samba's Heimdal KDC implementation,     versions 4.8.x up to, excluding 4.8.12, 4.9.x up to,     excluding 4.9.8 and 4.10.x up to, excluding 4.10.3,     when used in AD DC mode. A man in the middle attacker     could use this flaw to intercept the request to the KDC     and replace the user name (principal) in the request     with any desired user name (principal) that exists in     the KDC effectively obtaining a ticket for that     principal.(CVE-2018-16860)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is affected by the vulnerability described in GLSA-202003-52 (Samba: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Samba. Please review       the CVE identifiers referenced below for details.
  Impact :

    A remote attacker could possibly execute arbitrary code, cause a Denial       of Service condition, conduct a man-in-the-middle attack, or obtain       sensitive information.
  Workaround :

    There is no known workaround at this time.

According to the versions of the samba packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - Samba from version 4.9.0 and before version 4.9.3 that     have AD DC configurations watching for bad passwords     (to restrict brute forcing of passwords) in a window of     more than 3 minutes may not watch for bad passwords at     all. The primary risk from this issue is with regards     to domains that have been upgraded from Samba 4.8 and     earlier. In these cases the manual testing done to     confirm an organisation's password policies apply as     expected may not have been re-done after the     upgrade.(CVE-2018-16857)

  - Samba from version 4.9.0 and before version 4.9.3 is     vulnerable to a NULL pointer de-reference. During the     processing of an DNS zone in the DNS management DCE/RPC     server, the internal DNS server or the Samba DLZ plugin     for BIND9, if the DSPROPERTY_ZONE_MASTER_SERVERS     property or DSPROPERTY_ZONE_SCAVENGING_SERVERS property     is set, the server will follow a NULL pointer and     terminate. There is no further vulnerability associated     with this issue, merely a denial of     service.(CVE-2018-16852)

  - A flaw was found in samba versions 4.9.x up to 4.9.13,     samba 4.10.x up to 4.10.8 and samba 4.11.x up to     4.11.0rc3, when certain parameters were set in the     samba configuration file. An unauthenticated attacker     could use this flaw to escape the shared directory and     access the contents of directories outside the     share.(CVE-2019-10197)

  - A flaw was found in samba 4.0.0 before samba 4.9.15 and     samba 4.10.x before 4.10.10. An attacker can crash AD     DC LDAP server via dirsync resulting in denial of     service. Privilege escalation is not possible with this     issue.(CVE-2019-14847)

  - A flaw was found in Samba, all versions starting samba     4.5.0 before samba 4.9.15, samba 4.10.10, samba 4.11.2,     in the way it handles a user password change or a new     password for a samba user. The Samba Active Directory     Domain Controller can be configured to use a custom     script to check for password complexity. This     configuration can fail to verify password complexity     when non-ASCII characters are used in the password,     which could lead to weak passwords being set for samba     users, making it vulnerable to dictionary     attacks.(CVE-2019-14833)

  - A flaw was found in the samba client, all samba     versions before samba 4.11.2, 4.10.10 and 4.9.15, where     a malicious server can supply a pathname to the client     with separators. This could allow the client to access     files and folders outside of the SMB network pathnames.
    An attacker could use this vulnerability to create     files outside of the current working directory using     the privileges of the client user.(CVE-2019-10218)

  - A flaw was found in the way an LDAP search expression     could crash the shared LDAP server process of a samba     AD DC in samba before version 4.10. An authenticated     user, having read permissions on the LDAP server, could     use this flaw to cause denial of     service.(CVE-2019-3824)

  - All Samba versions 4.x.x before 4.9.17, 4.10.x before     4.10.11 and 4.11.x before 4.11.3 have an issue, where     the S4U (MS-SFU) Kerberos delegation model includes a     feature allowing for a subset of clients to be opted     out of constrained delegation in any way, either     S4U2Self or regular Kerberos authentication, by forcing     all tickets for these clients to be non-forwardable. In     AD this is implemented by a user attribute     delegation_not_allowed (aka not-delegated), which     translates to disallow-forwardable. However the Samba     AD DC does not do that for S4U2Self and does set the     forwardable flag even if the impersonated client has     the not-delegated flag set.(CVE-2019-14870)

  - All Samba versions 4.x.x before 4.9.17, 4.10.x before     4.10.11 and 4.11.x before 4.11.3 have an issue, where     the (poorly named) dnsserver RPC pipe provides     administrative facilities to modify DNS records and     zones. Samba, when acting as an AD DC, stores DNS     records in LDAP. In AD, the default permissions on the     DNS partition allow creation of new records by     authenticated users. This is used for example to allow     machines to self-register in DNS. If a DNS record was     created that case-insensitively matched the name of the     zone, the ldb_qsort() and dns_name_compare() routines     could be confused into reading memory prior to the list     of DNS entries when responding to DnssrvEnumRecords()     or DnssrvEnumRecords2() and so following invalid memory     as a pointer.(CVE-2019-14861)

  - A flaw was found in samba's Heimdal KDC implementation,     versions 4.8.x up to, excluding 4.8.12, 4.9.x up to,     excluding 4.9.8 and 4.10.x up to, excluding 4.10.3,     when used in AD DC mode. A man in the middle attacker     could use this flaw to intercept the request to the KDC     and replace the user name (principal) in the request     with any desired user name (principal) that exists in     the KDC effectively obtaining a ticket for that     principal.(CVE-2018-16860)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the samba packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - A flaw was found in samba's Heimdal KDC implementation,     versions 4.8.x up to, excluding 4.8.12, 4.9.x up to,     excluding 4.9.8 and 4.10.x up to, excluding 4.10.3,     when used in AD DC mode. A man in the middle attacker     could use this flaw to intercept the request to the KDC     and replace the user name (principal) in the request     with any desired user name (principal) that exists in     the KDC effectively obtaining a ticket for that     principal.(CVE-2018-16860)

  - All Samba versions 4.x.x before 4.9.17, 4.10.x before     4.10.11 and 4.11.x before 4.11.3 have an issue, where     the (poorly named) dnsserver RPC pipe provides     administrative facilities to modify DNS records and     zones. Samba, when acting as an AD DC, stores DNS     records in LDAP. In AD, the default permissions on the     DNS partition allow creation of new records by     authenticated users. This is used for example to allow     machines to self-register in DNS. If a DNS record was     created that case-insensitively matched the name of the     zone, the ldb_qsort() and dns_name_compare() routines     could be confused into reading memory prior to the list     of DNS entries when responding to DnssrvEnumRecords()     or DnssrvEnumRecords2() and so following invalid memory     as a pointer.(CVE-2019-14861)

  - All Samba versions 4.x.x before 4.9.17, 4.10.x before     4.10.11 and 4.11.x before 4.11.3 have an issue, where     the S4U (MS-SFU) Kerberos delegation model includes a     feature allowing for a subset of clients to be opted     out of constrained delegation in any way, either     S4U2Self or regular Kerberos authentication, by forcing     all tickets for these clients to be non-forwardable. In     AD this is implemented by a user attribute     delegation_not_allowed (aka not-delegated), which     translates to disallow-forwardable. However the Samba     AD DC does not do that for S4U2Self and does set the     forwardable flag even if the impersonated client has     the not-delegated flag set.(CVE-2019-14870)

  - A flaw was found in the samba client, all samba     versions before samba 4.11.2, 4.10.10 and 4.9.15, where     a malicious server can supply a pathname to the client     with separators. This could allow the client to access     files and folders outside of the SMB network pathnames.
    An attacker could use this vulnerability to create     files outside of the current working directory using     the privileges of the client user.(CVE-2019-10218)

  - A flaw was found in the way an LDAP search expression     could crash the shared LDAP server process of a samba     AD DC. An authenticated user, having read permissions     on the LDAP server, could use this flaw to cause denial     of service.(CVE-2019-3824)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is running Mac OS X 10.12.6 or Mac OS X 10.13.6 and is missing a security update. It is, therefore, affected by multiple vulnerabilities :

  - An application may be able to read restricted memory     (CVE-2019-8691, CVE-2019-8692, CVE-2019-8693)

  - Extracting a zip file containing a symbolic link to an     endpoint in an NFS mount that is attacker controlled may     bypass Gatekeeper (CVE-2019-8656)

  - A remote attacker may be able to cause arbitrary code     execution (CVE-2019-8648, CVE-2018-19860, CVE-2019-8661)

  - A remote attacker may be able to leak memory     (CVE-2019-8646, CVE-2019-8663)

  - A remote attacker may be able to cause unexpected     application termination or arbitrary code execution     ( CVE-2019-8641, CVE-2019-8660)

  - An application may be able to execute arbitrary code     with system privileges (CVE-2019-8695, CVE-2019-8697)

  - An issue existed in Samba that may allow attackers to     perform unauthorized actions by intercepting     communications between services (CVE-2018-16860)

  - An application may be able to execute arbitrary code     with kernel privileges (CVE-2019-8694)

  - A remote attacker may be able to view sensitive     information (CVE-2019-13118)

  - An attacker may be able to trigger a use-after-free in     an application deserializing an untrusted NSDictionary     (CVE-2019-8662)

  - Visiting a malicious website may lead to address bar     spoofing (CVE-2019-8670)

  - The encryption status of a Time Machine backup may be     incorrect (CVE-2019-8667)

  - Parsing a maliciously crafted office document may lead     to an unexpected application termination or arbitrary     code execution (CVE-2019-8657)

  - Processing maliciously crafted web content may lead to     universal cross site scripting (CVE-2019-8649,     CVE-2019-8658, CVE-2019-8690)

  - Processing maliciously crafted web content may lead to     arbitrary code execution (CVE-2019-8644, CVE-2019-8666,     CVE-2019-8669, CVE-2019-8671, CVE-2019-8672,     CVE-2019-8673, CVE-2019-8676, CVE-2019-8677,     CVE-2019-8678, CVE-2019-8679, CVE-2019-8680,     CVE-2019-8681, CVE-2019-8683, CVE-2019-8684,     CVE-2019-8685, CVE-2019-8686, CVE-2019-8687,     CVE-2019-8688, CVE-2019-8689)

Note that Nessus has not tested for this issue but has instead relied only on the operating system's self-reported version number.

The remote host is running a version of macOS / Mac OS X that is 10.14.x prior to 10.14.6. It is, therefore, affected by multiple vulnerabilities :

  - An application may be able to read restricted memory     (CVE-2019-8691, CVE-2019-8692, CVE-2019-8693)

  - Extracting a zip file containing a symbolic link to an     endpoint in an NFS mount that is attacker controlled may     bypass Gatekeeper (CVE-2019-8656)

  - A remote attacker may be able to cause arbitrary code     execution (CVE-2019-8648, CVE-2018-19860, CVE-2019-8661)

  - A remote attacker may be able to leak memory     (CVE-2019-8646, CVE-2019-8663)

  - A remote attacker may be able to cause unexpected     application termination or arbitrary code execution     (CVE-2019-8641, CVE-2019-8660)

  - An application may be able to execute arbitrary code     with system privileges (CVE-2019-8695, CVE-2019-8697)

  - An issue existed in Samba that may allow attackers to     perform unauthorized actions by intercepting     communications between services (CVE-2018-16860)

  - An application may be able to execute arbitrary code     with kernel privileges (CVE-2019-8694)

  - A remote attacker may be able to view sensitive     information (CVE-2019-13118)

  - An attacker may be able to trigger a use-after-free in     an application deserializing an untrusted NSDictionary     (CVE-2019-8662)

  - Visiting a malicious website may lead to address bar     spoofing (CVE-2019-8670)

  - The encryption status of a Time Machine backup may be     incorrect (CVE-2019-8667)

  - Parsing a maliciously crafted office document may lead     to an unexpected application termination or arbitrary     code execution (CVE-2019-8657)

  - Processing maliciously crafted web content may lead to     universal cross site scripting (CVE-2019-8690,     CVE-2019-8649, CVE-2019-8658)

  - Processing maliciously crafted web content may lead to     arbitrary code execution (CVE-2019-8644, CVE-2019-8666,     CVE-2019-8669, CVE-2019-8671, CVE-2019-8672,     CVE-2019-8673, CVE-2019-8676, CVE-2019-8677,     CVE-2019-8678, CVE-2019-8679, CVE-2019-8680,     CVE-2019-8681, CVE-2019-8683, CVE-2019-8684,     CVE-2019-8685, CVE-2019-8686, CVE-2019-8687,     CVE-2019-8688, CVE-2019-8689)

Note that Nessus has not tested for this issue but has instead relied only on the operating system's self-reported version number.

According to its banner, the version of Apple TV on the remote device is prior to 12.4. It is therefore affected by multiple vulnerabilities as described in HT210351.

The version of Apple iOS running on the mobile device is prior to 12.4. It is, therefore, affected by multiple vulnerabilities.

This update for libheimdal fixes the following issues :

libheimdal was updated to version 7.7.0 :

  + Bug fixes :

  - PKCS#11 hcrypto back-end :

  + initialize the p11_module_load function list

  + verify that not only is a mechanism present but that its     mechanism info states that it offers the required     encryption, decryption or digest services

  - krb5 :

  + Starting with 7.6, Heimdal permitted requesting     authenticated anonymous tickets. However, it did not     verify that a KDC in fact returned an anonymous ticket     when one was requested.

  + Cease setting the KDCOption reaquest_anonymous flag when     issuing S4UProxy (constrained delegation) TGS requests.

  + when the Win2K PKINIT compatibility option is set, do     not require krbtgt otherName to match when validating     KDC certificate.

  + set PKINIT_BTMM flag per Apple implementation

  + use memset_s() instead of memset()

  - kdc :

  + When generating KRB5SignedPath in the AS, use the reply     client name rather than the one from the request, so     validation will work correctly in the TGS.

  + allow checksum of PA-FOR-USER to be HMAC_MD5. Even if     TGT used an enctype with a different checksum. Per     [MS-SFU] 2.2.1 PA-FOR-USER the checksum is always     HMAC_MD5, and that's what Windows and MIT clients send.
    In Heimdal both the client and kdc use instead the     checksum of the TGT, and therefore work with each other     but Windows and MIT clients fail against Heimdal KDC.
    Both Windows and MIT KDC would allow any keyed checksum     to be used so Heimdal client work fine against it.
    Change Heimdal KDC to allow HMAC_MD5 even for non RC4     based TGT in order to support per-spec clients.

  + use memset_s() instead of memset()

  + Detect Heimdal 1.0 through 7.6 clients that issue     S4UProxy (constrained delegation) TGS Requests with the     request anonymous flag set. These requests will be     treated as S4UProxy requests and not anonymous requests.

  - HDB :

  + Set SQLite3 backend default page size to 8KB.

  + Add hdb_set_sync() method

  - kadmind :

  + disable HDB sync during database load avoiding     unnecessary disk i/o.

  - ipropd :

  + disable HDB sync during receive_everything. Doing an     fsync per-record when receiving the complete HDB is a     performance disaster. Among other things, if the HDB is     very large, then one slave receving a full HDB can cause     other slaves to timeout and, if HDB write activity is     high enough to cause iprop log truncation, then also     need full syncs, which leads to a cycle of full syncs     for all slaves until HDB write activity drops. Allowing     the iprop log to be larger helps, but improving     receive_everything() performance helps even more.

  - kinit :

  + Anonymous PKINIT tickets discard the realm information     used to locate the issuing AS. Store the issuing realm     in the credentials cache in order to locate a KDC which     can renew them.

  + Do not leak the result of krb5_cc_get_config() when     determining anonymous PKINIT start realm.

  - klist :

  + Show transited-policy-checked, ok-as-delegate and     anonymous flags when listing credentials.

  - tests :

  + Regenerate certs so that they expire before the 2038     armageddon so the test suite will pass on 32-bit     operating systems until the underlying issues can be     resolved.

  - documentation :

  + rename verify-password to verify-password-quality

  + hprop default mode is encrypt

  + kadmind 'all' permission does not include 'get-keys'

  + verify-password-quality might not be stateless

Version 7.6.0 :

  + Security (#555) :

  - CVE-2018-16860 Heimdal KDC: Reject PA-S4U2Self with     unkeyed checksum

    When the Heimdal KDC checks the checksum that is placed     on the S4U2Self packet by the server to protect the     requested principal against modification, it does not     confirm that the checksum algorithm that protects the     user name (principal) in the request is keyed. This     allows a man-in-the-middle attacker who can intercept     the request to the KDC to modify the packet by replacing     the user name (principal) in the request with any     desired user name (principal) that exists in the KDC and     replace the checksum protecting that name with a CRC32     checksum (which requires no prior knowledge to compute).
    This would allow a S4U2Self ticket requested on behalf     of user name (principal) user@EXAMPLE.COM to any service     to be changed to a S4U2Self ticket with a user name     (principal) of Administrator@EXAMPLE.COM. This ticket     would then contain the PAC of the modified user name     (principal).

  - CVE-2019-12098, client-only :

    RFC8062 Section 7 requires verification of the     PA-PKINIT-KX key exchange when anonymous PKINIT is used.
    Failure to do so can permit an active attacker to become     a man-in-the-middle.

  + Bug fixes :

  - Happy eyeballs: Don't wait for responses from     known-unreachable KDCs.

  - kdc :

  + check return copy_Realm, copy_PrincipalName,     copy_EncryptionKey

  - kinit :

  + cleanup temporary ccaches

  + see man page for 'kinit --anonymous' command line syntax     change

  - kdc :

  + Make anonymous AS-requests more RFC8062-compliant.
    Updated expired test certificates

  + Features :

  - kuser: support authenticated anonymous AS-REQs in kinit

  - kdc: support for anonymous TGS-REQs

  - kgetcred support for anonymous service tickets

  - Support builds with OpenSSL 1.1.1

Several vulnerabilities were discovered in Heimdal, an implementation of Kerberos 5 that aims to be compatible with MIT Kerberos.

  - CVE-2018-16860     Isaac Boukris and Andrew Bartlett discovered that     Heimdal was susceptible to man-in-the-middle attacks     caused by incomplete checksum validation. Details on the     issue can be found in the Samba advisory at     https://www.samba.org/samba/security/CVE-2018-16860.html     .

  - CVE-2019-12098     It was discovered that failure of verification of the     PA-PKINIT-KX key exchange client-side could permit to     perform man-in-the-middle attack.

The version of Samba running on the remote host is 4.x prior to 4.8.12, 4.9.x prior to 4.9.8 or 4.10.x prior to 4.10.3. It is, therefore, affected by a man in the middle vulnerability in the Heimdal KDC due to an design error. An authenticated, remote attacker can exploit this, via replacing the user name on intercepted requests to the KDC, to bypass security restrictions.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The samba project reports :

The checksum validation in the S4U2Self handler in the embedded Heimdal KDC did not first confirm that the checksum was keyed, allowing replacement of the requested target (client) principal

Authenticated users with write permission can trigger a symlink traversal to write or detect files outside the Samba share.

Update to Samba 4.9.8, Security fixes for CVE-2018-16860

----

Update to Samba 4.9.7

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Update to Samba 4.10.3, Security fixes for CVE-2018-16860

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Isaac Boukris and Andrew Bartlett discovered that the S4U2Self Kerberos extension used in Samba's Active Directory support was susceptible to man-in-the-middle attacks caused by incomplete checksum validation.

For Debian 8 'Jessie', this problem has been fixed in version 2:4.2.14+dfsg-0+deb8u13.

We recommend that you upgrade your samba packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

USN-3976-1 fixed a vulnerability in Samba. This update provides the corresponding update for Ubuntu 12.04 ESM and Ubuntu 14.04 ESM.

Original advisory details :

Isaac Boukris and Andrew Bartlett discovered that Samba incorrectly checked S4U2Self packets. In certain environments, a remote attacker could possibly use this issue to escalate privileges.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Isaac Boukris and Andrew Bartlett discovered that Samba incorrectly checked S4U2Self packets. In certain environments, a remote attacker could possibly use this issue to escalate privileges.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Isaac Boukris and Andrew Bartlett discovered that the S4U2Self Kerberos extension used in Samba's Active Directory support was susceptible to man-in-the-middle attacks caused by incomplete checksum validation.

Details can be found in the upstream advisory at

ID	Name	Product	Family	Severity
166109	Ubuntu 16.04 ESM / 18.04 LTS / 20.04 LTS : Heimdal vulnerabilities (USN-5675-1)	Nessus	Ubuntu Local Security Checks	high
142333	EulerOS 2.0 SP2 : samba (EulerOS-SA-2020-2396)	Nessus	Huawei Local Security Checks	high
140877	EulerOS 2.0 SP3 : samba (EulerOS-SA-2020-2110)	Nessus	Huawei Local Security Checks	high
140322	EulerOS Virtualization for ARM 64 3.0.2.0 : samba (EulerOS-SA-2020-1952)	Nessus	Huawei Local Security Checks	high
137965	EulerOS Virtualization 3.0.6.0 : samba (EulerOS-SA-2020-1746)	Nessus	Huawei Local Security Checks	high
137034	EulerOS 2.0 SP5 : samba (EulerOS-SA-2020-1616)	Nessus	Huawei Local Security Checks	high
134927	GLSA-202003-52 : Samba: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	critical
132794	EulerOS Virtualization for ARM 64 3.0.5.0 : samba (EulerOS-SA-2020-1040)	Nessus	Huawei Local Security Checks	critical
132625	EulerOS 2.0 SP8 : samba (EulerOS-SA-2020-1032)	Nessus	Huawei Local Security Checks	high
127055	macOS Sierra / High Sierra Multiple Vulnerabilities (Security Update 2019-004)	Nessus	MacOS X Local Security Checks	critical
127054	macOS 10.14.x < 10.14.6 Multiple Vulnerabilities	Nessus	MacOS X Local Security Checks	critical
127048	Apple TV < 12.4 Multiple Vulnerabilities	Nessus	Misc.	critical
126951	Apple iOS < 12.4 Multiple Vulnerabilities	Nessus	Mobile Devices	critical
126437	openSUSE Security Update : libheimdal (openSUSE-2019-1682)	Nessus	SuSE Local Security Checks	high
125709	Debian DSA-4455-1 : heimdal - security update	Nessus	Debian Local Security Checks	high
125388	Samba 4.x < 4.8.12 / 4.9.x < 4.9.8 / 4.10.x < 4.10.3 Man in the Middle Vulnerability (CVE-2018-16860)	Nessus	Misc.	high
125278	FreeBSD : samba -- multiple vulnerabilities (793a0072-7822-11e9-81e2-005056a311d1)	Nessus	FreeBSD Local Security Checks	high
125271	Fedora 29 : 2:samba (2019-208cc34d40)	Nessus	Fedora Local Security Checks	high
125179	Fedora 30 : 2:samba (2019-307e117a2e)	Nessus	Fedora Local Security Checks	high
125174	Debian DLA-1788-1 : samba security update	Nessus	Debian Local Security Checks	high
125135	Ubuntu 14.04 LTS : samba vulnerability (USN-3976-2)	Nessus	Ubuntu Local Security Checks	high
125134	Ubuntu 16.04 LTS / 18.04 LTS : Samba vulnerability (USN-3976-1)	Nessus	Ubuntu Local Security Checks	high
125094	Debian DSA-4443-1 : samba - security update	Nessus	Debian Local Security Checks	high

Detections

Analytics

CVE-2018-16860

high

Tenable Plugins

high

high

high

high

high

high

critical

critical

high

critical

critical

critical

critical

high

high

high

high

high

high

high

high

high

high