Alpine: libsmbclient, pam-winbind, multiple samba packages: security update to 4.6.6-r1 (deprecated)

high Tenable Self-Hosted Container Security Plugin ID 400767

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- It was found that samba before 4.4.16, 4.5.x before 4.5.14, and 4.6.x before 4.6.8 did not enforce "SMB
signing" when certain configuration options were enabled. A remote attacker could launch a man-in-the-
middle attack and retrieve information in plain-text. (CVE-2017-12150)

- A flaw was found in the way samba client before samba 4.4.16, samba 4.5.14 and samba 4.6.8 used encryption
with the max protocol set as SMB3. The connection could lose the requirement for signing and encrypting to
any DFS redirects, allowing an attacker to read or alter the contents of the connection via a man-in-the-
middle attack. (CVE-2017-12151)

- An information leak flaw was found in the way SMB1 protocol was implemented by Samba before 4.4.16, 4.5.x
before 4.5.14, and 4.6.x before 4.6.8. A malicious client could use this flaw to dump server memory
contents to a file on the samba share or to a shared printer, though the exact area of server memory
cannot be controlled by the attacker. (CVE-2017-12163)

See Also

https://git.alpinelinux.org/aports/commit/?id=427ff6422a5158b148b925494e82d2da9dd9cafb

https://git.alpinelinux.org/aports/commit/?id=827f4bcd760cf400406186ba3b0cc42f171fee14

Plugin Details

Severity: High

ID: 400767

Version: Revision 1.23

Type: Local

Published: 8/16/2023

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.3

Percentile: 53.04

CVSS v2

Risk Factor: Medium

Base Score: 5.8

Temporal Score: 4.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N

CVSS Score Source: CVE-2017-12151

CVSS v3

Risk Factor: High

Base Score: 7.4

Temporal Score: 6.4

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 10/25/2017

Vulnerability Publication Date: 9/20/2017

Reference Information

CVE: CVE-2017-12150, CVE-2017-12151, CVE-2017-12163

BID: 100917, 100918, 100925

IAVA: 2017-A-0281-S