Samba 3.5.x < 3.5.22 / 3.6.x < 3.6.25 / 4.0.x < 4.0.25 / 4.1.x < 4.1.17 TALLOC_FREE() RCE

This script is Copyright (C) 2015-2016 Tenable Network Security, Inc.


Synopsis :

The remote Samba server is affected by a remote code execution
vulnerability.

Description :

According to its banner, the version of Samba running on the remote
host is 3.5.x prior to 3.5.22, 3.6.x prior to 3.6.25, 4.0.x prior to
4.0.25, or 4.1.x prior to 4.1.17. It is, therefore, affected by a
remote code execution vulnerability in the TALLOC_FREE() function of
'rpc_server/netlogon/srv_netlog_nt.c'. A remote attacker, using a
specially crafted sequence of packets followed by a subsequent
anonymous netlogon packet, can execute arbitrary code as the root
user.

Note that Nessus has not tested for this issue but has instead relied
only on the application's self-reported version number.

See also :

https://www.samba.org/samba/security/CVE-2015-0240.html
http://www.samba.org/samba/history/samba-3.6.25.html
http://www.samba.org/samba/history/samba-4.0.25.html
http://www.samba.org/samba/history/samba-4.1.17.html

Solution :

Upgrade to Samba 3.6.25 / 4.0.25 / 4.1.17 or later. Alternatively,
install the patch or apply the workaround referenced in the vendor
advisory.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 8.3
(CVSS2#E:F/RL:OF/RC:ND)
Public Exploit Available : true

Family: Misc.

Nessus Plugin ID: 81485

Bugtraq ID: 72711

CVE ID: CVE-2015-0240
