Samba 4.3.x < 4.3.13 / 4.4.x < 4.4.8 / 4.5.x < 4.5.3 Multiple Vulnerabilities

This script is Copyright (C) 2016-2017 Tenable Network Security, Inc.


Synopsis :

The remote Samba server is affected by multiple vulnerabilities.

Description :

The version of Samba running on the remote host is 4.3.x prior to
4.3.13, 4.4.x prior to 4.4.8, or 4.5.x prior to 4.5.3. It is,
therefore, affected by multiple vulnerabilities :

- An overflow condition exists in the ndr_pull_dnsp_name()
function in ndr_dnsp.c that is triggered when handling
'dnsRecord' attributes of DNS objects. An authenticated,
remote attacker can exploit this, via a specially
crafted request, to cause a heap-based buffer overflow,
resulting in a denial of service condition or the
execution of arbitrary code. (CVE-2016-2123)

- A flaw exists in the client code when performing
Kerberos authentication because the client always
requests a forwardable Kerberos ticket. An adjacent
attacker can exploit this to cause a service that
accepts the client's AP-REQ to perform the same actions
as the client using the forwarded Kerberos TGT, allowing
the attacker to impersonate an authenticated user or
service. (CVE-2016-2125)

- A denial of service vulnerability exists in the
check_pac_checksum() function in kerberos_pac.c due to
improper handling of the arcfour-hmac-md5 PAC
(Privilege Attribute Certificate) checksum. An
authenticated, remote attacker can exploit this to
corrupt memory, resulting in a crash of the winbindd
process. (CVE-2016-2126)

Note that Nessus has not tested for these issues but has instead
relied only on the application's self-reported version number.

See also :

https://www.samba.org/samba/security/CVE-2016-2123.html
https://www.samba.org/samba/security/CVE-2016-2125.html
https://www.samba.org/samba/security/CVE-2016-2126.html
http://www.samba.org/samba/history/samba-4.3.13.html
http://www.samba.org/samba/history/samba-4.4.8.html
http://www.samba.org/samba/history/samba-4.5.3.html

Solution :

Upgrade to Samba version 4.3.13 / 4.4.8 / 4.5.3 or later.
Alternatively, apply the vendor-supplied security patch referenced in
the advisory.
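The plugin's own logic is a branch-aware version comparison against the fixed releases named above. The following is an added example, not Tenable's plugin code, that applies the same ranges (4.3.x < 4.3.13, 4.4.x < 4.4.8, 4.5.x < 4.5.3) to a Samba version banner; branches the advisory does not list are reported as "not covered" rather than guessed at, and the sample banners are constructed for illustration.

```python
import re

# First fixed patch level per branch, taken from the advisory text.
# Branches absent here (e.g. 4.2.x or 4.6.x) are outside this check's scope.
FIXED_BY_BRANCH = {
    (4, 3): 13,
    (4, 4): 8,
    (4, 5): 3,
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_samba_version(banner):
    """Extract (major, minor, patch) from a banner such as
    'Version 4.4.5-Ubuntu' or 'Samba 4.5.1'. Returns None if no
    dotted version is present."""
    match = _VERSION_RE.search(banner)
    if not match:
        return None
    return tuple(int(part) for part in match.groups())


def assess(banner):
    """Classify a self-reported Samba version against the advisory.

    Returns 'vulnerable', 'fixed', 'not covered' (branch not listed in the
    advisory) or 'unknown' (no version string found).
    """
    version = parse_samba_version(banner)
    if version is None:
        return "unknown"
    major, minor, patch = version
    first_fixed = FIXED_BY_BRANCH.get((major, minor))
    if first_fixed is None:
        return "not covered"
    return "vulnerable" if patch < first_fixed else "fixed"


def assess_hosts(banners):
    """Apply assess() to a mapping of host -> banner and return host -> verdict."""
    return {host: assess(banner) for host, banner in banners.items()}


if __name__ == "__main__":
    # Constructed sample banners (hypothetical hosts), as smbd --version might print.
    sample = {
        "fileserver-a": "Version 4.4.5-Ubuntu",
        "fileserver-b": "Version 4.5.3",
        "dc-1": "Version 4.3.11",
        "legacy": "Version 4.2.14",
    }
    for host, verdict in assess_hosts(sample).items():
        print(f"{host}: {verdict}")
```

As with the plugin itself, this judges only the self-reported version string. Distribution builds that backport the fix while keeping an older version number will be reported as vulnerable, so a "vulnerable" verdict should be confirmed against the package changelog or the vendor's patch list before being treated as a finding.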

Risk factor :

High / CVSS Base Score : 9.0
(CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C)
CVSS Temporal Score : 6.7
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false

Family: Misc.

Nessus Plugin ID: 96142

Bugtraq ID: 94970, 94988, 94994

CVE ID: CVE-2016-2123, CVE-2016-2125, CVE-2016-2126
