NewStart CGSL MAIN 6.02 : samba Multiple Vulnerabilities (NS-SA-2024-0054)

Critical | Nessus Plugin ID 206855

Synopsis

The remote NewStart CGSL host is affected by multiple vulnerabilities.

Description

The remote NewStart CGSL host, running version MAIN 6.02, has samba packages installed that are affected by multiple vulnerabilities:

- Multiple heap-based buffer overflows in the NDR parsing in smbd in Samba 3.0.0 through 3.0.25rc3 allow remote attackers to execute arbitrary code via crafted MS-RPC requests involving (1) DFSEnum (netdfs_io_dfs_EnumInfo_d), (2) RFNPCNEX (smb_io_notify_option_type_data), (3) LsarAddPrivilegesToAccount (lsa_io_privilege_set), (4) NetSetFileSecurity (sec_io_acl), or (5) LsarLookupSids/LsarLookupSids2 (lsa_io_trans_names). (CVE-2007-2446)

- The MS-RPC functionality in smbd in Samba 3.0.0 through 3.0.25rc3 allows remote attackers to execute arbitrary commands via shell metacharacters involving the (1) SamrChangePassword function, when the username map script smb.conf option is enabled, and allows remote authenticated users to execute commands via shell metacharacters involving other MS-RPC functions in the (2) remote printer and (3) file share management. (CVE-2007-2447)

- Heap-based buffer overflow in the receive_smb_raw function in util/sock.c in Samba 3.0.0 through 3.0.29 allows remote attackers to execute arbitrary code via a crafted SMB response. (CVE-2008-1105)

- Samba 3.4 before 3.4.2, 3.3 before 3.3.8, 3.2 before 3.2.15, and 3.0.12 through 3.0.36, as used in the SMB subsystem in Apple Mac OS X 10.5.8 when Windows File Sharing is enabled, Fedora 11, and other operating systems, does not properly handle errors in resolving pathnames, which allows remote authenticated users to bypass intended sharing restrictions, and read, create, or modify files, in certain circumstances involving user accounts that lack home directories. (CVE-2009-2813)

- smbd in Samba 3.0 before 3.0.37, 3.2 before 3.2.15, 3.3 before 3.3.8, and 3.4 before 3.4.2 allows remote authenticated users to cause a denial of service (infinite loop) via an unanticipated oplock break notification reply packet. (CVE-2009-2906)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade the vulnerable CGSL samba packages. Note that updated packages may not be available yet. Please contact ZTE for more information.

See Also

https://security.gd-linux.com/info/CVE-2008-1105

https://security.gd-linux.com/info/CVE-2009-2813

https://security.gd-linux.com/info/CVE-2009-2906

https://security.gd-linux.com/info/CVE-2009-2948

https://security.gd-linux.com/info/CVE-2012-0817

https://security.gd-linux.com/info/CVE-2012-1182

https://security.gd-linux.com/info/CVE-2012-2111

https://security.gd-linux.com/info/CVE-2012-6150

https://security.gd-linux.com/info/CVE-2013-0172

https://security.gd-linux.com/info/CVE-2013-0213

https://security.gd-linux.com/info/CVE-2013-0214

https://security.gd-linux.com/info/CVE-2013-4408

https://security.gd-linux.com/info/CVE-2013-4475

https://security.gd-linux.com/info/CVE-2013-4496

https://security.gd-linux.com/info/CVE-2013-6442

https://security.gd-linux.com/info/CVE-2014-0178

https://security.gd-linux.com/info/CVE-2014-0244

https://security.gd-linux.com/info/CVE-2014-3493

https://security.gd-linux.com/info/CVE-2014-3560

https://security.gd-linux.com/info/CVE-2015-3223

https://security.gd-linux.com/info/CVE-2015-5252

https://security.gd-linux.com/info/CVE-2015-5296

https://security.gd-linux.com/info/CVE-2015-5299

https://security.gd-linux.com/info/CVE-2015-5370

https://security.gd-linux.com/info/CVE-2015-7540

https://security.gd-linux.com/info/CVE-2015-7560

https://security.gd-linux.com/info/CVE-2016-2110

https://security.gd-linux.com/info/CVE-2016-2111

https://security.gd-linux.com/info/CVE-2016-2112

https://security.gd-linux.com/info/CVE-2016-2113

https://security.gd-linux.com/info/CVE-2016-2114

https://security.gd-linux.com/info/CVE-2016-2115

https://security.gd-linux.com/info/CVE-2016-2118

https://security.gd-linux.com/info/CVE-2016-2119

https://security.gd-linux.com/info/CVE-2016-2123

https://security.gd-linux.com/info/CVE-2016-2125

https://security.gd-linux.com/info/CVE-2016-2126

https://security.gd-linux.com/info/CVE-2017-12150

https://security.gd-linux.com/info/CVE-2017-12151

https://security.gd-linux.com/info/CVE-2017-12163

https://security.gd-linux.com/info/CVE-2017-14746

https://security.gd-linux.com/info/CVE-2017-15275

https://security.gd-linux.com/info/CVE-2017-2619

https://security.gd-linux.com/info/CVE-2017-7494

https://security.gd-linux.com/info/CVE-2018-1050

https://security.gd-linux.com/info/CVE-2018-1057

https://security.gd-linux.com/info/CVE-2018-10858

https://security.gd-linux.com/info/CVE-2018-10918

https://security.gd-linux.com/info/CVE-2018-10919

https://security.gd-linux.com/info/CVE-2018-1139

https://security.gd-linux.com/info/CVE-2020-14383

https://security.gd-linux.com/info/CVE-2021-44142

https://security.gd-linux.com/info/CVE-2023-34966

https://security.gd-linux.com/info/CVE-2023-34967

https://security.gd-linux.com/notice/NS-SA-2024-0054

https://security.gd-linux.com/info/CVE-2007-2446

https://security.gd-linux.com/info/CVE-2007-2447

Plugin Details

Severity: Critical

ID: 206855

File Name: newstart_cgsl_NS-SA-2024-0054_samba.nasl

Version: 1.3

Type: local

Published: 9/10/2024

Updated: 9/17/2024

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: High

Score: 8.9

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 8.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2017-7494

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 9.4

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:H/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:zte:cgsl_main:samba-common, cpe:/o:zte:cgsl_main:6, p-cpe:/a:zte:cgsl_main:samba-libs, p-cpe:/a:zte:cgsl_main:samba-winbind, p-cpe:/a:zte:cgsl_main:samba-winbind-modules, p-cpe:/a:zte:cgsl_main:samba, p-cpe:/a:zte:cgsl_main:samba-common-libs, p-cpe:/a:zte:cgsl_main:samba-client-libs, p-cpe:/a:zte:cgsl_main:libwbclient, p-cpe:/a:zte:cgsl_main:libsmbclient, p-cpe:/a:zte:cgsl_main:samba-winbind-clients, p-cpe:/a:zte:cgsl_main:samba-client, p-cpe:/a:zte:cgsl_main:samba-common-tools

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/ZTE-CGSL/release, Host/ZTE-CGSL/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 9/3/2024

Vulnerability Publication Date: 5/14/2007

CISA Known Exploited Vulnerability Due Dates: 4/20/2023

Exploitable With

CANVAS (CANVAS)

Core Impact

Metasploit (Samba lsa_io_trans_names Heap Overflow)

Reference Information

CVE: CVE-2007-2446, CVE-2007-2447, CVE-2008-1105, CVE-2009-2813, CVE-2009-2906, CVE-2009-2948, CVE-2012-0817, CVE-2012-1182, CVE-2012-2111, CVE-2012-6150, CVE-2013-0172, CVE-2013-0213, CVE-2013-0214, CVE-2013-4408, CVE-2013-4475, CVE-2013-4496, CVE-2013-6442, CVE-2014-0178, CVE-2014-0244, CVE-2014-3493, CVE-2014-3560, CVE-2015-3223, CVE-2015-5252, CVE-2015-5296, CVE-2015-5299, CVE-2015-5370, CVE-2015-7540, CVE-2015-7560, CVE-2016-2110, CVE-2016-2111, CVE-2016-2112, CVE-2016-2113, CVE-2016-2114, CVE-2016-2115, CVE-2016-2118, CVE-2016-2119, CVE-2016-2123, CVE-2016-2125, CVE-2016-2126, CVE-2017-12150, CVE-2017-12151, CVE-2017-12163, CVE-2017-14746, CVE-2017-15275, CVE-2017-2619, CVE-2017-7494, CVE-2018-1050, CVE-2018-1057, CVE-2018-10858, CVE-2018-10918, CVE-2018-10919, CVE-2018-1139, CVE-2020-14383, CVE-2021-44142, CVE-2023-34966, CVE-2023-34967

IAVA: 2016-A-0002-S, 2016-A-0095-S, 2016-A-0195-S, 2016-A-0353-S, 2017-A-0085-S, 2017-A-0163-S, 2017-A-0281-S, 2017-A-0344-S, 2018-A-0074-S, 2018-A-0257-S, 2020-A-0508-S, 2022-A-0054-S, 2023-A-0376-S

IAVB: 2009-B-0050-S, 2012-B-0045-S, 2012-B-0047-S, 2013-B-0006-S, 2013-B-0010-S, 2013-B-0131-S, 2014-B-0067-S, 2014-B-0105-S