Samba 4.2.x < 4.2.7 / 4.3.x < 4.3.3 Multiple Vulnerabilities

medium Nessus Network Monitor Plugin ID 9347

Synopsis

The remote Samba server is affected by multiple security issues.

Description

According to its banner, the version of Samba is 4.2.x earlier than 4.2.7, or 4.3.x earlier than 4.3.3. It is therefore affected by the following vulnerabilities:

- A flaw exists in the 'ldb_wildcard_compare()' function in 'lib/ldb/common/ldb_match.c' that is triggered when handling LDAP requests. This may allow a remote attacker to exhaust available CPU resources. (CVE-2015-3223)
- A flaw exists in the 'check_reduced_name_with_privilege()' and 'check_reduced_name()' functions in 'smbd/vfs.c' that allows traversing outside of a restricted path. The issue is due to users being permitted to follow symlinks pointing to resources in another directory that shares a common path prefix. This may allow a remote attacker to access files outside the exported share path. According to the vendor, exploitation requires that a Samba share "is configured with a path that shares a common path prefix with another directory on the file system". (CVE-2015-5252)
- A flaw exists that is triggered when handling encrypted client sessions due to missing signing. This may allow a Man-in-the-Middle (MitM) attacker to downgrade the security of the connection, making it easier to break the encryption and monitor or manipulate communication. (CVE-2015-5296)
- A flaw exists in the 'shadow_copy2_get_shadow_copy_data()' function in 'modules/vfs_shadow_copy2.c' due to missing access control checks when accessing snapshots. This may allow an authenticated, remote attacker to gain knowledge of potentially sensitive information. (CVE-2015-5299)
- A flaw exists in 'libcli/ldap/ldap_message.c' that is triggered when handling LDAP requests. This may allow a remote attacker to exhaust available memory resources and potentially cause the process to be terminated. (CVE-2015-7540)
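
The CVE-2015-5252 item above describes a share-boundary check defeated by a directory that shares a common path prefix with the share. The following added example (not Samba's code and not taken from this plugin) illustrates that general bug class with a prefix-only containment check beside one that requires a path-component boundary. The function names and sample paths are hypothetical, and both functions assume the path has already been canonicalised with symlinks resolved.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Illustrative only, not Samba's implementation. Inputs are assumed to be
 * absolute, canonical paths (symlinks already resolved, e.g. by realpath()). */

/* Flawed: plain string-prefix test. "/srv/share" is a prefix of
 * "/srv/share_private/...", so a sibling directory is accepted. */
static bool within_share_prefix_only(const char *share, const char *resolved)
{
    return strncmp(resolved, share, strlen(share)) == 0;
}

/* Hardened: the matched prefix must end on a path-component boundary. */
static bool within_share_component(const char *share, const char *resolved)
{
    size_t len = strlen(share);

    /* Ignore trailing slashes on the share root, but keep "/" itself. */
    while (len > 1 && share[len - 1] == '/')
        len--;
    if (strncmp(resolved, share, len) != 0)
        return false;
    if (len == 1 && share[0] == '/')
        return true; /* share is the filesystem root */
    /* The next byte must end the string or begin a new component. */
    return resolved[len] == '\0' || resolved[len] == '/';
}

int main(void)
{
    /* Constructed sample paths. */
    const char *share = "/srv/share";
    const char *paths[] = { "/srv/share/docs/a.txt", "/srv/share",
                            "/srv/share_private/secret.txt", "/srv/other" };

    for (size_t i = 0; i < sizeof paths / sizeof paths[0]; i++)
        printf("%-32s prefix-only=%d component=%d\n", paths[i],
               within_share_prefix_only(share, paths[i]),
               within_share_component(share, paths[i]));
    return 0;
}
```
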

Solution

Upgrade Samba to version 4.3.3 or later. If 4.3.x cannot be obtained, version 4.2.7 is also patched for these issues.

See Also

https://www.samba.org/samba/security/CVE-2015-3223.html

https://www.samba.org/samba/security/CVE-2015-5252.html

https://www.samba.org/samba/security/CVE-2015-5296.html

https://www.samba.org/samba/security/CVE-2015-5299.html

https://www.samba.org/samba/security/CVE-2015-7540.html

http://www.samba.org/samba/history/samba-4.2.7.html

http://www.samba.org/samba/history/samba-4.3.3.html

Plugin Details

Severity: Medium

ID: 9347

Family: Samba

Published: 6/9/2016

Updated: 3/6/2019

Dependencies: 8741

Nessus ID: 87768, 89144, 89376

Risk Information

CVSS v2

Risk Factor: Medium

Base Score: 6

Temporal Score: 4.4

Vector: CVSS2#AV:N/AC:M/Au:S/C:P/I:P/A:P

Temporal Vector: CVSS2#E:U/RL:OF/RC:C

CVSS v3

Risk Factor: Medium

Base Score: 5

Temporal Score: 4.4

Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:2.3:a:samba:samba:*:*:*:*:*:*:*:*

Patch Publication Date: 12/16/2015

Vulnerability Publication Date: 9/26/2014

Reference Information

CVE: CVE-2015-5252, CVE-2015-5296, CVE-2015-5299, CVE-2015-3223, CVE-2015-7540

BID: 79732, 79733, 79729, 79731, 79736