Versions of Samba 4.4.x prior to 4.4.14, 4.5.x prior to 4.5.10, and 4.6.x prior to 4.6.4 are unpatched, and therefore affected by a flaw in the 'is_known_pipename()' function in 'rpc_server/srv_pipe.c' that is due to the program failing to restrict users from accessing files as nt specific pipes. By uploading a shared library to a writable location, this may allow an authenticated, remote attacker to execute arbitrary code with root privileges.

Versions of Samba 4.4.x prior to 4.4.12, 4.5.x prior to 4.5.7, and 4.6.x prior to 4.6.1 are unpatched, and therefore affected by a race condition that is triggered after the 'realpath()' system call has checked a path. This may allow a local attacker to potentially rename a recently checked path and use a symlink to read from unauthorized parts of the file system.

Versions of Samba 4.3.x prior to 4.3.13, 4.4.x prior to 4.4.8, and 4.5.x prior to 4.5.3 are unpatched, and therefore affected by the following vulnerabilities :

 - An overflow condition exists in the 'ndr_pull_dnsp_name()' function in 'librpc/ndr/ndr_dnsp.c' that is triggered when handling 'dnsRecord' attributes of DNS objects.  With a specially crafted request, an authenticated, remote attacker can cause a heap-based buffer overflow, resulting in a denial of service or potentially allowing the execution of arbitrary code. 
 - A flaw exists related to the client code always requesting a forwardable Kerberos ticket when performing Kerberos authentication.  This may allow a service accepting the 'AP-REQ' from the client to perform the same actions as the client within the Kerberos TGT.
 - A flaw exists in the 'check_pac_checksum()' function in 'auth/kerberos/kerberos_pac.c' that is triggered when handling Kerberos PAC (Privilege Attribute Certificate) validation.  This may allow an authenticated, remote attacker to corrupt memory and crash the winbindd process.

According to its banner, the version of Samba running on the remote host is 4.2.x prior to 4.2.14, 4.3.x prior to 4.3.11, or 4.4.x prior to 4.4.5. Therefore, it is affected by a flaw within 'libcli/smb/smbXcli_base.c' that is triggered when handling SMB2/3 client connections. This may allow a MitM attacker to downgrade the required signing for a SMB2/3 client connection.

According to its banner, the version of Samba running on the remote host is 4.2.x prior to 4.2.11, 4.3.x prior to 4.3.8, or 4.4.x prior to 4.4.2. Therefore, it is affected by the following vulnerabilities :

 - A flaw exists in the DCE-RPC client that is triggered during the handling of specially crafted DCE-RPC packets. This may allow a remote attacker to conduct a MitM attack, downgrade a secure connection to an insecure one, cause a consumption of CPU resources, or potentially execute arbitrary code. (CVE-2015-5370)
 - A flaw exists in the implementation of NTLMSSP authentication that may allow a MitM attacker to conduct multiple attacks. This may allow the attacker to clear 'NTLMSSP_NEGOTIATE_SIGN' and 'NTLMSSP_NEGOTIATE_SEAL', take over connections, cause traffic to be sent without encryption, or potentially have other impacts. (CVE-2016-2110)
 - A flaw exists in NETLOGON that is due to the program failing to properly establish a secure channel connection. This may allow a remote MitM attacker to spoof a secure channel's endpoints' computer name and potentially obtain session information. (CVE-2016-2111)
 - A flaw exists that is due to a lack of integrity protection mechanisms. This may allow a remote MitM attacker to downgrade a secure LDAP connection to an insecure version of the connection. (CVE-2016-2112)
 - A flaw exists as TLS certificates are not properly validated for the LDAP and HTTP protocols. By spoofing the server via a certificate that appears valid, an attacker with the ability to intercept network traffic (e.g. MitM, DNS cache poisoning) can disclose and optionally manipulate transmitted data. (CVE-2016-2113)
 - A flaw exists that is due to the program failing to enforce the 'server signing = mandatory' option in 'smb.conf' for clients using the SMB1 protocol. This may result in SMB signing not being properly required, potentially allowing a MitM attacker to conduct spoofing attacks. (CVE-2016-2114)
 - A flaw exists that is due to the program failing to perform integrity checks for SMB client connections. As the protection mechanisms for DCERPC communication sessions are inherited from the underlying SMB connection, this may allow a MitM attacker to conduct spoofing attacks. (CVE-2016-2115)

According to its banner, the version of Samba is 3.x earlier than 3.4.0.  It is therefore affected by an overflow condition.  The application fails to properly sanitize user-supplied input resulting in a heap-based buffer overflow.  With a specially crafted 'Any Batched (AndX)' request packet, a remote attacker can potentially cause arbitrary code execution.

According to its banner, the version of Samba running on the remote host is 4.1.x prior to 4.1.23, 4.2.x prior to 4.2.9, 4.3.x prior to 4.3.6, or 4.4.0 prior to 4.4.0rc4.  It is therefore affected by the following vulnerabilities :

 - A security bypass vulnerability exists in the SMB1 implementation that is triggered when a symlink created to a file or directory using SMB1 UNIX extensions is accessed using non-UNIX SMB1 calls.  An authenticated, remote attacker can exploit this to overwrite file and directory ACLs. (CVE-2015-7560)
 - An out-of-bounds read error exists in the internal DNS server due to improper handling of TXT records when an AD DC is configured.  An authenticated, remote attacker can exploit this, via a crafted DNS TXT record, to cause a crash or disclose memory contents. (CVE-2016-0771)

According to its banner, the version of Samba is 4.2.x earlier than 4.2.7, or 4.3.x earlier than 4.3.3.  It is therefore affected by the following vulnerabilities :

 - A flaw exists in the 'ldb_wildcard_compare()' function in 'lib/ldb/common/ldb_match.c' that is triggered when handling LDAP requests.  This may allow a remote attacker to exhaust available CPU resources. (CVE-2015-3223)
 - A flaw exists in the 'check_reduced_name_with_privilege()' and 'check_reduced_name()' functions in 'smbd/vfs.c' that allows traversing outside of a restricted path.  The issue is due to users being permitted to follow symlinks pointing to resources in another directory that shares a common path prefix.  This may allow a remote attacker to access files outside the exported share path.  According to the vendor, exploitation requires that a Samba share "is configured with a path that shares a common path prefix with another directory on the file system". (CVE-2015-5252)
 - A flaw exists that is triggered when handling encrypted client sessions due to missing signing.  This may allow a Man-in-the-Middle (MitM) attacker to downgrade the security of the connection, making it easier to break the encryption and monitor or manipulate communication. (CVE-2015-5296)
 - A flaw exists in the 'shadow_copy2_get_shadow_copy_data()' function in 'modules/vfs_shadow_copy2.c' due to missing access control checks when accessing snapshots.  This may allow an authenticated, remote attacker to gain knowledge of potentially sensitive information. (CVE-2015-5299)
 - A flaw exists in 'libcli/ldap/ldap_message.c' that is triggered when handling LDAP requests.  This may allow a remote attacker to exhaust available memory resources and potentially cause the process to be terminated. (CVE-2015-7540)

According to its banner, the version of Samba is 4.x earlier than 4.1.22.  It is therefore affected by the following vulnerabilities :

 - A flaw exists in the 'ldb_wildcard_compare()' function in 'lib/ldb/common/ldb_match.c' that is triggered when handling LDAP requests.  This may allow a remote attacker to exhaust available CPU resources. (CVE-2015-3223)
 - A flaw exists in the 'check_reduced_name_with_privilege()' and 'check_reduced_name()' functions in 'smbd/vfs.c' that allows traversing outside of a restricted path.  The issue is due to users being permitted to follow symlinks pointing to resources in another directory that shares a common path prefix.  This may allow a remote attacker to access files outside the exported share path.  According to the vendor, exploitation requires that a Samba share "is configured with a path that shares a common path prefix with another directory on the file system". (CVE-2015-5252)
 - A flaw exists that is triggered when handling encrypted client sessions due to missing signing.  This may allow a Man-in-the-Middle (MitM) attacker to downgrade the security of the connection, making it easier to break the encryption and monitor or manipulate communication. (CVE-2015-5296)
 - A flaw exists in the 'shadow_copy2_get_shadow_copy_data()' function in 'modules/vfs_shadow_copy2.c' due to missing access control checks when accessing snapshots.  This may allow an authenticated, remote attacker to gain knowledge of potentially sensitive information. (CVE-2015-5299)
 - An unspecified flaw exists that is triggered when handling LDAP requests.  This may allow a remote attacker to disclose uninitialized memory contents. (CVE-2015-5330)
 - A flaw exists in 'libcli/ldap/ldap_message.c' that is triggered when handling LDAP requests.  This may allow a remote attacker to exhaust available memory resources and potentially cause the process to be terminated. (CVE-2015-7540)
 - A flaw exists in the 'samldb_check_user_account_control_acl()' function in 'dsdb/samdb/ldb_modules/samldb.c' that is triggered when operating as an Active Directory domain controller.  This may allow a remote attacker to bypass a certain Microsoft patch for Windows AD DCs in the same domain and crash them.  (CVE-2015-8467)

According to its banner, the version of Samba is 4.x earlier than 4.0.1.  It is therefore affected by a flaw when acting as an AD (Active Directory) DC (Domain Controller).  The vulnerability is triggered when a user or group is granted any access to a LDAP directory object based on objectClass or granted write access to any attribute on the object.  This results in an authenticated user automatically being granted write access to the object or all attributes.

According to its banner, the version of Samba is 3.4.x earlier than 3.4.17, 3.5.x earlier than 3.5.15, or 3.6.x earlier than 3.6.5.  It is therefore affected by a flaw in the application security checks for the 'CreateAccount', 'OpenAccount', 'AddAccountRights', and 'RemoveAccountRights' remote procedure calls in the local security authority.  This may allow a remote attacker to manipulate the ownership of arbitrary files and directories.

According to its banner, the version of Samba is 3.5.x earlier than 3.5.10, or 3.4.x earlier than 3.4.14, or 3.3.x earlier than 3.3.16, and is therefore affected by multiple vulnerabilities :

 - A cross-site scripting vulnerability exists because of a failure to sanitize input to the username parameter of the 'passwd' program. (CVE-2011-2522)/n - A cross-site request forgery (CSRF) vulnerability exists which can allow SWAT to be manipulated when a user who is logged in as root is tricked into clicking specially crafted URLs sent by an attacker.

Note that these issues are only exploitable when SWAT is enabled (SWAT is disabled by default) (CVE-2011-2694).

According to its banner, the version of Samba is 3.3.x earlier than 3.3.11, or 3.4.x earlier than 3.4.6, or 3.5.x earlier than 3.5.0rc3, and is therefore affected by a directory-traversal vulnerability as the application fails to sufficiently sanitize user-supplied input.  According to the vendor, the issue stems from an insecure default configuration.  The vendor advises administrators to set 'wide links = no' in the '[global]' section of 'smb.conf'.  To exploit this issue, attackers require authenticated access to a writable share, and may be exploited through a writable share accessible by guest accounts.  This may allow an attacker to access files outside of the Samba user's root directory to obtain sensitive information and perform other attacks.

According to its banner, the version of Samba is 3.0.x earlier than 3.0.7.  It is, therefore, affected by multiple vulnerabilities :

 - A flaw exists that may allow a remote denial of service.  The issue is triggered when an attacker sends specially crafted packets to the smbd daemon during the ASN.1 parsing routine causing many processes to spawn resulting in a loss of availability for the platform. (CVE-2004-0807)
 - A flaw exists that may allow a remote denial of service.  The issue is triggered when an attacker sends a malformed UDP packet and will result in loss of availability for Samba's nmbd daemon.  The 'process_logon_packet' function does not properly validate that the packet is appropriately sized to contain the number of structures it claims, when processing a 'SAM_UAS_CHANGE' request.  If the packet claims a large number of structures and a smaller number are contained in the packet, nmbd will reference memory outside of the packet, possibly causing the daemon to crash. (CVE-2004-0808)

According to its banner, the version of Samba running on the remote host is between 3.0.2 and 3.0.4, inclusive.  An error exists in the base64 decoding functions, which can result in a buffer overflow.

According to its banner, the version of Samba is 2.2.x earlier than 2.2.10, or 3.0.x earlier than 3.0.5, and is therefore affected by a flaw related to setting the option 'mangling method' to 'hash' in 'smb.conf' (which is not the default setting), and may allow an attacker to cause a buffer overflow.  No further details have been provided.

According to its banner, the version of Samba is earlier than 2.2.11.  It is, therefore, affected by a flaw that may allow a remote denial of service.  The issue is triggered when sending a 'FindNextPrintChangeNotify()' request from a Windows XP SP2 client without initially issuing a 'FindFirstPrintChangeNotify()' request, which could allow a remote attacker to cause the Samba daemon to crash, resulting in a loss of availability of the service.

The version of Samba on the remote host is 4.4.x prior to 4.4.1 and is affected by the following vulnerabilities :

 - A flaw exists in the DCE-RPC client when handling specially crafted DCE-RPC packets. A man-in-the-middle (MitM) attacker can exploit this to downgrade the connection security, cause a denial of service through resource exhaustion, or potentially execute arbitrary code. (CVE-2015-5370)
 - A flaw exists in the implementation of NTLMSSP authentication. A MitM attacker can exploit this to clear the NTLMSSP_NEGOTIATE_SIGN and NTLMSSP_NEGOTIATE_SEAL settings, take over the connections, cause traffic to be sent unencrypted, or have other unspecified impact. (CVE-2016-2110)
 - A flaw exists in NETLOGON due to a failure to properly establish a secure channel connection. A MitM attacker can exploit this to spoof the computer names of a secure channel's endpoints, potentially gaining session information. (CVE-2016-2111)
 - A flaw exists in the integrity protection mechanisms that allows a MitM attacker to downgrade a secure LDAP connection to an insecure version. (CVE-2016-2112)
 - A flaw exists due to improper validation of TLS certificates for the LDAP and HTTP protocols. A MitM attacker can exploit this, via a crafted certificate, to spoof a server, resulting in the disclosure or manipulation of the transmitted traffic. (CVE-2016-2113)
 - A flaw exists due to a failure to enforce the 'server signing = mandatory' option in smb.conf for clients using the SMB1 protocol. A MitM attacker can exploit this to conduct spoofing attacks. (CVE-2016-2114)
 - A flaw exists due to a failure to perform integrity checking for SMB client connections. A MitM attacker can exploit this to conduct spoofing attacks since the protection mechanisms for DCERPC communication sessions are inherited from the underlying SMB connection. (CVE-2016-2115)
  - A flaw, known as Badlock, exists in the Security Account Manager (SAM) and Local Security Authority (Domain Policy) (LSAD) protocols due to improper authentication level negotiation over Remote Procedure Call (RPC) channels. A MitM attacker who is able to able to intercept the traffic between a client and a server hosting a SAM database can exploit this flaw to force a downgrade of the authentication level, which allows the execution of arbitrary Samba network calls in the context of the intercepted user, such as viewing or modifying sensitive security data in the Active Directory (AD) database or disabling critical services. (CVE-2016-2118)

The version of Samba on the remote host is 4.3.x prior to 4.3.7 and is affected by the following vulnerabilities :

 - A flaw exists in the DCE-RPC client when handling specially crafted DCE-RPC packets. A man-in-the-middle (MitM) attacker can exploit this to downgrade the connection security, cause a denial of service through resource exhaustion, or potentially execute arbitrary code. (CVE-2015-5370)
 - A flaw exists in the implementation of NTLMSSP authentication. A MitM attacker can exploit this to clear the NTLMSSP_NEGOTIATE_SIGN and NTLMSSP_NEGOTIATE_SEAL settings, take over the connections, cause traffic to be sent unencrypted, or have other unspecified impact. (CVE-2016-2110)
 - A flaw exists in NETLOGON due to a failure to properly establish a secure channel connection. A MitM attacker can exploit this to spoof the computer names of a secure channel's endpoints, potentially gaining session information. (CVE-2016-2111)
 - A flaw exists in the integrity protection mechanisms that allows a MitM attacker to downgrade a secure LDAP connection to an insecure version. (CVE-2016-2112)
 - A flaw exists due to improper validation of TLS certificates for the LDAP and HTTP protocols. A MitM attacker can exploit this, via a crafted certificate, to spoof a server, resulting in the disclosure or manipulation of the transmitted traffic. (CVE-2016-2113)
 - A flaw exists due to a failure to enforce the 'server signing = mandatory' option in smb.conf for clients using the SMB1 protocol. A MitM attacker can exploit this to conduct spoofing attacks. (CVE-2016-2114)
 - A flaw exists due to a failure to perform integrity checking for SMB client connections. A MitM attacker can exploit this to conduct spoofing attacks since the protection mechanisms for DCERPC communication sessions are inherited from the underlying SMB connection. (CVE-2016-2115)
  - A flaw, known as Badlock, exists in the Security Account Manager (SAM) and Local Security Authority (Domain Policy) (LSAD) protocols due to improper authentication level negotiation over Remote Procedure Call (RPC) channels. A MitM attacker who is able to able to intercept the traffic between a client and a server hosting a SAM database can exploit this flaw to force a downgrade of the authentication level, which allows the execution of arbitrary Samba network calls in the context of the intercepted user, such as viewing or modifying sensitive security data in the Active Directory (AD) database or disabling critical services. (CVE-2016-2118)

The version of Samba on the remote host is 4.2.x prior to 4.2.10 and is affected by the following vulnerabilities :

 - A flaw exists in the DCE-RPC client when handling specially crafted DCE-RPC packets. A man-in-the-middle (MitM) attacker can exploit this to downgrade the connection security, cause a denial of service through resource exhaustion, or potentially execute arbitrary code. (CVE-2015-5370)
 - A flaw exists in the implementation of NTLMSSP authentication. A MitM attacker can exploit this to clear the NTLMSSP_NEGOTIATE_SIGN and NTLMSSP_NEGOTIATE_SEAL settings, take over the connections, cause traffic to be sent unencrypted, or have other unspecified impact. (CVE-2016-2110)
 - A flaw exists in NETLOGON due to a failure to properly establish a secure channel connection. A MitM attacker can exploit this to spoof the computer names of a secure channel's endpoints, potentially gaining session information. (CVE-2016-2111)
 - A flaw exists in the integrity protection mechanisms that allows a MitM attacker to downgrade a secure LDAP connection to an insecure version. (CVE-2016-2112)
 - A flaw exists due to improper validation of TLS certificates for the LDAP and HTTP protocols. A MitM attacker can exploit this, via a crafted certificate, to spoof a server, resulting in the disclosure or manipulation of the transmitted traffic. (CVE-2016-2113)
 - A flaw exists due to a failure to enforce the 'server signing = mandatory' option in smb.conf for clients using the SMB1 protocol. A MitM attacker can exploit this to conduct spoofing attacks. (CVE-2016-2114)
 - A flaw exists due to a failure to perform integrity checking for SMB client connections. A MitM attacker can exploit this to conduct spoofing attacks since the protection mechanisms for DCERPC communication sessions are inherited from the underlying SMB connection. (CVE-2016-2115)
  - A flaw, known as Badlock, exists in the Security Account Manager (SAM) and Local Security Authority (Domain Policy) (LSAD) protocols due to improper authentication level negotiation over Remote Procedure Call (RPC) channels. A MitM attacker who is able to able to intercept the traffic between a client and a server hosting a SAM database can exploit this flaw to force a downgrade of the authentication level, which allows the execution of arbitrary Samba network calls in the context of the intercepted user, such as viewing or modifying sensitive security data in the Active Directory (AD) database or disabling critical services. (CVE-2016-2118)

The version of Samba on the remote host is 4.x prior to 4.0.21 / 4.1.x prior to 4.1.11 and is affected by a flaw in the NetBIOS name services daemon (nmbd). This flaw may allow an attacker to execute arbitrary code as the superuser.

The version of Samba on the remote host is 4.x prior to 4.0.24, 4.1.x prior to 4.1.16, or 4.2.x prior to 4.2rc4 and is affected by a flaw in the Active Directory Domain Controller (AD DC) component due to a failure to implement a required check on the 'UF_SERVER_TRUST_ACCOUNT' bit of the 'userAccountControl' attributes. This vulnerability could allow a remote, authenticated attacker to elevate privileges.

The version of Samba on the remote host is 3.6.x prior to 3.6.24, 4.0.x prior to 4.0.19, or 4.1.x prior to 4.1.9 and is affected by the following vulnerabilities :

 - A denial of service flaw exists with 'nmbd'. A remote attacker, with a specially crafted packet, could cause the CPU to loop the same code segment, preventing further NetBIOS name services. (CVE-2014-0244)

 - A denial of service flaw exists with 'smbd' when an authenticated client makes a non-unicode request for a valid unicode path. An invalid return code from the conversion of bad unicode to Windows character set can cause memory at an offset from the expected return buffer to be overwritten. This could allow a remote authenticated attacker to cause a denial of service. (CVE-2014-3493)

The version of Samba running on the remote host is 3.5.x prior to 3.5.22, 3.6.x prior to 3.6.25, 4.0.x prior to 4.0.25, 4.1.x prior to 4.1.17, or 4.2.x prior to 4.2rc5 and is affected by a remote code execution vulnerability in the TALLOC_FREE() function of 'rpc_server/netlogon/srv_netlog_nt.c'. A remote attacker, using a specially crafted sequence of packets followed by a subsequent anonymous netlogon packet, can execute arbitrary code as the root user.

An error exists related to GET_SHADOW_COPY_DATA() and FSCTL_SRV_ENUMERATE_SNAPSHOTS() request handling in which the SRV_SNAPSHOT_ARRAY response field is not properly initialized. Therefore, configurations with 'shadow_copy' or 'shadow-copy2' specified for the 'vfs objects' parameter can allow the disclosure of uninitialized memory contents.

Versions of Samba older than 3.6.20 / 4.0.11 / 4.1.1 are unpatched for the following two vulnerabilities:

  - Private key for SSL/TLS encryption is stored in a 'key.pem' file with world-readable permissions, which can allow a local attacker to extract sensitive information and decrypt network traffic. (CVE-2013-4476)

  - Versions of Samba 3.2.0 and above do not check the underlying file or directory ACL when opening an alternate data stream. (CVE-2013-4475)

Versions of Samba older than 4.0.18 or 4.1.8 are unpatched for the following vulnerabilities:

  - An error in the 'dns_process_send()' function in the internal DNS server can cause an infinite loop that results in denial of service, due to the server not checking the 'reply' flag in a DNS packet header when processing a request. (CVE-2014-0239)

  - A flaw in the 'vfswrap_fsctl()' function that is triggered when responding to authenticated FSCTL_GET_SHADOW_COPY_DATA or FSCTL_SRV_ENUMERATE_SNAPSHOTS client requests can result in the exposure of eight bytes of uninitialized memory. This affects versions of Samba 3.6.6 and onward. (CVE-2014-0178)

Versions of Samba older than 3.6.23 / 4.0.16 / 4.1.6 are unpatched for the following vulnerabilities:

  - An information disclosure due to an error in the Security Account Manager Remote (SAMR) implementation, which fails to properly validate the lockout state for user accounts after a certain number of bad password attempts. (CVE-2013-4496)

  - An error in the 'smbcacls' command causes the removal of access control lists (ACLs) when used with a '--chown' or '--chgrp' option, which could be leveraged by a remote attacker after an unintended administrative change to bypass intended restrictions. (CVE-2013-6442)

According to its banner, the version of Samba running on this system (i.e., earlier than 3.6.22 / 4.0.13 / 4.1.3) contain the following known vulnerabilities:

  - A security bypass vulnerability via the 'winbind_name_list_to_sid_string_list()' that would allow a malicious authenticated user to modify the 'pam_winbind' configuration file. (CVE-2012-6150)

  - A buffer overflow vulnerability in the 'dcerpc_read_ncacn_packet_done()' function that can allow remote AD domain controllers to execute arbitrary code (CVE-2013-4408)

  - ACLs were not checked when opening files with alternate data streams, though this issue is only exploitable if the VFS modules vfs_streams_depot and/or vfs_streams_xattr are used. (CVE-2013-4475)

According to its banner, the version of Samba running on the remote host may contain a vulnerability wherein a malformed packet can cause the smbd server to go into an infinite loop, denying service to legitimate users.

The remote Samba server is be vulnerable to a remote file creation vulnerability. This vulnerability allows an attacker overwrite arbitrary files by supplying an arbitrartily formed NetBIOS machine name to this server, and to potentially become root on this host.

According to its banner, the version of Samba 3.6.x running on the remote host is earlier than 3.6.x. It is, therefore, affected by a remote security bypass vulnerability because it fails to properly enforce CIFS share attributes.

This may allow a remote, authenticated attacker to write to read-only shares, impact integrity related to oplock, locking, coherency, or leases or leases attributes

According to its banner, the version of Samba 3.x running on the remote host is earlier than 3.6.4 / 3.5.14 / 3.4.16.  It is, therefore, affected by multiple heap-based buffer overflow vulnerabilities.

An error in the DCE/RPC IDL (PIDL) compiler causes the RPC handling code it generates to contain multiple heap-based buffer overflow vulnerabilities.  This generated code can allow a remote, unauthenticated attacker to use malicious RPC calls to crash the application and possibly execute arbitrary code as the root user.

According to its banner, the version of Samba 4.x running on the remote host is earlier than 4.0.4. It is, therefore, affected by a file permissions vulnerability.

Files on Active Directory Domain Controllers(AD DC) may be created with world-writeable permissions when additional CIFS file shares are created on the AD DC.

Note that this issue does not affect the AD DC by default and thus, does not affect files in the 'sysvol' and 'netlogon' shares.  Further, installs configured as standalone server, domain member, file server, classic domain controller and installs built with '--without-ad-dc' are not affected.  However, it does affect files on shares with simple Unix permissions.

According to its banner, the version of Samba 3.x or 4.x running on the remote host is earlier than 3.5.21 / 3.6.12 or 4.0.2. It is, therefore, affected by the following vulnerabilities :

  - An error exists in the SWAT interface that could allow 'clickjacking' attacks. (CVE-2013-0213, Issue #9576)

  - An error exists in the SWAT interface that could allow cross-site request forgery (XSRF) attacks. (CVE-2013-0214, Issue #9577)

Note that these issues are only exploitable when SWAT is enabled and it is not enabled by default.

According to its banner, the version of Samba 3.6.x running on the remote host is earlier than 3.6.3.  Errors exist in the files 'source3/lib/substitute.c' and 'source3/smbd/server.c' that leak small amounts of memory when processing every connection attempt.

An attacker can continually make connections to the server and cause a denial of service attack against the affected smbd service.

According to its banner, the version of Samba 3.x running on the remote host is earlier than 3.5.5.  The 'sid_parse()' and related 'dom_sid_parse()' functions in such versions fail to correctly check their input lengths when reading a binary representation of a Windows SID (Security ID).  An attacker who is able to get a connection to a file share, either authenticated or via a guest connection, can leverage this issue to launch a stack buffer overflow attack against the affected smbd service and possibly execute arbitrary code.

Versions of Samba 3.x earlier than 3.3.13 are potentially affected by a memory corruption vulnerability when handling specially crafted SMB1 packets.  A remote unauthenticated attacker, exploiting this flaw, could crash the affected service or potentially execute arbitrary code subject to the privileges of the user running the affected application.

The remote client is a Microsoft Group Policy client.

According to its banner, the version of Samba Server on the remote host is potentially affected by a flaw which would allow a remote attacker to disable the service.  An attacker, exploiting this flaw, would need network access to the SAMBA server.

According to its banner, the version of Samba Server on the remote host is potentially affected by a security bypass vulnerability.  A flaw exists that causes all smbd processes to inherit CAP_DAC_OVERRIDE capabilities, allowing all file system access to be allowed even when permissions should have denied access.

According to its banner, the version of Samba server on the remote host is potentially affected by multiple vulnerabilities : 

  - If a user in '/etc/passwd' is misconfigured to have an empty home directory then connecting to the home share of this user will use the root of the filesystem as the home directory. (CVE-2009-2813)

  - Specially crafted SMB requests on authenticated SMB connections can send smbd into a 100% loop, causing a denial of service. (CVE-2009-2906)

  - When 'mount.cifs' is installed as a setuid program, a user can pass it a credential or password path to which he or she does not have access and then use the '--verbose' option to view the first line of that file. (CVE-2009-2948)

According to its banner, the version of the Samba server on the remote host is between 3.2.0 and 3.2.6 inclusive.  Such versions reportedly allow an authenticated remote user to gain access to the root filesystem, subject to his or her privileges, by making a request for a share called '' (empty string) from a version of smbclient prior to 3.0.28.  Successful exploitation of this issue requires 'registry shares' to be enabled, which is not enabled by default.

According to its banner, the version of the Samba server on the remote host is between 3.0.29 and 3.2.4 inclusive.  Such versions reportedly can potentially leak arbitrary memory contents of the 'smbd' process due to a missing bounds check on client-generated offsets of secondary 'trans', 'trans2', and 'nttrans' requests.

According to its banner, the version of the Samba server on the remote host is reportedly affected by a boundary error in 'nmbd' within the 'receive_smb_raw' function in 'lib/util_sock.c' when parsing SMB packets received in a client context.  By sending specially-crafted packets to an 'nmbd' server configured as a local or domain master browser, an attacker can leverage this issue to produce a heap-based buffer overflow and execute arbitrary code with system privileges.

According to its banner, the version of the Samba server on the remote host is reportedly affected by a boundary error in 'nmbd' within the 'send_mailslot' function.  Provided the 'domain logons' option is enabled in 'smb.conf', an attacker can leverage this issue to produce a stack-based buffer overflow using a 'SAMLOGON' domain logon packet in which the username string is placed at an odd offset and is followed by a long 'GETDC' string.  Note that NNM has not verified whether 'domain logons' are enabled on the remote host.

According to its banner, the version of the Samba server on the remote host contains a boundary error in the 'reply_netbios_packet()' function in 'nmbd/nmbd_packets.c' when sending NetBIOS replies.  Provided the server is configured to run as a WINS server, a remote attacker can exploit this issue by sending multiple specially-crafted WINS 'Name Registration' requests followed by a WINS 'Name Query' request, leading to a stack-based buffer overflow and allow for execution of arbitrary code.
There is also a stack buffer overflow in nmbd's logon request processing code that can be triggered by means of specially-crafted GETDC mailslot requests when the affected server is configured as a Primary or Backup Domain Controller.  The Samba security team currently does not believe this particular vulnerability can be exploited to execute arbitrary code remotely.

According to its banner, the version of the Samba server installed on the remote host is affected by a flaw where a local attacker can gain group-0 access.  In order for the exploit to work, the local system must be configured to use Microsoft Active Directory and return a NULL value for the group ID.  Successful exploitation would result in the local attacker gaining elevated access on the local machine.

According to its banner, the version of the Samba server installed on the remote host is affected by multiple buffer overflow and remote command injection vulnerabilities that can be exploited remotely, as well as a local privilege escalation bug.

The version of the Samba server installed on the remote host is affected by multiple heap overflow vulnerabilities that can be exploited remotely to execute code with the privileges of the samba daemon.

ID	Name	Severity
700127	Samba 4.4.x < 4.4.14 / 4.5.x < 4.5.10 / 4.6.x < 4.6.4 RCE (SambaCry)	Critical
700022	Samba 4.4.x < 4.4.12 / 4.5.x < 4.5.7 / 4.6.x < 4.6.1 Local File Disclosure	Low
9857	Samba 4.3.x < 4.3.13 / 4.4.x < 4.4.8 / 4.5.x < 4.5.3 Multiple Vulnerabilities	High
9823	Samba 4.2.x < 4.2.14 / 4.3.x < 4.3.11 / 4.4.x < 4.4.5 MitM	Medium
9822	Samba 4.2.x < 4.2.11 / 4.3.x < 4.3.8 / 4.4.x < 4.4.2 Multiple MitM	Medium
9349	Samba 3.x < 3.4.0 Buffer Overflow	High
9348	Samba 4.x < 4.1.23 / 4.2.x < 4.2.9 / 4.3.x < 4.3.6 / 4.4.x < 4.4.0rc4 Multiple Vulnerabilities	Medium
9347	Samba 4.2.x < 4.2.7 / 4.3.x < 4.3.3 Multiple Vulnerabilities	Medium
9346	Samba 4.x < 4.1.22 Multiple Vulnerabilities	Medium
9345	Samba 4.x < 4.0.1 Remote Security Bypass	Medium
9344	Samba 3.x < 3.4.17 / 3.5.x < 3.5.15 / 3.6.x < 3.6.5 Remote Security Bypass	Medium
9343	Samba 3.x < 3.3.16 / 3.4.14 / 3.5.10 Multiple Vulnerabilities	Medium
9342	Samba 3.3.x < 3.3.11 / 3.4.x < 3.4.6 / 3.5.x < 3.5.0rc3 Directory Traversal	High
9341	Samba 3.0.x < 3.0.7 Multiple DoS	Medium
9340	Samba 3.0.x versions 3.0.2 through 3.0.4 Buffer Overflow	Critical
9339	Samba 2.2.x < 2.2.10 / 3.0.x < 3.0.5 Buffer Overflow	Medium
9338	Samba 2.x < 2.2.11 Remote DoS	Medium
9233	Samba 4.4.x < 4.4.1 Multiple Vulnerabilities (Badlock)	Medium
9232	Samba 4.3.x < 4.3.7 Multiple Vulnerabilities (Badlock)	Medium
9231	Samba 4.2.x < 4.2.10 Multiple Vulnerabilities (Badlock)	Medium
8759	Samba 4.x < 4.0.21 / 4.1.x < 4.1.11 nmbd Remote Code Execution	High
8758	Samba 4.x < 4.0.24 / 4.1.x < 4.1.16 / 4.2.x < 4.2rc4 UF_SERVER_TRUST_ACCOUNT AD DC Privilege Escalation	High
8757	Samba 3.6.x < 3.6.24 / 4.0.x < 4.0.19 / 4.1.x < 4.1.9 Multiple Vulnerabilities	Medium
8753	Samba 3.5.x / 3.6.x < 3.6.25 / 4.0.x < 4.0.25 / 4.1.x < 4.1.17 / 4.2.x < 4.2rc5 TALLOC_FREE() RCE	Critical
8752	Samba 3.6.6 < 3.6.25 Memory Disclosure	Low
8288	Samba < 3.6.20 / 4.0.11 / 4.1.1 Multiple Vulnerabilities	Low
3540	Samba 4.0.x < 4.0.18 / 4.1.x < 4.1.8 Multiple Vulnerabilities	Medium
8276	Samba < 3.6.23 / 4.0.16 / 4.1.6 Multiple Vulnerabilities	Medium
8075	Samba < 3.6.22 / 4.0.13 / 4.1.3 Multiple Vulnerabilities	High
6965	Samba < 3.5.22 / 3.6.17 / 4.0.8 Denial of Service Vulnerability	Low
1338	Samba < 2.0.10 Remote Arbitrary File Overwrite	Critical
6930	Samba 3.6.x < 3.6.6 Remote Security Bypass	Medium
6443	Samba 3.x < 3.6.4 / 3.5.14 / 3.4.16 RPC Multiple Buffer Overflows	Critical
6720	Samba 4.x < 4.0.4 AD DC File Permissions	Low
6686	Samba 3.x < 3.5.21 / 3.6.12 and 4.x < 4.0.2 SWAT Multiple Vulnerabilities (deprecated)	Medium
6299	Samba 3.6.x < 3.6.3 Denial of Service	Medium
5663	Samba 3.x < 3.5.5 / 3.4.9 / 3.3.14 sid_parse Buffer Overflow	Critical
5572	Samba 3.x < 3.3.13 SMB1 Packet Chaining Memory Corruption	Critical
5538	Microsoft Group Policy Client Detection	Info
5534	Samba < 3.5.2 / 3.4.8 Multiple DoS	Medium
5360	Samba 3.3.11 / 3.4.6 / 3.5.0 Security Bypass Vulnerability	High
5194	Samba < 3.0.37 / 3.2.15 / 3.3.8 / 3.4.2 Multiple Vulnerabilities	Medium
4807	Samba 3.2.0 - 3.2.6 Unauthorized Access	Medium
4774	Samba 3.0.29 - 3.2.4 Potential Memory Disclosure	Medium
4522	Samba < 3.0.30 'receive_smb_raw' Buffer Overflow Vulnerability	High
4311	Samba < 3.0.28 'send_mailslot' Function Buffer Overflow	Critical
4285	Samba < 3.0.27 Multiple Vulnerabilities	Critical
4208	Samba < 3.0.26 'idmap_ad.co' Local Privilege Escalation	Low
3990	Samba < 3.0.25 Multiple Vulnerabilities	High
3988	Samba < 3.0.25 NDR MS-RPC Request Heap-Based Overflow	Medium

Samba Family for Nessus Network Monitor