ID CVE-2015-5296
Summary Samba 3.x and 4.x before 4.1.22, 4.2.x before 4.2.7, and 4.3.x before 4.3.3 supports connections that are encrypted but unsigned, which allows man-in-the-middle attackers to conduct encrypted-to-unencrypted downgrade attacks by modifying the client-server data stream, related to clidfs.c, libsmb_server.c, and smbXcli_base.c.
References
Vulnerable Configurations
  • Samba 3.0.2a
    cpe:2.3:a:samba:samba:3.0.2a
  • Samba 3.0.3
    cpe:2.3:a:samba:samba:3.0.3
  • Samba 3.0.4
    cpe:2.3:a:samba:samba:3.0.4
  • Samba 3.0.4 release candidate 1
    cpe:2.3:a:samba:samba:3.0.4:rc1
  • Samba 3.0.5
    cpe:2.3:a:samba:samba:3.0.5
  • Samba 3.0.6
    cpe:2.3:a:samba:samba:3.0.6
  • Samba 3.0.7
    cpe:2.3:a:samba:samba:3.0.7
  • Samba 3.0.8
    cpe:2.3:a:samba:samba:3.0.8
  • Samba 3.0.9
    cpe:2.3:a:samba:samba:3.0.9
  • Samba 3.0.25b
    cpe:2.3:a:samba:samba:3.0.25:b
  • Samba 3.0.25c
    cpe:2.3:a:samba:samba:3.0.25:c
  • Samba 3.0.25 pre1
    cpe:2.3:a:samba:samba:3.0.25:pre1
  • Samba 3.0.25 pre2
    cpe:2.3:a:samba:samba:3.0.25:pre2
  • Samba 3.0.25 release candidate 1
    cpe:2.3:a:samba:samba:3.0.25:rc1
  • Samba 3.0.25 release candiate 2
    cpe:2.3:a:samba:samba:3.0.25:rc2
  • Samba 3.0.25 release candidate 3
    cpe:2.3:a:samba:samba:3.0.25:rc3
  • Samba 3.0.25a
    cpe:2.3:a:samba:samba:3.0.25a
  • Samba 3.0.25b
    cpe:2.3:a:samba:samba:3.0.25b
  • Samba 3.0.25c
    cpe:2.3:a:samba:samba:3.0.25c
  • Samba 3.0.26
    cpe:2.3:a:samba:samba:3.0.26
  • Samba 3.0.26a
    cpe:2.3:a:samba:samba:3.0.26:a
  • Samba 3.0.26a
    cpe:2.3:a:samba:samba:3.0.26a
  • Samba 3.0.27
    cpe:2.3:a:samba:samba:3.0.27
  • Samba 3.0.27a
    cpe:2.3:a:samba:samba:3.0.27:a
  • cpe:2.3:a:samba:samba:3.0.27a
    cpe:2.3:a:samba:samba:3.0.27a
  • Samba 3.0.28
    cpe:2.3:a:samba:samba:3.0.28
  • Samba 3.0.28a
    cpe:2.3:a:samba:samba:3.0.28:a
  • cpe:2.3:a:samba:samba:3.0.28a
    cpe:2.3:a:samba:samba:3.0.28a
  • Samba 3.0.29
    cpe:2.3:a:samba:samba:3.0.29
  • Samba 3.0.30
    cpe:2.3:a:samba:samba:3.0.30
  • Samba 3.0.31
    cpe:2.3:a:samba:samba:3.0.31
  • Samba 3.0.32
    cpe:2.3:a:samba:samba:3.0.32
  • Samba 3.0.33
    cpe:2.3:a:samba:samba:3.0.33
  • Samba 3.0.34
    cpe:2.3:a:samba:samba:3.0.34
  • Samba 3.0.35
    cpe:2.3:a:samba:samba:3.0.35
  • Samba 3.0.36
    cpe:2.3:a:samba:samba:3.0.36
  • Samba 3.0.37
    cpe:2.3:a:samba:samba:3.0.37
  • Samba 3.1.0
    cpe:2.3:a:samba:samba:3.1.0
  • cpe:2.3:a:samba:samba:3.2
    cpe:2.3:a:samba:samba:3.2
  • Samba 3.2.0
    cpe:2.3:a:samba:samba:3.2.0
  • Samba 3.2.1
    cpe:2.3:a:samba:samba:3.2.1
  • Samba 3.2.2
    cpe:2.3:a:samba:samba:3.2.2
  • Samba 3.2.3
    cpe:2.3:a:samba:samba:3.2.3
  • Samba 3.2.4
    cpe:2.3:a:samba:samba:3.2.4
  • Samba 3.2.5
    cpe:2.3:a:samba:samba:3.2.5
  • Samba 3.2.6
    cpe:2.3:a:samba:samba:3.2.6
  • Samba 3.2.7
    cpe:2.3:a:samba:samba:3.2.7
  • Samba 3.2.8
    cpe:2.3:a:samba:samba:3.2.8
  • Samba 3.2.9
    cpe:2.3:a:samba:samba:3.2.9
  • Samba 3.2.10
    cpe:2.3:a:samba:samba:3.2.10
  • Samba 3.2.11
    cpe:2.3:a:samba:samba:3.2.11
  • Samba 3.2.12
    cpe:2.3:a:samba:samba:3.2.12
  • Samba 3.2.13
    cpe:2.3:a:samba:samba:3.2.13
  • Samba 3.2.14
    cpe:2.3:a:samba:samba:3.2.14
  • Samba 3.2.15
    cpe:2.3:a:samba:samba:3.2.15
  • cpe:2.3:a:samba:samba:3.3
    cpe:2.3:a:samba:samba:3.3
  • Samba 3.3.0
    cpe:2.3:a:samba:samba:3.3.0
  • Samba 4.0.0
    cpe:2.3:a:samba:samba:4.0.0
  • Samba 4.0.1
    cpe:2.3:a:samba:samba:4.0.1
  • Samba 4.0.2
    cpe:2.3:a:samba:samba:4.0.2
  • Samba 4.0.3
    cpe:2.3:a:samba:samba:4.0.3
  • Samba 4.0.4
    cpe:2.3:a:samba:samba:4.0.4
  • Samba 4.0.5
    cpe:2.3:a:samba:samba:4.0.5
  • Samba 4.0.6
    cpe:2.3:a:samba:samba:4.0.6
  • Samba 4.0.7
    cpe:2.3:a:samba:samba:4.0.7
  • Samba 4.0.8
    cpe:2.3:a:samba:samba:4.0.8
  • Samba 4.0.9
    cpe:2.3:a:samba:samba:4.0.9
  • Samba 4.0.10
    cpe:2.3:a:samba:samba:4.0.10
  • Samba 4.0.11
    cpe:2.3:a:samba:samba:4.0.11
  • Samba 4.0.12
    cpe:2.3:a:samba:samba:4.0.12
  • Samba 4.0.13
    cpe:2.3:a:samba:samba:4.0.13
  • Samba 4.0.14
    cpe:2.3:a:samba:samba:4.0.14
  • Samba 4.0.15
    cpe:2.3:a:samba:samba:4.0.15
  • Samba 4.0.16
    cpe:2.3:a:samba:samba:4.0.16
  • Samba 4.0.17
    cpe:2.3:a:samba:samba:4.0.17
  • Samba 4.0.18
    cpe:2.3:a:samba:samba:4.0.18
  • Samba 4.0.19
    cpe:2.3:a:samba:samba:4.0.19
  • Samba 4.0.20
    cpe:2.3:a:samba:samba:4.0.20
  • Samba 4.0.21
    cpe:2.3:a:samba:samba:4.0.21
  • Samba 4.0.22
    cpe:2.3:a:samba:samba:4.0.22
  • Samba 4.0.23
    cpe:2.3:a:samba:samba:4.0.23
  • Samba 4.0.24
    cpe:2.3:a:samba:samba:4.0.24
  • Samba 4.1.0
    cpe:2.3:a:samba:samba:4.1.0
  • Samba 4.1.1
    cpe:2.3:a:samba:samba:4.1.1
  • Samba 4.1.2
    cpe:2.3:a:samba:samba:4.1.2
  • Samba 4.1.3
    cpe:2.3:a:samba:samba:4.1.3
  • Samba 4.1.4
    cpe:2.3:a:samba:samba:4.1.4
  • Samba 4.1.5
    cpe:2.3:a:samba:samba:4.1.5
  • Samba 4.1.6
    cpe:2.3:a:samba:samba:4.1.6
  • Samba 4.1.7
    cpe:2.3:a:samba:samba:4.1.7
  • Samba 4.1.8
    cpe:2.3:a:samba:samba:4.1.8
  • Samba 4.1.9
    cpe:2.3:a:samba:samba:4.1.9
  • Samba 4.1.10
    cpe:2.3:a:samba:samba:4.1.10
  • Samba 4.1.11
    cpe:2.3:a:samba:samba:4.1.11
  • Samba 4.1.12
    cpe:2.3:a:samba:samba:4.1.12
  • Samba 4.1.13
    cpe:2.3:a:samba:samba:4.1.13
  • Samba 4.1.14
    cpe:2.3:a:samba:samba:4.1.14
  • Samba 4.1.15
    cpe:2.3:a:samba:samba:4.1.15
  • Samba 4.1.16
    cpe:2.3:a:samba:samba:4.1.16
  • Samba 4.1.17
    cpe:2.3:a:samba:samba:4.1.17
  • Samba 4.1.18
    cpe:2.3:a:samba:samba:4.1.18
  • Samba 4.1.19
    cpe:2.3:a:samba:samba:4.1.19
  • Samba 4.1.20
    cpe:2.3:a:samba:samba:4.1.20
  • Samba 4.1.21
    cpe:2.3:a:samba:samba:4.1.21
  • Samba 4.2.0
    cpe:2.3:a:samba:samba:4.2.0
  • Samba 4.2.1
    cpe:2.3:a:samba:samba:4.2.1
  • Samba 4.2.2
    cpe:2.3:a:samba:samba:4.2.2
  • Samba 4.2.3
    cpe:2.3:a:samba:samba:4.2.3
  • Samba 4.2.4
    cpe:2.3:a:samba:samba:4.2.4
  • Samba 4.2.5
    cpe:2.3:a:samba:samba:4.2.5
  • Samba 4.2.6
    cpe:2.3:a:samba:samba:4.2.6
  • Samba 4.3.0
    cpe:2.3:a:samba:samba:4.3.0
  • Samba 4.3.1
    cpe:2.3:a:samba:samba:4.3.1
  • Samba 4.3.2
    cpe:2.3:a:samba:samba:4.3.2
CVSS
Base: 4.3 (as of 30-12-2015 - 11:04)
Impact:
Exploitability:
CWE CWE-20
CAPEC
  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Server Side Include (SSI) Injection
    An attacker can use Server Side Include (SSI) Injection to send code to a web application that then gets executed by the web server. Doing so enables the attacker to achieve similar results to Cross Site Scripting, viz., arbitrary code execution and information disclosure, albeit on a more limited scale, since the SSI directives are nowhere near as powerful as a full-fledged scripting language. Nonetheless, the attacker can conveniently gain access to sensitive files, such as password files, and execute shell commands.
  • Cross Zone Scripting
    An attacker is able to cause a victim to load content into their web-browser that bypasses security zone controls and gain access to increased privileges to execute scripting code or other web objects such as unsigned ActiveX controls or applets. This is a privilege elevation attack targeted at zone-based web-browser security. In a zone-based model, pages belong to one of a set of zones corresponding to the level of privilege assigned to that page. Pages in an untrusted zone would have a lesser level of access to the system and/or be restricted in the types of executable content it was allowed to invoke. In a cross-zone scripting attack, a page that should be assigned to a less privileged zone is granted the privileges of a more trusted zone. This can be accomplished by exploiting bugs in the browser, exploiting incorrect configuration in the zone controls, through a cross-site scripting attack that causes the attackers' content to be treated as coming from a more trusted page, or by leveraging some piece of system functionality that is accessible from both the trusted and less trusted zone. This attack differs from "Restful Privilege Escalation" in that the latter correlates to the inadequate securing of RESTful access methods (such as HTTP DELETE) on the server, while cross-zone scripting attacks the concept of security zones as implemented by a browser.
  • Cross Site Scripting through Log Files
    An attacker may leverage a system weakness where logs are susceptible to log injection to insert scripts into the system's logs. If these logs are later viewed by an administrator through a thin administrative interface and the log data is not properly HTML encoded before being written to the page, the attackers' scripts stored in the log will be executed in the administrative interface with potentially serious consequences. This attack pattern is really a combination of two other attack patterns: log injection and stored cross site scripting.
  • Command Line Execution through SQL Injection
    An attacker uses standard SQL injection methods to inject data into the command line for execution. This could be done directly through misuse of directives such as MSSQL_xp_cmdshell or indirectly through injection of data into the database that would be interpreted as shell commands. Sometime later, an unscrupulous backend application (or could be part of the functionality of the same application) fetches the injected data stored in the database and uses this data as command line arguments without performing proper validation. The malicious data escapes that data plane by spawning new commands to be executed on the host.
  • Object Relational Mapping Injection
    An attacker leverages a weakness present in the database access layer code generated with an Object Relational Mapping (ORM) tool or a weakness in the way that a developer used a persistence framework to inject his or her own SQL commands to be executed against the underlying database. The attack here is similar to plain SQL injection, except that the application does not use JDBC to directly talk to the database, but instead it uses a data access layer generated by an ORM tool or framework (e.g. Hibernate). While most of the time code generated by an ORM tool contains safe access methods that are immune to SQL injection, sometimes either due to some weakness in the generated code or due to the fact that the developer failed to use the generated access methods properly, SQL injection is still possible.
  • SQL Injection through SOAP Parameter Tampering
    An attacker modifies the parameters of the SOAP message that is sent from the service consumer to the service provider to initiate a SQL injection attack. On the service provider side, the SOAP message is parsed and parameters are not properly validated before being used to access a database in a way that does not use parameter binding, thus enabling the attacker to control the structure of the executed SQL query. This pattern describes a SQL injection attack with the delivery mechanism being a SOAP message.
  • Subverting Environment Variable Values
    The attacker directly or indirectly modifies environment variables used by or controlling the target software. The attacker's goal is to cause the target software to deviate from its expected operation in a manner that benefits the attacker.
  • Format String Injection
    An attacker includes formatting characters in a string input field on the target application. Most applications assume that users will provide static text and may respond unpredictably to the presence of formatting character. For example, in certain functions of the C programming languages such as printf, the formatting character %s will print the contents of a memory location expecting this location to identify a string and the formatting character %n prints the number of DWORD written in the memory. An attacker can use this to read or write to memory locations or files, or simply to manipulate the value of the resulting text in unexpected ways. Reading or writing memory may result in program crashes and writing memory could result in the execution of arbitrary code if the attacker can write to the program stack.
  • LDAP Injection
    An attacker manipulates or crafts an LDAP query for the purpose of undermining the security of the target. Some applications use user input to create LDAP queries that are processed by an LDAP server. For example, a user might provide their username during authentication and the username might be inserted in an LDAP query during the authentication process. An attacker could use this input to inject additional commands into an LDAP query that could disclose sensitive information. For example, entering a * in the aforementioned query might return information about all users on the system. This attack is very similar to an SQL injection attack in that it manipulates a query to gather additional information or coerce a particular return value.
  • Relative Path Traversal
    An attacker exploits a weakness in input validation on the target by supplying a specially constructed path utilizing dot and slash characters for the purpose of obtaining access to arbitrary files or resources. An attacker modifies a known path on the target in order to reach material that is not available through intended channels. These attacks normally involve adding additional path separators (/ or \) and/or dots (.), or encodings thereof, in various combinations in order to reach parent directories or entirely separate trees of the target's directory structure.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Variable Manipulation
    An attacker manipulates variables used by an application to perform a variety of possible attacks. This can either be performed through the manipulation of function call parameters or by manipulating external variables, such as environment variables, that are used by an application. Changing variable values is usually undertaken as part of another attack; for example, a path traversal (inserting relative path modifiers) or buffer overflow (enlarging a variable value beyond an application's ability to store it).
  • Embedding Scripts in Non-Script Elements
    This attack is a form of Cross-Site Scripting (XSS) where malicious scripts are embedded in elements that are not expected to host scripts such as image tags (<img>), comments in XML documents (< !-CDATA->), etc. These tags may not be subject to the same input validation, output validation, and other content filtering and checking routines, so this can create an opportunity for an attacker to tunnel through the application's elements and launch a XSS attack through other elements. As with all remote attacks, it is important to differentiate the ability to launch an attack (such as probing an internal network for unpatched servers) and the ability of the remote attacker to collect and interpret the output of said attack.
  • Flash Injection
    An attacker tricks a victim to execute malicious flash content that executes commands or makes flash calls specified by the attacker. One example of this attack is cross-site flashing, an attacker controlled parameter to a reference call loads from content specified by the attacker.
  • Cross-Site Scripting Using Alternate Syntax
    The attacker uses alternate forms of keywords or commands that result in the same action as the primary form but which may not be caught by filters. For example, many keywords are processed in a case insensitive manner. If the site's web filtering algorithm does not convert all tags into a consistent case before the comparison with forbidden keywords it is possible to bypass filters (e.g., incomplete black lists) by using an alternate case structure. For example, the "script" tag using the alternate forms of "Script" or "ScRiPt" may bypass filters where "script" is the only form tested. Other variants using different syntax representations are also possible as well as using pollution meta-characters or entities that are eventually ignored by the rendering engine. The attack can result in the execution of otherwise prohibited functionality.
  • Exploiting Trust in Client (aka Make the Client Invisible)
    An attack of this type exploits a programs' vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by placing themselves in the communication channel between client and server such that communication directly to the server is possible where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
  • XML Nested Payloads
    Applications often need to transform data in and out of the XML format by using an XML parser. It may be possible for an attacker to inject data that may have an adverse effect on the XML parser when it is being processed. By nesting XML data and causing this data to be continuously self-referential, an attacker can cause the XML parser to consume more resources while processing, causing excessive memory consumption and CPU utilization. An attacker's goal is to leverage parser failure to his or her advantage. In most cases this type of an attack will result in a denial of service due to an application becoming unstable, freezing, or crash. However it may be possible to cause a crash resulting in arbitrary code execution, leading to a jump from the data plane to the control plane [R.230.1].
  • XML Oversized Payloads
    Applications often need to transform data in and out of the XML format by using an XML parser. It may be possible for an attacker to inject data that may have an adverse effect on the XML parser when it is being processed. By supplying oversized payloads in input vectors that will be processed by the XML parser, an attacker can cause the XML parser to consume more resources while processing, causing excessive memory consumption and CPU utilization, and potentially cause execution of arbitrary code. An attacker's goal is to leverage parser failure to his or her advantage. In many cases this type of an attack will result in a denial of service due to an application becoming unstable, freezing, or crash. However it is possible to cause a crash resulting in arbitrary code execution, leading to a jump from the data plane to the control plane [R.231.1].
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • Cross-Site Scripting via Encoded URI Schemes
    An attack of this type exploits the ability of most browsers to interpret "data", "javascript" or other URI schemes as client-side executable content placeholders. This attack consists of passing a malicious URI in an anchor tag HREF attribute or any other similar attributes in other HTML tags. Such malicious URI contains, for example, a base64 encoded HTML content with an embedded cross-site scripting payload. The attack is executed when the browser interprets the malicious content i.e., for example, when the victim clicks on the malicious link.
  • XML Injection
    An attacker utilizes crafted XML user-controllable input to probe, attack, and inject data into the XML database, using techniques similar to SQL injection. The user-controllable input can allow for unauthorized viewing of data, bypassing authentication or the front-end application for direct XML database access, and possibly altering database information.
  • Environment Variable Manipulation
    An attacker manipulates environment variables used by an application to perform a variety of possible attacks. Changing variable values is usually undertaken as part of another attack; for example, a path traversal (inserting relative path modifiers) or buffer overflow (enlarging a variable value beyond an application's ability to store it).
  • Global variable manipulation
    An attacker manipulates global variables used by an application to perform a variety of possible attacks. Changing variable values is usually undertaken as part of another attack; for example, a path traversal (inserting relative path modifiers) or buffer overflow (enlarging a variable value beyond an application's ability to store it).
  • Leverage Alternate Encoding
    This attack leverages the possibility to encode potentially harmful input and submit it to applications not expecting or effective at validating this encoding standard making input filtering difficult.
  • Fuzzing
    Fuzzing is a software testing method that feeds randomly constructed input to the system and looks for an indication that a failure in response to that input has occurred. Fuzzing treats the system as a black box and is totally free from any preconceptions or assumptions about the system. An attacker can leverage fuzzing to try to identify weaknesses in the system. For instance fuzzing can help an attacker discover certain assumptions made in the system about user input. Fuzzing gives an attacker a quick way of potentially uncovering some of these assumptions without really knowing anything about the internals of the system. These assumptions can then be turned against the system by specially crafting user input that may allow an attacker to achieve his goals.
  • Using Leading 'Ghost' Character Sequences to Bypass Input Filters
    An attacker intentionally introduces leading characters that enable getting the input past the filters. The API that is being targeted, ignores the leading "ghost" characters, and therefore processes the attackers' input. This occurs when the targeted API will accept input data in several syntactic forms and interpret it in the equivalent semantic way, while the filter does not take into account the full spectrum of the syntactic forms acceptable to the targeted API. Some APIs will strip certain leading characters from a string of parameters. Perhaps these characters are considered redundant, and for this reason they are removed. Another possibility is the parser logic at the beginning of analysis is specialized in some way that causes some characters to be removed. The attacker can specify multiple types of alternative encodings at the beginning of a string as a set of probes. One commonly used possibility involves adding ghost characters--extra characters that don't affect the validity of the request at the API layer. If the attacker has access to the API libraries being targeted, certain attack ideas can be tested directly in advance. Once alternative ghost encodings emerge through testing, the attacker can move from lab-based API testing to testing real-world service implementations.
  • Accessing/Intercepting/Modifying HTTP Cookies
    This attack relies on the use of HTTP Cookies to store credentials, state information and other critical data on client systems. The first form of this attack involves accessing HTTP Cookies to mine for potentially sensitive data contained therein. The second form of this attack involves intercepting this data as it is transmitted from client to server. This intercepted information is then used by the attacker to impersonate the remote user/session. The third form is when the cookie's content is modified by the attacker before it is sent back to the server. Here the attacker seeks to convince the target server to operate on this falsified information.
  • Embedding Scripts in HTTP Query Strings
    A variant of cross-site scripting called "reflected" cross-site scripting, the HTTP Query Strings attack consists of passing a malicious script inside an otherwise valid HTTP request query string. This is of significant concern for sites that rely on dynamic, user-generated content such as bulletin boards, news sites, blogs, and web enabled administration GUIs. The malicious script may steal session data, browse history, probe files, or otherwise execute attacks on the client side. Once the attacker has prepared the malicious HTTP query it is sent to a victim user (perhaps by email, IM, or posted on an online forum), who clicks on a normal looking link that contains a poison query string. This technique can be made more effective through the use of services like http://tinyurl.com/, which makes very small URLs that will redirect to very large, complex ones. The victim will not know what he is really clicking on.
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
  • Exploiting Multiple Input Interpretation Layers
    An attacker supplies the target software with input data that contains sequences of special characters designed to bypass input validation logic. This exploit relies on the target making multiples passes over the input data and processing a "layer" of special characters with each pass. In this manner, the attacker can disguise input that would otherwise be rejected as invalid by concealing it with layers of special/escape characters that are stripped off by subsequent processing steps. The goal is to first discover cases where the input validation layer executes before one or more parsing layers. That is, user input may go through the following logic in an application: In such cases, the attacker will need to provide input that will pass through the input validator, but after passing through parser2, will be converted into something that the input validator was supposed to stop.
  • Buffer Overflow via Symbolic Links
    This type of attack leverages the use of symbolic links to cause buffer overflows. An attacker can try to create or manipulate a symbolic link file such that its contents result in out of bounds data. When the target software processes the symbolic link file, it could potentially overflow internal buffers with insufficient bounds checking.
  • Overflow Variables and Tags
    This type of attack leverages the use of tags or variables from a formatted configuration data to cause buffer overflow. The attacker crafts a malicious HTML page or configuration file that includes oversized strings, thus causing an overflow.
  • Buffer Overflow via Parameter Expansion
    In this attack, the target software is given input that the attacker knows will be modified and expanded in size during processing. This attack relies on the target software failing to anticipate that the expanded data may exceed some internal limit, thereby creating a buffer overflow.
  • Signature Spoof
    An attacker generates a message or datablock that causes the recipient to believe that the message or datablock was generated and cryptographically signed by an authoritative or reputable source, misleading a victim or victim operating system into performing malicious actions.
  • XML Client-Side Attack
    Client applications such as web browsers that process HTML data often need to transform data in and out of the XML format by using an XML parser. It may be possible for an attacker to inject data that may have an adverse effect on the XML parser when it is being processed. These adverse effects may include the parser crashing, consuming too much of a resource, executing too slowly, executing code supplied by an attacker, allowing usage of unintended system functionality, etc. An attacker's goal is to leverage parser failure to his or her advantage. In some cases it may be possible to jump from the data plane to the control plane via bad data being passed to an XML parser. [R.484.1]
  • Embedding NULL Bytes
    An attacker embeds one or more null bytes in input to the target software. This attack relies on the usage of a null-valued byte as a string terminator in many environments. The goal is for certain components of the target software to stop processing the input when it encounters the null byte(s).
  • Postfix, Null Terminate, and Backslash
    If a string is passed through a filter of some kind, then a terminal NULL may not be valid. Using alternate representation of NULL allows an attacker to embed the NULL mid-string while postfixing the proper data so that the filter is avoided. One example is a filter that looks for a trailing slash character. If a string insertion is possible, but the slash must exist, an alternate encoding of NULL in mid-string may be used.
  • Simple Script Injection
    An attacker embeds malicious scripts in content that will be served to web browsers. The goal of the attack is for the target software, the client-side browser, to execute the script with the users' privilege level. An attack of this type exploits a programs' vulnerabilities that are brought on by allowing remote hosts to execute code and scripts. Web browsers, for example, have some simple security controls in place, but if a remote attacker is allowed to execute scripts (through injecting them in to user-generated content like bulletin boards) then these controls may be bypassed. Further, these attacks are very difficult for an end user to detect.
  • Using Slashes and URL Encoding Combined to Bypass Validation Logic
    This attack targets the encoding of the URL combined with the encoding of the slash characters. An attacker can take advantage of the multiple way of encoding an URL and abuse the interpretation of the URL. An URL may contain special character that need special syntax handling in order to be interpreted. Special characters are represented using a percentage character followed by two digits representing the octet code of the original character (%HEX-CODE). For instance US-ASCII space character would be represented with %20. This is often referred as escaped ending or percent-encoding. Since the server decodes the URL from the requests, it may restrict the access to some URL paths by validating and filtering out the URL requests it received. An attacker will try to craft an URL with a sequence of special characters which once interpreted by the server will be equivalent to a forbidden URL. It can be difficult to protect against this attack since the URL can contain other format of encoding such as UTF-8 encoding, Unicode-encoding, etc.
  • SQL Injection
    This attack exploits target software that constructs SQL statements based on user input. An attacker crafts input strings so that when the target software constructs SQL statements based on the input, the resulting SQL statement performs actions other than those the application intended. SQL Injection results from failure of the application to appropriately validate input. When specially crafted user-controlled input consisting of SQL syntax is used without proper validation as part of SQL queries, it is possible to glean information from the database in ways not envisaged during application design. Depending upon the database and the design of the application, it may also be possible to leverage injection to have the database execute system-related commands of the attackers' choice. SQL Injection enables an attacker to talk directly to the database, thus bypassing the application completely. Successful injection can cause information disclosure as well as ability to add or modify data in the database. In order to successfully inject SQL and retrieve information from a database, an attacker:
  • String Format Overflow in syslog()
    This attack targets the format string vulnerabilities in the syslog() function. An attacker would typically inject malicious input in the format string parameter of the syslog function. This is a common problem, and many public vulnerabilities and associated exploits have been posted.
  • Blind SQL Injection
    Blind SQL Injection results from an insufficient mitigation for SQL Injection. Although suppressing database error messages are considered best practice, the suppression alone is not sufficient to prevent SQL Injection. Blind SQL Injection is a form of SQL Injection that overcomes the lack of error messages. Without the error messages that facilitate SQL Injection, the attacker constructs input strings that probe the target through simple Boolean SQL expressions. The attacker can determine if the syntax and structure of the injection was successful based on whether the query was executed or not. Applied iteratively, the attacker determines how and where the target is vulnerable to SQL Injection. For example, an attacker may try entering something like "username' AND 1=1; --" in an input field. If the result is the same as when the attacker entered "username" in the field, then the attacker knows that the application is vulnerable to SQL Injection. The attacker can then ask yes/no questions from the database server to extract information from it. For example, the attacker can extract table names from a database using the following types of queries: If the above query executes properly, then the attacker knows that the first character in a table name in the database is a letter between m and z. If it doesn't, then the attacker knows that the character must be between a and l (assuming of course that table names only contain alphabetic characters). By performing a binary search on all character positions, the attacker can determine all table names in the database. Subsequently, the attacker may execute an actual attack and send something like:
  • Using Unicode Encoding to Bypass Validation Logic
    An attacker may provide a Unicode string to a system component that is not Unicode aware and use that to circumvent the filter or cause the classifying mechanism to fail to properly understanding the request. That may allow the attacker to slip malicious data past the content filter and/or possibly cause the application to route the request incorrectly.
  • URL Encoding
    This attack targets the encoding of the URL. An attacker can take advantage of the multiple way of encoding an URL and abuse the interpretation of the URL. An URL may contain special character that need special syntax handling in order to be interpreted. Special characters are represented using a percentage character followed by two digits representing the octet code of the original character (%HEX-CODE). For instance US-ASCII space character would be represented with %20. This is often referred as escaped ending or percent-encoding. Since the server decodes the URL from the requests, it may restrict the access to some URL paths by validating and filtering out the URL requests it received. An attacker will try to craft an URL with a sequence of special characters which once interpreted by the server will be equivalent to a forbidden URL. It can be difficult to protect against this attack since the URL can contain other format of encoding such as UTF-8 encoding, Unicode-encoding, etc. The attacker could also subvert the meaning of the URL string request by encoding the data being sent to the server through a GET request. For instance an attacker may subvert the meaning of parameters used in a SQL request and sent through the URL string (See Example section).
  • User-Controlled Filename
    An attack of this type involves an attacker inserting malicious characters (such as a XSS redirection) into a filename, directly or indirectly that is then used by the target software to generate HTML text or other potentially executable content. Many websites rely on user-generated content and dynamically build resources like files, filenames, and URL links directly from user supplied data. In this attack pattern, the attacker uploads code that can execute in the client browser and/or redirect the client browser to a site that the attacker owns. All XSS attack payload variants can be used to pass and exploit these vulnerabilities.
  • Using Escaped Slashes in Alternate Encoding
    This attack targets the use of the backslash in alternate encoding. An attacker can provide a backslash as a leading character and causes a parser to believe that the next character is special. This is called an escape. By using that trick, the attacker tries to exploit alternate ways to encode the same character which leads to filter problems and opens avenues to attack.
  • Using Slashes in Alternate Encoding
    This attack targets the encoding of the Slash characters. An attacker would try to exploit common filtering problems related to the use of the slashes characters to gain access to resources on the target host. Directory-driven systems, such as file systems and databases, typically use the slash character to indicate traversal between directories or other container components. For murky historical reasons, PCs (and, as a result, Microsoft OSs) choose to use a backslash, whereas the UNIX world typically makes use of the forward slash. The schizophrenic result is that many MS-based systems are required to understand both forms of the slash. This gives the attacker many opportunities to discover and abuse a number of common filtering problems. The goal of this pattern is to discover server software that only applies filters to one version, but not the other.
  • Buffer Overflow in an API Call
    This attack targets libraries or shared code modules which are vulnerable to buffer overflow attacks. An attacker who has access to an API may try to embed malicious code in the API function call and exploit a buffer overflow vulnerability in the function's implementation. All clients that make use of the code library thus become vulnerable by association. This has a very broad effect on security across a system, usually affecting more than one software process.
  • Using UTF-8 Encoding to Bypass Validation Logic
    This attack is a specific variation on leveraging alternate encodings to bypass validation logic. This attack leverages the possibility to encode potentially harmful input in UTF-8 and submit it to applications not expecting or effective at validating this encoding standard making input filtering difficult. UTF-8 (8-bit UCS/Unicode Transformation Format) is a variable-length character encoding for Unicode. Legal UTF-8 characters are one to four bytes long. However, early version of the UTF-8 specification got some entries wrong (in some cases it permitted overlong characters). UTF-8 encoders are supposed to use the "shortest possible" encoding, but naive decoders may accept encodings that are longer than necessary. According to the RFC 3629, a particularly subtle form of this attack can be carried out against a parser which performs security-critical validity checks against the UTF-8 encoded form of its input, but interprets certain illegal octet sequences as characters.
  • Web Logs Tampering
    Web Logs Tampering attacks involve an attacker injecting, deleting or otherwise tampering with the contents of web logs typically for the purposes of masking other malicious behavior. Additionally, writing malicious data to log files may target jobs, filters, reports, and other agents that process the logs in an asynchronous attack pattern. This pattern of attack is similar to "Log Injection-Tampering-Forging" except that in this case, the attack is targeting the logs of the web server and not the application.
  • XPath Injection
    An attacker can craft special user-controllable input consisting of XPath expressions to inject the XML database and bypass authentication or glean information that he normally would not be able to. XPath Injection enables an attacker to talk directly to the XML database, thus bypassing the application completely. XPath Injection results from the failure of an application to properly sanitize input used as part of dynamic XPath expressions used to query an XML database. In order to successfully inject XML and retrieve information from a database, an attacker:
  • AJAX Fingerprinting
    This attack utilizes the frequent client-server roundtrips in Ajax conversation to scan a system. While Ajax does not open up new vulnerabilities per se, it does optimize them from an attacker point of view. In many XSS attacks the attacker must get a "hole in one" and successfully exploit the vulnerability on the victim side the first time, once the client is redirected the attacker has many chances to engage in follow on probes, but there is only one first chance. In a widely used web application this is not a major problem because 1 in a 1,000 is good enough in a widely used application. A common first step for an attacker is to footprint the environment to understand what attacks will work. Since footprinting relies on enumeration, the conversational pattern of rapid, multiple requests and responses that are typical in Ajax applications enable an attacker to look for many vulnerabilities, well-known ports, network locations and so on.
  • Embedding Script (XSS) in HTTP Headers
    An attack of this type exploits web applications that generate web content, such as links in a HTML page, based on unvalidated or improperly validated data submitted by other actors. XSS in HTTP Headers attacks target the HTTP headers which are hidden from most users and may not be validated by web applications.
  • OS Command Injection
    In this type of an attack, an adversary injects operating system commands into existing application functions. An application that uses untrusted input to build command strings is vulnerable. An adversary can leverage OS command injection in an application to elevate privileges, execute arbitrary commands and compromise the underlying operating system.
  • Buffer Overflow in Local Command-Line Utilities
    This attack targets command-line utilities available in a number of shells. An attacker can leverage a vulnerability found in a command-line utility to escalate privilege to root.
  • XSS in IMG Tags
    Image tags are an often overlooked, but convenient, means for a Cross Site Scripting attack. The attacker can inject script contents into an image (IMG) tag in order to steal information from a victim's browser and execute malicious scripts.
  • XML Parser Attack
    Applications often need to transform data in and out of the XML format by using an XML parser. It may be possible for an attacker to inject data that may have an adverse effect on the XML parser when it is being processed. These adverse effects may include the parser crashing, consuming too much of a resource, executing too slowly, executing code supplied by an attacker, allowing usage of unintended system functionality, etc. An attacker's goal is to leverage parser failure to his or her advantage. In some cases it may be possible to jump from the data plane to the control plane via bad data being passed to an XML parser. [R.99.1]
Access
VectorComplexityAuthentication
NETWORK MEDIUM NONE
Impact
ConfidentialityIntegrityAvailability
NONE PARTIAL NONE
nessus via4
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2016-0011.NASL
    description Updated samba packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Samba is an open source implementation of the Server Message Block (SMB) or Common Internet File System (CIFS) protocol, which allows PC-compatible machines to share files, printers, and other information. A man-in-the-middle vulnerability was found in the way 'connection signing' was implemented by Samba. A remote attacker could use this flaw to downgrade an existing Samba client connection and force the use of plain text. (CVE-2015-5296) A missing access control flaw was found in Samba. A remote, authenticated attacker could use this flaw to view the current snapshot on a Samba share, despite not having DIRECTORY_LIST access rights. (CVE-2015-5299) An access flaw was found in the way Samba verified symbolic links when creating new files on a Samba share. A remote attacker could exploit this flaw to gain access to files outside of Samba's share path. (CVE-2015-5252) Red Hat would like to thank the Samba project for reporting these issues. Upstream acknowledges Stefan Metzmacher of the Samba Team and Sernet.de as the original reporters of CVE-2015-5296, partha@exablox.com as the original reporter of CVE-2015-5299, Jan 'Yenya' Kasprzak and the Computer Systems Unit team at Faculty of Informatics, Masaryk University as the original reporters of CVE-2015-5252. All samba users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing this update, the smb service will be restarted automatically.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 87784
    published 2016-01-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87784
    title CentOS 6 : samba (CESA-2016:0011)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201612-47.NASL
    description The remote host is affected by the vulnerability described in GLSA-201612-47 (Samba: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in samba. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could possibly execute arbitrary code with root privileges, cause a Denial of Service condition, conduct a man-in-the-middle attack, obtain sensitive information, or bypass file permissions. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2016-12-27
    plugin id 96127
    published 2016-12-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=96127
    title GLSA-201612-47 : Samba: Multiple vulnerabilities (Badlock)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2016-0011.NASL
    description Updated samba packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Samba is an open source implementation of the Server Message Block (SMB) or Common Internet File System (CIFS) protocol, which allows PC-compatible machines to share files, printers, and other information. A man-in-the-middle vulnerability was found in the way 'connection signing' was implemented by Samba. A remote attacker could use this flaw to downgrade an existing Samba client connection and force the use of plain text. (CVE-2015-5296) A missing access control flaw was found in Samba. A remote, authenticated attacker could use this flaw to view the current snapshot on a Samba share, despite not having DIRECTORY_LIST access rights. (CVE-2015-5299) An access flaw was found in the way Samba verified symbolic links when creating new files on a Samba share. A remote attacker could exploit this flaw to gain access to files outside of Samba's share path. (CVE-2015-5252) Red Hat would like to thank the Samba project for reporting these issues. Upstream acknowledges Stefan Metzmacher of the Samba Team and Sernet.de as the original reporters of CVE-2015-5296, partha@exablox.com as the original reporter of CVE-2015-5299, Jan 'Yenya' Kasprzak and the Computer Systems Unit team at Faculty of Informatics, Masaryk University as the original reporters of CVE-2015-5252. All samba users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing this update, the smb service will be restarted automatically.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 87811
    published 2016-01-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87811
    title RHEL 6 : samba (RHSA-2016:0011)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2016-462.NASL
    description samba was updated to version 4.2.4 to fix 14 security issues. These security issues were fixed : - CVE-2015-5370: DCERPC server and client were vulnerable to DOS and MITM attacks (bsc#936862). - CVE-2016-2110: A man-in-the-middle could have downgraded NTLMSSP authentication (bsc#973031). - CVE-2016-2111: Domain controller netlogon member computer could have been spoofed (bsc#973032). - CVE-2016-2112: LDAP conenctions were vulnerable to downgrade and MITM attack (bsc#973033). - CVE-2016-2113: TLS certificate validation were missing (bsc#973034). - CVE-2016-2115: Named pipe IPC were vulnerable to MITM attacks (bsc#973036). - CVE-2016-2118: 'Badlock' DCERPC impersonation of authenticated account were possible (bsc#971965). - CVE-2015-3223: Malicious request can cause Samba LDAP server to hang, spinning using CPU (boo#958581). - CVE-2015-5330: Remote read memory exploit in LDB (boo#958586). - CVE-2015-5252: Insufficient symlink verification (file access outside the share)(boo#958582). - CVE-2015-5296: No man in the middle protection when forcing smb encryption on the client side (boo#958584). - CVE-2015-5299: Currently the snapshot browsing is not secure thru windows previous version (shadow_copy2) (boo#958583). - CVE-2015-8467: Fix Microsoft MS15-096 to prevent machine accounts from being changed into user accounts (boo#958585). - CVE-2015-7560: Getting and setting Windows ACLs on symlinks can change permissions on link target (boo#968222). These non-security issues were fixed : - Fix samba.tests.messaging test and prevent potential tdb corruption by removing obsolete now invalid tdb_close call; (boo#974629). - Align fsrvp feature sources with upstream version. - Obsolete libsmbsharemodes0 from samba-libs and libsmbsharemodes-devel from samba-core-devel; (boo#973832). - s3:utils/smbget: Fix recursive download; (bso#6482). - s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystem with no ACL support; (bso#10489). - docs: Add example for domain logins to smbspool man page; (bso#11643). - s3-client: Add a KRB5 wrapper for smbspool; (bso#11690). - loadparm: Fix memory leak issue; (bso#11708). - lib/tsocket: Work around sockets not supporting FIONREAD; (bso#11714). - ctdb-scripts: Drop use of 'smbcontrol winbindd ip-dropped ...'; (bso#11719). - s3:smbd:open: Skip redundant call to file_set_dosmode when creating a new file; (bso#11727). - param: Fix str_list_v3 to accept ';' again; (bso#11732). - Real memeory leak(buildup) issue in loadparm; (bso#11740). - Obsolete libsmbclient from libsmbclient0 and libpdb-devel from libsamba-passdb-devel while not providing it; (boo#972197). - Upgrade on-disk FSRVP server state to new version; (boo#924519). - Only obsolete but do not provide gplv2/3 package names; (boo#968973). - Enable clustering (CTDB) support; (boo#966271). - s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703); (boo#964023). - vfs_fruit: Fix renaming directories with open files; (bso#11065). - Fix MacOS finder error 36 when copying folder to Samba; (bso#11347). - s3:smbd/oplock: Obey kernel oplock setting when releasing oplocks; (bso#11400). - Fix copying files with vfs_fruit when using vfs_streams_xattr without stream prefix and type suffix; (bso#11466). - s3:libsmb: Correctly initialize the list head when keeping a list of primary followed by DFS connections; (bso#11624). - Reduce the memory footprint of empty string options; (bso#11625). - lib/async_req: Do not install async_connect_send_test; (bso#11639). - docs: Fix typos in man vfs_gpfs; (bso#11641). - smbd: make 'hide dot files' option work with 'store dos attributes = yes'; (bso#11645). - smbcacls: Fix uninitialized variable; (bso#11682). - s3:smbd: Ignore initial allocation size for directory creation; (bso#11684). - Changing log level of two entries to from 1 to 3; (bso#9912). - vfs_gpfs: Re-enable share modes; (bso#11243). - wafsamba: Also build libraries with RELRO protection; (bso#11346). - ctdb: Strip trailing spaces from nodes file; (bso#11365). - s3-smbd: Fix old DOS client doing wildcard delete - gives a attribute type of zero; (bso#11452). - nss_wins: Do not run into use after free issues when we access memory allocated on the globals and the global being reinitialized; (bso#11563). - async_req: Fix non-blocking connect(); (bso#11564). - auth: gensec: Fix a memory leak; (bso#11565). - lib: util: Make non-critical message a warning; (bso#11566). - Fix winbindd crashes with samlogon for trusted domain user; (bso#11569); (boo#949022). - smbd: Send SMB2 oplock breaks unencrypted; (bso#11570). - ctdb: Open the RO tracking db with perms 0600 instead of 0000; (bso#11577). - manpage: Correct small typo error; (bso#11584). - s3: smbd: If EA's are turned off on a share don't allow an SMB2 create containing them; (bso#11589). - Backport some valgrind fixes from upstream master; (bso#11597). - s3: smbd: have_file_open_below() fails to enumerate open files below an open directory handle; (bso#11615). - docs: Fix some typos in the idmap config section of man 5 smb.conf; (bso#11619). - Remove redundant configure options while adding with-relro. - s3: smbd: Fix our access-based enumeration on 'hide unreadable' to match Windows; (bso#10252). - smbd: Fix file name buflen and padding in notify repsonse; (bso#10634). - kerberos: Make sure we only use prompter type when available; (bso#11038). - s3:ctdbd_conn: Make sure we destroy tevent_fd before closing the socket; (bso#11316). - dcerpc.idl: accept invalid dcerpc_bind_nak pdus; (bso#11327). - Fix a deadlock in tdb; (bso#11381). - s3: smbd: Fix mkdir race condition; (bso#11486). - pam_winbind: Fix a segfault if initialization fails; (bso#11502). - s3: dfs: Fix a crash when the dfs targets are disabled; (bso#11509). - s3: smbd: Fix opening/creating :stream files on the root share directory; (bso#11522). - net: Fix a crash with 'net ads keytab create'; (bso#11528). - s3: smbd: Fix a crash in unix_convert() and a NULL pointer bug introduced by previous 'raw' stream fix (bso#11522); (bso#11535). - vfs_fruit: Return value of ad_pack in vfs_fruit.c; (bso#11543). - vfs_commit: Set the fd on open before calling SMB_VFS_FSTAT; (bso#11547). - Fix bug in smbstatus where the lease info is not printed; (bso#11549). - s3:smbstatus: Add stream name to share_entry_forall(); (bso#11550). - Relocate the tmpfiles.d directory to the client package; (boo#947552). - Do not provide libpdb0 from libsamba-passdb0 but add it to baselibs.conf instead; (boo#942716). - Package /var/lib/samba/private/sock with 0700 permissions; (boo#946051). - auth/credentials: If credentials have principal set, they are not anonymous anymore; (bso#11265). - Fix stream names with colon with 'fruit:encoding = native'; (bso#11278). - s4:rpc_server/netlogon: Fix for NetApp; (bso#11291). - lib: Fix rundown of open_socket_out(); (bso#11316). - s3:lib: Fix some corner cases of open_socket_out_cleanup(); (bso#11316). - vfs:fruit: Implement copyfile style copy_chunk; (bso#11317). - ctdb-daemon: Return correct sequence number for CONTROL_GET_DB_SEQNUM; (bso#11398). - ctdb-scripts: Support monitoring of interestingly named VLANs on bonds; (bso#11399). - ctdb-daemon: Improve error handling for running event scripts; (bso#11431). - ctdb-daemon: Check if updates are in flight when releasing all IPs; (bso#11432). - ctdb-build: Fix building of PCP PMDA module; (bso#11435). - Backport dcesrv_netr_DsRGetDCNameEx2 fixes; (bso#11454). - vfs_fruit: Handling of empty resource fork; (bso#11467). - Avoid quoting problems in user's DNs; (bso#11488). - s3-auth: Fix 'map to guest = Bad uid'; (bso#9862). - s4:lib/tls: Fix build with gnutls 3.4; (bso#8780). - s4.2/fsmo.py: Fixed fsmo transfer exception; (bso#10924). - winbindd: Sync secrets.ldb into secrets.tdb on startup; (bso#10991). - Logon via MS Remote Desktop hangs; (bso#11061). - s3: lib: util: Ensure we read a hex number as %x, not %u; (bso#11068). - tevent: Add a note to tevent_add_fd(); (bso#11141). - s3:param/loadparm: Fix 'testparm --show-all-parameters'; (bso#11170). - s3-unix_msg: Remove socket file after closing socket fd; (bso#11217). - smbd: Fix a use-after-free; (bso#11218); (boo#919309). - s3-rpc_server: Fix rpc_create_tcpip_sockets() processing of interfaces; (bso#11245). - s3:smb2: Add padding to last command in compound requests; (bso#11277). - Add IPv6 support to ADS client side LDAP connects; (bso#11281). - Add IPv6 support for determining FQDN during ADS join; (bso#11282). - s3: IPv6 enabled DNS connections for ADS client; (bso#11283). - Fix invalid write in ctdb_lock_context_destructor; (bso#11293). - Excessive cli_resolve_path() usage can slow down transmission; (bso#11295). - vfs_fruit: Add option 'veto_appledouble'; (bso#11305). - tstream: Make socketpair nonblocking; (bso#11312). - idmap_rfc2307: Fix wbinfo '--gid-to-sid' query; (bso#11313). - Group creation: Add msSFU30Name only when --nis-domain was given; (bso#11315). - tevent_fd needs to be destroyed before closing the fd; (bso#11316). - Build fails on Solaris 11 with '‘PTHREAD_MUTEX_ROBUST’ undeclared'; (bso#11319). - smbd/trans2: Add a useful diagnostic for files with bad encoding; (bso#11323). - Change sharesec output back to previous format; (bso#11324). - Robust mutex support broken in 1.3.5; (bso#11326). - Kerberos auth info3 should contain resource group ids available from pac_logon; winbindd: winbindd_raw_kerberos_login - ensure logon_info exists in PAC; (bso#11328); (boo#912457). - s3:smb2_setinfo: Fix memory leak in the defer_rename case; (bso#11329). - tevent: Fix CID 1035381 Unchecked return value; (bso#11330). - tdb: Fix CID 1034842 and 1034841 Resource leaks; (bso#11331). - s3: smbd: Use separate flag to track become_root()/unbecome_root() state; (bso#11339). - s3: smbd: Codenomicon crash in do_smb_load_module(); (bso#11342). - pidl: Make the compilation of PIDL producing the same results if the content hasn't change; (bso#11356). - winbindd: Disconnect child process if request is cancelled at main process; (bso#11358). - vfs_fruit: Check offset and length for AFP_AfpInfo read requests; (bso#11363). - docs: Overhaul the description of 'smb encrypt' to include SMB3 encryption; (bso#11366). - s3:auth_domain: Fix talloc problem in connect_to_domain_password_server(); (bso#11367). - ncacn_http: Fix GNUism; (bso#11371). - Backport changes to use resource group sids obtained from pac logon_info; (bso#11328); (boo#912457). - Order winbind.service Before and Want nss-user-lookup target. - s3:smbXsrv: refactor duplicate code into smbXsrv_session_clear_and_logoff(); (bso#11182). - gencache: don't fail gencache_stabilize if there were records to delete; (bso#11260). - s3: libsmbclient: After getting attribute server, ensure main srv pointer is still valid; (bso#11186). - s4: rpc: Refactor dcesrv_alter() function into setup and send steps; (bso#11236). - s3: smbd: Incorrect file size returned in the response of 'FILE_SUPERSEDE Create'; (bso#11240). - Mangled names do not work with acl_xattr; (bso#11249). - nmbd rewrites browse.dat when not required; (bso#11254). - vfs_fruit: add option 'nfs_aces' that controls the NFS ACEs stuff; (bso#11213). - s3:smbd: Add missing tevent_req_nterror; (bso#11224). - vfs: kernel_flock and named streams; (bso#11243). - vfs_gpfs: Error code path doesn't call END_PROFILE; (bso#11244). - s4: libcli/finddcs_cldap: continue processing CLDAP until all addresses are used; (bso#11284). - ctdb: check for talloc_asprintf() failure; (bso#11201). - spoolss: purge the printer name cache on name change; (bso#11210); (boo#901813). - CTDB statd-callout does not scale; (bso#11204). - vfs_fruit: also map characters below 0x20; (bso#11221). - ctdb: Coverity fix for CID 1291643; (bso#11201). - Multiplexed RPC connections are not handled by DCERPC server; (bso#11225). - Fix terminate connection behavior for asynchronous endpoint with PUSH notification flavors; (bso#11226). - ctdb-scripts: Fix bashism in ctdbd_wrapper script; (bso#11007). - ctdb: Fix CIDs 1125615, 1125634, 1125613, 1288201 and 1125553; (bso#11201). - SMB2 should cancel pending NOTIFY calls with DELETE_PENDING if the directory is deleted; (bso#11257). - s3:winbindd: make sure we remove pending io requests before closing client - 'sharesec' output no longer matches input format; (bso#11237). - waf: Fix systemd detection; (bso#11200). - CTDB: Fix portability issues; (bso#11202). - CTDB: Fix some IPv6-related issues; (bso#11203). - CTDB statd-callout does not scale; (bso#11204). - 'net ads dns gethostbyname' crashes with an error in TALLOC_FREE if you enter invalid values; (bso#11234). - libads: record service ticket endtime for sealed ldap connections; - lib/util: Include DEBUG macro in internal header files before samba_util.h; (bso#11033). - Initialize dwFlags field of DNS_RPC_NODE structure; (bso#9791). - s3: lib: ntlmssp: If NTLMSSP_NEGOTIATE_TARGET_INFO isn't set, cope with servers that don't send the 2 unused fields; (bso#10016). - build:wafadmin: Fix use of spaces instead of tabs; (bso#10476). - waf: Fix the build on openbsd; (bso#10476). - s3: client: 'client use spnego principal = yes' code checks wrong name; - spoolss: Retrieve published printer GUID if not in registry; (bso#11018). - vfs_fruit: Enhance handling of malformed AppleDouble files; (bso#11125). - backupkey: Explicitly link to gnutls and gcrypt; (bso#11135). - replace: Remove superfluous check for gcrypt header; (bso#11135). - Backport subunit changes; (bso#11137). - libcli/auth: Match Declaration of netlogon_creds_cli_context_tmp with implementation; (bso#11140). - s3-winbind: Fix cached user group lookup of trusted domains; (bso#11143). - talloc: Version 2.1.2; (bso#11144). - Update libwbclient version to 0.12; (bso#11149). - brlock: Use 0 instead of empty initializer list; (bso#11153). - s4:auth/gensec_gssapi: Let gensec_gssapi_update() return - backupkey: Use ndr_pull_struct_blob_all(); (bso#11174). - Fix lots of winbindd zombie processes on Solaris platform; (bso#11175). - Prevent samba package updates from disabling samba kerberos printing. - Add sparse file support for samba; (fate#318424). - Simplify libxslt build requirement and README.SUSE install. - Remove no longer required cleanup steps while populating the build root. - smbd: Stop using vfs_Chdir after SMB_VFS_DISCONNECT; (bso#1115). - pam_winbind: fix warn_pwd_expire implementation; (bso#9056). - nsswitch: Fix soname of linux nss_*.so.2 modules; (bso#9299). - Make 'profiles' work again; (bso#9629). - s3:smb2_server: protect against integer wrap with 'smb2 max credits = 65535'; (bso#9702). - Make validate_ldb of String(Generalized-Time) accept millisecond format '.000Z'; (bso#9810). - Use -R linker flag on Solaris, not -rpath; (bso#10112). - vfs: Add glusterfs manpage; (bso#10240). - Make 'smbclient' use cached creds; (bso#10279). - pdb: Fix build issues with shared modules; (bso#10355). - s4-dns: Add support for BIND 9.10; (bso#10620). - idmap: Return the correct id type to *id_to_sid methods; (bso#10720). - printing/cups: Pack requested-attributes with IPP_TAG_KEYWORD; (bso#10808). - Don't build vfs_snapper on FreeBSD; (bso#10834). - nss_winbind: Add getgroupmembership for FreeBSD; (bso#10835). - idmap_rfc2307: Fix a crash after connection problem to DC; (bso#10837). - s3: smb2cli: query info return length check was reversed; (bso#10848). - s3: lib, s3: modules: Fix compilation on Solaris; (bso#10849). - lib: uid_wrapper: Fix setgroups and syscall detection on a system without native uid_wrapper library; (bso#10851). - winbind3: Fix pwent variable substitution; (bso#10852). - Improve samba-regedit; (bso#10859). - registry: Don't leave dangling transactions; (bso#10860). - Fix build of socket_wrapper on systems without SO_PROTOCOL; (bso#10861). - build: Do not install 'texpect' binary anymore; (bso#10862). - Fix testparm to show hidden share defaults; (bso#10864). - libcli/smb: Fix smb2cli_validate_negotiate_info with min=PROTOCOL_NT1 max=PROTOCOL_SMB2_02; (bso#10866). - Integrate CTDB into top-level Samba build; (bso#10892). - samba-tool group add: Add option '--nis-domain' and '--gid'; (bso#10895). - s3-nmbd: Fix netbios name truncation; (bso#10896). - spoolss: Fix handling of bad EnumJobs levels; (bso#10898). - Fix smbclient loops doing a directory listing against Mac OS X 10 server with a non-wildcard path; (bso#10904). - Fix print job enumeration; (bso#10905); (boo#898031). - samba-tool: Create NIS enabled users and unixHomeDirectory attribute; (bso#10909). - Add support for SMB2 leases; (bso#10911). - btrfs: Don't leak opened directory handle; (bso#10918). - s3: nmbd: Ensure NetBIOS names are only 15 characters stored; (bso#10920). - s3:smbd: Fix file corruption using 'write cache size != 0'; (bso#10921). - pdb_tdb: Fix a TALLOC/SAFE_FREE mixup; (bso#10932). - s3-keytab: fix keytab array NULL termination; (bso#10933). - s3:passdb: fix logic in pdb_set_pw_history(); (bso#10940). - Cleanup add_string_to_array and usage; (bso#10942). - dbwrap_ctdb: Pass on mutex flags to tdb_open; (bso#10942). - Fix RootDSE search with extended dn control; (bso#10949). - Fix 'samba-tool dns serverinfo ' for IPv6; (bso#10952). - libcli/smb: only force signing of smb2 session setups when binding a new session; (bso#10958). - s3-smbclient: Return success if we listed the shares; (bso#10960). - s3-smbstatus: Fix exit code of profile output; (bso#10961). - socket_wrapper: Add missing prototype check for eventfd; (bso#10965). - libcli: SMB2: Pure SMB2-only negprot fix to make us behave as a Windows client does; (bso#10966). - vfs_streams_xattr: Check stream type; (bso#10971). - s3: smbd: Fix *allocate* calls to follow POSIX error return convention; (bso#10982). - vfs_fruit: Add support for AAPL; (bso#10983). - Fix spoolss IDL response marshalling when returning error without clearing info; (bso#10984). - dsdb-samldb: Check for extended access rights before we allow changes to userAccountControl; (bso#10993); CVE-2014-8143; (boo#914279). - Fix IPv6 support in CTDB; (bso#10996). - ctdb-daemon: Use correct tdb flags when enabling robust mutex support; (bso#11000). - vfs_streams_xattr: Add missing call to SMB_VFS_NEXT_CONNECT; (bso#11005). - s3-util: Fix authentication with long hostnames; (bso#11008). - ctdb-build: Fix build without xsltproc; (bso#11014). - packaging: Include CTDB man pages in the tarball; (bso#11014). - pdb_get_trusteddom_pw() fails with non valid UTF16 random passwords; (bso#11016). - Make Sharepoint search show user documents; (bso#11022). - nss_wrapper: check for nss.h; (bso#11026). - Enable mutexes in gencache_notrans.tdb; (bso#11032). - tdb_wrap: Make mutexes easier to use; (bso#11032). - lib/util: Avoid collision which alread defined consumer DEBUG macro; (bso#11033). - winbind: Retry after SESSION_EXPIRED error in ping-dc; (bso#11034). - s3-libads: Fix a possible segfault in kerberos_fetch_pac(); (bso#11037). - vfs_fruit: Fix base_fsp name conversion; (bso#11039). - vfs_fruit: mmap under FreeBSD needs PROT_READ; (bso#11040). - Fix authentication using Kerberos (not AD); (bso#11044). - net: Fix sam addgroupmem; (bso#11051). - vfs_snapper: Correctly handles multi-byte DBus strings; (bso#11055); (boo#913238). - cli_connect_nb_send: Don't segfault on host == NULL; (bso#11058). - utils: Fix 'net time' segfault; (bso#11058). - libsmb: Provide authinfo domain for encrypted session referrals; (bso#11059). - s3-pam_smbpass: Fix memory leak in pam_sm_authenticate(); (bso#11066). - vfs_glusterfs: Add comments to the pipe(2) code; (bso#11069). - vfs/glusterfs: Change xattr key to match gluster key; (bso#11069). - vfs_glusterfs: Implement AIO support; (bso#11069). - s3-vfs: Fix developer build of vfs_ceph module; (bso#11070). - s3: netlogon: Ensure we don't call talloc_free on an uninitialized pointer; (bso#11077); CVE-2015-0240; (boo#917376). - vfs: Add a brief vfs_ceph manpage; (bso#11088). - s3: smbclient: Allinfo leaves the file handle open; (bso#11094). - Fix Win8.1 Credentials Manager issue after KB2992611 on Samba domain; (bso#11097). - debug: Set close-on-exec for the main log file FD; (bso#11100). - s3: smbd: leases - losen paranoia check. Stat opens can grant leases; (bso#11102). - s3: smbd: SMB2 close. If a file has delete on close, store the return info before deleting; (bso#11104). - doc:man:vfs_glusterfs: improve the configuration section; (bso#11117). - snprintf: Try to support %j; (bso#11119). - ctdb-io: Do not use sys_write to write to client sockets; (bso#11124). - doc-xml: Add 'sharesec' reference to 'access based share enum'; (bso#11127). - Fix usage of freed memory on server exit; (bso#11218); (boo#919309). - Adjust baselibs.conf due to libpdb0 package rename to libsamba-passdb0. - Add libsamba-debug, libsocket-blocking, libsamba-cluster-support, and libhttp to the libs package; (boo#913547). - Rebase File Server Remote VSS Protocol (FSRVP) server against 4.2.0rc1; (fate#313346).
    last seen 2019-02-21
    modified 2016-12-07
    plugin id 90558
    published 2016-04-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90558
    title openSUSE Security Update : samba (openSUSE-2016-462) (Badlock)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2016-0011.NASL
    description From Red Hat Security Advisory 2016:0011 : Updated samba packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Samba is an open source implementation of the Server Message Block (SMB) or Common Internet File System (CIFS) protocol, which allows PC-compatible machines to share files, printers, and other information. A man-in-the-middle vulnerability was found in the way 'connection signing' was implemented by Samba. A remote attacker could use this flaw to downgrade an existing Samba client connection and force the use of plain text. (CVE-2015-5296) A missing access control flaw was found in Samba. A remote, authenticated attacker could use this flaw to view the current snapshot on a Samba share, despite not having DIRECTORY_LIST access rights. (CVE-2015-5299) An access flaw was found in the way Samba verified symbolic links when creating new files on a Samba share. A remote attacker could exploit this flaw to gain access to files outside of Samba's share path. (CVE-2015-5252) Red Hat would like to thank the Samba project for reporting these issues. Upstream acknowledges Stefan Metzmacher of the Samba Team and Sernet.de as the original reporters of CVE-2015-5296, partha@exablox.com as the original reporter of CVE-2015-5299, Jan 'Yenya' Kasprzak and the Computer Systems Unit team at Faculty of Informatics, Masaryk University as the original reporters of CVE-2015-5252. All samba users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing this update, the smb service will be restarted automatically.
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 87798
    published 2016-01-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87798
    title Oracle Linux 6 : samba (ELSA-2016-0011)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20160107_SAMBA_ON_SL6_X.NASL
    description A man-in-the-middle vulnerability was found in the way 'connection signing' was implemented by Samba. A remote attacker could use this flaw to downgrade an existing Samba client connection and force the use of plain text. (CVE-2015-5296) A missing access control flaw was found in Samba. A remote, authenticated attacker could use this flaw to view the current snapshot on a Samba share, despite not having DIRECTORY_LIST access rights. (CVE-2015-5299) An access flaw was found in the way Samba verified symbolic links when creating new files on a Samba share. A remote attacker could exploit this flaw to gain access to files outside of Samba's share path. (CVE-2015-5252) After installing this update, the smb service will be restarted automatically.
    last seen 2019-02-21
    modified 2018-12-28
    plugin id 87843
    published 2016-01-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87843
    title Scientific Linux Security Update : samba on SL6.x i386/x86_64
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2016-0016.NASL
    description Updated samba packages that fix multiple security issues are now available for Red Hat Gluster Storage 3.1 for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Samba is an open source implementation of the Server Message Block (SMB) or Common Internet File System (CIFS) protocol, which allows PC-compatible machines to share files, printers, and other information. A man-in-the-middle vulnerability was found in the way 'connection signing' was implemented by Samba. A remote attacker could use this flaw to downgrade an existing Samba client connection and force the use of plain text. (CVE-2015-5296) A missing access control flaw was found in Samba. A remote, authenticated attacker could use this flaw to view the current snapshot on a Samba share, despite not having DIRECTORY_LIST access rights. (CVE-2015-5299) Multiple buffer over-read flaws were found in the way Samba handled malformed inputs in certain encodings. An authenticated, remote attacker could possibly use these flaws to disclose portions of the server memory. (CVE-2015-5330) An access flaw was found in the way Samba verified symbolic links when creating new files on a Samba share. A remote attacker could exploit this flaw to gain access to files outside of Samba's share path. (CVE-2015-5252) Red Hat would like to thank the Samba project for reporting these issues. Upstream acknowledges Stefan Metzmacher of the Samba Team and Sernet.de as the original reporters of CVE-2015-5296, partha@exablox.com as the original reporter of CVE-2015-5299, Jan 'Yenya' Kasprzak and the Computer Systems Unit team at Faculty of Informatics, Masaryk University as the original reporters of CVE-2015-5252 flaws, and Douglas Bagnall as the original reporter of CVE-2015-5330. All samba users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, the smb service will be restarted automatically.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 87856
    published 2016-01-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87856
    title RHEL 7 : Storage Server (RHSA-2016:0016)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2016-490.NASL
    description This update fixes these security vulnerabilities : - CVE-2015-5370: DCERPC server and client were vulnerable to DOS and MITM attacks (bsc#936862). - CVE-2016-2110: A man-in-the-middle could have downgraded NTLMSSP authentication (bsc#973031). - CVE-2016-2111: Domain controller netlogon member computer could have been spoofed (bsc#973032). - CVE-2016-2112: LDAP conenctions were vulnerable to downgrade and MITM attack (bsc#973033). - CVE-2016-2113: TLS certificate validation were missing (bsc#973034). - CVE-2016-2114: 'server signing = mandatory' not enforced (bsc#973035). - CVE-2016-2115: Named pipe IPC were vulnerable to MITM attacks (bsc#973036). - CVE-2016-2118: 'Badlock' DCERPC impersonation of authenticated account were possible (bsc#971965). The openSUSE 13.1 update also upgrades to samba 4.2.4 as 4.1.x versions are no longer supported by upstream. As a side effect, libpdb0 package was replaced by libsamba-passdb0.
    last seen 2019-02-21
    modified 2016-12-07
    plugin id 90609
    published 2016-04-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90609
    title openSUSE Security Update : samba (openSUSE-2016-490) (Badlock)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DLA-379.NASL
    description Several vulnerabilities were found in Samba, a SMB/CIFS implementation that provides a file, print, and login server. CVE-2015-5252 Jan 'Yenya' Kasprzak and the Computer Systems Unit team at Faculty of Informatics, Masaryk University, reported that samba wrongly verified symlinks, making it possible to access resources outside the shared path, under certain circumstances. CVE-2015-5296 Stefan Metzmacher of SerNet and the Samba Team discovered that samba did not ensure that signing was negotiated when a client established an encrypted connection against a samba server. CVE-2015-5299 Samba was vulnerable to a missing access control check in the VFS shadow_copy2 module, that could allow unauthorized users to access snapshots. For Debian 6 'Squeeze', this issue has been fixed in samba version 2:3.5.6~dfsg-3squeeze13. We recommend you to upgrade your samba packages. Learn more about the Debian Long Term Support (LTS) Project and how to apply these updates at: https://wiki.debian.org/LTS/ NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-06
    plugin id 87683
    published 2016-01-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87683
    title Debian DLA-379-1 : samba security update
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2016-0164-1.NASL
    description This update for Samba fixes the following security issues : - CVE-2015-5330: Remote read memory exploit in LDB (bnc#958586) - CVE-2015-5252: Insufficient symlink verification (file access outside the share) (bnc#958582) - CVE-2015-5296: No man in the middle protection when forcing smb encryption on the client side (bnc#958584) - CVE-2015-5299: Currently the snapshot browsing is not secure thru windows previous version (shadow_copy2) (bnc#958583) Non-security issues fixed : - Prevent NULL pointer access in samlogon fallback when security credentials are null (bnc#949022) - Ensure samlogon fall-back requests are rerouted after kerberos failure (bnc#953382) - Ensure 'Your account is disabled' message is displayed when attempting to ssh into locked account (bnc#953382) - Address unrecoverable winbind failure: 'key length too large' (bnc#934299) - Take resource group sids into account when caching netsamlogon data (bnc#912457) - Fix lookup of groups with 'Local Domain' scope from Active Directory (bnc#948244) - dependency issue with samba-winbind (bnc#936909) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 88005
    published 2016-01-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=88005
    title SUSE SLED11 / SLES11 Security Update : samba (SUSE-SU-2016:0164-1)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2016-0006.NASL
    description Updated samba packages that fix multiple security issues are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Samba is an open source implementation of the Server Message Block (SMB) or Common Internet File System (CIFS) protocol, which allows PC-compatible machines to share files, printers, and other information. A denial of service flaw was found in the LDAP server provided by the AD DC in the Samba process daemon. A remote attacker could exploit this flaw by sending a specially crafted packet, which could cause the server to consume an excessive amount of memory and crash. (CVE-2015-7540) Multiple buffer over-read flaws were found in the way Samba handled malformed inputs in certain encodings. An authenticated, remote attacker could possibly use these flaws to disclose portions of the server memory. (CVE-2015-5330) A man-in-the-middle vulnerability was found in the way 'connection signing' was implemented by Samba. A remote attacker could use this flaw to downgrade an existing Samba client connection and force the use of plain text. (CVE-2015-5296) A missing access control flaw was found in Samba. A remote, authenticated attacker could use this flaw to view the current snapshot on a Samba share, despite not having DIRECTORY_LIST access rights. (CVE-2015-5299) An access flaw was found in the way Samba verified symbolic links when creating new files on a Samba share. A remote attacker could exploit this flaw to gain access to files outside of Samba's share path. (CVE-2015-5252) Red Hat would like to thank the Samba project for reporting these issues. Upstream acknowledges Stefan Metzmacher of the Samba Team and Sernet.de as the original reporters of CVE-2015-5296, partha@exablox.com as the original reporter of CVE-2015-5299, Jan 'Yenya' Kasprzak and the Computer Systems Unit team at Faculty of Informatics, Masaryk University as the original reporters of CVE-2015-5252 flaws, and Douglas Bagnall as the original reporter of CVE-2015-5330. All samba users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, the smb service will be restarted automatically.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 87779
    published 2016-01-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87779
    title CentOS 7 : samba (CESA-2016:0006)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2016-0006.NASL
    description Updated samba packages that fix multiple security issues are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Samba is an open source implementation of the Server Message Block (SMB) or Common Internet File System (CIFS) protocol, which allows PC-compatible machines to share files, printers, and other information. A denial of service flaw was found in the LDAP server provided by the AD DC in the Samba process daemon. A remote attacker could exploit this flaw by sending a specially crafted packet, which could cause the server to consume an excessive amount of memory and crash. (CVE-2015-7540) Multiple buffer over-read flaws were found in the way Samba handled malformed inputs in certain encodings. An authenticated, remote attacker could possibly use these flaws to disclose portions of the server memory. (CVE-2015-5330) A man-in-the-middle vulnerability was found in the way 'connection signing' was implemented by Samba. A remote attacker could use this flaw to downgrade an existing Samba client connection and force the use of plain text. (CVE-2015-5296) A missing access control flaw was found in Samba. A remote, authenticated attacker could use this flaw to view the current snapshot on a Samba share, despite not having DIRECTORY_LIST access rights. (CVE-2015-5299) An access flaw was found in the way Samba verified symbolic links when creating new files on a Samba share. A remote attacker could exploit this flaw to gain access to files outside of Samba's share path. (CVE-2015-5252) Red Hat would like to thank the Samba project for reporting these issues. Upstream acknowledges Stefan Metzmacher of the Samba Team and Sernet.de as the original reporters of CVE-2015-5296, partha@exablox.com as the original reporter of CVE-2015-5299, Jan 'Yenya' Kasprzak and the Computer Systems Unit team at Faculty of Informatics, Masaryk University as the original reporters of CVE-2015-5252 flaws, and Douglas Bagnall as the original reporter of CVE-2015-5330. All samba users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, the smb service will be restarted automatically.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 87806
    published 2016-01-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87806
    title RHEL 7 : samba (RHSA-2016:0006)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2015-2304-1.NASL
    description This update for ldb, samba, talloc, tdb, tevent fixes the following security issues : - ldb was updated to version 1.1.24. + Fix ldap \00 search expression attack dos; CVE-2015-3223; (bso#11325) + Fix remote read memory exploit in ldb; CVE-2015-5330; (bso#11599) + Move ldb_(un)pack_data into ldb_module.h for testing + Fix installation of _ldb_text.py + Fix propagation of ldb errors through tdb + Fix bug triggered by having an empty message in database during search - Move the ldb-cmdline library to the ldb-tools package as the packaged binaries depend on it. - Update the samba library distribution key file 'ldb.keyring'; (bso#945116). Samba was updated to fix these issues : - Malicious request can cause samba ldap server to hang, spinning using cpu; CVE-2015-3223; (bso#11325); (bsc#958581). - Remote read memory exploit in ldb; cve-2015-5330; (bso#11599); (bsc#958586). - Insufficient symlink verification (file access outside the share); CVE-2015-5252; (bso#11395); (bsc#958582). - No man in the middle protection when forcing smb encryption on the client side; CVE-2015-5296; (bso#11536); (bsc#958584). - Currently the snapshot browsing is not secure thru windows previous version (shadow_copy2); CVE-2015-5299; (bso#11529); (bsc#958583). - Fix microsoft ms15-096 to prevent machine accounts from being changed into user accounts; CVE-2015-8467; (bso#11552); (bsc#958585). - Changing log level of two entries to from 1 to 3; (bso#9912). - Vfs_gpfs: re-enable share modes; (bso#11243). - Wafsamba: also build libraries with relro protection; (bso#11346). - Ctdb: strip trailing spaces from nodes file; (bso#11365). - S3-smbd: fix old dos client doing wildcard delete - gives a attribute type of zero; (bso#11452). - Nss_wins: do not run into use after free issues when we access memory allocated on the globals and the global being reinitialized; (bso#11563). - Async_req: fix non-blocking connect(); (bso#11564). - Auth: gensec: fix a memory leak; (bso#11565). - Lib: util: make non-critical message a warning; (bso#11566). - Fix winbindd crashes with samlogon for trusted domain user; (bso#11569); (bsc#949022). - Smbd: send smb2 oplock breaks unencrypted; (bso#11570). - Ctdb: open the ro tracking db with perms 0600 instead of 0000; (bso#11577). - Manpage: correct small typo error; (bso#11584). - S3: smbd: if ea's are turned off on a share don't allow an smb2 create containing them; (bso#11589). - Backport some valgrind fixes from upstream master; (bso#11597). - S3: smbd: have_file_open_below() fails to enumerate open files below an open directory handle; (bso#11615). - Docs: fix some typos in the idmap config section of man 5 smb.conf; (bso#11619). - Cleanup and enhance the pidl sub package. - S3: smbd: fix our access-based enumeration on 'hide unreadable' to match Windows; (bso#10252). - Smbd: fix file name buflen and padding in notify repsonse; (bso#10634). - Kerberos: make sure we only use prompter type when available; (bso#11038). - S3:ctdbd_conn: make sure we destroy tevent_fd before closing the socket; (bso#11316). - Dcerpc.idl: accept invalid dcerpc_bind_nak pdus; (bso#11327). - Fix a deadlock in tdb; (bso#11381). - S3: smbd: fix mkdir race condition; (bso#11486). - Pam_winbind: fix a segfault if initialization fails; (bso#11502). - S3: dfs: fix a crash when the dfs targets are disabled; (bso#11509). - S3: smbd: fix opening/creating :stream files on the root share directory; (bso#11522). - Net: fix a crash with 'net ads keytab create'; (bso#11528). - S3: smbd: fix a crash in unix_convert() and a NULL pointer bug introduced by previous 'raw' stream fix (bso#11522); (bso#11535). - Vfs_fruit: return value of ad_pack in vfs_fruit.c; (bso#11543). - Vfs_commit: set the fd on open before calling smb_vfs_fstat; (bso#11547). - Fix bug in smbstatus where the lease info is not printed; (bso#11549). - S3:smbstatus: add stream name to share_entry_forall(); (bso#11550). - Prevent NULL pointer access in samlogon fallback when security credentials are null; (bsc#949022). - Fix 100% cpu in winbindd when logging in with 'user must change password on next logon'; (bso#11038). talloc was updated to version 2.1.5; (bsc#954658) (bsc#951660). + Test that talloc magic differs between processes. + Increment minor version due to added talloc_test_get_magic. + Provide tests access to talloc_magic. + Test magic protection measures. tdb was updated to version 1.3.8; (bsc#954658). + First fix deadlock in the interaction between fcntl and mutex locking; (bso#11381) + Improved python3 bindings + Fix runtime detection for robust mutexes in the standalone build; (bso#11326). + Possible fix for the build with robust mutexes on solaris 11; (bso#11319). + Abi change: tdb_chainlock_read_nonblock() has been added, a nonblock variant of tdb_chainlock_read() + Do not build test binaries if it's not a standalone build + Fix cid 1034842 resource leak + Fix cid 1034841 resource leak + Don't let tdb_wrap_open() segfault with name==null + Toos: allow transactions with tdb_mutex_locking + Test: add tdb1-run-mutex-transaction1 test + Allow transactions on on tdb's with tdb_mutex_locking + Test: tdb_clear_if_first | tdb_mutex_locking, o_rdonly is a valid combination + Allow tdb_open_ex() with o_rdonly of tdb_feature_flag_mutex tdbs. + Fix a comment + Fix tdb_runtime_check_for_robust_mutexes() + Improve wording in a comment + Tdb.h needs bool type; obsoletes include_stdbool_bso10625.patch + Tdb_wrap: make mutexes easier to use + Tdb_wrap: only pull in samba-debug + Tdb_wrap: standalone compile without includes.h + Tdb_wrap: tdb_wrap.h doesn't need struct loadparm_context - Update to version 1.3.1. + Tools: fix a compiler warning + Defragment the freelist in tdb_allocate_from_freelist() + Add 'freelist_size' sub-command to tdbtool + Use tdb_freelist_merge_adjacent in tdb_freelist_size() + Add tdb_freelist_merge_adjacent() + Add utility function check_merge_ptr_with_left_record() + Simplify tdb_free() using check_merge_with_left_record() + Add utility function check_merge_with_left_record() + Improve comments for tdb_free(). + Factor merge_with_left_record() out of tdb_free() + Fix debug message in tdb_free() + Reduce indentation in tdb_free() for merging left + Increase readability of read_record_on_left() + Factor read_record_on_left() out of tdb_free() + Build: improve detection of srcdir. tevent was updated to 0.9.26; (bsc#954658). + New tevent_thread_proxy api + Minor build fixes + Fix compile error in solaris ports backend. + Fix access after free in tevent_common_check_signal(); (bso#11308). + Improve pytevent bindings. + Testsuite fixes. + Improve the documentation of the tevent_add_fd() assumtions. it must be talloc_free'ed before closing the fd! (bso##11141); (bso#11316). + Ignore unexpected signal events in the same way the epoll backend does. + Update the tevent_data.dox tutrial stuff to fix some errors, including white space problems. + Use tevent_req_simple_recv_unix in a few places. + Remove unused exit_code in tevent_select.c + Remove unused exit_code in tevent_poll.c + Build: improve detection of srcdir + Lib: tevent: make tevent_sig_increment atomic. + Update flags in tevent pkgconfig file Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 87526
    published 2015-12-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87526
    title SUSE SLED12 / SLES12 Security Update : ldb, samba, talloc, tdb, tevent (SUSE-SU-2015:2304-1)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2015-B36076D32E.NASL
    description Update to Samba 4.3.3 (security release) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2016-10-18
    plugin id 89376
    published 2016-03-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=89376
    title Fedora 23 : samba-4.3.3-0.fc23 (2015-b36076d32e)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2016-0010.NASL
    description Updated samba4 packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Samba is an open source implementation of the Server Message Block (SMB) or Common Internet File System (CIFS) protocol, which allows PC-compatible machines to share files, printers, and other information. A denial of service flaw was found in the LDAP server provided by the AD DC in the Samba process daemon. A remote attacker could exploit this flaw by sending a specially crafted packet, which could cause the server to consume an excessive amount of memory and crash. (CVE-2015-7540) Multiple buffer over-read flaws were found in the way Samba handled malformed inputs in certain encodings. An authenticated, remote attacker could possibly use these flaws to disclose portions of the server memory. (CVE-2015-5330) A man-in-the-middle vulnerability was found in the way 'connection signing' was implemented by Samba. A remote attacker could use this flaw to downgrade an existing Samba client connection and force the use of plain text. (CVE-2015-5296) A missing access control flaw was found in Samba. A remote, authenticated attacker could use this flaw to view the current snapshot on a Samba share, despite not having DIRECTORY_LIST access rights. (CVE-2015-5299) An access flaw was found in the way Samba verified symbolic links when creating new files on a Samba share. A remote attacker could exploit this flaw to gain access to files outside of Samba's share path. (CVE-2015-5252) Red Hat would like to thank the Samba project for reporting these issues. Upstream acknowledges Stefan Metzmacher of the Samba Team and Sernet.de as the original reporters of CVE-2015-5296, partha@exablox.com as the original reporter of CVE-2015-5299, Jan 'Yenya' Kasprzak and the Computer Systems Unit team at Faculty of Informatics, Masaryk University as the original reporters of CVE-2015-5252 flaws, and Douglas Bagnall as the original reporter of CVE-2015-5330. All samba4 users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, the smb service will be restarted automatically.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 87783
    published 2016-01-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87783
    title CentOS 6 : samba4 (CESA-2016:0010)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2016-0032-1.NASL
    description This update for Samba fixes the following security issues : - CVE-2015-5330: Remote read memory exploit in LDB (bnc#958586). - CVE-2015-5252: Insufficient symlink verification (file access outside the share) (bnc#958582). - CVE-2015-5296: No man in the middle protection when forcing smb encryption on the client side (bnc#958584). - CVE-2015-5299: Currently the snapshot browsing is not secure thru windows previous version (shadow_copy2) (bnc#958583). Non-security issues fixed : - Prevent NULL pointer access in samlogon fallback when security credentials are null (bnc#949022). - Address unrecoverable winbind failure: 'key length too large' (bnc#934299). - Take resource group sids into account when caching netsamlogon data (bnc#912457). - Use domain name if search by domain SID fails to send SIDHistory lookups to correct idmap backend (bnc#773464). - Remove deprecated base_rid example from idmap_rid manpage (bnc#913304). - Purge printer name cache on spoolss SetPrinter change (bnc#901813). - Fix lookup of groups with 'Local Domain' scope from Active Directory (bnc#948244). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 87863
    published 2016-01-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87863
    title SUSE SLES11 Security Update : samba (SUSE-SU-2016:0032-1)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-2855-1.NASL
    description Thilo Uttendorfer discovered that the Samba LDAP server incorrectly handled certain packets. A remote attacker could use this issue to cause the LDAP server to stop responding, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS, Ubuntu 15.04 and Ubuntu 15.10. (CVE-2015-3223) Jan Kasprzak discovered that Samba incorrectly handled certain symlinks. A remote attacker could use this issue to access files outside the exported share path. (CVE-2015-5252) Stefan Metzmacher discovered that Samba did not enforce signing when creating encrypted connections. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could be exploited to view sensitive information. (CVE-2015-5296) It was discovered that Samba incorrectly performed access control when using the VFS shadow_copy2 module. A remote attacker could use this issue to access snapshots, contrary to intended permissions. (CVE-2015-5299) Douglas Bagnall discovered that Samba incorrectly handled certain string lengths. A remote attacker could use this issue to possibly access sensitive information. (CVE-2015-5330) It was discovered that the Samba LDAP server incorrectly handled certain packets. A remote attacker could use this issue to cause the LDAP server to stop responding, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS, Ubuntu 15.04 and Ubuntu 15.10. (CVE-2015-7540) Andrew Bartlett discovered that Samba incorrectly checked administrative privileges during creation of machine accounts. A remote attacker could possibly use this issue to bypass intended access restrictions in certain environments. This issue only affected Ubuntu 14.04 LTS, Ubuntu 15.04 and Ubuntu 15.10. (CVE-2015-8467). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 87755
    published 2016-01-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87755
    title Ubuntu 12.04 LTS / 14.04 LTS / 15.04 / 15.10 : samba vulnerabilities (USN-2855-1)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2015-945.NASL
    description This update for ldb, samba, talloc, tdb, tevent fixes the following issues : ldb was updated to 1.1.24. + Fix ldap \00 search expression attack dos; cve-2015-3223; (bso#11325) + Fix remote read memory exploit in ldb; cve-2015-5330; (bso#11599) + Move ldb_(un)pack_data into ldb_module.h for testing + Fix installation of _ldb_text.py + Fix propagation of ldb errors through tdb + Fix bug triggered by having an empty message in database during search + Test improvements + Improved python bindings + Validate_ldb of string(generalized-time) does not accept millisecond format '.000Z'; (bso#9810) + Fix logic in ldb_val_to_time() + Allow to register extended match rules + Fixes for segfaults in pyldb + Documentation fixes + Build system improvements + Fix a typo in the comment, ldb_flags_mod_xxx -> ldb_flag_mod_xxx + Fix check for third_party + Make the successful ldb_transaction_start() message clearer + Ldb-samba: fix a memory leak in ldif_canonicalise_objectcategory() + Ldb-samba: move pyldb-utils dependency to python_samba__ldb + Build: improve detection of srcdir Samba was updated to 4.1.22. + Malicious request can cause samba ldap server to hang, spinning using cpu; CVE-2015-3223; (bso#11325); (boo#958581). + Remote read memory exploit in ldb; cve-2015-5330; (bso#11599); (boo#958586). + Insufficient symlink verification (file access outside the share); CVE-2015-5252; (bso#11395); (boo#958582). + No man in the middle protection when forcing smb encryption on the client side; CVE-2015-5296; (bso#11536); (boo#958584). + Currently the snapshot browsing is not secure thru windows previous version (shadow_copy2); CVE-2015-5299; (bso#11529); (boo#958583). + Fix microsoft ms15-096 to prevent machine accounts from being changed into user accounts; CVE-2015-8467; (bso#11552); (boo#958585). + Fix remote dos in samba (ad) ldap server; cve-2015-7540; (bso#9187); (boo#958580). + Ensure attempt to ssh into locked account triggers 'Your account is disabled.....' to the console; (boo#953382). + Prevent NULL pointer access in samlogon fallback when security credentials are null; (boo#949022). talloc was updated to 2.1.5; (boo#954658). + Minor build fixes + Point ld_library_path to the just-built libraries while calling make test. + Disable rpath-install and silent-rules while configure. + Update to 2.1.4; (boo#951660). + Test that talloc magic differs between processes. + Increment minor version due to added talloc_test_get_magic. + Provide tests access to talloc_magic. + Test magic protection measures. + Update the samba library distribution key file 'talloc.keyring'; (bso#945116). + Update to 2.1.3; (boo#939051). + Improved python3 bindings + Documentation fixes regarding talloc_reference() and talloc_unlink() tdb was updated to version 1.3.8; (boo#954658). + Fix broken build with --disable-python + Minor build fixes + Disable rpath-install and silent-rules while configure. + Update the samba library distribution key file 'tdb.keyring'; (bso#945116). + Update to version 1.3.7. + First fix deadlock in the interaction between fcntl and mutex locking; (bso#11381) + Improved python3 bindings + Update to version 1.3.6. + Fix runtime detection for robust mutexes in the standalone build; (bso#11326). + Possible fix for the build with robust mutexes on solaris 11; (bso#11319). + Update to version 1.3.5. + Abi change: tdb_chainlock_read_nonblock() has been added, a nonblock variant of tdb_chainlock_read() + Do not build test binaries if it's not a standalone build + Fix cid 1034842 resource leak + Fix cid 1034841 resource leak + Don't let tdb_wrap_open() segfault with name==null + Update to version 1.3.4. + Toos: allow transactions with tdb_mutex_locking + Test: add tdb1-run-mutex-transaction1 test + Allow transactions on on tdb's with tdb_mutex_locking + Update to version 1.3.3. + Test: tdb_clear_if_first | tdb_mutex_locking, o_rdonly is a valid combination + Update to version 1.3.2. + Allow tdb_open_ex() with o_rdonly of tdb_feature_flag_mutex tdbs. + Fix a comment + Fix tdb_runtime_check_for_robust_mutexes() + Improve wording in a comment + Tdb.h needs bool type; obsoletes include_stdbool_bso10625.patch + Tdb_wrap: make mutexes easier to use + Tdb_wrap: only pull in samba-debug + Tdb_wrap: standalone compile without includes.h + Tdb_wrap: tdb_wrap.h doesn't need struct loadparm_context - Update to version 1.3.1. + Tools: fix a compiler warning + Defragment the freelist in tdb_allocate_from_freelist() + Add 'freelist_size' sub-command to tdbtool + Use tdb_freelist_merge_adjacent in tdb_freelist_size() + Add tdb_freelist_merge_adjacent() + Add utility function check_merge_ptr_with_left_record() + Simplify tdb_free() using check_merge_with_left_record() + Add utility function check_merge_with_left_record() + Improve comments for tdb_free(). + Factor merge_with_left_record() out of tdb_free() + Fix debug message in tdb_free() + Reduce indentation in tdb_free() for merging left + Increase readability of read_record_on_left() + Factor read_record_on_left() out of tdb_free() + Build: improve detection of srcdir. tevent was update to version 0.9.26; (boo#954658). + New tevent_thread_proxy api + Minor build fixes + Update the samba library distribution key file 'tevent.keyring'; (bso#945116). + Update to 0.9.25. + Fix compile error in solaris ports backend. + Fix access after free in tevent_common_check_signal(); (bso#11308). + Improve pytevent bindings. + Testsuite fixes. + Improve the documentation of the tevent_add_fd() assumtions. it must be talloc_free'ed before closing the fd! (bso##11141); (bso#11316). + Update to 0.9.24. + Ignore unexpected signal events in the same way the epoll backend does. + Update to 0.9.23. + Update the tevent_data.dox tutrial stuff to fix some errors, including white space problems. + Use tevent_req_simple_recv_unix in a few places. + Update to 0.9.22. + Remove unused exit_code in tevent_select.c + Remove unused exit_code in tevent_poll.c + Build: improve detection of srcdir + Lib: tevent: make tevent_sig_increment atomic. + Update flags in tevent pkgconfig file + Utilize doxygen to generate the api documentation and package it.
    last seen 2019-02-21
    modified 2016-10-13
    plugin id 87622
    published 2015-12-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87622
    title openSUSE Security Update : samba / ldb / talloc / etc (openSUSE-2015-945)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2015-2305-1.NASL
    description This update for ldb, samba, talloc, tdb, tevent fixes the following security issues and bugs : The Samba LDB was updated to version 1.1.24 : - Fix ldap \00 search expression attack dos; CVE-2015-3223; (bso#11325) - Fix remote read memory exploit in ldb; CVE-2015-5330; (bso#11599) - Move ldb_(un)pack_data into ldb_module.h for testing - Fix installation of _ldb_text.py - Fix propagation of ldb errors through tdb - Fix bug triggered by having an empty message in database during search Samba was updated to fix these issues : - Malicious request can cause Samba LDAP server to hang, spinning using CPU; CVE-2015-3223; (bso#11325); (bnc#958581). - Remote read memory exploit in LDB; CVE-2015-5330; (bso#11599); (bnc#958586). - Insufficient symlink verification (file access outside the share); CVE-2015-5252; (bso#11395); (bnc#958582). - No man in the middle protection when forcing smb encryption on the client side; CVE-2015-5296; (bso#11536); (bnc#958584). - Currently the snapshot browsing is not secure thru windows previous version (shadow_copy2); CVE-2015-5299; (bso#11529); (bnc#958583). - Fix Microsoft MS15-096 to prevent machine accounts from being changed into user accounts; CVE-2015-8467; (bso#11552); (bnc#958585). - Changing log level of two entries to from 1 to 3; (bso#9912). - vfs_gpfs: Re-enable share modes; (bso#11243). - wafsamba: Also build libraries with RELRO protection; (bso#11346). - ctdb: Strip trailing spaces from nodes file; (bso#11365). - s3-smbd: Fix old DOS client doing wildcard delete - gives a attribute type of zero; (bso#11452). - nss_wins: Do not run into use after free issues when we access memory allocated on the globals and the global being reinitialized; (bso#11563). - async_req: Fix non-blocking connect(); (bso#11564). - auth: gensec: Fix a memory leak; (bso#11565). - lib: util: Make non-critical message a warning; (bso#11566). - Fix winbindd crashes with samlogon for trusted domain user; (bso#11569); (bnc#949022). - smbd: Send SMB2 oplock breaks unencrypted; (bso#11570). - ctdb: Open the RO tracking db with perms 0600 instead of 0000; (bso#11577). - manpage: Correct small typo error; (bso#11584). - s3: smbd: If EA's are turned off on a share don't allow an SMB2 create containing them; (bso#11589). - Backport some valgrind fixes from upstream master; (bso#11597). - s3: smbd: have_file_open_below() fails to enumerate open files below an open directory handle; (bso#11615). - docs: Fix some typos in the idmap config section of man 5 smb.conf; (bso#11619). - Cleanup and enhance the pidl sub package. - s3: smbd: Fix our access-based enumeration on 'hide unreadable' to match Windows; (bso#10252). - smbd: Fix file name buflen and padding in notify repsonse; (bso#10634). - kerberos: Make sure we only use prompter type when available; (bso#11038). - s3:ctdbd_conn: Make sure we destroy tevent_fd before closing the socket; (bso#11316). - dcerpc.idl: accept invalid dcerpc_bind_nak pdus; (bso#11327). - Fix a deadlock in tdb; (bso#11381). - s3: smbd: Fix mkdir race condition; (bso#11486). - pam_winbind: Fix a segfault if initialization fails; (bso#11502). - s3: dfs: Fix a crash when the dfs targets are disabled; (bso#11509). - s3: smbd: Fix opening/creating :stream files on the root share directory; (bso#11522). - net: Fix a crash with 'net ads keytab create'; (bso#11528). - s3: smbd: Fix a crash in unix_convert() and a NULL pointer bug introduced by previous 'raw' stream fix (bso#11522); (bso#11535). - vfs_fruit: Return value of ad_pack in vfs_fruit.c; (bso#11543). - vfs_commit: Set the fd on open before calling SMB_VFS_FSTAT; (bso#11547). - Fix bug in smbstatus where the lease info is not printed; (bso#11549). - s3:smbstatus: Add stream name to share_entry_forall(); (bso#11550). - Prevent NULL pointer access in samlogon fallback when security credentials are null; (bnc#949022). - Fix 100% CPU in winbindd when logging in with 'user must change password on next logon'; (bso#11038). talloc was updated to version 2.1.5; (bsc#954658) (bsc#951660). - Test that talloc magic differs between processes. - Increment minor version due to added talloc_test_get_magic. - Provide tests access to talloc_magic. - Test magic protection measures. tdb was updated to version 1.3.8; (bsc#954658). - Improved python3 bindings tevent was updated to 0.9.26; (bsc#954658). - New tevent_thread_proxy api - Minor build fixes Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 87527
    published 2015-12-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87527
    title SUSE SLED12 / SLES12 Security Update : ldb, samba, talloc, tdb, tevent (SUSE-SU-2015:2305-1)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2015-0E0879CC8A.NASL
    description Update to Samba 4.2.7 (security release) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2016-10-18
    plugin id 89144
    published 2016-03-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=89144
    title Fedora 22 : samba-4.2.7-0.fc22 (2015-0e0879cc8a)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2016-0010.NASL
    description Updated samba4 packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Samba is an open source implementation of the Server Message Block (SMB) or Common Internet File System (CIFS) protocol, which allows PC-compatible machines to share files, printers, and other information. A denial of service flaw was found in the LDAP server provided by the AD DC in the Samba process daemon. A remote attacker could exploit this flaw by sending a specially crafted packet, which could cause the server to consume an excessive amount of memory and crash. (CVE-2015-7540) Multiple buffer over-read flaws were found in the way Samba handled malformed inputs in certain encodings. An authenticated, remote attacker could possibly use these flaws to disclose portions of the server memory. (CVE-2015-5330) A man-in-the-middle vulnerability was found in the way 'connection signing' was implemented by Samba. A remote attacker could use this flaw to downgrade an existing Samba client connection and force the use of plain text. (CVE-2015-5296) A missing access control flaw was found in Samba. A remote, authenticated attacker could use this flaw to view the current snapshot on a Samba share, despite not having DIRECTORY_LIST access rights. (CVE-2015-5299) An access flaw was found in the way Samba verified symbolic links when creating new files on a Samba share. A remote attacker could exploit this flaw to gain access to files outside of Samba's share path. (CVE-2015-5252) Red Hat would like to thank the Samba project for reporting these issues. Upstream acknowledges Stefan Metzmacher of the Samba Team and Sernet.de as the original reporters of CVE-2015-5296, partha@exablox.com as the original reporter of CVE-2015-5299, Jan 'Yenya' Kasprzak and the Computer Systems Unit team at Faculty of Informatics, Masaryk University as the original reporters of CVE-2015-5252 flaws, and Douglas Bagnall as the original reporter of CVE-2015-5330. All samba4 users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, the smb service will be restarted automatically.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 87810
    published 2016-01-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87810
    title RHEL 6 : samba4 (RHSA-2016:0010)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2016-0006.NASL
    description From Red Hat Security Advisory 2016:0006 : Updated samba packages that fix multiple security issues are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Samba is an open source implementation of the Server Message Block (SMB) or Common Internet File System (CIFS) protocol, which allows PC-compatible machines to share files, printers, and other information. A denial of service flaw was found in the LDAP server provided by the AD DC in the Samba process daemon. A remote attacker could exploit this flaw by sending a specially crafted packet, which could cause the server to consume an excessive amount of memory and crash. (CVE-2015-7540) Multiple buffer over-read flaws were found in the way Samba handled malformed inputs in certain encodings. An authenticated, remote attacker could possibly use these flaws to disclose portions of the server memory. (CVE-2015-5330) A man-in-the-middle vulnerability was found in the way 'connection signing' was implemented by Samba. A remote attacker could use this flaw to downgrade an existing Samba client connection and force the use of plain text. (CVE-2015-5296) A missing access control flaw was found in Samba. A remote, authenticated attacker could use this flaw to view the current snapshot on a Samba share, despite not having DIRECTORY_LIST access rights. (CVE-2015-5299) An access flaw was found in the way Samba verified symbolic links when creating new files on a Samba share. A remote attacker could exploit this flaw to gain access to files outside of Samba's share path. (CVE-2015-5252) Red Hat would like to thank the Samba project for reporting these issues. Upstream acknowledges Stefan Metzmacher of the Samba Team and Sernet.de as the original reporters of CVE-2015-5296, partha@exablox.com as the original reporter of CVE-2015-5299, Jan 'Yenya' Kasprzak and the Computer Systems Unit team at Faculty of Informatics, Masaryk University as the original reporters of CVE-2015-5252 flaws, and Douglas Bagnall as the original reporter of CVE-2015-5330. All samba users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, the smb service will be restarted automatically.
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 87793
    published 2016-01-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87793
    title Oracle Linux 7 : samba (ELSA-2016-0006)
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2016-634.NASL
    description A missing access control flaw was found in Samba. A remote, authenticated attacker could use this flaw to view the current snapshot on a Samba share, despite not having DIRECTORY_LIST access rights. An access flaw was found in the way Samba verified symbolic links when creating new files on a Samba share. A remote attacker could exploit this flaw to gain access to files outside of Samba's share path. A memory-read flaw was found in the way the libldb library processed LDB DN records with a null byte. An authenticated, remote attacker could use this flaw to read heap-memory pages from the server. A man-in-the-middle vulnerability was found in the way 'connection signing' was implemented by Samba. A remote attacker could use this flaw to downgrade an existing Samba client connection and force the use of plain text.
    last seen 2019-02-21
    modified 2018-04-18
    plugin id 87968
    published 2016-01-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87968
    title Amazon Linux AMI : samba (ALAS-2016-634)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2016-0010.NASL
    description From Red Hat Security Advisory 2016:0010 : Updated samba4 packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Samba is an open source implementation of the Server Message Block (SMB) or Common Internet File System (CIFS) protocol, which allows PC-compatible machines to share files, printers, and other information. A denial of service flaw was found in the LDAP server provided by the AD DC in the Samba process daemon. A remote attacker could exploit this flaw by sending a specially crafted packet, which could cause the server to consume an excessive amount of memory and crash. (CVE-2015-7540) Multiple buffer over-read flaws were found in the way Samba handled malformed inputs in certain encodings. An authenticated, remote attacker could possibly use these flaws to disclose portions of the server memory. (CVE-2015-5330) A man-in-the-middle vulnerability was found in the way 'connection signing' was implemented by Samba. A remote attacker could use this flaw to downgrade an existing Samba client connection and force the use of plain text. (CVE-2015-5296) A missing access control flaw was found in Samba. A remote, authenticated attacker could use this flaw to view the current snapshot on a Samba share, despite not having DIRECTORY_LIST access rights. (CVE-2015-5299) An access flaw was found in the way Samba verified symbolic links when creating new files on a Samba share. A remote attacker could exploit this flaw to gain access to files outside of Samba's share path. (CVE-2015-5252) Red Hat would like to thank the Samba project for reporting these issues. Upstream acknowledges Stefan Metzmacher of the Samba Team and Sernet.de as the original reporters of CVE-2015-5296, partha@exablox.com as the original reporter of CVE-2015-5299, Jan 'Yenya' Kasprzak and the Computer Systems Unit team at Faculty of Informatics, Masaryk University as the original reporters of CVE-2015-5252 flaws, and Douglas Bagnall as the original reporter of CVE-2015-5330. All samba4 users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, the smb service will be restarted automatically.
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 87797
    published 2016-01-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87797
    title Oracle Linux 6 : samba4 (ELSA-2016-0010)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20160107_SAMBA_ON_SL7_X.NASL
    description A denial of service flaw was found in the LDAP server provided by the AD DC in the Samba process daemon. A remote attacker could exploit this flaw by sending a specially crafted packet, which could cause the server to consume an excessive amount of memory and crash. (CVE-2015-7540) Multiple buffer over-read flaws were found in the way Samba handled malformed inputs in certain encodings. An authenticated, remote attacker could possibly use these flaws to disclose portions of the server memory. (CVE-2015-5330) A man-in-the-middle vulnerability was found in the way 'connection signing' was implemented by Samba. A remote attacker could use this flaw to downgrade an existing Samba client connection and force the use of plain text. (CVE-2015-5296) A missing access control flaw was found in Samba. A remote, authenticated attacker could use this flaw to view the current snapshot on a Samba share, despite not having DIRECTORY_LIST access rights. (CVE-2015-5299) An access flaw was found in the way Samba verified symbolic links when creating new files on a Samba share. A remote attacker could exploit this flaw to gain access to files outside of Samba's share path. (CVE-2015-5252) After installing this update, the smb service will be restarted automatically.
    last seen 2019-02-21
    modified 2018-12-28
    plugin id 87844
    published 2016-01-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87844
    title Scientific Linux Security Update : samba on SL7.x x86_64
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-2855-2.NASL
    description USN-2855-1 fixed vulnerabilities in Samba. The upstream fix for CVE-2015-5252 introduced a regression in certain specific environments. This update fixes the problem. Thilo Uttendorfer discovered that the Samba LDAP server incorrectly handled certain packets. A remote attacker could use this issue to cause the LDAP server to stop responding, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS, Ubuntu 15.04 and Ubuntu 15.10. (CVE-2015-3223) Jan Kasprzak discovered that Samba incorrectly handled certain symlinks. A remote attacker could use this issue to access files outside the exported share path. (CVE-2015-5252) Stefan Metzmacher discovered that Samba did not enforce signing when creating encrypted connections. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could be exploited to view sensitive information. (CVE-2015-5296) It was discovered that Samba incorrectly performed access control when using the VFS shadow_copy2 module. A remote attacker could use this issue to access snapshots, contrary to intended permissions. (CVE-2015-5299) Douglas Bagnall discovered that Samba incorrectly handled certain string lengths. A remote attacker could use this issue to possibly access sensitive information. (CVE-2015-5330) It was discovered that the Samba LDAP server incorrectly handled certain packets. A remote attacker could use this issue to cause the LDAP server to stop responding, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS, Ubuntu 15.04 and Ubuntu 15.10. (CVE-2015-7540) Andrew Bartlett discovered that Samba incorrectly checked administrative privileges during creation of machine accounts. A remote attacker could possibly use this issue to bypass intended access restrictions in certain environments. This issue only affected Ubuntu 14.04 LTS, Ubuntu 15.04 and Ubuntu 15.10. (CVE-2015-8467). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 88804
    published 2016-02-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=88804
    title Ubuntu 12.04 LTS / 14.04 LTS / 15.10 : samba regression (USN-2855-2)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2016-0015.NASL
    description Updated samba packages that fix multiple security issues are now available for Red Hat Gluster Storage 3.1 for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Samba is an open source implementation of the Server Message Block (SMB) or Common Internet File System (CIFS) protocol, which allows PC-compatible machines to share files, printers, and other information. A man-in-the-middle vulnerability was found in the way 'connection signing' was implemented by Samba. A remote attacker could use this flaw to downgrade an existing Samba client connection and force the use of plain text. (CVE-2015-5296) A missing access control flaw was found in Samba. A remote, authenticated attacker could use this flaw to view the current snapshot on a Samba share, despite not having DIRECTORY_LIST access rights. (CVE-2015-5299) Multiple buffer over-read flaws were found in the way Samba handled malformed inputs in certain encodings. An authenticated, remote attacker could possibly use these flaws to disclose portions of the server memory. (CVE-2015-5330) A denial of service flaw was found in the LDAP server provided by the AD DC in the Samba process daemon. A remote attacker could exploit this flaw by sending a specially crafted packet, which could cause the server to consume an excessive amount of memory and crash. (CVE-2015-7540) An access flaw was found in the way Samba verified symbolic links when creating new files on a Samba share. A remote attacker could exploit this flaw to gain access to files outside of Samba's share path. (CVE-2015-5252) Red Hat would like to thank the Samba project for reporting these issues. Upstream acknowledges Stefan Metzmacher of the Samba Team and Sernet.de as the original reporters of CVE-2015-5296, partha@exablox.com as the original reporter of CVE-2015-5299, Jan 'Yenya' Kasprzak and the Computer Systems Unit team at Faculty of Informatics, Masaryk University as the original reporters of CVE-2015-5252 flaws, and Douglas Bagnall as the original reporter of CVE-2015-5330. All samba users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, the smb service will be restarted automatically.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 90077
    published 2016-03-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90077
    title RHEL 6 : Storage Server (RHSA-2016:0015)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-3433.NASL
    description Several vulnerabilities have been discovered in Samba, a SMB/CIFS file, print, and login server for Unix. The Common Vulnerabilities and Exposures project identifies the following issues : - CVE-2015-3223 Thilo Uttendorfer of Linux Information Systems AG discovered that a malicious request can cause the Samba LDAP server to hang, spinning using CPU. A remote attacker can take advantage of this flaw to mount a denial of service. - CVE-2015-5252 Jan 'Yenya' Kasprzak and the Computer Systems Unit team at Faculty of Informatics, Masaryk University discovered that insufficient symlink verification could allow data access outside an exported share path. - CVE-2015-5296 Stefan Metzmacher of SerNet discovered that Samba does not ensure that signing is negotiated when creating an encrypted client connection to a server. This allows a man-in-the-middle attacker to downgrade the connection and connect using the supplied credentials as an unsigned, unencrypted connection. - CVE-2015-5299 It was discovered that a missing access control check in the VFS shadow_copy2 module could allow unauthorized users to access snapshots. - CVE-2015-5330 Douglas Bagnall of Catalyst discovered that the Samba LDAP server is vulnerable to a remote memory read attack. A remote attacker can obtain sensitive information from daemon heap memory by sending crafted packets and then either read an error message, or a database value. - CVE-2015-7540 It was discovered that a malicious client can send packets that cause the LDAP server provided by the AD DC in the samba daemon process to consume unlimited memory and be terminated. - CVE-2015-8467 Andrew Bartlett of the Samba Team and Catalyst discovered that a Samba server deployed as an AD DC can expose Windows DCs in the same domain to a denial of service via the creation of multiple machine accounts. This issue is related to the MS15-096 / CVE-2015-2535 security issue in Windows.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 87684
    published 2016-01-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87684
    title Debian DSA-3433-1 : samba - security update
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2015-943.NASL
    description This update for ldb, samba, talloc, tdb, tevent fixes the following security issues and bugs : The Samba LDB was updated to version 1.1.24 : - Fix ldap \00 search expression attack dos; CVE-2015-3223; (bso#11325) - Fix remote read memory exploit in ldb; CVE-2015-5330; (bso#11599) - Move ldb_(un)pack_data into ldb_module.h for testing - Fix installation of _ldb_text.py - Fix propagation of ldb errors through tdb - Fix bug triggered by having an empty message in database during search Samba was updated to fix these issues : - Malicious request can cause Samba LDAP server to hang, spinning using CPU; CVE-2015-3223; (bso#11325); (bnc#958581). - Remote read memory exploit in LDB; CVE-2015-5330; (bso#11599); (bnc#958586). - Insufficient symlink verification (file access outside the share); CVE-2015-5252; (bso#11395); (bnc#958582). - No man in the middle protection when forcing smb encryption on the client side; CVE-2015-5296; (bso#11536); (bnc#958584). - Currently the snapshot browsing is not secure thru windows previous version (shadow_copy2); CVE-2015-5299; (bso#11529); (bnc#958583). - Fix Microsoft MS15-096 to prevent machine accounts from being changed into user accounts; CVE-2015-8467; (bso#11552); (bnc#958585). - Changing log level of two entries to from 1 to 3; (bso#9912). - vfs_gpfs: Re-enable share modes; (bso#11243). - wafsamba: Also build libraries with RELRO protection; (bso#11346). - ctdb: Strip trailing spaces from nodes file; (bso#11365). - s3-smbd: Fix old DOS client doing wildcard delete - gives a attribute type of zero; (bso#11452). - nss_wins: Do not run into use after free issues when we access memory allocated on the globals and the global being reinitialized; (bso#11563). - async_req: Fix non-blocking connect(); (bso#11564). - auth: gensec: Fix a memory leak; (bso#11565). - lib: util: Make non-critical message a warning; (bso#11566). - Fix winbindd crashes with samlogon for trusted domain user; (bso#11569); (bnc#949022). - smbd: Send SMB2 oplock breaks unencrypted; (bso#11570). - ctdb: Open the RO tracking db with perms 0600 instead of 0000; (bso#11577). - manpage: Correct small typo error; (bso#11584). - s3: smbd: If EA's are turned off on a share don't allow an SMB2 create containing them; (bso#11589). - Backport some valgrind fixes from upstream master; (bso#11597). - s3: smbd: have_file_open_below() fails to enumerate open files below an open directory handle; (bso#11615). - docs: Fix some typos in the idmap config section of man 5 smb.conf; (bso#11619). - Cleanup and enhance the pidl sub package. - s3: smbd: Fix our access-based enumeration on 'hide unreadable' to match Windows; (bso#10252). - smbd: Fix file name buflen and padding in notify repsonse; (bso#10634). - kerberos: Make sure we only use prompter type when available; (bso#11038). - s3:ctdbd_conn: Make sure we destroy tevent_fd before closing the socket; (bso#11316). - dcerpc.idl: accept invalid dcerpc_bind_nak pdus; (bso#11327). - Fix a deadlock in tdb; (bso#11381). - s3: smbd: Fix mkdir race condition; (bso#11486). - pam_winbind: Fix a segfault if initialization fails; (bso#11502). - s3: dfs: Fix a crash when the dfs targets are disabled; (bso#11509). - s3: smbd: Fix opening/creating :stream files on the root share directory; (bso#11522). - net: Fix a crash with 'net ads keytab create'; (bso#11528). - s3: smbd: Fix a crash in unix_convert() and a NULL pointer bug introduced by previous 'raw' stream fix (bso#11522); (bso#11535). - vfs_fruit: Return value of ad_pack in vfs_fruit.c; (bso#11543). - vfs_commit: Set the fd on open before calling SMB_VFS_FSTAT; (bso#11547). - Fix bug in smbstatus where the lease info is not printed; (bso#11549). - s3:smbstatus: Add stream name to share_entry_forall(); (bso#11550). - Prevent NULL pointer access in samlogon fallback when security credentials are null; (bnc#949022). - Fix 100% CPU in winbindd when logging in with 'user must change password on next logon'; (bso#11038). talloc was updated to version 2.1.5; (bsc#954658) (bsc#951660). - Test that talloc magic differs between processes. - Increment minor version due to added talloc_test_get_magic. - Provide tests access to talloc_magic. - Test magic protection measures. tdb was updated to version 1.3.8; (bsc#954658). - Improved python3 bindings tevent was updated to 0.9.26; (bsc#954658). - New tevent_thread_proxy api - Minor build fixes This update was imported from the SUSE:SLE-12-SP1:Update update project.
    last seen 2019-02-21
    modified 2016-10-13
    plugin id 87621
    published 2015-12-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87621
    title openSUSE Security Update : ldb / samba / talloc / etc (openSUSE-2015-943)
  • NASL family Misc.
    NASL id SAMBA_4_3_3.NASL
    description According to its banner, the version of Samba running on the remote host is 4.2.x prior to 4.2.7 or 4.3.x prior to 4.3.3. It is, therefore, affected by the following vulnerabilities : - A denial of service vulnerability exists in the ldb_wildcard_compare() function in file ldb_match.c due to mishandling certain zero values. An unauthenticated, remote attacker can exploit this, via crafted LDAP requests, to exhaust CPU resources. (CVE-2015-3223) - A security bypass vulnerability exists in the check_reduced_name_with_privilege() function and the check_reduced_name() function within file smbd/vfs.c that allows users to follow symlinks that point to resources in another directory that shares a common path prefix. An unauthenticated, remote attacker can exploit this, via a symlink that points outside of a share, to bypass file access restrictions. (CVE-2015-5252) - A flaw exists due to a failure to ensure that signing is negotiated when creating encrypted connections between the client and server. A man-in-the-middle attacker can exploit this, by modifying the client-server data stream, to downgrade the security of the connection, thus allowing communications to be monitored or manipulated. (CVE-2015-5296) - A security bypass vulnerability exists in the shadow_copy2_get_shadow_copy_data() function in file modules/vfs_shadow_copy2.c due to a failure to verify that DIRECTORY_LIST access rights has been granted when accessing snapshots. An unauthenticated, remote attacker can exploit this to access snapshots by visiting a shadow copy directory. (CVE-2015-5299) - A flaw exists in the LDAP server due to improper handling of string lengths in LDAP requests. An unauthenticated, remote attacker can exploit this to gain sensitive information from the daemon heap memory by sending crafted packets and then reading an error message or a database value. (CVE-2015-5330) - The samldb_check_user_account_control_acl() function in file dsdb/samdb/ldb_modules/samldb.c fails to properly check for administrative privileges during the creation of machine accounts. An authenticated, remote attacker can exploit this to bypass intended access restrictions by making use of a domain that has both a Samba DC and Windows DC. (CVE-2015-8467) Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 87769
    published 2016-01-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87769
    title Samba 4.2.x < 4.2.7 / 4.3.x < 4.3.3 Multiple Vulnerabilities
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20160107_SAMBA4_ON_SL6_X.NASL
    description A denial of service flaw was found in the LDAP server provided by the AD DC in the Samba process daemon. A remote attacker could exploit this flaw by sending a specially crafted packet, which could cause the server to consume an excessive amount of memory and crash. (CVE-2015-7540) Multiple buffer over-read flaws were found in the way Samba handled malformed inputs in certain encodings. An authenticated, remote attacker could possibly use these flaws to disclose portions of the server memory. (CVE-2015-5330) A man-in-the-middle vulnerability was found in the way 'connection signing' was implemented by Samba. A remote attacker could use this flaw to downgrade an existing Samba client connection and force the use of plain text. (CVE-2015-5296) A missing access control flaw was found in Samba. A remote, authenticated attacker could use this flaw to view the current snapshot on a Samba share, despite not having DIRECTORY_LIST access rights. (CVE-2015-5299) An access flaw was found in the way Samba verified symbolic links when creating new files on a Samba share. A remote attacker could exploit this flaw to gain access to files outside of Samba's share path. (CVE-2015-5252) After installing this update, the smb service will be restarted automatically.
    last seen 2019-02-21
    modified 2018-12-28
    plugin id 87842
    published 2016-01-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87842
    title Scientific Linux Security Update : samba4 on SL6.x i386/x86_64
  • NASL family Misc.
    NASL id SAMBA_4_1_22.NASL
    description According to its banner, the version of Samba running on the remote host is 4.x prior to 4.1.22. It is, therefore, affected by the following vulnerabilities : - A denial of service vulnerability exists in the ldb_wildcard_compare() function in file ldb_match.c due to mishandling certain zero values. An unauthenticated, remote attacker can exploit this, via crafted LDAP requests, to exhaust CPU resources. (CVE-2015-3223) - A security bypass vulnerability exists in the check_reduced_name_with_privilege() function and the check_reduced_name() function within file smbd/vfs.c that allows users to follow symlinks that point to resources in another directory that shares a common path prefix. An unauthenticated, remote attacker can exploit this, via a symlink that points outside of a share, to bypass file access restrictions. (CVE-2015-5252) - A flaw exists due to a failure to ensure that signing is negotiated when creating encrypted connections between the client and server. A man-in-the-middle attacker can exploit this, by modifying the client-server data stream, to downgrade the security of the connection, thus allowing communications to be monitored or manipulated. (CVE-2015-5296) - A security bypass vulnerability exists in the shadow_copy2_get_shadow_copy_data() function in file modules/vfs_shadow_copy2.c due to a failure to verify that DIRECTORY_LIST access rights has been granted when accessing snapshots. An unauthenticated, remote attacker can exploit this to access snapshots by visiting a shadow copy directory. (CVE-2015-5299) - A flaw exists in the LDAP server due to improper handling of string lengths in LDAP requests. An unauthenticated, remote attacker can exploit this to gain sensitive information from the daemon heap memory by sending crafted packets and then reading an error message or a database value. (CVE-2015-5330) - A denial of service vulnerability exists in the LDAP server due to a failure to check return values when allocating ASN.1 memory. An unauthenticated, remote attacker can exploit this, via crafted packets, to cause the daemon to crash through memory consumption. (CVE-2015-7540) - The samldb_check_user_account_control_acl() function in file dsdb/samdb/ldb_modules/samldb.c fails to properly check for administrative privileges during the creation of machine accounts. An authenticated, remote attacker can exploit this to bypass intended access restrictions by making use of a domain that has both a Samba DC and Windows DC. (CVE-2015-8467) Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 87768
    published 2016-01-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87768
    title Samba 4.x < 4.1.22 Multiple Vulnerabilities
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_EF434839A6A411E58275000C292E4FD8.NASL
    description Samba team reports : [CVE-2015-3223] Malicious request can cause Samba LDAP server to hang, spinning using CPU. [CVE-2015-5330] Malicious request can cause Samba LDAP server to return uninitialized memory that should not be part of the reply. [CVE-2015-5296] Requesting encryption should also request signing when setting up the connection to protect against man-in-the-middle attacks. [CVE-2015-5299] A missing access control check in the VFS shadow_copy2 module could allow unauthorized users to access snapshots. [CVE-2015-7540] Malicious request can cause Samba LDAP server to return crash. [CVE-2015-8467] Samba can expose Windows DCs to MS15-096 Denial of service via the creation of multiple machine accounts(The Microsoft issue is CVE-2015-2535). [CVE-2015-5252] Insufficient symlink verification could allow data access outside share path.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 87514
    published 2015-12-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87514
    title FreeBSD : samba -- multiple vulnerabilities (ef434839-a6a4-11e5-8275-000c292e4fd8)
redhat via4
rpms
  • ctdb-0:4.2.3-11.el7_2
  • ctdb-devel-0:4.2.3-11.el7_2
  • ctdb-tests-0:4.2.3-11.el7_2
  • libsmbclient-0:4.2.3-11.el7_2
  • libsmbclient-devel-0:4.2.3-11.el7_2
  • libwbclient-0:4.2.3-11.el7_2
  • libwbclient-devel-0:4.2.3-11.el7_2
  • samba-0:4.2.3-11.el7_2
  • samba-client-0:4.2.3-11.el7_2
  • samba-client-libs-0:4.2.3-11.el7_2
  • samba-common-0:4.2.3-11.el7_2
  • samba-common-libs-0:4.2.3-11.el7_2
  • samba-common-tools-0:4.2.3-11.el7_2
  • samba-dc-0:4.2.3-11.el7_2
  • samba-dc-libs-0:4.2.3-11.el7_2
  • samba-devel-0:4.2.3-11.el7_2
  • samba-libs-0:4.2.3-11.el7_2
  • samba-pidl-0:4.2.3-11.el7_2
  • samba-python-0:4.2.3-11.el7_2
  • samba-test-0:4.2.3-11.el7_2
  • samba-test-devel-0:4.2.3-11.el7_2
  • samba-test-libs-0:4.2.3-11.el7_2
  • samba-vfs-glusterfs-0:4.2.3-11.el7_2
  • samba-winbind-0:4.2.3-11.el7_2
  • samba-winbind-clients-0:4.2.3-11.el7_2
  • samba-winbind-krb5-locator-0:4.2.3-11.el7_2
  • samba-winbind-modules-0:4.2.3-11.el7_2
  • samba4-0:4.0.0-67.el6_7.rc4
  • samba4-client-0:4.0.0-67.el6_7.rc4
  • samba4-common-0:4.0.0-67.el6_7.rc4
  • samba4-dc-0:4.0.0-67.el6_7.rc4
  • samba4-dc-libs-0:4.0.0-67.el6_7.rc4
  • samba4-devel-0:4.0.0-67.el6_7.rc4
  • samba4-libs-0:4.0.0-67.el6_7.rc4
  • samba4-pidl-0:4.0.0-67.el6_7.rc4
  • samba4-python-0:4.0.0-67.el6_7.rc4
  • samba4-swat-0:4.0.0-67.el6_7.rc4
  • samba4-test-0:4.0.0-67.el6_7.rc4
  • samba4-winbind-0:4.0.0-67.el6_7.rc4
  • samba4-winbind-clients-0:4.0.0-67.el6_7.rc4
  • samba4-winbind-krb5-locator-0:4.0.0-67.el6_7.rc4
  • libsmbclient-0:3.6.23-24.el6_7
  • libsmbclient-devel-0:3.6.23-24.el6_7
  • samba-0:3.6.23-24.el6_7
  • samba-client-0:3.6.23-24.el6_7
  • samba-common-0:3.6.23-24.el6_7
  • samba-doc-0:3.6.23-24.el6_7
  • samba-domainjoin-gui-0:3.6.23-24.el6_7
  • samba-glusterfs-0:3.6.23-24.el6_7
  • samba-swat-0:3.6.23-24.el6_7
  • samba-winbind-0:3.6.23-24.el6_7
  • samba-winbind-clients-0:3.6.23-24.el6_7
  • samba-winbind-devel-0:3.6.23-24.el6_7
  • samba-winbind-krb5-locator-0:3.6.23-24.el6_7
refmap via4
bid 79732
confirm
debian DSA-3433
fedora
  • FEDORA-2015-0e0879cc8a
  • FEDORA-2015-b36076d32e
gentoo GLSA-201612-47
sectrack 1034493
suse
  • SUSE-SU-2015:2304
  • SUSE-SU-2015:2305
  • SUSE-SU-2016:0032
  • SUSE-SU-2016:0164
  • openSUSE-SU-2015:2354
  • openSUSE-SU-2015:2356
  • openSUSE-SU-2016:1064
  • openSUSE-SU-2016:1106
  • openSUSE-SU-2016:1107
ubuntu
  • USN-2855-1
  • USN-2855-2
Last major update 30-12-2016 - 21:59
Published 29-12-2015 - 17:59
Last modified 30-10-2018 - 12:25
Back to Top