ID CVE-2016-2111
Summary The NETLOGON service in Samba 3.x and 4.x before 4.2.11, 4.3.x before 4.3.8, and 4.4.x before 4.4.2, when a domain controller is configured, allows remote attackers to spoof the computer name of a secure channel's endpoint, and obtain sensitive session information, by running a crafted application and leveraging the ability to sniff network traffic, a related issue to CVE-2015-0005.
References
Vulnerable Configurations
  • Samba 4.4.0
    cpe:2.3:a:samba:samba:4.4.0
  • Samba 4.3.6
    cpe:2.3:a:samba:samba:4.3.6
  • Samba 4.3.5
    cpe:2.3:a:samba:samba:4.3.5
  • Samba 4.3.4
    cpe:2.3:a:samba:samba:4.3.4
  • Samba 4.3.3
    cpe:2.3:a:samba:samba:4.3.3
  • Samba 4.3.2
    cpe:2.3:a:samba:samba:4.3.2
  • Samba 4.3.1
    cpe:2.3:a:samba:samba:4.3.1
  • Samba 4.3.0
    cpe:2.3:a:samba:samba:4.3.0
  • Samba 4.0.26
    cpe:2.3:a:samba:samba:4.0.26
  • Samba 4.0.25
    cpe:2.3:a:samba:samba:4.0.25
  • Samba 4.1.23
    cpe:2.3:a:samba:samba:4.1.23
  • Samba 4.2.9
    cpe:2.3:a:samba:samba:4.2.9
  • Samba 4.2.8
    cpe:2.3:a:samba:samba:4.2.8
  • Samba 4.2.7
    cpe:2.3:a:samba:samba:4.2.7
  • Samba 4.2.6
    cpe:2.3:a:samba:samba:4.2.6
  • Samba 4.2.5
    cpe:2.3:a:samba:samba:4.2.5
  • Samba 4.2.4
    cpe:2.3:a:samba:samba:4.2.4
  • Samba 4.2.3
    cpe:2.3:a:samba:samba:4.2.3
  • Samba 4.2.2
    cpe:2.3:a:samba:samba:4.2.2
  • Samba 4.2.1
    cpe:2.3:a:samba:samba:4.2.1
  • Samba 4.2.0 release candidate 4
    cpe:2.3:a:samba:samba:4.2.0:rc4
  • Samba 4.2.0 release candidate 3
    cpe:2.3:a:samba:samba:4.2.0:rc3
  • Samba 4.2.0 release candidate 2
    cpe:2.3:a:samba:samba:4.2.0:rc2
  • Samba 4.2.0 release candidate 1
    cpe:2.3:a:samba:samba:4.2.0:rc1
  • Samba 4.1.9
    cpe:2.3:a:samba:samba:4.1.9
  • Samba 4.1.8
    cpe:2.3:a:samba:samba:4.1.8
  • Samba 4.1.7
    cpe:2.3:a:samba:samba:4.1.7
  • Samba 4.1.6
    cpe:2.3:a:samba:samba:4.1.6
  • Samba 4.1.5
    cpe:2.3:a:samba:samba:4.1.5
  • Samba 4.1.4
    cpe:2.3:a:samba:samba:4.1.4
  • Samba 4.1.3
    cpe:2.3:a:samba:samba:4.1.3
  • Samba 4.1.22
    cpe:2.3:a:samba:samba:4.1.22
  • Samba 4.1.21
    cpe:2.3:a:samba:samba:4.1.21
  • Samba 4.1.20
    cpe:2.3:a:samba:samba:4.1.20
  • Samba 4.1.2
    cpe:2.3:a:samba:samba:4.1.2
  • Samba 4.1.19
    cpe:2.3:a:samba:samba:4.1.19
  • Samba 4.1.18
    cpe:2.3:a:samba:samba:4.1.18
  • Samba 4.1.17
    cpe:2.3:a:samba:samba:4.1.17
  • Samba 4.1.16
    cpe:2.3:a:samba:samba:4.1.16
  • Samba 4.1.15
    cpe:2.3:a:samba:samba:4.1.15
  • Samba 4.1.14
    cpe:2.3:a:samba:samba:4.1.14
  • Samba 4.1.13
    cpe:2.3:a:samba:samba:4.1.13
  • Samba 4.1.12
    cpe:2.3:a:samba:samba:4.1.12
  • Samba 4.1.11
    cpe:2.3:a:samba:samba:4.1.11
  • Samba 4.1.10
    cpe:2.3:a:samba:samba:4.1.10
  • Samba 4.1.1
    cpe:2.3:a:samba:samba:4.1.1
  • Samba 4.1.0
    cpe:2.3:a:samba:samba:4.1.0
  • Samba 4.0.9
    cpe:2.3:a:samba:samba:4.0.9
  • Samba 4.0.8
    cpe:2.3:a:samba:samba:4.0.8
  • Samba 4.0.7
    cpe:2.3:a:samba:samba:4.0.7
  • Samba 4.0.6
    cpe:2.3:a:samba:samba:4.0.6
  • Samba 4.0.5
    cpe:2.3:a:samba:samba:4.0.5
  • Samba 4.0.4
    cpe:2.3:a:samba:samba:4.0.4
  • Samba 4.0.3
    cpe:2.3:a:samba:samba:4.0.3
  • Samba 4.0.24
    cpe:2.3:a:samba:samba:4.0.24
  • Samba 4.0.23
    cpe:2.3:a:samba:samba:4.0.23
  • Samba 4.0.22
    cpe:2.3:a:samba:samba:4.0.22
  • Samba 4.0.21
    cpe:2.3:a:samba:samba:4.0.21
  • Samba 4.0.20
    cpe:2.3:a:samba:samba:4.0.20
  • Samba 4.0.2
    cpe:2.3:a:samba:samba:4.0.2
  • Samba 4.0.19
    cpe:2.3:a:samba:samba:4.0.19
  • Samba 4.0.18
    cpe:2.3:a:samba:samba:4.0.18
  • Samba 4.0.17
    cpe:2.3:a:samba:samba:4.0.17
  • Samba 4.0.16
    cpe:2.3:a:samba:samba:4.0.16
  • Samba 4.0.15
    cpe:2.3:a:samba:samba:4.0.15
  • Samba 4.0.14
    cpe:2.3:a:samba:samba:4.0.14
  • Samba 4.0.13
    cpe:2.3:a:samba:samba:4.0.13
  • Samba 4.0.12
    cpe:2.3:a:samba:samba:4.0.12
  • Samba 4.0.11
    cpe:2.3:a:samba:samba:4.0.11
  • Samba 4.0.10
    cpe:2.3:a:samba:samba:4.0.10
  • Samba 4.0.1
    cpe:2.3:a:samba:samba:4.0.1
  • Samba 4.0.0
    cpe:2.3:a:samba:samba:4.0.0
  • Samba 3.6.25
    cpe:2.3:a:samba:samba:3.6.25
  • Samba 3.6.9
    cpe:2.3:a:samba:samba:3.6.9
  • Samba 3.6.8
    cpe:2.3:a:samba:samba:3.6.8
  • Samba 3.6.7
    cpe:2.3:a:samba:samba:3.6.7
  • Samba 3.6.6
    cpe:2.3:a:samba:samba:3.6.6
  • Samba 3.6.5
    cpe:2.3:a:samba:samba:3.6.5
  • Samba 3.6.4
    cpe:2.3:a:samba:samba:3.6.4
  • Samba 3.6.3
    cpe:2.3:a:samba:samba:3.6.3
  • Samba 3.6.24
    cpe:2.3:a:samba:samba:3.6.24
  • Samba 3.6.23
    cpe:2.3:a:samba:samba:3.6.23
  • Samba 3.6.22
    cpe:2.3:a:samba:samba:3.6.22
  • Samba 3.6.21
    cpe:2.3:a:samba:samba:3.6.21
  • Samba 3.6.20
    cpe:2.3:a:samba:samba:3.6.20
  • Samba 3.6.2
    cpe:2.3:a:samba:samba:3.6.2
  • Samba 3.6.19
    cpe:2.3:a:samba:samba:3.6.19
  • Samba 3.6.18
    cpe:2.3:a:samba:samba:3.6.18
  • Samba 3.6.17
    cpe:2.3:a:samba:samba:3.6.17
  • Samba 3.6.16
    cpe:2.3:a:samba:samba:3.6.16
  • Samba 3.6.15
    cpe:2.3:a:samba:samba:3.6.15
  • Samba 3.6.14
    cpe:2.3:a:samba:samba:3.6.14
  • Samba 3.6.13
    cpe:2.3:a:samba:samba:3.6.13
  • Samba 3.6.12
    cpe:2.3:a:samba:samba:3.6.12
  • Samba 3.6.11
    cpe:2.3:a:samba:samba:3.6.11
  • Samba 3.6.10
    cpe:2.3:a:samba:samba:3.6.10
  • Samba 3.6.1
    cpe:2.3:a:samba:samba:3.6.1
  • Samba 3.6.0
    cpe:2.3:a:samba:samba:3.6.0
  • Samba 3.5.9
    cpe:2.3:a:samba:samba:3.5.9
  • Samba 3.5.8
    cpe:2.3:a:samba:samba:3.5.8
  • Samba 3.5.7
    cpe:2.3:a:samba:samba:3.5.7
  • Samba 3.5.6
    cpe:2.3:a:samba:samba:3.5.6
  • Samba 3.5.5
    cpe:2.3:a:samba:samba:3.5.5
  • Samba 3.5.4
    cpe:2.3:a:samba:samba:3.5.4
  • Samba 3.5.3
    cpe:2.3:a:samba:samba:3.5.3
  • Samba 3.5.22
    cpe:2.3:a:samba:samba:3.5.22
  • Samba 3.5.21
    cpe:2.3:a:samba:samba:3.5.21
  • Samba 3.5.20
    cpe:2.3:a:samba:samba:3.5.20
  • Samba 3.5.2
    cpe:2.3:a:samba:samba:3.5.2
  • Samba 3.5.19
    cpe:2.3:a:samba:samba:3.5.19
  • Samba 3.5.18
    cpe:2.3:a:samba:samba:3.5.18
  • Samba 3.5.17
    cpe:2.3:a:samba:samba:3.5.17
  • Samba 3.5.16
    cpe:2.3:a:samba:samba:3.5.16
  • Samba 3.5.15
    cpe:2.3:a:samba:samba:3.5.15
  • Samba 3.5.14
    cpe:2.3:a:samba:samba:3.5.14
  • Samba 3.5.13
    cpe:2.3:a:samba:samba:3.5.13
  • Samba 3.5.12
    cpe:2.3:a:samba:samba:3.5.12
  • Samba 3.5.11
    cpe:2.3:a:samba:samba:3.5.11
  • Samba 3.5.10
    cpe:2.3:a:samba:samba:3.5.10
  • Samba 3.5.1
    cpe:2.3:a:samba:samba:3.5.1
  • Samba 3.5.0
    cpe:2.3:a:samba:samba:3.5.0
  • Samba 3.4.9
    cpe:2.3:a:samba:samba:3.4.9
  • Samba 3.4.8
    cpe:2.3:a:samba:samba:3.4.8
  • Samba 3.4.7
    cpe:2.3:a:samba:samba:3.4.7
  • Samba 3.4.6
    cpe:2.3:a:samba:samba:3.4.6
  • Samba 3.4.5
    cpe:2.3:a:samba:samba:3.4.5
  • Samba 3.4.4
    cpe:2.3:a:samba:samba:3.4.4
  • Samba 3.4.3
    cpe:2.3:a:samba:samba:3.4.3
  • Samba 3.4.2
    cpe:2.3:a:samba:samba:3.4.2
  • Samba 3.4.17
    cpe:2.3:a:samba:samba:3.4.17
  • Samba 3.4.16
    cpe:2.3:a:samba:samba:3.4.16
  • Samba 3.4.15
    cpe:2.3:a:samba:samba:3.4.15
  • Samba 3.4.14
    cpe:2.3:a:samba:samba:3.4.14
  • Samba 3.4.13
    cpe:2.3:a:samba:samba:3.4.13
  • Samba 3.4.12
    cpe:2.3:a:samba:samba:3.4.12
  • Samba 3.4.11
    cpe:2.3:a:samba:samba:3.4.11
  • Samba 3.4.10
    cpe:2.3:a:samba:samba:3.4.10
  • Samba 3.4.1
    cpe:2.3:a:samba:samba:3.4.1
  • Samba 3.4.0
    cpe:2.3:a:samba:samba:3.4.0
  • Samba 3.3.9
    cpe:2.3:a:samba:samba:3.3.9
  • Samba 3.3.8
    cpe:2.3:a:samba:samba:3.3.8
  • Samba 3.3.7
    cpe:2.3:a:samba:samba:3.3.7
  • Samba 3.3.6
    cpe:2.3:a:samba:samba:3.3.6
  • Samba 3.3.5
    cpe:2.3:a:samba:samba:3.3.5
  • Samba 3.3.4
    cpe:2.3:a:samba:samba:3.3.4
  • Samba 3.3.3
    cpe:2.3:a:samba:samba:3.3.3
  • Samba 3.3.2
    cpe:2.3:a:samba:samba:3.3.2
  • Samba 3.3.16
    cpe:2.3:a:samba:samba:3.3.16
  • Samba 3.3.15
    cpe:2.3:a:samba:samba:3.3.15
  • Samba 3.3.14
    cpe:2.3:a:samba:samba:3.3.14
  • Samba 3.3.13
    cpe:2.3:a:samba:samba:3.3.13
  • Samba 3.3.12
    cpe:2.3:a:samba:samba:3.3.12
  • Samba 3.3.11
    cpe:2.3:a:samba:samba:3.3.11
  • Samba 3.3.10
    cpe:2.3:a:samba:samba:3.3.10
  • Samba 3.3.1
    cpe:2.3:a:samba:samba:3.3.1
  • Samba 3.3.0
    cpe:2.3:a:samba:samba:3.3.0
  • Samba 3.2.9
    cpe:2.3:a:samba:samba:3.2.9
  • Samba 3.2.8
    cpe:2.3:a:samba:samba:3.2.8
  • Samba 3.2.7
    cpe:2.3:a:samba:samba:3.2.7
  • Samba 3.2.6
    cpe:2.3:a:samba:samba:3.2.6
  • Samba 3.2.5
    cpe:2.3:a:samba:samba:3.2.5
  • Samba 3.2.4
    cpe:2.3:a:samba:samba:3.2.4
  • Samba 3.2.3
    cpe:2.3:a:samba:samba:3.2.3
  • Samba 3.2.2
    cpe:2.3:a:samba:samba:3.2.2
  • Samba 3.2.15
    cpe:2.3:a:samba:samba:3.2.15
  • Samba 3.2.14
    cpe:2.3:a:samba:samba:3.2.14
  • Samba 3.2.13
    cpe:2.3:a:samba:samba:3.2.13
  • Samba 3.2.12
    cpe:2.3:a:samba:samba:3.2.12
  • Samba 3.2.11
    cpe:2.3:a:samba:samba:3.2.11
  • Samba 3.2.10
    cpe:2.3:a:samba:samba:3.2.10
  • Samba 3.2.1
    cpe:2.3:a:samba:samba:3.2.1
  • Samba 3.2.0
    cpe:2.3:a:samba:samba:3.2.0
  • Samba 3.0.9
    cpe:2.3:a:samba:samba:3.0.9
  • Samba 3.0.8
    cpe:2.3:a:samba:samba:3.0.8
  • Samba 3.0.7
    cpe:2.3:a:samba:samba:3.0.7
  • Samba 3.0.6
    cpe:2.3:a:samba:samba:3.0.6
  • Samba 3.0.5
    cpe:2.3:a:samba:samba:3.0.5
  • Samba 3.0.4 release candidate 1
    cpe:2.3:a:samba:samba:3.0.4:rc1
  • Samba 3.0.4
    cpe:2.3:a:samba:samba:3.0.4
  • Samba 3.0.37
    cpe:2.3:a:samba:samba:3.0.37
  • Samba 3.0.36
    cpe:2.3:a:samba:samba:3.0.36
  • Samba 3.0.35
    cpe:2.3:a:samba:samba:3.0.35
  • Samba 3.0.34
    cpe:2.3:a:samba:samba:3.0.34
  • Samba 3.0.33
    cpe:2.3:a:samba:samba:3.0.33
  • Samba 3.0.32
    cpe:2.3:a:samba:samba:3.0.32
  • Samba 3.0.31
    cpe:2.3:a:samba:samba:3.0.31
  • Samba 3.0.30
    cpe:2.3:a:samba:samba:3.0.30
  • Samba 3.0.3
    cpe:2.3:a:samba:samba:3.0.3
  • Samba 3.0.2a
    cpe:2.3:a:samba:samba:3.0.2a
  • Samba 3.0.29
    cpe:2.3:a:samba:samba:3.0.29
  • Samba 3.0.28a
    cpe:2.3:a:samba:samba:3.0.28:a
  • Samba 3.0.28
    cpe:2.3:a:samba:samba:3.0.28
  • Samba 3.0.27a
    cpe:2.3:a:samba:samba:3.0.27:a
  • Samba 3.0.27
    cpe:2.3:a:samba:samba:3.0.27
  • Samba 3.0.26a
    cpe:2.3:a:samba:samba:3.0.26a
  • Samba 3.0.26a
    cpe:2.3:a:samba:samba:3.0.26:a
  • Samba 3.0.26
    cpe:2.3:a:samba:samba:3.0.26
  • Samba 3.0.25c
    cpe:2.3:a:samba:samba:3.0.25c
  • Samba 3.0.25b
    cpe:2.3:a:samba:samba:3.0.25b
  • Samba 3.0.25a
    cpe:2.3:a:samba:samba:3.0.25a
  • Samba 3.0.25 release candidate 3
    cpe:2.3:a:samba:samba:3.0.25:rc3
  • Samba 3.0.25 release candiate 2
    cpe:2.3:a:samba:samba:3.0.25:rc2
  • Samba 3.0.25 release candidate 1
    cpe:2.3:a:samba:samba:3.0.25:rc1
  • Samba 3.0.25 pre2
    cpe:2.3:a:samba:samba:3.0.25:pre2
  • Samba 3.0.25 pre1
    cpe:2.3:a:samba:samba:3.0.25:pre1
  • Samba 3.0.25c
    cpe:2.3:a:samba:samba:3.0.25:c
  • Samba 3.0.25b
    cpe:2.3:a:samba:samba:3.0.25:b
  • Samba 3.0.25a
    cpe:2.3:a:samba:samba:3.0.25:a
  • Samba 3.0.25
    cpe:2.3:a:samba:samba:3.0.25
  • Samba 3.0.24
    cpe:2.3:a:samba:samba:3.0.24
  • Samba 3.0.23d
    cpe:2.3:a:samba:samba:3.0.23d
  • Samba 3.0.23c
    cpe:2.3:a:samba:samba:3.0.23c
  • Samba 3.0.23b
    cpe:2.3:a:samba:samba:3.0.23b
  • Samba 3.0.23a
    cpe:2.3:a:samba:samba:3.0.23a
  • Samba 3.0.23d
    cpe:2.3:a:samba:samba:3.0.23:d
  • Samba 3.0.23c
    cpe:2.3:a:samba:samba:3.0.23:c
  • Samba 3.0.23b
    cpe:2.3:a:samba:samba:3.0.23:b
  • Samba 3.0.23a
    cpe:2.3:a:samba:samba:3.0.23:a
  • Samba 3.0.23
    cpe:2.3:a:samba:samba:3.0.23
  • Samba 3.0.22
    cpe:2.3:a:samba:samba:3.0.22
  • Samba 3.0.21c
    cpe:2.3:a:samba:samba:3.0.21c
  • Samba 3.0.21b
    cpe:2.3:a:samba:samba:3.0.21b
  • Samba 3.0.21a
    cpe:2.3:a:samba:samba:3.0.21a
  • Samba 3.0.21c
    cpe:2.3:a:samba:samba:3.0.21:c
  • Samba 3.0.21b
    cpe:2.3:a:samba:samba:3.0.21:b
  • Samba 3.0.21a
    cpe:2.3:a:samba:samba:3.0.21:a
  • Samba 3.0.21
    cpe:2.3:a:samba:samba:3.0.21
  • Samba 3.0.20b
    cpe:2.3:a:samba:samba:3.0.20b
  • Samba 3.0.20a
    cpe:2.3:a:samba:samba:3.0.20a
  • Samba 3.0.20b
    cpe:2.3:a:samba:samba:3.0.20:b
  • Samba 3.0.20a
    cpe:2.3:a:samba:samba:3.0.20:a
  • Samba 3.0.20
    cpe:2.3:a:samba:samba:3.0.20
  • Samba 3.0.2a
    cpe:2.3:a:samba:samba:3.0.2:a
  • Samba 3.0.2
    cpe:2.3:a:samba:samba:3.0.2
  • Samba 3.0.19
    cpe:2.3:a:samba:samba:3.0.19
  • Samba 3.0.18
    cpe:2.3:a:samba:samba:3.0.18
  • Samba 3.0.17
    cpe:2.3:a:samba:samba:3.0.17
  • Samba 3.0.16
    cpe:2.3:a:samba:samba:3.0.16
  • Samba 3.0.15
    cpe:2.3:a:samba:samba:3.0.15
  • Samba 3.0.14a
    cpe:2.3:a:samba:samba:3.0.14a
  • Samba 3.0.14a
    cpe:2.3:a:samba:samba:3.0.14:a
  • Samba 3.0.14
    cpe:2.3:a:samba:samba:3.0.14
  • Samba 3.0.13
    cpe:2.3:a:samba:samba:3.0.13
  • Samba 3.0.12
    cpe:2.3:a:samba:samba:3.0.12
  • Samba 3.0.11
    cpe:2.3:a:samba:samba:3.0.11
  • Samba 3.0.10
    cpe:2.3:a:samba:samba:3.0.10
  • Samba 3.0.1
    cpe:2.3:a:samba:samba:3.0.1
  • Samba 3.0.0
    cpe:2.3:a:samba:samba:3.0.0
  • Canonical Ubuntu Linux 15.10
    cpe:2.3:o:canonical:ubuntu_linux:15.10
  • Canonical Ubuntu Linux 16.04 LTS (Long-Term Support)
    cpe:2.3:o:canonical:ubuntu_linux:16.04:-:-:-:lts
  • Canonical Ubuntu Linux 14.04 LTS (Long-Term Support)
    cpe:2.3:o:canonical:ubuntu_linux:14.04:-:-:-:lts
CVSS
Base: 4.3 (as of 24-08-2016 - 11:04)
Impact:
Exploitability:
CWE CWE-254
CAPEC
Access
VectorComplexityAuthentication
ADJACENT_NETWORK MEDIUM NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL NONE
nessus via4
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2016-383FCE04E2.NASL
    description Security fix for CVE-2015-5370, CVE-2016-2110, CVE-2016-2111, CVE-2016-2112, CVE-2016-2113, CVE-2016-2114, CVE-2016-2115, CVE-2016-2118 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-09-02
    modified 2016-12-05
    plugin id 90646
    published 2016-04-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90646
    title Fedora 24 : samba-4.4.2-1.fc24 (2016-383fce04e2) (Badlock)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2016-BE53260726.NASL
    description Security fix for CVE-2015-5370, CVE-2016-2110, CVE-2016-2111, CVE-2016-2112, CVE-2016-2113, CVE-2016-2114, CVE-2016-2115, CVE-2016-2118 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-09-01
    modified 2016-12-05
    plugin id 90519
    published 2016-04-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90519
    title Fedora 23 : samba-4.3.8-0.fc23 (2016-be53260726) (Badlock)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20160412_SAMBA3X_ON_SL5_X.NASL
    description Security Fix(es) : - Multiple flaws were found in Samba's DCE/RPC protocol implementation. A remote, authenticated attacker could use these flaws to cause a denial of service against the Samba server (high CPU load or a crash) or, possibly, execute arbitrary code with the permissions of the user running Samba (root). This flaw could also be used to downgrade a secure DCE/RPC connection by a man-in-the-middle attacker taking control of an Active Directory (AD) object and compromising the security of a Samba Active Directory Domain Controller (DC). (CVE-2015-5370) Note: While Samba packages as shipped in Scientific Linux do not support running Samba as an AD DC, this flaw applies to all roles Samba implements. - A protocol flaw, publicly referred to as Badlock, was found in the Security Account Manager Remote Protocol (MS-SAMR) and the Local Security Authority (Domain Policy) Remote Protocol (MS-LSAD). Any authenticated DCE/RPC connection that a client initiates against a server could be used by a man-in-the-middle attacker to impersonate the authenticated user against the SAMR or LSA service on the server. As a result, the attacker would be able to get read/write access to the Security Account Manager database, and use this to reveal all passwords or any other potentially sensitive information in that database. (CVE-2016-2118) - Several flaws were found in Samba's implementation of NTLMSSP authentication. An unauthenticated, man-in-the-middle attacker could use this flaw to clear the encryption and integrity flags of a connection, causing data to be transmitted in plain text. The attacker could also force the client or server into sending data in plain text even if encryption was explicitly requested for that connection. (CVE-2016-2110) - It was discovered that Samba configured as a Domain Controller would establish a secure communication channel with a machine using a spoofed computer name. A remote attacker able to observe network traffic could use this flaw to obtain session-related information about the spoofed machine. (CVE-2016-2111) - It was found that Samba's LDAP implementation did not enforce integrity protection for LDAP connections. A man-in-the-middle attacker could use this flaw to downgrade LDAP connections to use no integrity protection, allowing them to hijack such connections. (CVE-2016-2112) - It was found that Samba did not enable integrity protection for IPC traffic by default. A man-in-the-middle attacker could use this flaw to view and modify the data sent between a Samba server and a client. (CVE-2016-2115)
    last seen 2018-09-01
    modified 2016-10-19
    plugin id 90501
    published 2016-04-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90501
    title Scientific Linux Security Update : samba3x on SL5.x i386/x86_64 (Badlock)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2016-490.NASL
    description This update fixes these security vulnerabilities : - CVE-2015-5370: DCERPC server and client were vulnerable to DOS and MITM attacks (bsc#936862). - CVE-2016-2110: A man-in-the-middle could have downgraded NTLMSSP authentication (bsc#973031). - CVE-2016-2111: Domain controller netlogon member computer could have been spoofed (bsc#973032). - CVE-2016-2112: LDAP conenctions were vulnerable to downgrade and MITM attack (bsc#973033). - CVE-2016-2113: TLS certificate validation were missing (bsc#973034). - CVE-2016-2114: 'server signing = mandatory' not enforced (bsc#973035). - CVE-2016-2115: Named pipe IPC were vulnerable to MITM attacks (bsc#973036). - CVE-2016-2118: 'Badlock' DCERPC impersonation of authenticated account were possible (bsc#971965). The openSUSE 13.1 update also upgrades to samba 4.2.4 as 4.1.x versions are no longer supported by upstream. As a side effect, libpdb0 package was replaced by libsamba-passdb0.
    last seen 2018-09-01
    modified 2016-12-07
    plugin id 90609
    published 2016-04-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90609
    title openSUSE Security Update : samba (openSUSE-2016-490) (Badlock)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2016-462.NASL
    description samba was updated to version 4.2.4 to fix 14 security issues. These security issues were fixed : - CVE-2015-5370: DCERPC server and client were vulnerable to DOS and MITM attacks (bsc#936862). - CVE-2016-2110: A man-in-the-middle could have downgraded NTLMSSP authentication (bsc#973031). - CVE-2016-2111: Domain controller netlogon member computer could have been spoofed (bsc#973032). - CVE-2016-2112: LDAP conenctions were vulnerable to downgrade and MITM attack (bsc#973033). - CVE-2016-2113: TLS certificate validation were missing (bsc#973034). - CVE-2016-2115: Named pipe IPC were vulnerable to MITM attacks (bsc#973036). - CVE-2016-2118: 'Badlock' DCERPC impersonation of authenticated account were possible (bsc#971965). - CVE-2015-3223: Malicious request can cause Samba LDAP server to hang, spinning using CPU (boo#958581). - CVE-2015-5330: Remote read memory exploit in LDB (boo#958586). - CVE-2015-5252: Insufficient symlink verification (file access outside the share)(boo#958582). - CVE-2015-5296: No man in the middle protection when forcing smb encryption on the client side (boo#958584). - CVE-2015-5299: Currently the snapshot browsing is not secure thru windows previous version (shadow_copy2) (boo#958583). - CVE-2015-8467: Fix Microsoft MS15-096 to prevent machine accounts from being changed into user accounts (boo#958585). - CVE-2015-7560: Getting and setting Windows ACLs on symlinks can change permissions on link target (boo#968222). These non-security issues were fixed : - Fix samba.tests.messaging test and prevent potential tdb corruption by removing obsolete now invalid tdb_close call; (boo#974629). - Align fsrvp feature sources with upstream version. - Obsolete libsmbsharemodes0 from samba-libs and libsmbsharemodes-devel from samba-core-devel; (boo#973832). - s3:utils/smbget: Fix recursive download; (bso#6482). - s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystem with no ACL support; (bso#10489). - docs: Add example for domain logins to smbspool man page; (bso#11643). - s3-client: Add a KRB5 wrapper for smbspool; (bso#11690). - loadparm: Fix memory leak issue; (bso#11708). - lib/tsocket: Work around sockets not supporting FIONREAD; (bso#11714). - ctdb-scripts: Drop use of 'smbcontrol winbindd ip-dropped ...'; (bso#11719). - s3:smbd:open: Skip redundant call to file_set_dosmode when creating a new file; (bso#11727). - param: Fix str_list_v3 to accept ';' again; (bso#11732). - Real memeory leak(buildup) issue in loadparm; (bso#11740). - Obsolete libsmbclient from libsmbclient0 and libpdb-devel from libsamba-passdb-devel while not providing it; (boo#972197). - Upgrade on-disk FSRVP server state to new version; (boo#924519). - Only obsolete but do not provide gplv2/3 package names; (boo#968973). - Enable clustering (CTDB) support; (boo#966271). - s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703); (boo#964023). - vfs_fruit: Fix renaming directories with open files; (bso#11065). - Fix MacOS finder error 36 when copying folder to Samba; (bso#11347). - s3:smbd/oplock: Obey kernel oplock setting when releasing oplocks; (bso#11400). - Fix copying files with vfs_fruit when using vfs_streams_xattr without stream prefix and type suffix; (bso#11466). - s3:libsmb: Correctly initialize the list head when keeping a list of primary followed by DFS connections; (bso#11624). - Reduce the memory footprint of empty string options; (bso#11625). - lib/async_req: Do not install async_connect_send_test; (bso#11639). - docs: Fix typos in man vfs_gpfs; (bso#11641). - smbd: make 'hide dot files' option work with 'store dos attributes = yes'; (bso#11645). - smbcacls: Fix uninitialized variable; (bso#11682). - s3:smbd: Ignore initial allocation size for directory creation; (bso#11684). - Changing log level of two entries to from 1 to 3; (bso#9912). - vfs_gpfs: Re-enable share modes; (bso#11243). - wafsamba: Also build libraries with RELRO protection; (bso#11346). - ctdb: Strip trailing spaces from nodes file; (bso#11365). - s3-smbd: Fix old DOS client doing wildcard delete - gives a attribute type of zero; (bso#11452). - nss_wins: Do not run into use after free issues when we access memory allocated on the globals and the global being reinitialized; (bso#11563). - async_req: Fix non-blocking connect(); (bso#11564). - auth: gensec: Fix a memory leak; (bso#11565). - lib: util: Make non-critical message a warning; (bso#11566). - Fix winbindd crashes with samlogon for trusted domain user; (bso#11569); (boo#949022). - smbd: Send SMB2 oplock breaks unencrypted; (bso#11570). - ctdb: Open the RO tracking db with perms 0600 instead of 0000; (bso#11577). - manpage: Correct small typo error; (bso#11584). - s3: smbd: If EA's are turned off on a share don't allow an SMB2 create containing them; (bso#11589). - Backport some valgrind fixes from upstream master; (bso#11597). - s3: smbd: have_file_open_below() fails to enumerate open files below an open directory handle; (bso#11615). - docs: Fix some typos in the idmap config section of man 5 smb.conf; (bso#11619). - Remove redundant configure options while adding with-relro. - s3: smbd: Fix our access-based enumeration on 'hide unreadable' to match Windows; (bso#10252). - smbd: Fix file name buflen and padding in notify repsonse; (bso#10634). - kerberos: Make sure we only use prompter type when available; (bso#11038). - s3:ctdbd_conn: Make sure we destroy tevent_fd before closing the socket; (bso#11316). - dcerpc.idl: accept invalid dcerpc_bind_nak pdus; (bso#11327). - Fix a deadlock in tdb; (bso#11381). - s3: smbd: Fix mkdir race condition; (bso#11486). - pam_winbind: Fix a segfault if initialization fails; (bso#11502). - s3: dfs: Fix a crash when the dfs targets are disabled; (bso#11509). - s3: smbd: Fix opening/creating :stream files on the root share directory; (bso#11522). - net: Fix a crash with 'net ads keytab create'; (bso#11528). - s3: smbd: Fix a crash in unix_convert() and a NULL pointer bug introduced by previous 'raw' stream fix (bso#11522); (bso#11535). - vfs_fruit: Return value of ad_pack in vfs_fruit.c; (bso#11543). - vfs_commit: Set the fd on open before calling SMB_VFS_FSTAT; (bso#11547). - Fix bug in smbstatus where the lease info is not printed; (bso#11549). - s3:smbstatus: Add stream name to share_entry_forall(); (bso#11550). - Relocate the tmpfiles.d directory to the client package; (boo#947552). - Do not provide libpdb0 from libsamba-passdb0 but add it to baselibs.conf instead; (boo#942716). - Package /var/lib/samba/private/sock with 0700 permissions; (boo#946051). - auth/credentials: If credentials have principal set, they are not anonymous anymore; (bso#11265). - Fix stream names with colon with 'fruit:encoding = native'; (bso#11278). - s4:rpc_server/netlogon: Fix for NetApp; (bso#11291). - lib: Fix rundown of open_socket_out(); (bso#11316). - s3:lib: Fix some corner cases of open_socket_out_cleanup(); (bso#11316). - vfs:fruit: Implement copyfile style copy_chunk; (bso#11317). - ctdb-daemon: Return correct sequence number for CONTROL_GET_DB_SEQNUM; (bso#11398). - ctdb-scripts: Support monitoring of interestingly named VLANs on bonds; (bso#11399). - ctdb-daemon: Improve error handling for running event scripts; (bso#11431). - ctdb-daemon: Check if updates are in flight when releasing all IPs; (bso#11432). - ctdb-build: Fix building of PCP PMDA module; (bso#11435). - Backport dcesrv_netr_DsRGetDCNameEx2 fixes; (bso#11454). - vfs_fruit: Handling of empty resource fork; (bso#11467). - Avoid quoting problems in user's DNs; (bso#11488). - s3-auth: Fix 'map to guest = Bad uid'; (bso#9862). - s4:lib/tls: Fix build with gnutls 3.4; (bso#8780). - s4.2/fsmo.py: Fixed fsmo transfer exception; (bso#10924). - winbindd: Sync secrets.ldb into secrets.tdb on startup; (bso#10991). - Logon via MS Remote Desktop hangs; (bso#11061). - s3: lib: util: Ensure we read a hex number as %x, not %u; (bso#11068). - tevent: Add a note to tevent_add_fd(); (bso#11141). - s3:param/loadparm: Fix 'testparm --show-all-parameters'; (bso#11170). - s3-unix_msg: Remove socket file after closing socket fd; (bso#11217). - smbd: Fix a use-after-free; (bso#11218); (boo#919309). - s3-rpc_server: Fix rpc_create_tcpip_sockets() processing of interfaces; (bso#11245). - s3:smb2: Add padding to last command in compound requests; (bso#11277). - Add IPv6 support to ADS client side LDAP connects; (bso#11281). - Add IPv6 support for determining FQDN during ADS join; (bso#11282). - s3: IPv6 enabled DNS connections for ADS client; (bso#11283). - Fix invalid write in ctdb_lock_context_destructor; (bso#11293). - Excessive cli_resolve_path() usage can slow down transmission; (bso#11295). - vfs_fruit: Add option 'veto_appledouble'; (bso#11305). - tstream: Make socketpair nonblocking; (bso#11312). - idmap_rfc2307: Fix wbinfo '--gid-to-sid' query; (bso#11313). - Group creation: Add msSFU30Name only when --nis-domain was given; (bso#11315). - tevent_fd needs to be destroyed before closing the fd; (bso#11316). - Build fails on Solaris 11 with '‘PTHREAD_MUTEX_ROBUST’ undeclared'; (bso#11319). - smbd/trans2: Add a useful diagnostic for files with bad encoding; (bso#11323). - Change sharesec output back to previous format; (bso#11324). - Robust mutex support broken in 1.3.5; (bso#11326). - Kerberos auth info3 should contain resource group ids available from pac_logon; winbindd: winbindd_raw_kerberos_login - ensure logon_info exists in PAC; (bso#11328); (boo#912457). - s3:smb2_setinfo: Fix memory leak in the defer_rename case; (bso#11329). - tevent: Fix CID 1035381 Unchecked return value; (bso#11330). - tdb: Fix CID 1034842 and 1034841 Resource leaks; (bso#11331). - s3: smbd: Use separate flag to track become_root()/unbecome_root() state; (bso#11339). - s3: smbd: Codenomicon crash in do_smb_load_module(); (bso#11342). - pidl: Make the compilation of PIDL producing the same results if the content hasn't change; (bso#11356). - winbindd: Disconnect child process if request is cancelled at main process; (bso#11358). - vfs_fruit: Check offset and length for AFP_AfpInfo read requests; (bso#11363). - docs: Overhaul the description of 'smb encrypt' to include SMB3 encryption; (bso#11366). - s3:auth_domain: Fix talloc problem in connect_to_domain_password_server(); (bso#11367). - ncacn_http: Fix GNUism; (bso#11371). - Backport changes to use resource group sids obtained from pac logon_info; (bso#11328); (boo#912457). - Order winbind.service Before and Want nss-user-lookup target. - s3:smbXsrv: refactor duplicate code into smbXsrv_session_clear_and_logoff(); (bso#11182). - gencache: don't fail gencache_stabilize if there were records to delete; (bso#11260). - s3: libsmbclient: After getting attribute server, ensure main srv pointer is still valid; (bso#11186). - s4: rpc: Refactor dcesrv_alter() function into setup and send steps; (bso#11236). - s3: smbd: Incorrect file size returned in the response of 'FILE_SUPERSEDE Create'; (bso#11240). - Mangled names do not work with acl_xattr; (bso#11249). - nmbd rewrites browse.dat when not required; (bso#11254). - vfs_fruit: add option 'nfs_aces' that controls the NFS ACEs stuff; (bso#11213). - s3:smbd: Add missing tevent_req_nterror; (bso#11224). - vfs: kernel_flock and named streams; (bso#11243). - vfs_gpfs: Error code path doesn't call END_PROFILE; (bso#11244). - s4: libcli/finddcs_cldap: continue processing CLDAP until all addresses are used; (bso#11284). - ctdb: check for talloc_asprintf() failure; (bso#11201). - spoolss: purge the printer name cache on name change; (bso#11210); (boo#901813). - CTDB statd-callout does not scale; (bso#11204). - vfs_fruit: also map characters below 0x20; (bso#11221). - ctdb: Coverity fix for CID 1291643; (bso#11201). - Multiplexed RPC connections are not handled by DCERPC server; (bso#11225). - Fix terminate connection behavior for asynchronous endpoint with PUSH notification flavors; (bso#11226). - ctdb-scripts: Fix bashism in ctdbd_wrapper script; (bso#11007). - ctdb: Fix CIDs 1125615, 1125634, 1125613, 1288201 and 1125553; (bso#11201). - SMB2 should cancel pending NOTIFY calls with DELETE_PENDING if the directory is deleted; (bso#11257). - s3:winbindd: make sure we remove pending io requests before closing client - 'sharesec' output no longer matches input format; (bso#11237). - waf: Fix systemd detection; (bso#11200). - CTDB: Fix portability issues; (bso#11202). - CTDB: Fix some IPv6-related issues; (bso#11203). - CTDB statd-callout does not scale; (bso#11204). - 'net ads dns gethostbyname' crashes with an error in TALLOC_FREE if you enter invalid values; (bso#11234). - libads: record service ticket endtime for sealed ldap connections; - lib/util: Include DEBUG macro in internal header files before samba_util.h; (bso#11033). - Initialize dwFlags field of DNS_RPC_NODE structure; (bso#9791). - s3: lib: ntlmssp: If NTLMSSP_NEGOTIATE_TARGET_INFO isn't set, cope with servers that don't send the 2 unused fields; (bso#10016). - build:wafadmin: Fix use of spaces instead of tabs; (bso#10476). - waf: Fix the build on openbsd; (bso#10476). - s3: client: 'client use spnego principal = yes' code checks wrong name; - spoolss: Retrieve published printer GUID if not in registry; (bso#11018). - vfs_fruit: Enhance handling of malformed AppleDouble files; (bso#11125). - backupkey: Explicitly link to gnutls and gcrypt; (bso#11135). - replace: Remove superfluous check for gcrypt header; (bso#11135). - Backport subunit changes; (bso#11137). - libcli/auth: Match Declaration of netlogon_creds_cli_context_tmp with implementation; (bso#11140). - s3-winbind: Fix cached user group lookup of trusted domains; (bso#11143). - talloc: Version 2.1.2; (bso#11144). - Update libwbclient version to 0.12; (bso#11149). - brlock: Use 0 instead of empty initializer list; (bso#11153). - s4:auth/gensec_gssapi: Let gensec_gssapi_update() return - backupkey: Use ndr_pull_struct_blob_all(); (bso#11174). - Fix lots of winbindd zombie processes on Solaris platform; (bso#11175). - Prevent samba package updates from disabling samba kerberos printing. - Add sparse file support for samba; (fate#318424). - Simplify libxslt build requirement and README.SUSE install. - Remove no longer required cleanup steps while populating the build root. - smbd: Stop using vfs_Chdir after SMB_VFS_DISCONNECT; (bso#1115). - pam_winbind: fix warn_pwd_expire implementation; (bso#9056). - nsswitch: Fix soname of linux nss_*.so.2 modules; (bso#9299). - Make 'profiles' work again; (bso#9629). - s3:smb2_server: protect against integer wrap with 'smb2 max credits = 65535'; (bso#9702). - Make validate_ldb of String(Generalized-Time) accept millisecond format '.000Z'; (bso#9810). - Use -R linker flag on Solaris, not -rpath; (bso#10112). - vfs: Add glusterfs manpage; (bso#10240). - Make 'smbclient' use cached creds; (bso#10279). - pdb: Fix build issues with shared modules; (bso#10355). - s4-dns: Add support for BIND 9.10; (bso#10620). - idmap: Return the correct id type to *id_to_sid methods; (bso#10720). - printing/cups: Pack requested-attributes with IPP_TAG_KEYWORD; (bso#10808). - Don't build vfs_snapper on FreeBSD; (bso#10834). - nss_winbind: Add getgroupmembership for FreeBSD; (bso#10835). - idmap_rfc2307: Fix a crash after connection problem to DC; (bso#10837). - s3: smb2cli: query info return length check was reversed; (bso#10848). - s3: lib, s3: modules: Fix compilation on Solaris; (bso#10849). - lib: uid_wrapper: Fix setgroups and syscall detection on a system without native uid_wrapper library; (bso#10851). - winbind3: Fix pwent variable substitution; (bso#10852). - Improve samba-regedit; (bso#10859). - registry: Don't leave dangling transactions; (bso#10860). - Fix build of socket_wrapper on systems without SO_PROTOCOL; (bso#10861). - build: Do not install 'texpect' binary anymore; (bso#10862). - Fix testparm to show hidden share defaults; (bso#10864). - libcli/smb: Fix smb2cli_validate_negotiate_info with min=PROTOCOL_NT1 max=PROTOCOL_SMB2_02; (bso#10866). - Integrate CTDB into top-level Samba build; (bso#10892). - samba-tool group add: Add option '--nis-domain' and '--gid'; (bso#10895). - s3-nmbd: Fix netbios name truncation; (bso#10896). - spoolss: Fix handling of bad EnumJobs levels; (bso#10898). - Fix smbclient loops doing a directory listing against Mac OS X 10 server with a non-wildcard path; (bso#10904). - Fix print job enumeration; (bso#10905); (boo#898031). - samba-tool: Create NIS enabled users and unixHomeDirectory attribute; (bso#10909). - Add support for SMB2 leases; (bso#10911). - btrfs: Don't leak opened directory handle; (bso#10918). - s3: nmbd: Ensure NetBIOS names are only 15 characters stored; (bso#10920). - s3:smbd: Fix file corruption using 'write cache size != 0'; (bso#10921). - pdb_tdb: Fix a TALLOC/SAFE_FREE mixup; (bso#10932). - s3-keytab: fix keytab array NULL termination; (bso#10933). - s3:passdb: fix logic in pdb_set_pw_history(); (bso#10940). - Cleanup add_string_to_array and usage; (bso#10942). - dbwrap_ctdb: Pass on mutex flags to tdb_open; (bso#10942). - Fix RootDSE search with extended dn control; (bso#10949). - Fix 'samba-tool dns serverinfo ' for IPv6; (bso#10952). - libcli/smb: only force signing of smb2 session setups when binding a new session; (bso#10958). - s3-smbclient: Return success if we listed the shares; (bso#10960). - s3-smbstatus: Fix exit code of profile output; (bso#10961). - socket_wrapper: Add missing prototype check for eventfd; (bso#10965). - libcli: SMB2: Pure SMB2-only negprot fix to make us behave as a Windows client does; (bso#10966). - vfs_streams_xattr: Check stream type; (bso#10971). - s3: smbd: Fix *allocate* calls to follow POSIX error return convention; (bso#10982). - vfs_fruit: Add support for AAPL; (bso#10983). - Fix spoolss IDL response marshalling when returning error without clearing info; (bso#10984). - dsdb-samldb: Check for extended access rights before we allow changes to userAccountControl; (bso#10993); CVE-2014-8143; (boo#914279). - Fix IPv6 support in CTDB; (bso#10996). - ctdb-daemon: Use correct tdb flags when enabling robust mutex support; (bso#11000). - vfs_streams_xattr: Add missing call to SMB_VFS_NEXT_CONNECT; (bso#11005). - s3-util: Fix authentication with long hostnames; (bso#11008). - ctdb-build: Fix build without xsltproc; (bso#11014). - packaging: Include CTDB man pages in the tarball; (bso#11014). - pdb_get_trusteddom_pw() fails with non valid UTF16 random passwords; (bso#11016). - Make Sharepoint search show user documents; (bso#11022). - nss_wrapper: check for nss.h; (bso#11026). - Enable mutexes in gencache_notrans.tdb; (bso#11032). - tdb_wrap: Make mutexes easier to use; (bso#11032). - lib/util: Avoid collision which alread defined consumer DEBUG macro; (bso#11033). - winbind: Retry after SESSION_EXPIRED error in ping-dc; (bso#11034). - s3-libads: Fix a possible segfault in kerberos_fetch_pac(); (bso#11037). - vfs_fruit: Fix base_fsp name conversion; (bso#11039). - vfs_fruit: mmap under FreeBSD needs PROT_READ; (bso#11040). - Fix authentication using Kerberos (not AD); (bso#11044). - net: Fix sam addgroupmem; (bso#11051). - vfs_snapper: Correctly handles multi-byte DBus strings; (bso#11055); (boo#913238). - cli_connect_nb_send: Don't segfault on host == NULL; (bso#11058). - utils: Fix 'net time' segfault; (bso#11058). - libsmb: Provide authinfo domain for encrypted session referrals; (bso#11059). - s3-pam_smbpass: Fix memory leak in pam_sm_authenticate(); (bso#11066). - vfs_glusterfs: Add comments to the pipe(2) code; (bso#11069). - vfs/glusterfs: Change xattr key to match gluster key; (bso#11069). - vfs_glusterfs: Implement AIO support; (bso#11069). - s3-vfs: Fix developer build of vfs_ceph module; (bso#11070). - s3: netlogon: Ensure we don't call talloc_free on an uninitialized pointer; (bso#11077); CVE-2015-0240; (boo#917376). - vfs: Add a brief vfs_ceph manpage; (bso#11088). - s3: smbclient: Allinfo leaves the file handle open; (bso#11094). - Fix Win8.1 Credentials Manager issue after KB2992611 on Samba domain; (bso#11097). - debug: Set close-on-exec for the main log file FD; (bso#11100). - s3: smbd: leases - losen paranoia check. Stat opens can grant leases; (bso#11102). - s3: smbd: SMB2 close. If a file has delete on close, store the return info before deleting; (bso#11104). - doc:man:vfs_glusterfs: improve the configuration section; (bso#11117). - snprintf: Try to support %j; (bso#11119). - ctdb-io: Do not use sys_write to write to client sockets; (bso#11124). - doc-xml: Add 'sharesec' reference to 'access based share enum'; (bso#11127). - Fix usage of freed memory on server exit; (bso#11218); (boo#919309). - Adjust baselibs.conf due to libpdb0 package rename to libsamba-passdb0. - Add libsamba-debug, libsocket-blocking, libsamba-cluster-support, and libhttp to the libs package; (boo#913547). - Rebase File Server Remote VSS Protocol (FSRVP) server against 4.2.0rc1; (fate#313346).
    last seen 2018-09-01
    modified 2016-12-07
    plugin id 90558
    published 2016-04-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90558
    title openSUSE Security Update : samba (openSUSE-2016-462) (Badlock)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20160412_SAMBA_ON_SL5_X.NASL
    description Security Fix(es) : - A protocol flaw, publicly referred to as Badlock, was found in the Security Account Manager Remote Protocol (MS-SAMR) and the Local Security Authority (Domain Policy) Remote Protocol (MS-LSAD). Any authenticated DCE/RPC connection that a client initiates against a server could be used by a man-in-the-middle attacker to impersonate the authenticated user against the SAMR or LSA service on the server. As a result, the attacker would be able to get read/write access to the Security Account Manager database, and use this to reveal all passwords or any other potentially sensitive information in that database. (CVE-2016-2118) - Several flaws were found in Samba's implementation of NTLMSSP authentication. An unauthenticated, man-in-the-middle attacker could use this flaw to clear the encryption and integrity flags of a connection, causing data to be transmitted in plain text. The attacker could also force the client or server into sending data in plain text even if encryption was explicitly requested for that connection. (CVE-2016-2110) - It was discovered that Samba configured as a Domain Controller would establish a secure communication channel with a machine using a spoofed computer name. A remote attacker able to observe network traffic could use this flaw to obtain session-related information about the spoofed machine. (CVE-2016-2111) - It was found that Samba's LDAP implementation did not enforce integrity protection for LDAP connections. A man-in-the-middle attacker could use this flaw to downgrade LDAP connections to use no integrity protection, allowing them to hijack such connections. (CVE-2016-2112) - It was found that Samba did not enable integrity protection for IPC traffic by default. A man-in-the-middle attacker could use this flaw to view and modify the data sent between a Samba server and a client. (CVE-2016-2115)
    last seen 2018-09-01
    modified 2016-10-19
    plugin id 90503
    published 2016-04-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90503
    title Scientific Linux Security Update : samba on SL5.x i386/x86_64 (Badlock)
  • NASL family Slackware Local Security Checks
    NASL id SLACKWARE_SSA_2016-106-02.NASL
    description New samba packages are available for Slackware 14.0, 14.1, and -current to fix security issues.
    last seen 2018-09-01
    modified 2016-10-19
    plugin id 90548
    published 2016-04-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90548
    title Slackware 14.0 / 14.1 / current : samba (SSA:2016-106-02) (Badlock)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201612-47.NASL
    description The remote host is affected by the vulnerability described in GLSA-201612-47 (Samba: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in samba. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could possibly execute arbitrary code with root privileges, cause a Denial of Service condition, conduct a man-in-the-middle attack, obtain sensitive information, or bypass file permissions. Workaround : There is no known workaround at this time.
    last seen 2018-09-01
    modified 2016-12-27
    plugin id 96127
    published 2016-12-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=96127
    title GLSA-201612-47 : Samba: Multiple vulnerabilities (Badlock)
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2016-686.NASL
    description Multiple flaws were found in Samba's DCE/RPC protocol implementation. A remote, authenticated attacker could use these flaws to cause a denial of service against the Samba server (high CPU load or a crash) or, possibly, execute arbitrary code with the permissions of the user running Samba (root). This flaw could also be used to downgrade a secure DCE/RPC connection by a man-in-the-middle attacker taking control of an Active Directory (AD) object and compromising the security of a Samba Active Directory Domain Controller (DC). (CVE-2015-5370) A protocol flaw, publicly referred to as Badlock, was found in the Security Account Manager Remote Protocol (MS-SAMR) and the Local Security Authority (Domain Policy) Remote Protocol (MS-LSAD). Any authenticated DCE/RPC connection that a client initiates against a server could be used by a man-in-the-middle attacker to impersonate the authenticated user against the SAMR or LSA service on the server. As a result, the attacker would be able to get read/write access to the Security Account Manager database, and use this to reveal all passwords or any other potentially sensitive information in that database. (CVE-2016-2118) Several flaws were found in Samba's implementation of NTLMSSP authentication. An unauthenticated, man-in-the-middle attacker could use this flaw to clear the encryption and integrity flags of a connection, causing data to be transmitted in plain text. The attacker could also force the client or server into sending data in plain text even if encryption was explicitly requested for that connection. (CVE-2016-2110) It was discovered that Samba configured as a Domain Controller would establish a secure communication channel with a machine using a spoofed computer name. A remote attacker able to observe network traffic could use this flaw to obtain session-related information about the spoofed machine. (CVE-2016-2111) It was found that Samba's LDAP implementation did not enforce integrity protection for LDAP connections. A man-in-the-middle attacker could use this flaw to downgrade LDAP connections to use no integrity protection, allowing them to hijack such connections. (CVE-2016-2112) It was found that Samba did not validate SSL/TLS certificates in certain connections. A man-in-the-middle attacker could use this flaw to spoof a Samba server using a specially crafted SSL/TLS certificate. (CVE-2016-2113) It was discovered that Samba did not enforce Server Message Block (SMB) signing for clients using the SMB1 protocol. A man-in-the-middle attacker could use this flaw to modify traffic between a client and a server. (CVE-2016-2114) It was found that Samba did not enable integrity protection for IPC traffic by default. A man-in-the-middle attacker could use this flaw to view and modify the data sent between a Samba server and a client. (CVE-2016-2115)
    last seen 2018-09-01
    modified 2018-04-18
    plugin id 90514
    published 2016-04-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90514
    title Amazon Linux AMI : samba (ALAS-2016-686) (Badlock)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2016-0611.NASL
    description An update for samba is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. [Updated 13 April 2016] This advisory previously did not list the CVE-2016-2110 issue as addressed by this update. However, this issue did affect samba on Red Hat Enterprise Linux 6, and is addressed by this update. No changes have been made to the packages. Samba is an open source implementation of the Server Message Block (SMB) protocol and the related Common Internet File System (CIFS) protocol, which allow PC-compatible machines to share files, printers, and various information. Security Fix(es) : * Multiple flaws were found in Samba's DCE/RPC protocol implementation. A remote, authenticated attacker could use these flaws to cause a denial of service against the Samba server (high CPU load or a crash) or, possibly, execute arbitrary code with the permissions of the user running Samba (root). This flaw could also be used to downgrade a secure DCE/RPC connection by a man-in-the-middle attacker taking control of an Active Directory (AD) object and compromising the security of a Samba Active Directory Domain Controller (DC). (CVE-2015-5370) Note: While Samba packages as shipped in Red Hat Enterprise Linux do not support running Samba as an AD DC, this flaw applies to all roles Samba implements. * A protocol flaw, publicly referred to as Badlock, was found in the Security Account Manager Remote Protocol (MS-SAMR) and the Local Security Authority (Domain Policy) Remote Protocol (MS-LSAD). Any authenticated DCE/RPC connection that a client initiates against a server could be used by a man-in-the-middle attacker to impersonate the authenticated user against the SAMR or LSA service on the server. As a result, the attacker would be able to get read/write access to the Security Account Manager database, and use this to reveal all passwords or any other potentially sensitive information in that database. (CVE-2016-2118) * Several flaws were found in Samba's implementation of NTLMSSP authentication. An unauthenticated, man-in-the-middle attacker could use this flaw to clear the encryption and integrity flags of a connection, causing data to be transmitted in plain text. The attacker could also force the client or server into sending data in plain text even if encryption was explicitly requested for that connection. (CVE-2016-2110) * It was discovered that Samba configured as a Domain Controller would establish a secure communication channel with a machine using a spoofed computer name. A remote attacker able to observe network traffic could use this flaw to obtain session-related information about the spoofed machine. (CVE-2016-2111) * It was found that Samba's LDAP implementation did not enforce integrity protection for LDAP connections. A man-in-the-middle attacker could use this flaw to downgrade LDAP connections to use no integrity protection, allowing them to hijack such connections. (CVE-2016-2112) * It was found that Samba did not enable integrity protection for IPC traffic by default. A man-in-the-middle attacker could use this flaw to view and modify the data sent between a Samba server and a client. (CVE-2016-2115) Red Hat would like to thank the Samba project for reporting these issues. Upstream acknowledges Jouni Knuutinen (Synopsis) as the original reporter of CVE-2015-5370; and Stefan Metzmacher (SerNet) as the original reporter of CVE-2016-2118, CVE-2016-2110, CVE-2016-2112, and CVE-2016-2115.
    last seen 2018-11-11
    modified 2018-11-10
    plugin id 90449
    published 2016-04-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90449
    title CentOS 6 : samba (CESA-2016:0611) (Badlock)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2016-0612.NASL
    description An update for samba4 and samba is now available for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7, respectively. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Samba is an open source implementation of the Server Message Block (SMB) protocol and the related Common Internet File System (CIFS) protocol, which allow PC-compatible machines to share files, printers, and various information. The following packages have been upgraded to a newer upstream version: Samba (4.2.10). Refer to the Release Notes listed in the References section for a complete list of changes. Security Fix(es) : * Multiple flaws were found in Samba's DCE/RPC protocol implementation. A remote, authenticated attacker could use these flaws to cause a denial of service against the Samba server (high CPU load or a crash) or, possibly, execute arbitrary code with the permissions of the user running Samba (root). This flaw could also be used to downgrade a secure DCE/RPC connection by a man-in-the-middle attacker taking control of an Active Directory (AD) object and compromising the security of a Samba Active Directory Domain Controller (DC). (CVE-2015-5370) Note: While Samba packages as shipped in Red Hat Enterprise Linux do not support running Samba as an AD DC, this flaw applies to all roles Samba implements. * A protocol flaw, publicly referred to as Badlock, was found in the Security Account Manager Remote Protocol (MS-SAMR) and the Local Security Authority (Domain Policy) Remote Protocol (MS-LSAD). Any authenticated DCE/RPC connection that a client initiates against a server could be used by a man-in-the-middle attacker to impersonate the authenticated user against the SAMR or LSA service on the server. As a result, the attacker would be able to get read/write access to the Security Account Manager database, and use this to reveal all passwords or any other potentially sensitive information in that database. (CVE-2016-2118) * Several flaws were found in Samba's implementation of NTLMSSP authentication. An unauthenticated, man-in-the-middle attacker could use this flaw to clear the encryption and integrity flags of a connection, causing data to be transmitted in plain text. The attacker could also force the client or server into sending data in plain text even if encryption was explicitly requested for that connection. (CVE-2016-2110) * It was discovered that Samba configured as a Domain Controller would establish a secure communication channel with a machine using a spoofed computer name. A remote attacker able to observe network traffic could use this flaw to obtain session-related information about the spoofed machine. (CVE-2016-2111) * It was found that Samba's LDAP implementation did not enforce integrity protection for LDAP connections. A man-in-the-middle attacker could use this flaw to downgrade LDAP connections to use no integrity protection, allowing them to hijack such connections. (CVE-2016-2112) * It was found that Samba did not validate SSL/TLS certificates in certain connections. A man-in-the-middle attacker could use this flaw to spoof a Samba server using a specially crafted SSL/TLS certificate. (CVE-2016-2113) * It was discovered that Samba did not enforce Server Message Block (SMB) signing for clients using the SMB1 protocol. A man-in-the-middle attacker could use this flaw to modify traffic between a client and a server. (CVE-2016-2114) * It was found that Samba did not enable integrity protection for IPC traffic by default. A man-in-the-middle attacker could use this flaw to view and modify the data sent between a Samba server and a client. (CVE-2016-2115) Red Hat would like to thank the Samba project for reporting these issues. Upstream acknowledges Jouni Knuutinen (Synopsis) as the original reporter of CVE-2015-5370; and Stefan Metzmacher (SerNet) as the original reporter of CVE-2016-2118, CVE-2016-2110, CVE-2016-2112, CVE-2016-2113, CVE-2016-2114, and CVE-2016-2115.
    last seen 2018-11-11
    modified 2018-11-10
    plugin id 90450
    published 2016-04-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90450
    title CentOS 6 / 7 : ipa / libldb / libtalloc / libtdb / libtevent / openchange / samba / samba4 (CESA-2016:0612) (Badlock)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2016-453.NASL
    description samba was updated to fix seven security issues. These security issues were fixed : - CVE-2015-5370: DCERPC server and client were vulnerable to DOS and MITM attacks (bsc#936862). - CVE-2016-2110: A man-in-the-middle could have downgraded NTLMSSP authentication (bsc#973031). - CVE-2016-2111: Domain controller netlogon member computer could have been spoofed (bsc#973032). - CVE-2016-2112: LDAP conenctions were vulnerable to downgrade and MITM attack (bsc#973033). - CVE-2016-2113: TLS certificate validation were missing (bsc#973034). - CVE-2016-2115: Named pipe IPC were vulnerable to MITM attacks (bsc#973036). - CVE-2016-2118: 'Badlock' DCERPC impersonation of authenticated account were possible (bsc#971965). These non-security issues were fixed : - bsc#974629: Fix samba.tests.messaging test and prevent potential tdb corruption by removing obsolete now invalid tdb_close call. - bsc#973832: Obsolete libsmbsharemodes0 from samba-libs and libsmbsharemodes-devel from samba-core-devel. - bsc#972197: Obsolete libsmbclient from libsmbclient0 and libpdb-devel from libsamba-passdb-devel while not providing it. - Getting and setting Windows ACLs on symlinks can change permissions on link - bsc#924519: Upgrade on-disk FSRVP server state to new version. - bsc#968973: Only obsolete but do not provide gplv2/3 package names. - bso#6482: s3:utils/smbget: Fix recursive download. - bso#10489: s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystem with no ACL support. - bso#11643: docs: Add example for domain logins to smbspool man page. - bso#11690: s3-client: Add a KRB5 wrapper for smbspool. - bso#11708: loadparm: Fix memory leak issue. - bso#11714: lib/tsocket: Work around sockets not supporting FIONREAD. - bso#11719: ctdb-scripts: Drop use of 'smbcontrol winbindd ip-dropped ...'. - bso#11727: s3:smbd:open: Skip redundant call to file_set_dosmode when creating a new file. - bso#11732: param: Fix str_list_v3 to accept ';' again. - bso#11740: Real memeory leak(buildup) issue in loadparm. This update was imported from the SUSE:SLE-12-SP1:Update update project.
    last seen 2018-09-01
    modified 2016-10-13
    plugin id 90522
    published 2016-04-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90522
    title openSUSE Security Update : samba (openSUSE-2016-453) (Badlock)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2016-0614.NASL
    description An update for samba is now available for Red Hat Gluster Storage 3.1 for RHEL 6 and Red Hat Gluster Storage 3.1 for RHEL 7. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Samba is an open source implementation of the Server Message Block (SMB) protocol and the related Common Internet File System (CIFS) protocol, which allow PC-compatible machines to share files, printers, and various information. The following packages have been upgraded to a newer upstream version: Samba (4.2.10). Refer to the Release Notes listed in the References section for a complete list of changes. Security Fix(es) : * Multiple flaws were found in Samba's DCE/RPC protocol implementation. A remote, authenticated attacker could use these flaws to cause a denial of service against the Samba server (high CPU load or a crash) or, possibly, execute arbitrary code with the permissions of the user running Samba (root). This flaw could also be used to downgrade a secure DCE/RPC connection by a man-in-the-middle attacker taking control of an Active Directory (AD) object and compromising the security of a Samba Active Directory Domain Controller (DC). (CVE-2015-5370) Note: While Samba packages as shipped in Red Hat Gluster Storage do not support running Samba as an AD DC, this flaw applies to all roles Samba implements. * A protocol flaw, publicly referred to as Badlock, was found in the Security Account Manager Remote Protocol (MS-SAMR) and the Local Security Authority (Domain Policy) Remote Protocol (MS-LSAD). Any authenticated DCE/RPC connection that a client initiates against a server could be used by a man-in-the-middle attacker to impersonate the authenticated user against the SAMR or LSA service on the server. As a result, the attacker would be able to get read/write access to the Security Account Manager database, and use this to reveal all passwords or any other potentially sensitive information in that database. (CVE-2016-2118) * Several flaws were found in Samba's implementation of NTLMSSP authentication. An unauthenticated, man-in-the-middle attacker could use this flaw to clear the encryption and integrity flags of a connection, causing data to be transmitted in plain text. The attacker could also force the client or server into sending data in plain text even if encryption was explicitly requested for that connection. (CVE-2016-2110) * It was discovered that Samba configured as a Domain Controller would establish a secure communication channel with a machine using a spoofed computer name. A remote attacker able to observe network traffic could use this flaw to obtain session-related information about the spoofed machine. (CVE-2016-2111) * It was found that Samba's LDAP implementation did not enforce integrity protection for LDAP connections. A man-in-the-middle attacker could use this flaw to downgrade LDAP connections to use no integrity protection, allowing them to hijack such connections. (CVE-2016-2112) * It was found that Samba did not validate SSL/TLS certificates in certain connections. A man-in-the-middle attacker could use this flaw to spoof a Samba server using a specially crafted SSL/TLS certificate. (CVE-2016-2113) * It was discovered that Samba did not enforce Server Message Block (SMB) signing for clients using the SMB1 protocol. A man-in-the-middle attacker could use this flaw to modify traffic between a client and a server. (CVE-2016-2114) * It was found that Samba did not enable integrity protection for IPC traffic by default. A man-in-the-middle attacker could use this flaw to view and modify the data sent between a Samba server and a client. (CVE-2016-2115) Red Hat would like to thank the Samba project for reporting these issues. Upstream acknowledges Jouni Knuutinen (Synopsis) as the original reporter of CVE-2015-5370; and Stefan Metzmacher (SerNet) as the original reporter of CVE-2016-2118, CVE-2016-2110, CVE-2016-2112, CVE-2016-2113, CVE-2016-2114, and CVE-2016-2115.
    last seen 2018-11-13
    modified 2018-11-10
    plugin id 90530
    published 2016-04-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90530
    title RHEL 6 / 7 : Storage Server (RHSA-2016:0614) (Badlock)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20160412_SAMBA_AND_SAMBA4_ON_SL6_X.NASL
    description Security Fix(es) : - Multiple flaws were found in Samba's DCE/RPC protocol implementation. A remote, authenticated attacker could use these flaws to cause a denial of service against the Samba server (high CPU load or a crash) or, possibly, execute arbitrary code with the permissions of the user running Samba (root). This flaw could also be used to downgrade a secure DCE/RPC connection by a man-in-the-middle attacker taking control of an Active Directory (AD) object and compromising the security of a Samba Active Directory Domain Controller (DC). (CVE-2015-5370) Note: While Samba packages as shipped in Scientific Linux do not support running Samba as an AD DC, this flaw applies to all roles Samba implements. - A protocol flaw, publicly referred to as Badlock, was found in the Security Account Manager Remote Protocol (MS-SAMR) and the Local Security Authority (Domain Policy) Remote Protocol (MS-LSAD). Any authenticated DCE/RPC connection that a client initiates against a server could be used by a man-in-the-middle attacker to impersonate the authenticated user against the SAMR or LSA service on the server. As a result, the attacker would be able to get read/write access to the Security Account Manager database, and use this to reveal all passwords or any other potentially sensitive information in that database. (CVE-2016-2118) - Several flaws were found in Samba's implementation of NTLMSSP authentication. An unauthenticated, man-in-the-middle attacker could use this flaw to clear the encryption and integrity flags of a connection, causing data to be transmitted in plain text. The attacker could also force the client or server into sending data in plain text even if encryption was explicitly requested for that connection. (CVE-2016-2110) - It was discovered that Samba configured as a Domain Controller would establish a secure communication channel with a machine using a spoofed computer name. A remote attacker able to observe network traffic could use this flaw to obtain session-related information about the spoofed machine. (CVE-2016-2111) - It was found that Samba's LDAP implementation did not enforce integrity protection for LDAP connections. A man-in-the-middle attacker could use this flaw to downgrade LDAP connections to use no integrity protection, allowing them to hijack such connections. (CVE-2016-2112) - It was found that Samba did not validate SSL/TLS certificates in certain connections. A man-in-the-middle attacker could use this flaw to spoof a Samba server using a specially crafted SSL/TLS certificate. (CVE-2016-2113) - It was discovered that Samba did not enforce Server Message Block (SMB) signing for clients using the SMB1 protocol. A man-in-the-middle attacker could use this flaw to modify traffic between a client and a server. (CVE-2016-2114) - It was found that Samba did not enable integrity protection for IPC traffic by default. A man-in-the-middle attacker could use this flaw to view and modify the data sent between a Samba server and a client. (CVE-2016-2115)
    last seen 2018-09-01
    modified 2016-10-19
    plugin id 90502
    published 2016-04-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90502
    title Scientific Linux Security Update : samba and samba4 on SL6.x, SL7.x i386/x86_64 (Badlock)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2016-0611.NASL
    description From Red Hat Security Advisory 2016:0611 : An update for samba is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. [Updated 13 April 2016] This advisory previously did not list the CVE-2016-2110 issue as addressed by this update. However, this issue did affect samba on Red Hat Enterprise Linux 6, and is addressed by this update. No changes have been made to the packages. Samba is an open source implementation of the Server Message Block (SMB) protocol and the related Common Internet File System (CIFS) protocol, which allow PC-compatible machines to share files, printers, and various information. Security Fix(es) : * Multiple flaws were found in Samba's DCE/RPC protocol implementation. A remote, authenticated attacker could use these flaws to cause a denial of service against the Samba server (high CPU load or a crash) or, possibly, execute arbitrary code with the permissions of the user running Samba (root). This flaw could also be used to downgrade a secure DCE/RPC connection by a man-in-the-middle attacker taking control of an Active Directory (AD) object and compromising the security of a Samba Active Directory Domain Controller (DC). (CVE-2015-5370) Note: While Samba packages as shipped in Red Hat Enterprise Linux do not support running Samba as an AD DC, this flaw applies to all roles Samba implements. * A protocol flaw, publicly referred to as Badlock, was found in the Security Account Manager Remote Protocol (MS-SAMR) and the Local Security Authority (Domain Policy) Remote Protocol (MS-LSAD). Any authenticated DCE/RPC connection that a client initiates against a server could be used by a man-in-the-middle attacker to impersonate the authenticated user against the SAMR or LSA service on the server. As a result, the attacker would be able to get read/write access to the Security Account Manager database, and use this to reveal all passwords or any other potentially sensitive information in that database. (CVE-2016-2118) * Several flaws were found in Samba's implementation of NTLMSSP authentication. An unauthenticated, man-in-the-middle attacker could use this flaw to clear the encryption and integrity flags of a connection, causing data to be transmitted in plain text. The attacker could also force the client or server into sending data in plain text even if encryption was explicitly requested for that connection. (CVE-2016-2110) * It was discovered that Samba configured as a Domain Controller would establish a secure communication channel with a machine using a spoofed computer name. A remote attacker able to observe network traffic could use this flaw to obtain session-related information about the spoofed machine. (CVE-2016-2111) * It was found that Samba's LDAP implementation did not enforce integrity protection for LDAP connections. A man-in-the-middle attacker could use this flaw to downgrade LDAP connections to use no integrity protection, allowing them to hijack such connections. (CVE-2016-2112) * It was found that Samba did not enable integrity protection for IPC traffic by default. A man-in-the-middle attacker could use this flaw to view and modify the data sent between a Samba server and a client. (CVE-2016-2115) Red Hat would like to thank the Samba project for reporting these issues. Upstream acknowledges Jouni Knuutinen (Synopsis) as the original reporter of CVE-2015-5370; and Stefan Metzmacher (SerNet) as the original reporter of CVE-2016-2118, CVE-2016-2110, CVE-2016-2112, and CVE-2016-2115.
    last seen 2018-09-02
    modified 2018-07-24
    plugin id 90486
    published 2016-04-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90486
    title Oracle Linux 6 : samba (ELSA-2016-0611) (Badlock)
  • NASL family Huawei Local Security Checks
    NASL id EULEROS_SA-2016-1014.NASL
    description According to the versions of the samba packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - Multiple flaws were found in Samba's DCE/RPC protocol implementation. A remote, authenticated attacker could use these flaws to cause a denial of service against the Samba server (high CPU load or a crash) or, possibly, execute arbitrary code with the permissions of the user running Samba (root). This flaw could also be used to downgrade a secure DCE/RPC connection by a man-in-the-middle attacker taking control of an Active Directory (AD) object and compromising the security of a Samba Active Directory Domain Controller (DC).(CVE-2015-5370) - A protocol flaw, publicly referred to as Badlock, was found in the Security Account Manager Remote Protocol (MS-SAMR) and the Local Security Authority (Domain Policy) Remote Protocol (MS-LSAD). Any authenticated DCE/RPC connection that a client initiates against a server could be used by a man-in-the-middle attacker to impersonate the authenticated user against the SAMR or LSA service on the server. - As a result, the attacker would be able to get read/write access to the Security Account Manager database, and use this to reveal all passwords or any other potentially sensitive information in that database. (CVE-2016-2118) - Several flaws were found in Samba's implementation of NTLMSSP authentication. An nauthenticated, man-in-the-middle attacker could use this flaw to clear the encryption and integrity flags of a connection, causing data to be transmitted in plain text. The attacker could also force the client or server into sending data in plain text even if encryption was explicitly requested for that connection.(CVE-2016-2110) - It was discovered that Samba configured as a Domain Controller would establish a secure communication channel with a machine using a spoofed computer name. A remote attacker able to observe network traffic could use this flaw to obtain session-related information about the spoofed machine. (CVE-2016-2111) - It was found that Samba's LDAP implementation did not enforce integrity protection for LDAP connections. A man-in-the-middle attacker could use this flaw to downgrade LDAP connections to use no integrity protection, allowing them to hijack such connections.(CVE-2016-2112) - It was found that Samba did not validate SSL/TLS certificates in certain connections. A man-in-the-middle attacker could use this flaw to spoof a Samba server using a specially crafted SSL/TLS certificate.(CVE-2016-2113) - It was discovered that Samba did not enforce Server Message Block (SMB) signing for clients using the SMB1 protocol. A man-in-the-middle attacker could use this flaw to modify traffic between a client and a server. (CVE-2016-2114) - It was found that Samba did not enable integrity protection for IPC traffic by default. A man-in-the-middle attacker could use this flaw to view and modify the data sent between a Samba server and a client.(CVE-2016-2115) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-11-15
    modified 2018-11-14
    plugin id 99777
    published 2017-05-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99777
    title EulerOS 2.0 SP1 : samba (EulerOS-SA-2016-1014)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2016-0623.NASL
    description An update for samba is now available for Red Hat Enterprise Linux 5.6 Long Life and Red Hat Enterprise Linux 5.9 Long Life. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. [Updated 13 April 2016] This advisory previously incorrectly listed the CVE-2015-5370 issue as addressed by this update. However, this issue did not affect the samba packages on Red Hat Enterprise Linux 5.6 and 5.9 Long Life. No changes have been made to the packages. [Updated 14 April 2016] This advisory previously incorrectly listed the CVE-2016-2112 issue as addressed by this update. However, this issue did not affect the samba packages on Red Hat Enterprise Linux 5.6 and 5.9 Long Life. The CVE-2016-2115 was also incorrectly listed as addressed by this update. This issue does affect the samba packages on Red Hat Enterprise Linux 5.6 and 5.9 Long Life. Customers are advised to use the 'client signing = required' configuration option in the smb.conf file to mitigate CVE-2016-2115. No changes have been made to the packages. Samba is an open source implementation of the Server Message Block (SMB) protocol and the related Common Internet File System (CIFS) protocol, which allow PC-compatible machines to share files, printers, and various information. Security Fix(es) : * A protocol flaw, publicly referred to as Badlock, was found in the Security Account Manager Remote Protocol (MS-SAMR) and the Local Security Authority (Domain Policy) Remote Protocol (MS-LSAD). Any authenticated DCE/RPC connection that a client initiates against a server could be used by a man-in-the-middle attacker to impersonate the authenticated user against the SAMR or LSA service on the server. As a result, the attacker would be able to get read/write access to the Security Account Manager database, and use this to reveal all passwords or any other potentially sensitive information in that database. (CVE-2016-2118) * Several flaws were found in Samba's implementation of NTLMSSP authentication. An unauthenticated, man-in-the-middle attacker could use this flaw to clear the encryption and integrity flags of a connection, causing data to be transmitted in plain text. The attacker could also force the client or server into sending data in plain text even if encryption was explicitly requested for that connection. (CVE-2016-2110) * It was discovered that Samba configured as a Domain Controller would establish a secure communication channel with a machine using a spoofed computer name. A remote attacker able to observe network traffic could use this flaw to obtain session-related information about the spoofed machine. (CVE-2016-2111) Red Hat would like to thank the Samba project for reporting these issues. Upstream acknowledges Stefan Metzmacher (SerNet) as the original reporter of CVE-2016-2118 and CVE-2016-2110.
    last seen 2018-11-13
    modified 2018-11-10
    plugin id 90499
    published 2016-04-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90499
    title RHEL 5 : samba (RHSA-2016:0623) (Badlock)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2016-0613.NASL
    description From Red Hat Security Advisory 2016:0613 : An update for samba3x is now available for Red Hat Enterprise Linux 5. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Samba is an open source implementation of the Server Message Block (SMB) or Common Internet File System (CIFS) protocol, which allows PC-compatible machines to share files, printers, and other information. Security Fix(es) : * Multiple flaws were found in Samba's DCE/RPC protocol implementation. A remote, authenticated attacker could use these flaws to cause a denial of service against the Samba server (high CPU load or a crash) or, possibly, execute arbitrary code with the permissions of the user running Samba (root). This flaw could also be used to downgrade a secure DCE/RPC connection by a man-in-the-middle attacker taking control of an Active Directory (AD) object and compromising the security of a Samba Active Directory Domain Controller (DC). (CVE-2015-5370) Note: While Samba packages as shipped in Red Hat Enterprise Linux do not support running Samba as an AD DC, this flaw applies to all roles Samba implements. * A protocol flaw, publicly referred to as Badlock, was found in the Security Account Manager Remote Protocol (MS-SAMR) and the Local Security Authority (Domain Policy) Remote Protocol (MS-LSAD). Any authenticated DCE/RPC connection that a client initiates against a server could be used by a man-in-the-middle attacker to impersonate the authenticated user against the SAMR or LSA service on the server. As a result, the attacker would be able to get read/write access to the Security Account Manager database, and use this to reveal all passwords or any other potentially sensitive information in that database. (CVE-2016-2118) * Several flaws were found in Samba's implementation of NTLMSSP authentication. An unauthenticated, man-in-the-middle attacker could use this flaw to clear the encryption and integrity flags of a connection, causing data to be transmitted in plain text. The attacker could also force the client or server into sending data in plain text even if encryption was explicitly requested for that connection. (CVE-2016-2110) * It was discovered that Samba configured as a Domain Controller would establish a secure communication channel with a machine using a spoofed computer name. A remote attacker able to observe network traffic could use this flaw to obtain session-related information about the spoofed machine. (CVE-2016-2111) * It was found that Samba's LDAP implementation did not enforce integrity protection for LDAP connections. A man-in-the-middle attacker could use this flaw to downgrade LDAP connections to use no integrity protection, allowing them to hijack such connections. (CVE-2016-2112) * It was found that Samba did not enable integrity protection for IPC traffic by default. A man-in-the-middle attacker could use this flaw to view and modify the data sent between a Samba server and a client. (CVE-2016-2115) Red Hat would like to thank the Samba project for reporting these issues. Upstream acknowledges Jouni Knuutinen (Synopsis) as the original reporter of CVE-2015-5370; and Stefan Metzmacher (SerNet) as the original reporter of CVE-2016-2118, CVE-2016-2110, CVE-2016-2112, and CVE-2016-2115.
    last seen 2018-09-01
    modified 2018-07-24
    plugin id 90488
    published 2016-04-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90488
    title Oracle Linux 5 : samba3x (ELSA-2016-0613) (Badlock)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2016-48B3761BAA.NASL
    description Security fix for CVE-2015-5370, CVE-2016-2110, CVE-2016-2111, CVE-2016-2112, CVE-2016-2113, CVE-2016-2114, CVE-2016-2115, CVE-2016-2118 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-09-01
    modified 2016-12-05
    plugin id 90516
    published 2016-04-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90516
    title Fedora 22 : samba-4.2.11-0.fc22 (2016-48b3761baa) (Badlock)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2016-0621.NASL
    description From Red Hat Security Advisory 2016:0621 : An update for samba is now available for Red Hat Enterprise Linux 5. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. [Updated 14 April 2016] This advisory previously incorrectly listed the CVE-2016-2112 issue as addressed by this update. However, this issue did not affect the samba packages on Red Hat Enterprise Linux 5. The CVE-2016-2115 was also incorrectly listed as addressed by this update. This issue does affect the samba packages on Red Hat Enterprise Linux 5. Customers are advised to use the 'client signing = required' configuration option in the smb.conf file to mitigate CVE-2016-2115. No changes have been made to the packages. Samba is an open source implementation of the Server Message Block (SMB) protocol and the related Common Internet File System (CIFS) protocol, which allow PC-compatible machines to share files, printers, and various information. Security Fix(es) : * A protocol flaw, publicly referred to as Badlock, was found in the Security Account Manager Remote Protocol (MS-SAMR) and the Local Security Authority (Domain Policy) Remote Protocol (MS-LSAD). Any authenticated DCE/RPC connection that a client initiates against a server could be used by a man-in-the-middle attacker to impersonate the authenticated user against the SAMR or LSA service on the server. As a result, the attacker would be able to get read/write access to the Security Account Manager database, and use this to reveal all passwords or any other potentially sensitive information in that database. (CVE-2016-2118) * Several flaws were found in Samba's implementation of NTLMSSP authentication. An unauthenticated, man-in-the-middle attacker could use this flaw to clear the encryption and integrity flags of a connection, causing data to be transmitted in plain text. The attacker could also force the client or server into sending data in plain text even if encryption was explicitly requested for that connection. (CVE-2016-2110) * It was discovered that Samba configured as a Domain Controller would establish a secure communication channel with a machine using a spoofed computer name. A remote attacker able to observe network traffic could use this flaw to obtain session-related information about the spoofed machine. (CVE-2016-2111) Red Hat would like to thank the Samba project for reporting these issues. Upstream acknowledges Stefan Metzmacher (SerNet) as the original reporter of CVE-2016-2118 and CVE-2016-2110.
    last seen 2018-09-02
    modified 2018-07-24
    plugin id 90489
    published 2016-04-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90489
    title Oracle Linux 5 : samba (ELSA-2016-0621) (Badlock)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-2950-1.NASL
    description Jouni Knuutinen discovered that Samba contained multiple flaws in the DCE/RPC implementation. A remote attacker could use this issue to perform a denial of service, downgrade secure connections by performing a man in the middle attack, or possibly execute arbitrary code. (CVE-2015-5370) Stefan Metzmacher discovered that Samba contained multiple flaws in the NTLMSSP authentication implementation. A remote attacker could use this issue to downgrade connections to plain text by performing a man in the middle attack. (CVE-2016-2110) Alberto Solino discovered that a Samba domain controller would establish a secure connection to a server with a spoofed computer name. A remote attacker could use this issue to obtain sensitive information. (CVE-2016-2111) Stefan Metzmacher discovered that the Samba LDAP implementation did not enforce integrity protection. A remote attacker could use this issue to hijack LDAP connections by performing a man in the middle attack. (CVE-2016-2112) Stefan Metzmacher discovered that Samba did not validate TLS certificates. A remote attacker could use this issue to spoof a Samba server. (CVE-2016-2113) Stefan Metzmacher discovered that Samba did not enforce SMB signing even if configured to. A remote attacker could use this issue to perform a man in the middle attack. (CVE-2016-2114) Stefan Metzmacher discovered that Samba did not enable integrity protection for IPC traffic. A remote attacker could use this issue to perform a man in the middle attack. (CVE-2016-2115) Stefan Metzmacher discovered that Samba incorrectly handled the MS-SAMR and MS-LSAD protocols. A remote attacker could use this flaw with a man in the middle attack to impersonate users and obtain sensitive information from the Security Account Manager database. This flaw is known as Badlock. (CVE-2016-2118) Samba has been updated to 4.3.8 in Ubuntu 14.04 LTS and Ubuntu 15.10. Ubuntu 12.04 LTS has been updated to 3.6.25 with backported security fixes. In addition to security fixes, the updated packages contain bug fixes, new features, and possibly incompatible changes. Configuration changes may be required in certain environments. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-12-02
    modified 2018-12-01
    plugin id 90588
    published 2016-04-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90588
    title Ubuntu 12.04 LTS / 14.04 LTS / 15.10 : samba vulnerabilities (USN-2950-1) (Badlock)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2016-0620.NASL
    description An update for samba4 is now available for Red Hat Enterprise Linux 6.2 Advanced Update Support, Red Hat Enterprise Linux 6.4 Advanced Update Support, Red Hat Enterprise Linux 6.5 Advanced Update Support, and Red Hat Enterprise Linux 6.6 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Samba is an open source implementation of the Server Message Block (SMB) or Common Internet File System (CIFS) protocol, which allows PC-compatible machines to share files, printers, and other information. The following packages have been upgraded to a newer upstream version: Samba (4.2.10). Refer to the Release Notes listed in the References section for a complete list of changes. Security Fix(es) : * Multiple flaws were found in Samba's DCE/RPC protocol implementation. A remote, authenticated attacker could use these flaws to cause a denial of service against the Samba server (high CPU load or a crash) or, possibly, execute arbitrary code with the permissions of the user running Samba (root). This flaw could also be used to downgrade a secure DCE/RPC connection by a man-in-the-middle attacker taking control of an Active Directory (AD) object and compromising the security of a Samba Active Directory Domain Controller (DC). (CVE-2015-5370) Note: While Samba packages as shipped in Red Hat Enterprise Linux do not support running Samba as an AD DC, this flaw applies to all roles Samba implements. * A protocol flaw, publicly referred to as Badlock, was found in the Security Account Manager Remote Protocol (MS-SAMR) and the Local Security Authority (Domain Policy) Remote Protocol (MS-LSAD). Any authenticated DCE/RPC connection that a client initiates against a server could be used by a man-in-the-middle attacker to impersonate the authenticated user against the SAMR or LSA service on the server. As a result, the attacker would be able to get read/write access to the Security Account Manager database, and use this to reveal all passwords or any other potentially sensitive information in that database. (CVE-2016-2118) * Several flaws were found in Samba's implementation of NTLMSSP authentication. An unauthenticated, man-in-the-middle attacker could use this flaw to clear the encryption and integrity flags of a connection, causing data to be transmitted in plain text. The attacker could also force the client or server into sending data in plain text even if encryption was explicitly requested for that connection. (CVE-2016-2110) * It was discovered that Samba configured as a Domain Controller would establish a secure communication channel with a machine using a spoofed computer name. A remote attacker able to observe network traffic could use this flaw to obtain session-related information about the spoofed machine. (CVE-2016-2111) * It was found that Samba's LDAP implementation did not enforce integrity protection for LDAP connections. A man-in-the-middle attacker could use this flaw to downgrade LDAP connections to use no integrity protection, allowing them to hijack such connections. (CVE-2016-2112) * It was found that Samba did not validate SSL/TLS certificates in certain connections. A man-in-the-middle attacker could use this flaw to spoof a Samba server using a specially crafted SSL/TLS certificate. (CVE-2016-2113) * It was discovered that Samba did not enforce Server Message Block (SMB) signing for clients using the SMB1 protocol. A man-in-the-middle attacker could use this flaw to modify traffic between a client and a server. (CVE-2016-2114) * It was found that Samba did not enable integrity protection for IPC traffic by default. A man-in-the-middle attacker could use this flaw to view and modify the data sent between a Samba server and a client. (CVE-2016-2115) Red Hat would like to thank the Samba project for reporting these issues. Upstream acknowledges Jouni Knuutinen (Synopsis) as the original reporter of CVE-2015-5370; and Stefan Metzmacher (SerNet) as the original reporter of CVE-2016-2118, CVE-2016-2110, CVE-2016-2112, CVE-2016-2113, CVE-2016-2114, and CVE-2016-2115.
    last seen 2018-11-13
    modified 2018-11-10
    plugin id 90497
    published 2016-04-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90497
    title RHEL 6 : samba4 (RHSA-2016:0620) (Badlock)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2016-1024-1.NASL
    description samba was updated to fix seven security issues. These security issues were fixed : - CVE-2015-5370: DCERPC server and client were vulnerable to DOS and MITM attacks (bsc#936862). - CVE-2016-2110: A man-in-the-middle could have downgraded NTLMSSP authentication (bsc#973031). - CVE-2016-2111: Domain controller netlogon member computer could have been spoofed (bsc#973032). - CVE-2016-2112: LDAP conenctions were vulnerable to downgrade and MITM attack (bsc#973033). - CVE-2016-2113: TLS certificate validation were missing (bsc#973034). - CVE-2016-2115: Named pipe IPC were vulnerable to MITM attacks (bsc#973036). - CVE-2016-2118: 'Badlock' DCERPC impersonation of authenticated account were possible (bsc#971965). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-11-30
    modified 2018-11-29
    plugin id 90534
    published 2016-04-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90534
    title SUSE SLED12 / SLES12 Security Update : samba (SUSE-SU-2016:1024-1) (Badlock)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-3548.NASL
    description Several vulnerabilities have been discovered in Samba, a SMB/CIFS file, print, and login server for Unix. The Common Vulnerabilities and Exposures project identifies the following issues : - CVE-2015-5370 Jouni Knuutinen from Synopsys discovered flaws in the Samba DCE-RPC code which can lead to denial of service (crashes and high cpu consumption) and man-in-the-middle attacks. - CVE-2016-2110 Stefan Metzmacher of SerNet and the Samba Team discovered that the feature negotiation of NTLMSSP does not protect against downgrade attacks. - CVE-2016-2111 When Samba is configured as domain controller, it allows remote attackers to spoof the computer name of a secure channel's endpoint, and obtain sensitive session information. This flaw corresponds to the same vulnerability as CVE-2015-0005 for Windows, discovered by Alberto Solino from Core Security. - CVE-2016-2112 Stefan Metzmacher of SerNet and the Samba Team discovered that a man-in-the-middle attacker can downgrade LDAP connections to avoid integrity protection. - CVE-2016-2113 Stefan Metzmacher of SerNet and the Samba Team discovered that man-in-the-middle attacks are possible for client triggered LDAP connections and ncacn_http connections. - CVE-2016-2114 Stefan Metzmacher of SerNet and the Samba Team discovered that Samba does not enforce required smb signing even if explicitly configured. - CVE-2016-2115 Stefan Metzmacher of SerNet and the Samba Team discovered that SMB connections for IPC traffic are not integrity-protected. - CVE-2016-2118 Stefan Metzmacher of SerNet and the Samba Team discovered that a man-in-the-middle attacker can intercept any DCERPC traffic between a client and a server in order to impersonate the client and obtain the same privileges as the authenticated user account.
    last seen 2018-11-13
    modified 2018-11-10
    plugin id 90515
    published 2016-04-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90515
    title Debian DSA-3548-1 : samba - security update (Badlock)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2016-1028-1.NASL
    description samba was updated to fix seven security issues. These security issues were fixed : - CVE-2015-5370: DCERPC server and client were vulnerable to DOS and MITM attacks (bsc#936862). - CVE-2016-2110: A man-in-the-middle could have downgraded NTLMSSP authentication (bsc#973031). - CVE-2016-2111: Domain controller netlogon member computer could have been spoofed (bsc#973032). - CVE-2016-2112: LDAP conenctions were vulnerable to downgrade and MITM attack (bsc#973033). - CVE-2016-2113: TLS certificate validation were missing (bsc#973034). - CVE-2016-2115: Named pipe IPC were vulnerable to MITM attacks (bsc#973036). - CVE-2016-2118: 'Badlock' DCERPC impersonation of authenticated account were possible (bsc#971965). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-11-30
    modified 2018-11-29
    plugin id 90536
    published 2016-04-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90536
    title SUSE SLES11 Security Update : samba (SUSE-SU-2016:1028-1) (Badlock)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2016-0613.NASL
    description An update for samba3x is now available for Red Hat Enterprise Linux 5. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Samba is an open source implementation of the Server Message Block (SMB) or Common Internet File System (CIFS) protocol, which allows PC-compatible machines to share files, printers, and other information. Security Fix(es) : * Multiple flaws were found in Samba's DCE/RPC protocol implementation. A remote, authenticated attacker could use these flaws to cause a denial of service against the Samba server (high CPU load or a crash) or, possibly, execute arbitrary code with the permissions of the user running Samba (root). This flaw could also be used to downgrade a secure DCE/RPC connection by a man-in-the-middle attacker taking control of an Active Directory (AD) object and compromising the security of a Samba Active Directory Domain Controller (DC). (CVE-2015-5370) Note: While Samba packages as shipped in Red Hat Enterprise Linux do not support running Samba as an AD DC, this flaw applies to all roles Samba implements. * A protocol flaw, publicly referred to as Badlock, was found in the Security Account Manager Remote Protocol (MS-SAMR) and the Local Security Authority (Domain Policy) Remote Protocol (MS-LSAD). Any authenticated DCE/RPC connection that a client initiates against a server could be used by a man-in-the-middle attacker to impersonate the authenticated user against the SAMR or LSA service on the server. As a result, the attacker would be able to get read/write access to the Security Account Manager database, and use this to reveal all passwords or any other potentially sensitive information in that database. (CVE-2016-2118) * Several flaws were found in Samba's implementation of NTLMSSP authentication. An unauthenticated, man-in-the-middle attacker could use this flaw to clear the encryption and integrity flags of a connection, causing data to be transmitted in plain text. The attacker could also force the client or server into sending data in plain text even if encryption was explicitly requested for that connection. (CVE-2016-2110) * It was discovered that Samba configured as a Domain Controller would establish a secure communication channel with a machine using a spoofed computer name. A remote attacker able to observe network traffic could use this flaw to obtain session-related information about the spoofed machine. (CVE-2016-2111) * It was found that Samba's LDAP implementation did not enforce integrity protection for LDAP connections. A man-in-the-middle attacker could use this flaw to downgrade LDAP connections to use no integrity protection, allowing them to hijack such connections. (CVE-2016-2112) * It was found that Samba did not enable integrity protection for IPC traffic by default. A man-in-the-middle attacker could use this flaw to view and modify the data sent between a Samba server and a client. (CVE-2016-2115) Red Hat would like to thank the Samba project for reporting these issues. Upstream acknowledges Jouni Knuutinen (Synopsis) as the original reporter of CVE-2015-5370; and Stefan Metzmacher (SerNet) as the original reporter of CVE-2016-2118, CVE-2016-2110, CVE-2016-2112, and CVE-2016-2115.
    last seen 2018-11-13
    modified 2018-11-10
    plugin id 90493
    published 2016-04-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90493
    title RHEL 5 : samba3x (RHSA-2016:0613) (Badlock)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20160412_SAMBA_ON_SL6_X.NASL
    description Security Fix(es) : - Multiple flaws were found in Samba's DCE/RPC protocol implementation. A remote, authenticated attacker could use these flaws to cause a denial of service against the Samba server (high CPU load or a crash) or, possibly, execute arbitrary code with the permissions of the user running Samba (root). This flaw could also be used to downgrade a secure DCE/RPC connection by a man-in-the-middle attacker taking control of an Active Directory (AD) object and compromising the security of a Samba Active Directory Domain Controller (DC). (CVE-2015-5370) Note: While Samba packages as shipped in Scientific Linux do not support running Samba as an AD DC, this flaw applies to all roles Samba implements. - A protocol flaw, publicly referred to as Badlock, was found in the Security Account Manager Remote Protocol (MS-SAMR) and the Local Security Authority (Domain Policy) Remote Protocol (MS-LSAD). Any authenticated DCE/RPC connection that a client initiates against a server could be used by a man-in-the-middle attacker to impersonate the authenticated user against the SAMR or LSA service on the server. As a result, the attacker would be able to get read/write access to the Security Account Manager database, and use this to reveal all passwords or any other potentially sensitive information in that database. (CVE-2016-2118) - It was discovered that Samba configured as a Domain Controller would establish a secure communication channel with a machine using a spoofed computer name. A remote attacker able to observe network traffic could use this flaw to obtain session-related information about the spoofed machine. (CVE-2016-2111) - It was found that Samba's LDAP implementation did not enforce integrity protection for LDAP connections. A man-in-the-middle attacker could use this flaw to downgrade LDAP connections to use no integrity protection, allowing them to hijack such connections. (CVE-2016-2112) - It was found that Samba did not enable integrity protection for IPC traffic by default. A man-in-the-middle attacker could use this flaw to view and modify the data sent between a Samba server and a client. (CVE-2016-2115)
    last seen 2018-09-01
    modified 2016-10-19
    plugin id 90504
    published 2016-04-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90504
    title Scientific Linux Security Update : samba on SL6.x i386/x86_64 (Badlock)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2016-0624.NASL
    description An update for samba3x is now available for Red Hat Enterprise Linux 5.6 Long Life and Red Hat Enterprise Linux 5.9 Long Life. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Samba is an open source implementation of the Server Message Block (SMB) or Common Internet File System (CIFS) protocol, which allows PC-compatible machines to share files, printers, and other information. Security Fix(es) : * Multiple flaws were found in Samba's DCE/RPC protocol implementation. A remote, authenticated attacker could use these flaws to cause a denial of service against the Samba server (high CPU load or a crash) or, possibly, execute arbitrary code with the permissions of the user running Samba (root). This flaw could also be used to downgrade a secure DCE/RPC connection by a man-in-the-middle attacker taking control of an Active Directory (AD) object and compromising the security of a Samba Active Directory Domain Controller (DC). (CVE-2015-5370) Note: While Samba packages as shipped in Red Hat Enterprise Linux do not support running Samba as an AD DC, this flaw applies to all roles Samba implements. * A protocol flaw, publicly referred to as Badlock, was found in the Security Account Manager Remote Protocol (MS-SAMR) and the Local Security Authority (Domain Policy) Remote Protocol (MS-LSAD). Any authenticated DCE/RPC connection that a client initiates against a server could be used by a man-in-the-middle attacker to impersonate the authenticated user against the SAMR or LSA service on the server. As a result, the attacker would be able to get read/write access to the Security Account Manager database, and use this to reveal all passwords or any other potentially sensitive information in that database. (CVE-2016-2118) * Several flaws were found in Samba's implementation of NTLMSSP authentication. An unauthenticated, man-in-the-middle attacker could use this flaw to clear the encryption and integrity flags of a connection, causing data to be transmitted in plain text. The attacker could also force the client or server into sending data in plain text even if encryption was explicitly requested for that connection. (CVE-2016-2110) * It was discovered that Samba configured as a Domain Controller would establish a secure communication channel with a machine using a spoofed computer name. A remote attacker able to observe network traffic could use this flaw to obtain session-related information about the spoofed machine. (CVE-2016-2111) * It was found that Samba's LDAP implementation did not enforce integrity protection for LDAP connections. A man-in-the-middle attacker could use this flaw to downgrade LDAP connections to use no integrity protection, allowing them to hijack such connections. (CVE-2016-2112) * It was found that Samba did not enable integrity protection for IPC traffic by default. A man-in-the-middle attacker could use this flaw to view and modify the data sent between a Samba server and a client. (CVE-2016-2115) Red Hat would like to thank the Samba project for reporting these issues. Upstream acknowledges Jouni Knuutinen (Synopsis) as the original reporter of CVE-2015-5370; and Stefan Metzmacher (SerNet) as the original reporter of CVE-2016-2118, CVE-2016-2110, CVE-2016-2112, and CVE-2016-2115.
    last seen 2018-11-13
    modified 2018-11-10
    plugin id 90500
    published 2016-04-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90500
    title RHEL 5 : samba3x (RHSA-2016:0624) (Badlock)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2016-0619.NASL
    description An update for samba is now available for Red Hat Enterprise Linux 6.2 Advanced Update Support, Red Hat Enterprise Linux 6.4 Advanced Update Support, Red Hat Enterprise Linux 6.5 Advanced Update Support, and Red Hat Enterprise Linux 6.6 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Samba is an open source implementation of the Server Message Block (SMB) protocol and the related Common Internet File System (CIFS) protocol, which allow PC-compatible machines to share files, printers, and various information. Security Fix(es) : * Multiple flaws were found in Samba's DCE/RPC protocol implementation. A remote, authenticated attacker could use these flaws to cause a denial of service against the Samba server (high CPU load or a crash) or, possibly, execute arbitrary code with the permissions of the user running Samba (root). This flaw could also be used to downgrade a secure DCE/RPC connection by a man-in-the-middle attacker taking control of an Active Directory (AD) object and compromising the security of a Samba Active Directory Domain Controller (DC). (CVE-2015-5370) Note: While Samba packages as shipped in Red Hat Enterprise Linux do not support running Samba as an AD DC, this flaw applies to all roles Samba implements. * A protocol flaw, publicly referred to as Badlock, was found in the Security Account Manager Remote Protocol (MS-SAMR) and the Local Security Authority (Domain Policy) Remote Protocol (MS-LSAD). Any authenticated DCE/RPC connection that a client initiates against a server could be used by a man-in-the-middle attacker to impersonate the authenticated user against the SAMR or LSA service on the server. As a result, the attacker would be able to get read/write access to the Security Account Manager database, and use this to reveal all passwords or any other potentially sensitive information in that database. (CVE-2016-2118) * Several flaws were found in Samba's implementation of NTLMSSP authentication. An unauthenticated, man-in-the-middle attacker could use this flaw to clear the encryption and integrity flags of a connection, causing data to be transmitted in plain text. The attacker could also force the client or server into sending data in plain text even if encryption was explicitly requested for that connection. (CVE-2016-2110) * It was discovered that Samba configured as a Domain Controller would establish a secure communication channel with a machine using a spoofed computer name. A remote attacker able to observe network traffic could use this flaw to obtain session-related information about the spoofed machine. (CVE-2016-2111) * It was found that Samba's LDAP implementation did not enforce integrity protection for LDAP connections. A man-in-the-middle attacker could use this flaw to downgrade LDAP connections to use no integrity protection, allowing them to hijack such connections. (CVE-2016-2112) * It was found that Samba did not enable integrity protection for IPC traffic by default. A man-in-the-middle attacker could use this flaw to view and modify the data sent between a Samba server and a client. (CVE-2016-2115) Red Hat would like to thank the Samba project for reporting these issues. Upstream acknowledges Jouni Knuutinen (Synopsis) as the original reporter of CVE-2015-5370; and Stefan Metzmacher (SerNet) as the original reporter of CVE-2016-2118, CVE-2016-2110, CVE-2016-2112, and CVE-2016-2115.
    last seen 2018-11-13
    modified 2018-11-10
    plugin id 90496
    published 2016-04-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90496
    title RHEL 6 : samba (RHSA-2016:0619) (Badlock)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_A636FC2600D911E6B704000C292E4FD8.NASL
    description Samba team reports : [CVE-2015-5370] Errors in Samba DCE-RPC code can lead to denial of service (crashes and high cpu consumption) and man in the middle attacks. [CVE-2016-2110] The feature negotiation of NTLMSSP is not downgrade protected. A man in the middle is able to clear even required flags, especially NTLMSSP_NEGOTIATE_SIGN and NTLMSSP_NEGOTIATE_SEAL. [CVE-2016-2111] When Samba is configured as Domain Controller it allows remote attackers to spoof the computer name of a secure channel's endpoints, and obtain sensitive session information, by running a crafted application and leveraging the ability to sniff network traffic. [CVE-2016-2112] A man in the middle is able to downgrade LDAP connections to no integrity protection. [CVE-2016-2113] Man in the middle attacks are possible for client triggered LDAP connections (with ldaps://) and ncacn_http connections (with https://). [CVE-2016-2114] Due to a bug Samba doesn't enforce required smb signing, even if explicitly configured. [CVE-2016-2115] The protection of DCERPC communication over ncacn_np (which is the default for most the file server related protocols) is inherited from the underlying SMB connection. [CVE-2016-2118] a.k.a. BADLOCK. A man in the middle can intercept any DCERPC traffic between a client and a server in order to impersonate the client and get the same privileges as the authenticated user account. This is most problematic against active directory domain controllers.
    last seen 2018-11-13
    modified 2018-11-10
    plugin id 90474
    published 2016-04-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90474
    title FreeBSD : samba -- multiple vulnerabilities (a636fc26-00d9-11e6-b704-000c292e4fd8) (Badlock)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2016-1023-1.NASL
    description samba was updated to fix seven security issues. These security issues were fixed : - CVE-2015-5370: DCERPC server and client were vulnerable to DOS and MITM attacks (bsc#936862). - CVE-2016-2110: A man-in-the-middle could have downgraded NTLMSSP authentication (bsc#973031). - CVE-2016-2111: Domain controller netlogon member computer could have been spoofed (bsc#973032). - CVE-2016-2112: LDAP conenctions were vulnerable to downgrade and MITM attack (bsc#973033). - CVE-2016-2113: TLS certificate validation were missing (bsc#973034). - CVE-2016-2115: Named pipe IPC were vulnerable to MITM attacks (bsc#973036). - CVE-2016-2118: 'Badlock' DCERPC impersonation of authenticated account were possible (bsc#971965). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-11-30
    modified 2018-11-29
    plugin id 90533
    published 2016-04-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90533
    title SUSE SLES11 Security Update : samba (SUSE-SU-2016:1023-1) (Badlock)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2016-0612.NASL
    description From Red Hat Security Advisory 2016:0612 : An update for samba4 and samba is now available for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7, respectively. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Samba is an open source implementation of the Server Message Block (SMB) protocol and the related Common Internet File System (CIFS) protocol, which allow PC-compatible machines to share files, printers, and various information. The following packages have been upgraded to a newer upstream version: Samba (4.2.10). Refer to the Release Notes listed in the References section for a complete list of changes. Security Fix(es) : * Multiple flaws were found in Samba's DCE/RPC protocol implementation. A remote, authenticated attacker could use these flaws to cause a denial of service against the Samba server (high CPU load or a crash) or, possibly, execute arbitrary code with the permissions of the user running Samba (root). This flaw could also be used to downgrade a secure DCE/RPC connection by a man-in-the-middle attacker taking control of an Active Directory (AD) object and compromising the security of a Samba Active Directory Domain Controller (DC). (CVE-2015-5370) Note: While Samba packages as shipped in Red Hat Enterprise Linux do not support running Samba as an AD DC, this flaw applies to all roles Samba implements. * A protocol flaw, publicly referred to as Badlock, was found in the Security Account Manager Remote Protocol (MS-SAMR) and the Local Security Authority (Domain Policy) Remote Protocol (MS-LSAD). Any authenticated DCE/RPC connection that a client initiates against a server could be used by a man-in-the-middle attacker to impersonate the authenticated user against the SAMR or LSA service on the server. As a result, the attacker would be able to get read/write access to the Security Account Manager database, and use this to reveal all passwords or any other potentially sensitive information in that database. (CVE-2016-2118) * Several flaws were found in Samba's implementation of NTLMSSP authentication. An unauthenticated, man-in-the-middle attacker could use this flaw to clear the encryption and integrity flags of a connection, causing data to be transmitted in plain text. The attacker could also force the client or server into sending data in plain text even if encryption was explicitly requested for that connection. (CVE-2016-2110) * It was discovered that Samba configured as a Domain Controller would establish a secure communication channel with a machine using a spoofed computer name. A remote attacker able to observe network traffic could use this flaw to obtain session-related information about the spoofed machine. (CVE-2016-2111) * It was found that Samba's LDAP implementation did not enforce integrity protection for LDAP connections. A man-in-the-middle attacker could use this flaw to downgrade LDAP connections to use no integrity protection, allowing them to hijack such connections. (CVE-2016-2112) * It was found that Samba did not validate SSL/TLS certificates in certain connections. A man-in-the-middle attacker could use this flaw to spoof a Samba server using a specially crafted SSL/TLS certificate. (CVE-2016-2113) * It was discovered that Samba did not enforce Server Message Block (SMB) signing for clients using the SMB1 protocol. A man-in-the-middle attacker could use this flaw to modify traffic between a client and a server. (CVE-2016-2114) * It was found that Samba did not enable integrity protection for IPC traffic by default. A man-in-the-middle attacker could use this flaw to view and modify the data sent between a Samba server and a client. (CVE-2016-2115) Red Hat would like to thank the Samba project for reporting these issues. Upstream acknowledges Jouni Knuutinen (Synopsis) as the original reporter of CVE-2015-5370; and Stefan Metzmacher (SerNet) as the original reporter of CVE-2016-2118, CVE-2016-2110, CVE-2016-2112, CVE-2016-2113, CVE-2016-2114, and CVE-2016-2115.
    last seen 2018-09-01
    modified 2018-07-24
    plugin id 90487
    published 2016-04-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90487
    title Oracle Linux 6 / 7 : samba / samba4 (ELSA-2016-0612) (Badlock)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-2950-5.NASL
    description USN-2950-1 fixed vulnerabilities in Samba. USN-2950-3 updated Samba to version 4.3.9, which introduced a regression when using the ntlm_auth tool. This update fixes the problem. Jouni Knuutinen discovered that Samba contained multiple flaws in the DCE/RPC implementation. A remote attacker could use this issue to perform a denial of service, downgrade secure connections by performing a man in the middle attack, or possibly execute arbitrary code. (CVE-2015-5370) Stefan Metzmacher discovered that Samba contained multiple flaws in the NTLMSSP authentication implementation. A remote attacker could use this issue to downgrade connections to plain text by performing a man in the middle attack. (CVE-2016-2110) Alberto Solino discovered that a Samba domain controller would establish a secure connection to a server with a spoofed computer name. A remote attacker could use this issue to obtain sensitive information. (CVE-2016-2111) Stefan Metzmacher discovered that the Samba LDAP implementation did not enforce integrity protection. A remote attacker could use this issue to hijack LDAP connections by performing a man in the middle attack. (CVE-2016-2112) Stefan Metzmacher discovered that Samba did not validate TLS certificates. A remote attacker could use this issue to spoof a Samba server. (CVE-2016-2113) Stefan Metzmacher discovered that Samba did not enforce SMB signing even if configured to. A remote attacker could use this issue to perform a man in the middle attack. (CVE-2016-2114) Stefan Metzmacher discovered that Samba did not enable integrity protection for IPC traffic. A remote attacker could use this issue to perform a man in the middle attack. (CVE-2016-2115) Stefan Metzmacher discovered that Samba incorrectly handled the MS-SAMR and MS-LSAD protocols. A remote attacker could use this flaw with a man in the middle attack to impersonate users and obtain sensitive information from the Security Account Manager database. This flaw is known as Badlock. (CVE-2016-2118) Samba has been updated to 4.3.8 in Ubuntu 14.04 LTS and Ubuntu 15.10. Ubuntu 12.04 LTS has been updated to 3.6.25 with backported security fixes. In addition to security fixes, the updated packages contain bug fixes, new features, and possibly incompatible changes. Configuration changes may be required in certain environments. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-12-02
    modified 2018-12-01
    plugin id 91333
    published 2016-05-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91333
    title Ubuntu 14.04 LTS / 15.10 / 16.04 LTS : samba regression (USN-2950-5) (Badlock)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2016-0613.NASL
    description An update for samba3x is now available for Red Hat Enterprise Linux 5. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Samba is an open source implementation of the Server Message Block (SMB) or Common Internet File System (CIFS) protocol, which allows PC-compatible machines to share files, printers, and other information. Security Fix(es) : * Multiple flaws were found in Samba's DCE/RPC protocol implementation. A remote, authenticated attacker could use these flaws to cause a denial of service against the Samba server (high CPU load or a crash) or, possibly, execute arbitrary code with the permissions of the user running Samba (root). This flaw could also be used to downgrade a secure DCE/RPC connection by a man-in-the-middle attacker taking control of an Active Directory (AD) object and compromising the security of a Samba Active Directory Domain Controller (DC). (CVE-2015-5370) Note: While Samba packages as shipped in Red Hat Enterprise Linux do not support running Samba as an AD DC, this flaw applies to all roles Samba implements. * A protocol flaw, publicly referred to as Badlock, was found in the Security Account Manager Remote Protocol (MS-SAMR) and the Local Security Authority (Domain Policy) Remote Protocol (MS-LSAD). Any authenticated DCE/RPC connection that a client initiates against a server could be used by a man-in-the-middle attacker to impersonate the authenticated user against the SAMR or LSA service on the server. As a result, the attacker would be able to get read/write access to the Security Account Manager database, and use this to reveal all passwords or any other potentially sensitive information in that database. (CVE-2016-2118) * Several flaws were found in Samba's implementation of NTLMSSP authentication. An unauthenticated, man-in-the-middle attacker could use this flaw to clear the encryption and integrity flags of a connection, causing data to be transmitted in plain text. The attacker could also force the client or server into sending data in plain text even if encryption was explicitly requested for that connection. (CVE-2016-2110) * It was discovered that Samba configured as a Domain Controller would establish a secure communication channel with a machine using a spoofed computer name. A remote attacker able to observe network traffic could use this flaw to obtain session-related information about the spoofed machine. (CVE-2016-2111) * It was found that Samba's LDAP implementation did not enforce integrity protection for LDAP connections. A man-in-the-middle attacker could use this flaw to downgrade LDAP connections to use no integrity protection, allowing them to hijack such connections. (CVE-2016-2112) * It was found that Samba did not enable integrity protection for IPC traffic by default. A man-in-the-middle attacker could use this flaw to view and modify the data sent between a Samba server and a client. (CVE-2016-2115) Red Hat would like to thank the Samba project for reporting these issues. Upstream acknowledges Jouni Knuutinen (Synopsis) as the original reporter of CVE-2015-5370; and Stefan Metzmacher (SerNet) as the original reporter of CVE-2016-2118, CVE-2016-2110, CVE-2016-2112, and CVE-2016-2115.
    last seen 2018-11-11
    modified 2018-11-10
    plugin id 90451
    published 2016-04-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90451
    title CentOS 5 : samba3x (CESA-2016:0613) (Badlock)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2016-0612.NASL
    description An update for samba4 and samba is now available for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7, respectively. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Samba is an open source implementation of the Server Message Block (SMB) protocol and the related Common Internet File System (CIFS) protocol, which allow PC-compatible machines to share files, printers, and various information. The following packages have been upgraded to a newer upstream version: Samba (4.2.10). Refer to the Release Notes listed in the References section for a complete list of changes. Security Fix(es) : * Multiple flaws were found in Samba's DCE/RPC protocol implementation. A remote, authenticated attacker could use these flaws to cause a denial of service against the Samba server (high CPU load or a crash) or, possibly, execute arbitrary code with the permissions of the user running Samba (root). This flaw could also be used to downgrade a secure DCE/RPC connection by a man-in-the-middle attacker taking control of an Active Directory (AD) object and compromising the security of a Samba Active Directory Domain Controller (DC). (CVE-2015-5370) Note: While Samba packages as shipped in Red Hat Enterprise Linux do not support running Samba as an AD DC, this flaw applies to all roles Samba implements. * A protocol flaw, publicly referred to as Badlock, was found in the Security Account Manager Remote Protocol (MS-SAMR) and the Local Security Authority (Domain Policy) Remote Protocol (MS-LSAD). Any authenticated DCE/RPC connection that a client initiates against a server could be used by a man-in-the-middle attacker to impersonate the authenticated user against the SAMR or LSA service on the server. As a result, the attacker would be able to get read/write access to the Security Account Manager database, and use this to reveal all passwords or any other potentially sensitive information in that database. (CVE-2016-2118) * Several flaws were found in Samba's implementation of NTLMSSP authentication. An unauthenticated, man-in-the-middle attacker could use this flaw to clear the encryption and integrity flags of a connection, causing data to be transmitted in plain text. The attacker could also force the client or server into sending data in plain text even if encryption was explicitly requested for that connection. (CVE-2016-2110) * It was discovered that Samba configured as a Domain Controller would establish a secure communication channel with a machine using a spoofed computer name. A remote attacker able to observe network traffic could use this flaw to obtain session-related information about the spoofed machine. (CVE-2016-2111) * It was found that Samba's LDAP implementation did not enforce integrity protection for LDAP connections. A man-in-the-middle attacker could use this flaw to downgrade LDAP connections to use no integrity protection, allowing them to hijack such connections. (CVE-2016-2112) * It was found that Samba did not validate SSL/TLS certificates in certain connections. A man-in-the-middle attacker could use this flaw to spoof a Samba server using a specially crafted SSL/TLS certificate. (CVE-2016-2113) * It was discovered that Samba did not enforce Server Message Block (SMB) signing for clients using the SMB1 protocol. A man-in-the-middle attacker could use this flaw to modify traffic between a client and a server. (CVE-2016-2114) * It was found that Samba did not enable integrity protection for IPC traffic by default. A man-in-the-middle attacker could use this flaw to view and modify the data sent between a Samba server and a client. (CVE-2016-2115) Red Hat would like to thank the Samba project for reporting these issues. Upstream acknowledges Jouni Knuutinen (Synopsis) as the original reporter of CVE-2015-5370; and Stefan Metzmacher (SerNet) as the original reporter of CVE-2016-2118, CVE-2016-2110, CVE-2016-2112, CVE-2016-2113, CVE-2016-2114, and CVE-2016-2115.
    last seen 2018-11-13
    modified 2018-11-10
    plugin id 90492
    published 2016-04-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90492
    title RHEL 6 / 7 : samba and samba4 (RHSA-2016:0612) (Badlock)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2016-0621.NASL
    description An update for samba is now available for Red Hat Enterprise Linux 5. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. [Updated 14 April 2016] This advisory previously incorrectly listed the CVE-2016-2112 issue as addressed by this update. However, this issue did not affect the samba packages on Red Hat Enterprise Linux 5. The CVE-2016-2115 was also incorrectly listed as addressed by this update. This issue does affect the samba packages on Red Hat Enterprise Linux 5. Customers are advised to use the 'client signing = required' configuration option in the smb.conf file to mitigate CVE-2016-2115. No changes have been made to the packages. Samba is an open source implementation of the Server Message Block (SMB) protocol and the related Common Internet File System (CIFS) protocol, which allow PC-compatible machines to share files, printers, and various information. Security Fix(es) : * A protocol flaw, publicly referred to as Badlock, was found in the Security Account Manager Remote Protocol (MS-SAMR) and the Local Security Authority (Domain Policy) Remote Protocol (MS-LSAD). Any authenticated DCE/RPC connection that a client initiates against a server could be used by a man-in-the-middle attacker to impersonate the authenticated user against the SAMR or LSA service on the server. As a result, the attacker would be able to get read/write access to the Security Account Manager database, and use this to reveal all passwords or any other potentially sensitive information in that database. (CVE-2016-2118) * Several flaws were found in Samba's implementation of NTLMSSP authentication. An unauthenticated, man-in-the-middle attacker could use this flaw to clear the encryption and integrity flags of a connection, causing data to be transmitted in plain text. The attacker could also force the client or server into sending data in plain text even if encryption was explicitly requested for that connection. (CVE-2016-2110) * It was discovered that Samba configured as a Domain Controller would establish a secure communication channel with a machine using a spoofed computer name. A remote attacker able to observe network traffic could use this flaw to obtain session-related information about the spoofed machine. (CVE-2016-2111) Red Hat would like to thank the Samba project for reporting these issues. Upstream acknowledges Stefan Metzmacher (SerNet) as the original reporter of CVE-2016-2118 and CVE-2016-2110.
    last seen 2018-11-11
    modified 2018-11-10
    plugin id 90452
    published 2016-04-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90452
    title CentOS 5 : samba (CESA-2016:0621) (Badlock)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2016-0611.NASL
    description An update for samba is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. [Updated 13 April 2016] This advisory previously did not list the CVE-2016-2110 issue as addressed by this update. However, this issue did affect samba on Red Hat Enterprise Linux 6, and is addressed by this update. No changes have been made to the packages. Samba is an open source implementation of the Server Message Block (SMB) protocol and the related Common Internet File System (CIFS) protocol, which allow PC-compatible machines to share files, printers, and various information. Security Fix(es) : * Multiple flaws were found in Samba's DCE/RPC protocol implementation. A remote, authenticated attacker could use these flaws to cause a denial of service against the Samba server (high CPU load or a crash) or, possibly, execute arbitrary code with the permissions of the user running Samba (root). This flaw could also be used to downgrade a secure DCE/RPC connection by a man-in-the-middle attacker taking control of an Active Directory (AD) object and compromising the security of a Samba Active Directory Domain Controller (DC). (CVE-2015-5370) Note: While Samba packages as shipped in Red Hat Enterprise Linux do not support running Samba as an AD DC, this flaw applies to all roles Samba implements. * A protocol flaw, publicly referred to as Badlock, was found in the Security Account Manager Remote Protocol (MS-SAMR) and the Local Security Authority (Domain Policy) Remote Protocol (MS-LSAD). Any authenticated DCE/RPC connection that a client initiates against a server could be used by a man-in-the-middle attacker to impersonate the authenticated user against the SAMR or LSA service on the server. As a result, the attacker would be able to get read/write access to the Security Account Manager database, and use this to reveal all passwords or any other potentially sensitive information in that database. (CVE-2016-2118) * Several flaws were found in Samba's implementation of NTLMSSP authentication. An unauthenticated, man-in-the-middle attacker could use this flaw to clear the encryption and integrity flags of a connection, causing data to be transmitted in plain text. The attacker could also force the client or server into sending data in plain text even if encryption was explicitly requested for that connection. (CVE-2016-2110) * It was discovered that Samba configured as a Domain Controller would establish a secure communication channel with a machine using a spoofed computer name. A remote attacker able to observe network traffic could use this flaw to obtain session-related information about the spoofed machine. (CVE-2016-2111) * It was found that Samba's LDAP implementation did not enforce integrity protection for LDAP connections. A man-in-the-middle attacker could use this flaw to downgrade LDAP connections to use no integrity protection, allowing them to hijack such connections. (CVE-2016-2112) * It was found that Samba did not enable integrity protection for IPC traffic by default. A man-in-the-middle attacker could use this flaw to view and modify the data sent between a Samba server and a client. (CVE-2016-2115) Red Hat would like to thank the Samba project for reporting these issues. Upstream acknowledges Jouni Knuutinen (Synopsis) as the original reporter of CVE-2015-5370; and Stefan Metzmacher (SerNet) as the original reporter of CVE-2016-2118, CVE-2016-2110, CVE-2016-2112, and CVE-2016-2115.
    last seen 2018-11-13
    modified 2018-11-10
    plugin id 90491
    published 2016-04-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90491
    title RHEL 6 : samba (RHSA-2016:0611) (Badlock)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-2950-2.NASL
    description USN-2950-1 fixed vulnerabilities in Samba. The updated Samba packages introduced a compatibility issue with NTLM authentication in libsoup. This update fixes the problem. We apologize for the inconvenience. Jouni Knuutinen discovered that Samba contained multiple flaws in the DCE/RPC implementation. A remote attacker could use this issue to perform a denial of service, downgrade secure connections by performing a man in the middle attack, or possibly execute arbitrary code. (CVE-2015-5370) Stefan Metzmacher discovered that Samba contained multiple flaws in the NTLMSSP authentication implementation. A remote attacker could use this issue to downgrade connections to plain text by performing a man in the middle attack. (CVE-2016-2110) Alberto Solino discovered that a Samba domain controller would establish a secure connection to a server with a spoofed computer name. A remote attacker could use this issue to obtain sensitive information. (CVE-2016-2111) Stefan Metzmacher discovered that the Samba LDAP implementation did not enforce integrity protection. A remote attacker could use this issue to hijack LDAP connections by performing a man in the middle attack. (CVE-2016-2112) Stefan Metzmacher discovered that Samba did not validate TLS certificates. A remote attacker could use this issue to spoof a Samba server. (CVE-2016-2113) Stefan Metzmacher discovered that Samba did not enforce SMB signing even if configured to. A remote attacker could use this issue to perform a man in the middle attack. (CVE-2016-2114) Stefan Metzmacher discovered that Samba did not enable integrity protection for IPC traffic. A remote attacker could use this issue to perform a man in the middle attack. (CVE-2016-2115) Stefan Metzmacher discovered that Samba incorrectly handled the MS-SAMR and MS-LSAD protocols. A remote attacker could use this flaw with a man in the middle attack to impersonate users and obtain sensitive information from the Security Account Manager database. This flaw is known as Badlock. (CVE-2016-2118) Samba has been updated to 4.3.8 in Ubuntu 14.04 LTS and Ubuntu 15.10. Ubuntu 12.04 LTS has been updated to 3.6.25 with backported security fixes. In addition to security fixes, the updated packages contain bug fixes, new features, and possibly incompatible changes. Configuration changes may be required in certain environments. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-12-02
    modified 2018-12-01
    plugin id 90824
    published 2016-05-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90824
    title Ubuntu 14.04 LTS / 15.10 / 16.04 LTS : libsoup2.4 update (USN-2950-2) (Badlock)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2016-0618.NASL
    description An update for samba is now available for Red Hat Enterprise Linux 7.1 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Samba is an open source implementation of the Server Message Block (SMB) protocol and the related Common Internet File System (CIFS) protocol, which allow PC-compatible machines to share files, printers, and various information. The following packages have been upgraded to a newer upstream version: Samba (4.2.10). Refer to the Release Notes listed in the References section for a complete list of changes. Security Fix(es) : * Multiple flaws were found in Samba's DCE/RPC protocol implementation. A remote, authenticated attacker could use these flaws to cause a denial of service against the Samba server (high CPU load or a crash) or, possibly, execute arbitrary code with the permissions of the user running Samba (root). This flaw could also be used to downgrade a secure DCE/RPC connection by a man-in-the-middle attacker taking control of an Active Directory (AD) object and compromising the security of a Samba Active Directory Domain Controller (DC). (CVE-2015-5370) Note: While Samba packages as shipped in Red Hat Enterprise Linux do not support running Samba as an AD DC, this flaw applies to all roles Samba implements. * A protocol flaw, publicly referred to as Badlock, was found in the Security Account Manager Remote Protocol (MS-SAMR) and the Local Security Authority (Domain Policy) Remote Protocol (MS-LSAD). Any authenticated DCE/RPC connection that a client initiates against a server could be used by a man-in-the-middle attacker to impersonate the authenticated user against the SAMR or LSA service on the server. As a result, the attacker would be able to get read/write access to the Security Account Manager database, and use this to reveal all passwords or any other potentially sensitive information in that database. (CVE-2016-2118) * Several flaws were found in Samba's implementation of NTLMSSP authentication. An unauthenticated, man-in-the-middle attacker could use this flaw to clear the encryption and integrity flags of a connection, causing data to be transmitted in plain text. The attacker could also force the client or server into sending data in plain text even if encryption was explicitly requested for that connection. (CVE-2016-2110) * It was discovered that Samba configured as a Domain Controller would establish a secure communication channel with a machine using a spoofed computer name. A remote attacker able to observe network traffic could use this flaw to obtain session-related information about the spoofed machine. (CVE-2016-2111) * It was found that Samba's LDAP implementation did not enforce integrity protection for LDAP connections. A man-in-the-middle attacker could use this flaw to downgrade LDAP connections to use no integrity protection, allowing them to hijack such connections. (CVE-2016-2112) * It was found that Samba did not validate SSL/TLS certificates in certain connections. A man-in-the-middle attacker could use this flaw to spoof a Samba server using a specially crafted SSL/TLS certificate. (CVE-2016-2113) * It was discovered that Samba did not enforce Server Message Block (SMB) signing for clients using the SMB1 protocol. A man-in-the-middle attacker could use this flaw to modify traffic between a client and a server. (CVE-2016-2114) * It was found that Samba did not enable integrity protection for IPC traffic by default. A man-in-the-middle attacker could use this flaw to view and modify the data sent between a Samba server and a client. (CVE-2016-2115) Red Hat would like to thank the Samba project for reporting these issues. Upstream acknowledges Jouni Knuutinen (Synopsis) as the original reporter of CVE-2015-5370; and Stefan Metzmacher (SerNet) as the original reporter of CVE-2016-2118, CVE-2016-2110, CVE-2016-2112, CVE-2016-2113, CVE-2016-2114, and CVE-2016-2115.
    last seen 2018-11-13
    modified 2018-11-10
    plugin id 90495
    published 2016-04-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90495
    title RHEL 7 : samba (RHSA-2016:0618) (Badlock)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2016-0621.NASL
    description An update for samba is now available for Red Hat Enterprise Linux 5. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. [Updated 14 April 2016] This advisory previously incorrectly listed the CVE-2016-2112 issue as addressed by this update. However, this issue did not affect the samba packages on Red Hat Enterprise Linux 5. The CVE-2016-2115 was also incorrectly listed as addressed by this update. This issue does affect the samba packages on Red Hat Enterprise Linux 5. Customers are advised to use the 'client signing = required' configuration option in the smb.conf file to mitigate CVE-2016-2115. No changes have been made to the packages. Samba is an open source implementation of the Server Message Block (SMB) protocol and the related Common Internet File System (CIFS) protocol, which allow PC-compatible machines to share files, printers, and various information. Security Fix(es) : * A protocol flaw, publicly referred to as Badlock, was found in the Security Account Manager Remote Protocol (MS-SAMR) and the Local Security Authority (Domain Policy) Remote Protocol (MS-LSAD). Any authenticated DCE/RPC connection that a client initiates against a server could be used by a man-in-the-middle attacker to impersonate the authenticated user against the SAMR or LSA service on the server. As a result, the attacker would be able to get read/write access to the Security Account Manager database, and use this to reveal all passwords or any other potentially sensitive information in that database. (CVE-2016-2118) * Several flaws were found in Samba's implementation of NTLMSSP authentication. An unauthenticated, man-in-the-middle attacker could use this flaw to clear the encryption and integrity flags of a connection, causing data to be transmitted in plain text. The attacker could also force the client or server into sending data in plain text even if encryption was explicitly requested for that connection. (CVE-2016-2110) * It was discovered that Samba configured as a Domain Controller would establish a secure communication channel with a machine using a spoofed computer name. A remote attacker able to observe network traffic could use this flaw to obtain session-related information about the spoofed machine. (CVE-2016-2111) Red Hat would like to thank the Samba project for reporting these issues. Upstream acknowledges Stefan Metzmacher (SerNet) as the original reporter of CVE-2016-2118 and CVE-2016-2110.
    last seen 2018-11-13
    modified 2018-11-10
    plugin id 90498
    published 2016-04-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90498
    title RHEL 5 : samba (RHSA-2016:0621) (Badlock)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2016-1105-1.NASL
    description Samba was updated to fix three security issues. These security issues were fixed : CVE-2016-2110: A man-in-the-middle could have downgraded NTLMSSP authentication (bso#11688, bsc#973031). CVE-2016-2111: Domain controller netlogon member computer could have been spoofed (bso#11749, bsc#973032). CVE-2015-5252: Insufficient symlink verification (allowed file access outside the share) (bso#11395, bnc#958582). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-11-30
    modified 2018-11-29
    plugin id 90623
    published 2016-04-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90623
    title SUSE SLES10 Security Update : samba (SUSE-SU-2016:1105-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2016-1022-1.NASL
    description Samba was updated to the 4.2.x codestream, bringing some new features and security fixes (bsc#973832, FATE#320709). These security issues were fixed : - CVE-2015-5370: DCERPC server and client were vulnerable to DOS and MITM attacks (bsc#936862). - CVE-2016-2110: A man-in-the-middle could have downgraded NTLMSSP authentication (bsc#973031). - CVE-2016-2111: Domain controller netlogon member computer could have been spoofed (bsc#973032). - CVE-2016-2112: LDAP conenctions were vulnerable to downgrade and MITM attack (bsc#973033). - CVE-2016-2113: TLS certificate validation were missing (bsc#973034). - CVE-2016-2115: Named pipe IPC were vulnerable to MITM attacks (bsc#973036). - CVE-2016-2118: 'Badlock' DCERPC impersonation of authenticated account were possible (bsc#971965). Also the following fixes were done : - Upgrade on-disk FSRVP server state to new version; (bsc#924519). - Fix samba.tests.messaging test and prevent potential tdb corruption by removing obsolete now invalid tdb_close call; (bsc#974629). - Align fsrvp feature sources with upstream version. - Obsolete libsmbsharemodes0 from samba-libs and libsmbsharemodes-devel from samba-core-devel; (bsc#973832). - s3:utils/smbget: Fix recursive download; (bso#6482). - s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystem with no ACL support; (bso#10489). - docs: Add example for domain logins to smbspool man page; (bso#11643). - s3-client: Add a KRB5 wrapper for smbspool; (bso#11690). - loadparm: Fix memory leak issue; (bso#11708). - lib/tsocket: Work around sockets not supporting FIONREAD; (bso#11714). - ctdb-scripts: Drop use of 'smbcontrol winbindd ip-dropped ...'; (bso#11719). - s3:smbd:open: Skip redundant call to file_set_dosmode when creating a new file; (bso#11727). - param: Fix str_list_v3 to accept ';' again; (bso#11732). - Real memeory leak(buildup) issue in loadparm; (bso#11740). - Obsolete libsmbclient from libsmbclient0 and libpdb-devel from libsamba-passdb-devel while not providing it; (bsc#972197). - Getting and setting Windows ACLs on symlinks can change permissions on link - Only obsolete but do not provide gplv2/3 package names; (bsc#968973). - Enable clustering (CTDB) support; (bsc#966271). - s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703); (bsc#964023). - vfs_fruit: Fix renaming directories with open files; (bso#11065). - Fix MacOS finder error 36 when copying folder to Samba; (bso#11347). - s3:smbd/oplock: Obey kernel oplock setting when releasing oplocks; (bso#11400). - Fix copying files with vfs_fruit when using vfs_streams_xattr without stream prefix and type suffix; (bso#11466). - s3:libsmb: Correctly initialize the list head when keeping a list of primary followed by DFS connections; (bso#11624). - Reduce the memory footprint of empty string options; (bso#11625). - lib/async_req: Do not install async_connect_send_test; (bso#11639). - docs: Fix typos in man vfs_gpfs; (bso#11641). - smbd: make 'hide dot files' option work with 'store dos attributes = yes'; (bso#11645). - smbcacls: Fix uninitialized variable; (bso#11682). - s3:smbd: Ignore initial allocation size for directory creation; (bso#11684). - Changing log level of two entries to from 1 to 3; (bso#9912). - vfs_gpfs: Re-enable share modes; (bso#11243). - wafsamba: Also build libraries with RELRO protection; (bso#11346). - ctdb: Strip trailing spaces from nodes file; (bso#11365). - s3-smbd: Fix old DOS client doing wildcard delete - gives a attribute type of zero; (bso#11452). - nss_wins: Do not run into use after free issues when we access memory allocated on the globals and the global being reinitialized; (bso#11563). - async_req: Fix non-blocking connect(); (bso#11564). - auth: gensec: Fix a memory leak; (bso#11565). - lib: util: Make non-critical message a warning; (bso#11566). - Fix winbindd crashes with samlogon for trusted domain user; (bso#11569); (bsc#949022). - smbd: Send SMB2 oplock breaks unencrypted; (bso#11570). - ctdb: Open the RO tracking db with perms 0600 instead of 0000; (bso#11577). - manpage: Correct small typo error; (bso#11584). - s3: smbd: If EA's are turned off on a share don't allow an SMB2 create containing them; (bso#11589). - Backport some valgrind fixes from upstream master; (bso#11597). - s3: smbd: have_file_open_below() fails to enumerate open files below an open directory handle; (bso#11615). - docs: Fix some typos in the idmap config section of man 5 smb.conf; (bso#11619). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-11-30
    modified 2018-11-29
    plugin id 90532
    published 2016-04-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90532
    title SUSE SLED12 / SLES12 Security Update : samba (SUSE-SU-2016:1022-1) (Badlock)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-2950-3.NASL
    description USN-2950-1 fixed vulnerabilities in Samba. The fixes introduced in Samba 4.3.8 caused certain regressions and interoperability issues. This update resolves some of these issues by updating to Samba 4.3.9 in Ubuntu 14.04 LTS, Ubuntu 15.10 and Ubuntu 16.04 LTS. Backported regression fixes were added to Samba 3.6.25 in Ubuntu 12.04 LTS. This advisory was inadvertently published as USN-2950-2 originally. Jouni Knuutinen discovered that Samba contained multiple flaws in the DCE/RPC implementation. A remote attacker could use this issue to perform a denial of service, downgrade secure connections by performing a man in the middle attack, or possibly execute arbitrary code. (CVE-2015-5370) Stefan Metzmacher discovered that Samba contained multiple flaws in the NTLMSSP authentication implementation. A remote attacker could use this issue to downgrade connections to plain text by performing a man in the middle attack. (CVE-2016-2110) Alberto Solino discovered that a Samba domain controller would establish a secure connection to a server with a spoofed computer name. A remote attacker could use this issue to obtain sensitive information. (CVE-2016-2111) Stefan Metzmacher discovered that the Samba LDAP implementation did not enforce integrity protection. A remote attacker could use this issue to hijack LDAP connections by performing a man in the middle attack. (CVE-2016-2112) Stefan Metzmacher discovered that Samba did not validate TLS certificates. A remote attacker could use this issue to spoof a Samba server. (CVE-2016-2113) Stefan Metzmacher discovered that Samba did not enforce SMB signing even if configured to. A remote attacker could use this issue to perform a man in the middle attack. (CVE-2016-2114) Stefan Metzmacher discovered that Samba did not enable integrity protection for IPC traffic. A remote attacker could use this issue to perform a man in the middle attack. (CVE-2016-2115) Stefan Metzmacher discovered that Samba incorrectly handled the MS-SAMR and MS-LSAD protocols. A remote attacker could use this flaw with a man in the middle attack to impersonate users and obtain sensitive information from the Security Account Manager database. This flaw is known as Badlock. (CVE-2016-2118) Samba has been updated to 4.3.8 in Ubuntu 14.04 LTS and Ubuntu 15.10. Ubuntu 12.04 LTS has been updated to 3.6.25 with backported security fixes. In addition to security fixes, the updated packages contain bug fixes, new features, and possibly incompatible changes. Configuration changes may be required in certain environments. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-12-02
    modified 2018-12-01
    plugin id 90915
    published 2016-05-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90915
    title Ubuntu 12.04 LTS / 14.04 LTS / 15.10 / 16.04 LTS : samba regressions (USN-2950-3) (Badlock)
  • NASL family Misc.
    NASL id SAMBA_4_3_7.NASL
    description The version of Samba running on the remote host is 3.x or 4.2.x prior to 4.2.10, 4.3.x prior to 4.3.7, or 4.4.x prior to 4.4.1. It is, therefore, affected by multiple vulnerabilities : - A flaw exists in the DCE-RPC client when handling specially crafted DCE-RPC packets. A man-in-the-middle (MitM) attacker can exploit this to downgrade the connection security, cause a denial of service through resource exhaustion, or potentially execute arbitrary code. (CVE-2015-5370) - A flaw exists in the implementation of NTLMSSP authentication. A MitM attacker can exploit this to clear the NTLMSSP_NEGOTIATE_SIGN and NTLMSSP_NEGOTIATE_SEAL settings, take over the connections, cause traffic to be sent unencrypted, or have other unspecified impact. (CVE-2016-2110) - A flaw exists in NETLOGON due to a failure to properly establish a secure channel connection. A MitM attacker can exploit this to spoof the computer names of a secure channel's endpoints, potentially gaining session information. (CVE-2016-2111) - A flaw exists in the integrity protection mechanisms that allows a MitM attacker to downgrade a secure LDAP connection to an insecure version. (CVE-2016-2112) - A flaw exists due to improper validation of TLS certificates for the LDAP and HTTP protocols. A MitM attacker can exploit this, via a crafted certificate, to spoof a server, resulting in the disclosure or manipulation of the transmitted traffic. (CVE-2016-2113) - A flaw exists due to a failure to enforce the 'server signing = mandatory' option in smb.conf for clients using the SMB1 protocol. A MitM attacker can exploit this to conduct spoofing attacks. (CVE-2016-2114) - A flaw exists due to a failure to perform integrity checking for SMB client connections. A MitM attacker can exploit this to conduct spoofing attacks since the protection mechanisms for DCERPC communication sessions are inherited from the underlying SMB connection. (CVE-2016-2115) - A flaw, known as Badlock, exists in the Security Account Manager (SAM) and Local Security Authority (Domain Policy) (LSAD) protocols due to improper authentication level negotiation over Remote Procedure Call (RPC) channels. A MitM attacker who is able to able to intercept the traffic between a client and a server hosting a SAM database can exploit this flaw to force a downgrade of the authentication level, which allows the execution of arbitrary Samba network calls in the context of the intercepted user, such as viewing or modifying sensitive security data in the Active Directory (AD) database or disabling critical services. (CVE-2016-2118)
    last seen 2018-11-17
    modified 2018-11-15
    plugin id 90508
    published 2016-04-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90508
    title Samba 3.x < 4.2.10 / 4.2.x < 4.2.10 / 4.3.x < 4.3.7 / 4.4.x < 4.4.1 Multiple Vulnerabilities (Badlock)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-2950-4.NASL
    description USN-2950-1 fixed vulnerabilities in Samba. The backported fixes introduced in Ubuntu 12.04 LTS caused interoperability issues. This update fixes compatibility with certain NAS devices, and allows connecting to Samba 3.6 servers by relaxing the 'client ipc signing' parameter to 'auto'. We apologize for the inconvenience. Jouni Knuutinen discovered that Samba contained multiple flaws in the DCE/RPC implementation. A remote attacker could use this issue to perform a denial of service, downgrade secure connections by performing a man in the middle attack, or possibly execute arbitrary code. (CVE-2015-5370) Stefan Metzmacher discovered that Samba contained multiple flaws in the NTLMSSP authentication implementation. A remote attacker could use this issue to downgrade connections to plain text by performing a man in the middle attack. (CVE-2016-2110) Alberto Solino discovered that a Samba domain controller would establish a secure connection to a server with a spoofed computer name. A remote attacker could use this issue to obtain sensitive information. (CVE-2016-2111) Stefan Metzmacher discovered that the Samba LDAP implementation did not enforce integrity protection. A remote attacker could use this issue to hijack LDAP connections by performing a man in the middle attack. (CVE-2016-2112) Stefan Metzmacher discovered that Samba did not validate TLS certificates. A remote attacker could use this issue to spoof a Samba server. (CVE-2016-2113) Stefan Metzmacher discovered that Samba did not enforce SMB signing even if configured to. A remote attacker could use this issue to perform a man in the middle attack. (CVE-2016-2114) Stefan Metzmacher discovered that Samba did not enable integrity protection for IPC traffic. A remote attacker could use this issue to perform a man in the middle attack. (CVE-2016-2115) Stefan Metzmacher discovered that Samba incorrectly handled the MS-SAMR and MS-LSAD protocols. A remote attacker could use this flaw with a man in the middle attack to impersonate users and obtain sensitive information from the Security Account Manager database. This flaw is known as Badlock. (CVE-2016-2118) Samba has been updated to 4.3.8 in Ubuntu 14.04 LTS and Ubuntu 15.10. Ubuntu 12.04 LTS has been updated to 3.6.25 with backported security fixes. In addition to security fixes, the updated packages contain bug fixes, new features, and possibly incompatible changes. Configuration changes may be required in certain environments. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-12-02
    modified 2018-12-01
    plugin id 91256
    published 2016-05-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91256
    title Ubuntu 12.04 LTS : samba regressions (USN-2950-4) (Badlock)
redhat via4
advisories
  • rhsa
    id RHSA-2016:0611
  • rhsa
    id RHSA-2016:0612
  • rhsa
    id RHSA-2016:0613
  • rhsa
    id RHSA-2016:0614
  • rhsa
    id RHSA-2016:0618
  • rhsa
    id RHSA-2016:0619
  • rhsa
    id RHSA-2016:0620
  • rhsa
    id RHSA-2016:0621
  • rhsa
    id RHSA-2016:0623
  • rhsa
    id RHSA-2016:0624
  • rhsa
    id RHSA-2016:0625
rpms
  • libsmbclient-0:3.6.23-30.el6_7
  • libsmbclient-devel-0:3.6.23-30.el6_7
  • samba-0:3.6.23-30.el6_7
  • samba-client-0:3.6.23-30.el6_7
  • samba-common-0:3.6.23-30.el6_7
  • samba-doc-0:3.6.23-30.el6_7
  • samba-domainjoin-gui-0:3.6.23-30.el6_7
  • samba-glusterfs-0:3.6.23-30.el6_7
  • samba-swat-0:3.6.23-30.el6_7
  • samba-winbind-0:3.6.23-30.el6_7
  • samba-winbind-clients-0:3.6.23-30.el6_7
  • samba-winbind-devel-0:3.6.23-30.el6_7
  • samba-winbind-krb5-locator-0:3.6.23-30.el6_7
  • libtdb-0:1.3.8-1.el6_7
  • libtdb-devel-0:1.3.8-1.el6_7
  • python-tdb-0:1.3.8-1.el6_7
  • tdb-tools-0:1.3.8-1.el6_7
  • libtalloc-0:2.1.5-1.el6_7
  • libtalloc-devel-0:2.1.5-1.el6_7
  • pytalloc-0:2.1.5-1.el6_7
  • pytalloc-devel-0:2.1.5-1.el6_7
  • ldb-tools-0:1.1.25-2.el6_7
  • libldb-0:1.1.25-2.el6_7
  • libldb-devel-0:1.1.25-2.el6_7
  • pyldb-0:1.1.25-2.el6_7
  • pyldb-devel-0:1.1.25-2.el6_7
  • libtevent-0:0.9.26-2.el6_7
  • libtevent-devel-0:0.9.26-2.el6_7
  • python-tevent-0:0.9.26-2.el6_7
  • ipa-admintools-0:3.0.0-47.el6_7.2
  • ipa-client-0:3.0.0-47.el6_7.2
  • ipa-python-0:3.0.0-47.el6_7.2
  • ipa-server-0:3.0.0-47.el6_7.2
  • ipa-server-selinux-0:3.0.0-47.el6_7.2
  • ipa-server-trust-ad-0:3.0.0-47.el6_7.2
  • openchange-0:1.0-7.el6_7
  • openchange-client-0:1.0-7.el6_7
  • openchange-devel-0:1.0-7.el6_7
  • openchange-devel-docs-0:1.0-7.el6_7
  • samba4-0:4.2.10-6.el6_7
  • samba4-client-0:4.2.10-6.el6_7
  • samba4-common-0:4.2.10-6.el6_7
  • samba4-dc-0:4.2.10-6.el6_7
  • samba4-dc-libs-0:4.2.10-6.el6_7
  • samba4-devel-0:4.2.10-6.el6_7
  • samba4-libs-0:4.2.10-6.el6_7
  • samba4-pidl-0:4.2.10-6.el6_7
  • samba4-python-0:4.2.10-6.el6_7
  • samba4-test-0:4.2.10-6.el6_7
  • samba4-winbind-0:4.2.10-6.el6_7
  • samba4-winbind-clients-0:4.2.10-6.el6_7
  • samba4-winbind-krb5-locator-0:4.2.10-6.el6_7
  • libtalloc-0:2.1.5-1.el7_2
  • libtalloc-devel-0:2.1.5-1.el7_2
  • pytalloc-0:2.1.5-1.el7_2
  • pytalloc-devel-0:2.1.5-1.el7_2
  • libtdb-0:1.3.8-1.el7_2
  • libtdb-devel-0:1.3.8-1.el7_2
  • python-tdb-0:1.3.8-1.el7_2
  • tdb-tools-0:1.3.8-1.el7_2
  • libtevent-0:0.9.26-1.el7_2
  • libtevent-devel-0:0.9.26-1.el7_2
  • python-tevent-0:0.9.26-1.el7_2
  • ldb-tools-0:1.1.25-1.el7_2
  • libldb-0:1.1.25-1.el7_2
  • libldb-devel-0:1.1.25-1.el7_2
  • pyldb-0:1.1.25-1.el7_2
  • pyldb-devel-0:1.1.25-1.el7_2
  • ipa-admintools-0:4.2.0-15.el7_2.6.1
  • ipa-client-0:4.2.0-15.el7_2.6.1
  • ipa-python-0:4.2.0-15.el7_2.6.1
  • ipa-server-0:4.2.0-15.el7_2.6.1
  • ipa-server-dns-0:4.2.0-15.el7_2.6.1
  • ipa-server-trust-ad-0:4.2.0-15.el7_2.6.1
  • openchange-0:2.0-10.el7_2
  • openchange-client-0:2.0-10.el7_2
  • openchange-devel-0:2.0-10.el7_2
  • openchange-devel-docs-0:2.0-10.el7_2
  • ctdb-0:4.2.10-6.el7_2
  • ctdb-devel-0:4.2.10-6.el7_2
  • ctdb-tests-0:4.2.10-6.el7_2
  • libsmbclient-0:4.2.10-6.el7_2
  • libsmbclient-devel-0:4.2.10-6.el7_2
  • libwbclient-0:4.2.10-6.el7_2
  • libwbclient-devel-0:4.2.10-6.el7_2
  • samba-0:4.2.10-6.el7_2
  • samba-client-0:4.2.10-6.el7_2
  • samba-client-libs-0:4.2.10-6.el7_2
  • samba-common-0:4.2.10-6.el7_2
  • samba-common-libs-0:4.2.10-6.el7_2
  • samba-common-tools-0:4.2.10-6.el7_2
  • samba-dc-0:4.2.10-6.el7_2
  • samba-dc-libs-0:4.2.10-6.el7_2
  • samba-devel-0:4.2.10-6.el7_2
  • samba-libs-0:4.2.10-6.el7_2
  • samba-pidl-0:4.2.10-6.el7_2
  • samba-python-0:4.2.10-6.el7_2
  • samba-test-0:4.2.10-6.el7_2
  • samba-test-devel-0:4.2.10-6.el7_2
  • samba-test-libs-0:4.2.10-6.el7_2
  • samba-vfs-glusterfs-0:4.2.10-6.el7_2
  • samba-winbind-0:4.2.10-6.el7_2
  • samba-winbind-clients-0:4.2.10-6.el7_2
  • samba-winbind-krb5-locator-0:4.2.10-6.el7_2
  • samba-winbind-modules-0:4.2.10-6.el7_2
  • samba3x-0:3.6.23-12.el5_11
  • samba3x-client-0:3.6.23-12.el5_11
  • samba3x-common-0:3.6.23-12.el5_11
  • samba3x-doc-0:3.6.23-12.el5_11
  • samba3x-domainjoin-gui-0:3.6.23-12.el5_11
  • samba3x-swat-0:3.6.23-12.el5_11
  • samba3x-winbind-0:3.6.23-12.el5_11
  • samba3x-winbind-devel-0:3.6.23-12.el5_11
  • libsmbclient-0:3.0.33-3.41.el5_11
  • libsmbclient-devel-0:3.0.33-3.41.el5_11
  • samba-0:3.0.33-3.41.el5_11
  • samba-client-0:3.0.33-3.41.el5_11
  • samba-common-0:3.0.33-3.41.el5_11
  • samba-swat-0:3.0.33-3.41.el5_11
refmap via4
confirm
debian DSA-3548
fedora
  • FEDORA-2016-383fce04e2
  • FEDORA-2016-48b3761baa
  • FEDORA-2016-be53260726
gentoo GLSA-201612-47
misc http://badlock.org/
sectrack 1035533
slackware SSA:2016-106-02
suse
  • SUSE-SU-2016:1022
  • SUSE-SU-2016:1023
  • SUSE-SU-2016:1024
  • SUSE-SU-2016:1028
  • SUSE-SU-2016:1105
  • openSUSE-SU-2016:1025
  • openSUSE-SU-2016:1064
  • openSUSE-SU-2016:1106
  • openSUSE-SU-2016:1107
ubuntu
  • USN-2950-1
  • USN-2950-2
  • USN-2950-3
  • USN-2950-4
  • USN-2950-5
Last major update 30-12-2016 - 21:59
Published 24-04-2016 - 20:59
Back to Top