ID CVE-2018-1139
Summary A flaw was found in the way samba before 4.7.9 and 4.8.4 allowed the use of weak NTLMv1 authentication even when NTLMv1 was explicitly disabled. A man-in-the-middle attacker could use this flaw to read the credential and other details passed between the samba server and client.
Vulnerable Configurations
  • cpe:2.3:a:samba:samba:4.8.0:*:*:*:*:*:*:*
  • cpe:2.3:a:samba:samba:4.8.0:rc1:*:*:*:*:*:*
  • cpe:2.3:a:samba:samba:4.8.0:rc2:*:*:*:*:*:*
  • cpe:2.3:a:samba:samba:4.8.0:rc3:*:*:*:*:*:*
  • cpe:2.3:a:samba:samba:4.8.0:rc4:*:*:*:*:*:*
  • cpe:2.3:a:samba:samba:4.8.1:*:*:*:*:*:*:*
  • cpe:2.3:a:samba:samba:4.8.2:*:*:*:*:*:*:*
  • cpe:2.3:a:samba:samba:4.8.3:*:*:*:*:*:*:*
  • cpe:2.3:a:samba:samba:4.7.0:*:*:*:*:*:*:*
  • cpe:2.3:a:samba:samba:4.7.0:rc1:*:*:*:*:*:*
  • cpe:2.3:a:samba:samba:4.7.0:rc2:*:*:*:*:*:*
  • cpe:2.3:a:samba:samba:4.7.0:rc3:*:*:*:*:*:*
  • cpe:2.3:a:samba:samba:4.7.0:rc4:*:*:*:*:*:*
  • cpe:2.3:a:samba:samba:4.7.0:rc5:*:*:*:*:*:*
  • cpe:2.3:a:samba:samba:4.7.0:rc6:*:*:*:*:*:*
  • cpe:2.3:a:samba:samba:4.7.1:*:*:*:*:*:*:*
  • cpe:2.3:a:samba:samba:4.7.2:*:*:*:*:*:*:*
  • cpe:2.3:a:samba:samba:4.7.3:*:*:*:*:*:*:*
  • cpe:2.3:a:samba:samba:4.7.4:*:*:*:*:*:*:*
  • cpe:2.3:a:samba:samba:4.7.5:*:*:*:*:*:*:*
  • cpe:2.3:a:samba:samba:4.7.6:*:*:*:*:*:*:*
  • cpe:2.3:a:samba:samba:4.7.7:*:*:*:*:*:*:*
  • cpe:2.3:a:samba:samba:4.7.8:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
CVSS
Base: 4.3 (as of 29-08-2022 - 20:43)
CWE CWE-522
CAPEC
  • Use of Captured Tickets (Pass The Ticket)
    An adversary uses stolen Kerberos tickets to access systems that leverage the Kerberos authentication protocol. The Kerberos authentication protocol centers around a ticketing system which is used to request/grant access to services and to then access the requested services. An adversary can obtain any one of these tickets (e.g. Service Ticket, Ticket Granting Ticket, Silver Ticket, or Golden Ticket) to authenticate to a system without needing the account's credentials. Depending on the ticket obtained, the adversary may be able to access a particular resource or generate TGTs for any account within an Active Directory Domain.
  • Remote Services with Stolen Credentials
    This pattern of attack involves an adversary that uses stolen credentials to leverage remote services such as RDP, telnet, SSH, and VNC to log into a system. Once access is gained, any number of malicious activities could be performed.
  • Signature Spoofing by Key Theft
    An attacker obtains an authoritative or reputable signer's private signature key by theft and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
  • Use of Captured Hashes (Pass The Hash)
    An adversary uses stolen hash values for a user's credentials (username and password) to access systems managed under the same credential framework that leverage the LAN Manager (LM) and/or NT LAN Manager (NTLM) authentication protocols. When authenticating via LM or NTLM, the plaintext credentials corresponding to the hashed credentials are not required for successful authentication. Therefore, if an adversary can obtain the hashed credentials of a user, they can pass these hash values to the server or service to authenticate without needing to brute-force the hashes to recover their cleartext values. The adversary can then impersonate the user and move laterally within the network. This technique can be performed against any operating system which leverages the LM or NTLM protocols.
  • Session Sidejacking
    Session sidejacking takes advantage of an unencrypted communication channel between a victim and target system. The attacker sniffs traffic on a network looking for session tokens in unencrypted traffic. Once a session token is captured, the attacker performs malicious actions by using the stolen token with the targeted application to impersonate the victim. This attack is a specific method of session hijacking, which is exploiting a valid session token to gain unauthorized access to a target system or information. Other methods to perform a session hijacking are session fixation, cross-site scripting, or compromising a user or server machine and stealing the session token.
  • Modify Existing Service
    When an operating system starts, it also starts programs called services or daemons. Modifying existing services may break existing services or may enable services that are disabled/not commonly used.
  • Windows Admin Shares with Stolen Credentials
    Windows systems have hidden network shares that are only accessible to administrators and allow files to be written to the local computer. Example network shares include: C$, ADMIN$ and IPC$. Adversaries may use valid administrator credentials to remotely access a network share to transfer files and execute code. It is possible for adversaries to use NTLM hashes to access administrator shares on systems with certain configuration and patch levels.
  • Password Recovery Exploitation
    An attacker may take advantage of the application feature that helps users recover their forgotten passwords in order to gain access to the system with the same privileges as the original user. Generally, password recovery schemes tend to be weak and insecure. Most of them use only one security question; for instance, mother's maiden name tends to be a fairly popular one. Unfortunately, in many cases this information is not very hard to find, especially if the attacker knows the legitimate user. These generic security questions are also re-used across many applications, making them even more insecure. An attacker could, for instance, overhear a coworker talking to a bank representative at the workplace and supplying their mother's maiden name for verification purposes. The attacker can then try to log in to one of the victim's accounts, click on "forgot password", and there is a good chance that the security question there will be to provide the mother's maiden name. A weak password recovery scheme totally undermines the effectiveness of a strong password scheme.
  • Use of Known Domain Credentials
    An adversary uses stolen credentials (e.g., userid and password) to access systems managed under the same credential framework on a local network. Often, users are allowed to login to connected machines using the same password. Discovery of the password on one machine allows for lateral movement to those machines.
Access
Vector NETWORK
Complexity MEDIUM
Authentication NONE
Impact
Confidentiality PARTIAL
Integrity NONE
Availability NONE
cvss-vector via4 AV:N/AC:M/Au:N/C:P/I:N/A:N
redhat via4
advisories
  • bugzilla
    id 1614132
    oval
    OR
    • comment Red Hat Enterprise Linux must be installed
      oval oval:com.redhat.rhba:tst:20070304026
    • AND
      • comment Red Hat Enterprise Linux 7 is installed
        oval oval:com.redhat.rhba:tst:20150364027
      • OR
        • AND
          • comment ctdb is earlier than 0:4.8.3-4.el7
            oval oval:com.redhat.rhsa:tst:20183056001
          • comment ctdb is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhba:tst:20152258002
        • AND
          • comment ctdb-tests is earlier than 0:4.8.3-4.el7
            oval oval:com.redhat.rhsa:tst:20183056003
          • comment ctdb-tests is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhba:tst:20152258006
        • AND
          • comment libsmbclient is earlier than 0:4.8.3-4.el7
            oval oval:com.redhat.rhsa:tst:20183056005
          • comment libsmbclient is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhba:tst:20152258008
        • AND
          • comment libsmbclient-devel is earlier than 0:4.8.3-4.el7
            oval oval:com.redhat.rhsa:tst:20183056007
          • comment libsmbclient-devel is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhba:tst:20152258010
        • AND
          • comment libwbclient is earlier than 0:4.8.3-4.el7
            oval oval:com.redhat.rhsa:tst:20183056009
          • comment libwbclient is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhba:tst:20152258012
        • AND
          • comment libwbclient-devel is earlier than 0:4.8.3-4.el7
            oval oval:com.redhat.rhsa:tst:20183056011
          • comment libwbclient-devel is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhba:tst:20152258014
        • AND
          • comment samba is earlier than 0:4.8.3-4.el7
            oval oval:com.redhat.rhsa:tst:20183056013
          • comment samba is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhba:tst:20152258016
        • AND
          • comment samba-client is earlier than 0:4.8.3-4.el7
            oval oval:com.redhat.rhsa:tst:20183056015
          • comment samba-client is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhba:tst:20152258018
        • AND
          • comment samba-client-libs is earlier than 0:4.8.3-4.el7
            oval oval:com.redhat.rhsa:tst:20183056017
          • comment samba-client-libs is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhba:tst:20152258020
        • AND
          • comment samba-common is earlier than 0:4.8.3-4.el7
            oval oval:com.redhat.rhsa:tst:20183056019
          • comment samba-common is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhba:tst:20152258022
        • AND
          • comment samba-common-libs is earlier than 0:4.8.3-4.el7
            oval oval:com.redhat.rhsa:tst:20183056021
          • comment samba-common-libs is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhba:tst:20152258024
        • AND
          • comment samba-common-tools is earlier than 0:4.8.3-4.el7
            oval oval:com.redhat.rhsa:tst:20183056023
          • comment samba-common-tools is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhba:tst:20152258026
        • AND
          • comment samba-dc is earlier than 0:4.8.3-4.el7
            oval oval:com.redhat.rhsa:tst:20183056025
          • comment samba-dc is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhba:tst:20152258028
        • AND
          • comment samba-dc-libs is earlier than 0:4.8.3-4.el7
            oval oval:com.redhat.rhsa:tst:20183056027
          • comment samba-dc-libs is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhba:tst:20152258030
        • AND
          • comment samba-devel is earlier than 0:4.8.3-4.el7
            oval oval:com.redhat.rhsa:tst:20183056029
          • comment samba-devel is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhba:tst:20152258032
        • AND
          • comment samba-krb5-printing is earlier than 0:4.8.3-4.el7
            oval oval:com.redhat.rhsa:tst:20183056031
          • comment samba-krb5-printing is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20171265032
        • AND
          • comment samba-libs is earlier than 0:4.8.3-4.el7
            oval oval:com.redhat.rhsa:tst:20183056033
          • comment samba-libs is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhba:tst:20152258034
        • AND
          • comment samba-pidl is earlier than 0:4.8.3-4.el7
            oval oval:com.redhat.rhsa:tst:20183056035
          • comment samba-pidl is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhba:tst:20152258036
        • AND
          • comment samba-python is earlier than 0:4.8.3-4.el7
            oval oval:com.redhat.rhsa:tst:20183056037
          • comment samba-python is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhba:tst:20152258038
        • AND
          • comment samba-python-test is earlier than 0:4.8.3-4.el7
            oval oval:com.redhat.rhsa:tst:20183056039
          • comment samba-python-test is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20183056040
        • AND
          • comment samba-test is earlier than 0:4.8.3-4.el7
            oval oval:com.redhat.rhsa:tst:20183056041
          • comment samba-test is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhba:tst:20152258040
        • AND
          • comment samba-test-libs is earlier than 0:4.8.3-4.el7
            oval oval:com.redhat.rhsa:tst:20183056043
          • comment samba-test-libs is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhba:tst:20152258044
        • AND
          • comment samba-vfs-glusterfs is earlier than 0:4.8.3-4.el7
            oval oval:com.redhat.rhsa:tst:20183056045
          • comment samba-vfs-glusterfs is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhba:tst:20152258046
        • AND
          • comment samba-winbind is earlier than 0:4.8.3-4.el7
            oval oval:com.redhat.rhsa:tst:20183056047
          • comment samba-winbind is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhba:tst:20152258048
        • AND
          • comment samba-winbind-clients is earlier than 0:4.8.3-4.el7
            oval oval:com.redhat.rhsa:tst:20183056049
          • comment samba-winbind-clients is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhba:tst:20152258050
        • AND
          • comment samba-winbind-krb5-locator is earlier than 0:4.8.3-4.el7
            oval oval:com.redhat.rhsa:tst:20183056051
          • comment samba-winbind-krb5-locator is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhba:tst:20152258052
        • AND
          • comment samba-winbind-modules is earlier than 0:4.8.3-4.el7
            oval oval:com.redhat.rhsa:tst:20183056053
          • comment samba-winbind-modules is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhba:tst:20152258054
    rhsa
    id RHSA-2018:3056
    released 2018-10-30
    severity Moderate
    title RHSA-2018:3056: samba security, bug fix, and enhancement update (Moderate)
  • rhsa
    id RHSA-2018:2612
  • rhsa
    id RHSA-2018:2613
rpms
  • ctdb-0:4.7.5-110.el6rhs
  • libsmbclient-0:4.7.5-110.el6rhs
  • libsmbclient-devel-0:4.7.5-110.el6rhs
  • libtalloc-0:2.1.11-1.el6rhs
  • libtalloc-debuginfo-0:2.1.11-1.el6rhs
  • libtalloc-devel-0:2.1.11-1.el6rhs
  • libtdb-0:1.3.15-4.el6rhs
  • libtdb-debuginfo-0:1.3.15-4.el6rhs
  • libtdb-devel-0:1.3.15-4.el6rhs
  • libtevent-0:0.9.35-1.el6rhs
  • libtevent-debuginfo-0:0.9.35-1.el6rhs
  • libtevent-devel-0:0.9.35-1.el6rhs
  • libwbclient-0:4.7.5-110.el6rhs
  • libwbclient-devel-0:4.7.5-110.el6rhs
  • pytalloc-0:2.1.11-1.el6rhs
  • pytalloc-devel-0:2.1.11-1.el6rhs
  • python-tdb-0:1.3.15-4.el6rhs
  • python-tevent-0:0.9.35-1.el6rhs
  • samba-0:4.7.5-110.el6rhs
  • samba-client-0:4.7.5-110.el6rhs
  • samba-client-libs-0:4.7.5-110.el6rhs
  • samba-common-0:4.7.5-110.el6rhs
  • samba-common-libs-0:4.7.5-110.el6rhs
  • samba-common-tools-0:4.7.5-110.el6rhs
  • samba-dc-0:4.7.5-110.el6rhs
  • samba-dc-libs-0:4.7.5-110.el6rhs
  • samba-debuginfo-0:4.7.5-110.el6rhs
  • samba-devel-0:4.7.5-110.el6rhs
  • samba-krb5-printing-0:4.7.5-110.el6rhs
  • samba-libs-0:4.7.5-110.el6rhs
  • samba-pidl-0:4.7.5-110.el6rhs
  • samba-python-0:4.7.5-110.el6rhs
  • samba-vfs-glusterfs-0:4.7.5-110.el6rhs
  • samba-winbind-0:4.7.5-110.el6rhs
  • samba-winbind-clients-0:4.7.5-110.el6rhs
  • samba-winbind-krb5-locator-0:4.7.5-110.el6rhs
  • samba-winbind-modules-0:4.7.5-110.el6rhs
  • tdb-tools-0:1.3.15-4.el6rhs
  • ctdb-0:4.7.5-110.el7rhgs
  • libsmbclient-0:4.7.5-110.el7rhgs
  • libsmbclient-devel-0:4.7.5-110.el7rhgs
  • libtalloc-0:2.1.11-1.el7rhgs
  • libtalloc-debuginfo-0:2.1.11-1.el7rhgs
  • libtalloc-devel-0:2.1.11-1.el7rhgs
  • libtdb-0:1.3.15-4.el7rhgs
  • libtdb-debuginfo-0:1.3.15-4.el7rhgs
  • libtdb-devel-0:1.3.15-4.el7rhgs
  • libtevent-0:0.9.35-1.el7rhgs
  • libtevent-debuginfo-0:0.9.35-1.el7rhgs
  • libtevent-devel-0:0.9.35-1.el7rhgs
  • libwbclient-0:4.7.5-110.el7rhgs
  • libwbclient-devel-0:4.7.5-110.el7rhgs
  • pytalloc-0:2.1.11-1.el7rhgs
  • pytalloc-devel-0:2.1.11-1.el7rhgs
  • python-tdb-0:1.3.15-4.el7rhgs
  • python-tevent-0:0.9.35-1.el7rhgs
  • samba-0:4.7.5-110.el7rhgs
  • samba-client-0:4.7.5-110.el7rhgs
  • samba-client-libs-0:4.7.5-110.el7rhgs
  • samba-common-0:4.7.5-110.el7rhgs
  • samba-common-libs-0:4.7.5-110.el7rhgs
  • samba-common-tools-0:4.7.5-110.el7rhgs
  • samba-dc-0:4.7.5-110.el7rhgs
  • samba-dc-libs-0:4.7.5-110.el7rhgs
  • samba-debuginfo-0:4.7.5-110.el7rhgs
  • samba-devel-0:4.7.5-110.el7rhgs
  • samba-krb5-printing-0:4.7.5-110.el7rhgs
  • samba-libs-0:4.7.5-110.el7rhgs
  • samba-pidl-0:4.7.5-110.el7rhgs
  • samba-python-0:4.7.5-110.el7rhgs
  • samba-vfs-glusterfs-0:4.7.5-110.el7rhgs
  • samba-winbind-0:4.7.5-110.el7rhgs
  • samba-winbind-clients-0:4.7.5-110.el7rhgs
  • samba-winbind-krb5-locator-0:4.7.5-110.el7rhgs
  • samba-winbind-modules-0:4.7.5-110.el7rhgs
  • tdb-tools-0:1.3.15-4.el7rhgs
  • ctdb-0:4.8.3-4.el7
  • ctdb-tests-0:4.8.3-4.el7
  • libsmbclient-0:4.8.3-4.el7
  • libsmbclient-devel-0:4.8.3-4.el7
  • libwbclient-0:4.8.3-4.el7
  • libwbclient-devel-0:4.8.3-4.el7
  • samba-0:4.8.3-4.el7
  • samba-client-0:4.8.3-4.el7
  • samba-client-libs-0:4.8.3-4.el7
  • samba-common-0:4.8.3-4.el7
  • samba-common-libs-0:4.8.3-4.el7
  • samba-common-tools-0:4.8.3-4.el7
  • samba-dc-0:4.8.3-4.el7
  • samba-dc-libs-0:4.8.3-4.el7
  • samba-debuginfo-0:4.8.3-4.el7
  • samba-devel-0:4.8.3-4.el7
  • samba-krb5-printing-0:4.8.3-4.el7
  • samba-libs-0:4.8.3-4.el7
  • samba-pidl-0:4.8.3-4.el7
  • samba-python-0:4.8.3-4.el7
  • samba-python-test-0:4.8.3-4.el7
  • samba-test-0:4.8.3-4.el7
  • samba-test-libs-0:4.8.3-4.el7
  • samba-vfs-glusterfs-0:4.8.3-4.el7
  • samba-winbind-0:4.8.3-4.el7
  • samba-winbind-clients-0:4.8.3-4.el7
  • samba-winbind-krb5-locator-0:4.8.3-4.el7
  • samba-winbind-modules-0:4.8.3-4.el7
refmap via4
bid 105084
gentoo GLSA-202003-52
ubuntu USN-3738-1
Last major update 29-08-2022 - 20:43
Published 22-08-2018 - 14:29
Last modified 29-08-2022 - 20:43