cnvd - cnvd-2016-12887

cnvd-2016-12887

Vulnerability from cnvd

Title: Samba堆缓冲区溢出漏洞

Description:

Samba是Samba团队开发的一套可使UNIX系列的操作系统与微软Windows操作系统的SMB/CIFS网络协议做连结的自由软件。该软件支持共享打印机、互相传输资料文件等。

Samba 4.3.13之前的4.3.x版本、4.4.8之前的4.4.x版本和4.5.3之前的4.5.x版本存在堆缓冲区溢出漏洞，该漏洞源于程序未能正确的对用户提交的数据执行边界检测，导致程序复制数据的大小超出了分配的内存缓冲区空间。攻击者可利用该漏洞在受影响的应用程序上下文中执行任意代码，可能导致拒绝服务。

Severity: 中

Patch Name: Samba堆缓冲区溢出漏洞的补丁

Patch Description:

Formal description:

目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： https://bugzilla.redhat.com/show_bug.cgi?id=1392702

Reference: http://www.securityfocus.com/bid/94970

Impacted products

Name
['Samba Samba 4.3.<4.3.13', 'Samba Samba 4.4.<4.4.8', 'Samba Samba 4.5.*<4.5.3']

Show details on source website

JSON

To clipboard

{
  "bids": {
    "bid": {
      "bidNumber": "94970"
    }
  },
  "cves": {
    "cve": {
      "cveNumber": "CVE-2016-2123"
    }
  },
  "description": "Samba\u662fSamba\u56e2\u961f\u5f00\u53d1\u7684\u4e00\u5957\u53ef\u4f7fUNIX\u7cfb\u5217\u7684\u64cd\u4f5c\u7cfb\u7edf\u4e0e\u5fae\u8f6fWindows\u64cd\u4f5c\u7cfb\u7edf\u7684SMB/CIFS\u7f51\u7edc\u534f\u8bae\u505a\u8fde\u7ed3\u7684\u81ea\u7531\u8f6f\u4ef6\u3002\u8be5\u8f6f\u4ef6\u652f\u6301\u5171\u4eab\u6253\u5370\u673a\u3001\u4e92\u76f8\u4f20\u8f93\u8d44\u6599\u6587\u4ef6\u7b49\u3002\r\n\r\nSamba 4.3.13\u4e4b\u524d\u76844.3.x\u7248\u672c\u30014.4.8\u4e4b\u524d\u76844.4.x\u7248\u672c\u548c4.5.3\u4e4b\u524d\u76844.5.x\u7248\u672c\u5b58\u5728\u5806\u7f13\u51b2\u533a\u6ea2\u51fa\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u672a\u80fd\u6b63\u786e\u7684\u5bf9\u7528\u6237\u63d0\u4ea4\u7684\u6570\u636e\u6267\u884c\u8fb9\u754c\u68c0\u6d4b\uff0c\u5bfc\u81f4\u7a0b\u5e8f\u590d\u5236\u6570\u636e\u7684\u5927\u5c0f\u8d85\u51fa\u4e86\u5206\u914d\u7684\u5185\u5b58\u7f13\u51b2\u533a\u7a7a\u95f4\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5728\u53d7\u5f71\u54cd\u7684\u5e94\u7528\u7a0b\u5e8f\u4e0a\u4e0b\u6587\u4e2d\u6267\u884c\u4efb\u610f\u4ee3\u7801\uff0c\u53ef\u80fd\u5bfc\u81f4\u62d2\u7edd\u670d\u52a1\u3002",
  "discovererName": "Trend Micro\u0027s Zero Day Initiative and Frederic Besler.",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u7ecf\u53d1\u5e03\u4e86\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6b64\u5b89\u5168\u95ee\u9898\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=1392702",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2016-12887",
  "openTime": "2016-12-23",
  "patchDescription": "Samba\u662fSamba\u56e2\u961f\u5f00\u53d1\u7684\u4e00\u5957\u53ef\u4f7fUNIX\u7cfb\u5217\u7684\u64cd\u4f5c\u7cfb\u7edf\u4e0e\u5fae\u8f6fWindows\u64cd\u4f5c\u7cfb\u7edf\u7684SMB/CIFS\u7f51\u7edc\u534f\u8bae\u505a\u8fde\u7ed3\u7684\u81ea\u7531\u8f6f\u4ef6\u3002\u8be5\u8f6f\u4ef6\u652f\u6301\u5171\u4eab\u6253\u5370\u673a\u3001\u4e92\u76f8\u4f20\u8f93\u8d44\u6599\u6587\u4ef6\u7b49\u3002\r\n\r\nSamba 4.3.13\u4e4b\u524d\u76844.3.x\u7248\u672c\u30014.4.8\u4e4b\u524d\u76844.4.x\u7248\u672c\u548c4.5.3\u4e4b\u524d\u76844.5.x\u7248\u672c\u5b58\u5728\u5806\u7f13\u51b2\u533a\u6ea2\u51fa\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u672a\u80fd\u6b63\u786e\u7684\u5bf9\u7528\u6237\u63d0\u4ea4\u7684\u6570\u636e\u6267\u884c\u8fb9\u754c\u68c0\u6d4b\uff0c\u5bfc\u81f4\u7a0b\u5e8f\u590d\u5236\u6570\u636e\u7684\u5927\u5c0f\u8d85\u51fa\u4e86\u5206\u914d\u7684\u5185\u5b58\u7f13\u51b2\u533a\u7a7a\u95f4\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5728\u53d7\u5f71\u54cd\u7684\u5e94\u7528\u7a0b\u5e8f\u4e0a\u4e0b\u6587\u4e2d\u6267\u884c\u4efb\u610f\u4ee3\u7801\uff0c\u53ef\u80fd\u5bfc\u81f4\u62d2\u7edd\u670d\u52a1\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Samba\u5806\u7f13\u51b2\u533a\u6ea2\u51fa\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Samba Samba 4.3.*\u003c4.3.13",
      "Samba Samba 4.4.*\u003c4.4.8",
      "Samba Samba 4.5.*\u003c4.5.3"
    ]
  },
  "referenceLink": "http://www.securityfocus.com/bid/94970",
  "serverity": "\u4e2d",
  "submitTime": "2016-12-21",
  "title": "Samba\u5806\u7f13\u51b2\u533a\u6ea2\u51fa\u6f0f\u6d1e"
}

CVE-2016-2123 (GCVE-0-2016-2123)

Vulnerability from cvelistv5

Published

2018-11-01 13:00

Modified

2024-08-05 23:17

Severity ?

8.1 (High) - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-122

Summary

A flaw was found in samba versions 4.0.0 to 4.5.2. The Samba routine ndr_pull_dnsp_name contains an integer wrap problem, leading to an attacker-controlled memory overwrite. ndr_pull_dnsp_name parses data from the Samba Active Directory ldb database. Any user who can write to the dnsRecord attribute over LDAP can trigger this memory corruption. By default, all authenticated LDAP users can write to the dnsRecord attribute on new DNS objects. This makes the defect a remote privilege escalation.

References

▼	URL	Tags
	https://www.samba.org/samba/security/CVE-2016-2123.html	x_refsource_CONFIRM
	http://www.securityfocus.com/bid/94970	vdb-entry, x_refsource_BID
	https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-2123	x_refsource_CONFIRM
	http://www.securitytracker.com/id/1037493	vdb-entry, x_refsource_SECTRACK

Impacted products

	Vendor	Product	Version
	[UNKNOWN]	samba	Version: versions 4.0.0 to 4.5.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T23:17:50.724Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.samba.org/samba/security/CVE-2016-2123.html"
          },
          {
            "name": "94970",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/94970"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-2123"
          },
          {
            "name": "1037493",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id/1037493"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "samba",
          "vendor": "[UNKNOWN]",
          "versions": [
            {
              "status": "affected",
              "version": "versions 4.0.0 to 4.5.2"
            }
          ]
        }
      ],
      "datePublic": "2016-12-19T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in samba versions 4.0.0 to 4.5.2. The Samba routine ndr_pull_dnsp_name contains an integer wrap problem, leading to an attacker-controlled memory overwrite. ndr_pull_dnsp_name parses data from the Samba Active Directory ldb database. Any user who can write to the dnsRecord attribute over LDAP can trigger this memory corruption. By default, all authenticated LDAP users can write to the dnsRecord attribute on new DNS objects. This makes the defect a remote privilege escalation."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-122",
              "description": "CWE-122",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-11-02T09:57:01",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.samba.org/samba/security/CVE-2016-2123.html"
        },
        {
          "name": "94970",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/94970"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-2123"
        },
        {
          "name": "1037493",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id/1037493"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2016-2123",
    "datePublished": "2018-11-01T13:00:00",
    "dateReserved": "2016-01-29T00:00:00",
    "dateUpdated": "2024-08-05T23:17:50.724Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted