VuXML ID | Description |
1c5f3fd7-54bf-11ed-8d1e-005056a311d1 | samba -- buffer overflow in Heimdal unwrap_des3()
The Samba Team reports:
The DES (for Samba 4.11 and earlier) and Triple-DES decryption
routines in the Heimdal GSSAPI library allow a length-limited write
buffer overflow on malloc() allocated memory when presented with a
maliciously small packet.
Discovery: 2022-08-02  Entry: 2022-10-25
Affected: samba412 < 4.12.16; samba413 < 4.13.17_4; samba416 < 4.16.6
CVE-2022-3437
https://www.samba.org/samba/security/CVE-2022-3437.html
|
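The affected ranges in these entries use FreeBSD pkg version syntax, where `4.13.17_4` means upstream 4.13.17 with PORTREVISION 4, so a port built as `4.13.17_3` is still inside the `< 4.13.17_4` range even though upstream Samba 4.13.17 already carried the fix. The Python below is an added example, not code from the VuXML page, the ports tree or Samba: it compares installed `name-version` pairs against the bounds of the entry above, with the sample `pkg query` output constructed here. The same comparison applies to the other entries on this page by swapping the bounds table. In production, `pkg audit` performs this check against the live vuln.xml; this block only makes the comparison explicit.

```python
"""Check installed FreeBSD Samba packages against the VuXML version ranges
listed in the entry above.  Added example, not code from the VuXML page,
the ports tree or Samba; pkg's real comparison lives in pkg-version(8)."""
import re

# Upper bounds (exclusive) copied from the entry above, package -> version.
AFFECTED_BEFORE = {
    "samba412": "4.12.16",
    "samba413": "4.13.17_4",
    "samba416": "4.16.6",
}

# Constructed sample of `pkg query -g '%n-%v' 'samba4*'` output.
SAMPLE_PKG_OUTPUT = """\
samba413-4.13.17_3
samba416-4.16.6
samba412-4.12.16
"""

_VERSION_RE = re.compile(r"([0-9]+(?:\.[0-9]+)*)(?:_([0-9]+))?(?:,([0-9]+))?")


def parse_version(v):
    """Turn 'X.Y.Z_REV,EPOCH' into a tuple that sorts the way pkg does:
    PORTEPOCH first, then the dotted numbers, then PORTREVISION (absent == 0).
    Only this numeric subset of the pkg grammar is handled; it covers every
    bound on this page."""
    m = _VERSION_RE.fullmatch(v)
    if m is None:
        raise ValueError(f"unsupported version string: {v!r}")
    core, rev, epoch = m.groups()
    return (int(epoch or 0), tuple(int(p) for p in core.split(".")), int(rev or 0))


def split_pkg(name_version):
    """'samba413-4.13.17_3' -> ('samba413', '4.13.17_3')."""
    name, _, version = name_version.rpartition("-")
    if not name:
        raise ValueError(f"not a pkg name-version pair: {name_version!r}")
    return name, version


def is_affected(pkg, version):
    """True when `pkg` at `version` is below the entry's fixed version."""
    bound = AFFECTED_BEFORE.get(pkg)
    return bound is not None and parse_version(version) < parse_version(bound)


def scan(pkg_output):
    """Map each 'name-version' line to whether this entry applies to it."""
    result = {}
    for line in pkg_output.splitlines():
        line = line.strip()
        if line:
            name, version = split_pkg(line)
            result[line] = is_affected(name, version)
    return result


if __name__ == "__main__":
    for pkg, hit in scan(SAMPLE_PKG_OUTPUT).items():
        print(f"{pkg}: {'AFFECTED' if hit else 'ok'}")
```

Feed it real data with `pkg query -g '%n-%v' 'samba4*'`; the PORTEPOCH suffix (`,1`) is handled because the ports tree bumps it when a version scheme changes, and a package with a higher epoch sorts above any version without one.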
441e1e1a-27a5-11ee-a156-080027f5fec9 | samba -- multiple vulnerabilities
The Samba Team reports:
- CVE-2023-34967: Samba Spotlight mdssvc RPC Request Type Confusion DoS Vulnerability
  When parsing Spotlight mdssvc RPC packets, one encoded data structure is
  a key-value style dictionary where keys are character strings and values
  can be any of the supported types in the mdssvc protocol. Due to a lack
  of type checking in callers of the function dalloc_value_for_key(), which
  returns the object associated with a key, a caller may trigger a crash in
  talloc_get_size() when talloc detects that the passed in pointer is not a
  valid talloc pointer. As RPC worker processes are shared among multiple
  client connections, a malicious client can crash the worker process
  affecting all other clients that are also served by this worker.
- CVE-2022-2127: Out-Of-Bounds read in winbind AUTH_CRAP
  When doing NTLM authentication, the client sends replies to cryptographic
  challenges back to the server. These replies have variable length.
  Winbind did not properly bounds-check the lan manager response length,
  which despite the lan manager version no longer being used is still part
  of the protocol. If the system is running Samba's ntlm_auth as
  authentication backend for services like Squid (or a very unusual
  configuration with FreeRADIUS), the vulnerability is remotely
  exploitable. If not so configured, or to exploit this vulnerability
  locally, the user must have access to the privileged winbindd UNIX domain
  socket (a subdirectory with name 'winbindd_privileged' under "state
  directory", as set in the smb.conf). This access is normally only given
  to special system services, like Squid or FreeRADIUS, that use this
  feature.
- CVE-2023-34968: Spotlight server-side Share Path Disclosure
  As part of the Spotlight protocol, the initial request returns a path
  associated with the sharename targeted by the RPC request. Samba returns
  the real server-side share path at this point, as well as returning the
  absolute server-side path of results in search queries by clients. Known
  server side paths could be used to mount subsequent more serious security
  attacks or could disclose confidential information that is part of the
  path. To mitigate the issue, Samba will replace the real server-side path
  with a fake path constructed from the sharename.
- CVE-2023-34966: Samba Spotlight mdssvc RPC Request Infinite Loop DoS Vulnerability
  When parsing Spotlight mdssvc RPC packets sent by the client, the core
  unmarshalling function sl_unpack_loop() did not validate a field in the
  network packet that contains the count of elements in an array-like
  structure. By passing 0 as the count value, the attacked function will
  run in an endless loop consuming 100% CPU. This bug only affects servers
  where Spotlight is explicitly enabled globally or on individual shares
  with "spotlight = yes".
- CVE-2023-3347: SMB2 packet signing not enforced
  SMB2 packet signing is not enforced if an admin configured "server
  signing = required" or for SMB2 connections to Domain Controllers where
  SMB2 packet signing is mandatory. SMB2 packet signing is a mechanism that
  ensures the integrity and authenticity of data exchanged between a client
  and a server using the SMB2 protocol. It provides protection against
  certain types of attacks, such as man-in-the-middle attacks, where an
  attacker intercepts network traffic and modifies the SMB2 messages. Both
  client and server of an SMB2 connection can require that signing is being
  used. The server-side setting in Samba to configure signing to be
  required is "server signing = required". Note that on Samba AD DCs this
  is also the default for all SMB2 connections. Unless the client requires
  signing, which would result in signing being used on the SMB2 connection,
  sensitive data might have been modified by an attacker. Clients
  connecting to IPC$ on an AD DC will require signed connections being
  used, so the integrity of these connections was not affected.
Discovery: 2023-07-19  Entry: 2023-08-05
Affected: samba416 < 4.16.11; samba413 < 4.13.17_6
CVE-2023-34967, CVE-2022-2127, CVE-2023-34968, CVE-2023-34966, CVE-2023-3347
https://www.samba.org/samba/security/CVE-2023-34967.html
https://www.samba.org/samba/security/CVE-2022-2127.html
https://www.samba.org/samba/security/CVE-2023-34968.html
https://www.samba.org/samba/security/CVE-2023-34966.html
https://www.samba.org/samba/security/CVE-2023-3347.html
|
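The endless-loop description for CVE-2023-34966 above comes down to an unmarshalling loop that decrements an outstanding element count by a size it read from the wire, so a zero size makes no progress and the loop never exits. The Python below is an added illustrative model, not Samba's sl_unpack_loop() and not the real Spotlight encoding: the 32-bit chunk layout (a header word whose low 16 bits give the chunk size in words, header included) is invented here, and the sample packets are constructed. It puts the unvalidated loop next to a hardened one that rejects a zero-sized chunk, a chunk that overruns the buffer, and a chunk that delivers more values than the packet announced.

```python
"""Model of the CVE-2023-34966 bug class: an unmarshalling loop that trusts a
size/count field from the wire.  Added example, not Samba's sl_unpack_loop();
the chunk layout is invented for illustration."""
import struct


def _header(n_values, kind=1):
    """Chunk header word: high 16 bits = type tag, low 16 bits = number of
    32-bit words in the chunk, counting this header word."""
    return struct.pack("<I", (kind << 16) | (n_values + 1))


def build_packet(chunks):
    """Constructed wire format: u32 total value count, then chunks of
    [header][values...].  `chunks` is a list of lists of ints."""
    body = b"".join(_header(len(c)) + struct.pack(f"<{len(c)}I", *c) for c in chunks)
    return struct.pack("<I", sum(len(c) for c in chunks)) + body


def malicious_packet():
    """A well-formed two-value packet whose chunk header claims size 0."""
    good = build_packet([[7, 8]])
    return good[:4] + struct.pack("<I", 1 << 16) + good[8:]


def unpack_loop_unsafe(buf, fuel=10_000):
    """Vulnerable variant: uses the size word unchecked.  Returns the values,
    or None when the loop made no progress within `fuel` iterations, which
    stands in for the real bug's 100% CPU hang."""
    (remaining,) = struct.unpack_from("<I", buf, 0)
    off, out = 4, []
    while remaining > 0:
        if fuel == 0:
            return None
        fuel -= 1
        (hdr,) = struct.unpack_from("<I", buf, off)
        size = hdr & 0xFFFF
        words = struct.unpack_from(f"<{size}I", buf, off)  # header + values
        out.extend(words[1:])
        off += 4 * size            # size 0: offset unchanged ...
        remaining -= len(words[1:])  # ... and remaining unchanged: endless loop
    return out


def unpack_loop_safe(buf):
    """Hardened variant: every chunk must make progress, fit in the buffer,
    and stay within the count the packet announced."""
    if len(buf) < 4:
        raise ValueError("truncated packet")
    (remaining,) = struct.unpack_from("<I", buf, 0)
    off, out = 4, []
    while remaining > 0:
        if off + 4 > len(buf):
            raise ValueError("truncated packet")
        (hdr,) = struct.unpack_from("<I", buf, off)
        size = hdr & 0xFFFF
        if size == 0:
            raise ValueError("zero-sized chunk")
        if off + 4 * size > len(buf):
            raise ValueError("chunk size exceeds packet")
        if size - 1 > remaining:
            raise ValueError("chunk delivers more values than announced")
        words = struct.unpack_from(f"<{size}I", buf, off)
        out.extend(words[1:])
        off += 4 * size
        remaining -= size - 1
    return out


if __name__ == "__main__":
    print(unpack_loop_safe(build_packet([[1, 2, 3], [4]])))
    print(unpack_loop_unsafe(malicious_packet()))  # None: the modelled hang
    try:
        unpack_loop_safe(malicious_packet())
    except ValueError as e:
        print("rejected:", e)
```

The check that matters is the first one in the hardened loop: any loop whose termination depends on attacker-supplied sizes needs a guarantee that each iteration advances, independent of the bounds checks that follow.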
f9140ad4-4920-11ed-a07e-080027f5fec9 | samba -- Multiple vulnerabilities
The Samba Team reports:
- CVE-2022-2031: The KDC and the kpasswd service share a single account
  and set of keys, allowing them to decrypt each other's tickets. A user
  who has been requested to change their password can exploit this to
  obtain and use tickets to other services.
- CVE-2022-32744: The KDC accepts kpasswd requests encrypted with any key
  known to it. By encrypting forged kpasswd requests with its own key, a
  user can change the passwords of other users, enabling full domain
  takeover.
- CVE-2022-32745: Samba AD users can cause the server to access
  uninitialised data with an LDAP add or modify request, usually resulting
  in a segmentation fault.
- CVE-2022-32746: The AD DC database audit logging module can be made to
  access LDAP message values that have been freed by a preceding database
  module, resulting in a use-after-free. This is only possible when
  modifying certain privileged attributes, such as userAccountControl.
- CVE-2022-32742: SMB1 Client with write access to a share can cause
  server memory contents to be written into a file or printer.
Discovery: 2022-07-27  Entry: 2022-10-11
Affected: samba412 < 4.12.16; samba413 < 4.13.17_2
CVE-2022-2031, CVE-2022-32744, CVE-2022-32745, CVE-2022-32746, CVE-2022-32742
https://lists.samba.org/archive/samba-announce/2022/000609.html
https://www.samba.org/samba/security/CVE-2022-2031.html
https://www.samba.org/samba/security/CVE-2022-32744.html
https://www.samba.org/samba/security/CVE-2022-32745.html
https://www.samba.org/samba/security/CVE-2022-32746.html
https://www.samba.org/samba/security/CVE-2022-32742.html
|
8579074c-839f-11ec-a3b2-005056a311d1 | samba -- Multiple Vulnerabilities
The Samba Team reports:
- CVE-2021-43566: Malicious client using an SMB1 or NFS race to allow
a directory to be created in an area of the server file system not
exported under the share definition.
- CVE-2021-44141: Information leak via symlinks of existence of files
  or directories outside of the exported share.
- CVE-2021-44142: Out-of-bounds heap read/write vulnerability
in VFS module vfs_fruit allows code execution.
- CVE-2022-0336: Samba AD users with permission to write to
an account can impersonate arbitrary services.
Discovery: 2022-01-31  Entry: 2022-02-01
Affected: samba413 < 4.13.17; samba414 < 4.14.12; samba415 < 4.15.5
CVE-2021-43566, CVE-2021-44141, CVE-2021-44142, CVE-2022-0336
https://www.samba.org/samba/security/CVE-2021-43566.html
https://www.samba.org/samba/security/CVE-2021-44141.html
https://www.samba.org/samba/security/CVE-2021-44142.html
https://www.samba.org/samba/security/CVE-2022-0336.html
|
646923b0-41c7-11ec-a3b2-005056a311d1 | samba -- Multiple Vulnerabilities
The Samba Team reports:
- CVE-2020-25717: A user in an AD Domain could become root on domain
members.
- CVE-2020-25718: Samba AD DC did not correctly sandbox Kerberos
tickets issued by an RODC.
- CVE-2020-25719: Samba AD DC did not always rely on the SID and PAC
in Kerberos tickets.
- CVE-2020-25721: Kerberos acceptors need easy access to stable
AD identifiers (eg objectSid).
- CVE-2020-25722: Samba AD DC did not do sufficient access and
conformance checking of data stored.
- CVE-2016-2124: SMB1 client connections can be downgraded to plaintext
authentication.
- CVE-2021-3738: Use after free in Samba AD DC RPC server.
- CVE-2021-23192: Subsequent DCE/RPC fragment injection vulnerability.
Discovery: 2021-11-10  Entry: 2021-11-10
Affected: samba413 < 4.13.14; samba414 < 4.14.10; samba415 < 4.15.2
CVE-2020-25717, CVE-2020-25718, CVE-2020-25719, CVE-2020-25721, CVE-2020-25722, CVE-2016-2124, CVE-2021-3738, CVE-2021-23192
https://www.samba.org/samba/security/CVE-2020-25717.html
https://www.samba.org/samba/security/CVE-2020-25718.html
https://www.samba.org/samba/security/CVE-2020-25719.html
https://www.samba.org/samba/security/CVE-2020-25721.html
https://www.samba.org/samba/security/CVE-2020-25722.html
https://www.samba.org/samba/security/CVE-2016-2124.html
https://www.samba.org/samba/security/CVE-2021-3738.html
https://www.samba.org/samba/security/CVE-2021-23192.html
|
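Two of the entries above hinge on smb.conf settings: the Spotlight bugs (CVE-2023-34966, CVE-2023-34967, CVE-2023-34968) only reach servers with "spotlight = yes" globally or on a share, and CVE-2023-3347 is about "server signing = required" (the default on AD DCs, as the advisory notes) not being honoured. The Python below is an added example, not Samba's own loadparm: it reads an smb.conf and reports which shares end up with Spotlight enabled and whether the server side requires signing. The sample configuration is constructed; the only Samba behaviour it assumes is that parameter names are matched ignoring case and whitespace, that shares inherit an unset "spotlight" from [global], and that "mandatory" is the older spelling of "required" (the advisory itself uses "required"). Feed it `testparm -s` output to see the effective configuration after includes are resolved.

```python
"""Audit an smb.conf for the two settings the entries above depend on:
'spotlight = yes' (exposure to the mdssvc bugs) and 'server signing =
required' (the setting CVE-2023-3347 failed to enforce).  Added example,
not Samba's loadparm; the sample configuration is constructed."""

SAMPLE_SMB_CONF = """\
[global]
   server role = standalone server
   server signing = required
   spotlight = no

[media]
   path = /srv/media
   spotlight = yes

[docs]
   path = /srv/docs
   # spotlight not set here: inherits the [global] value
"""


def _norm(key):
    # Samba matches parameter names ignoring case and whitespace, so
    # 'Server Signing' and 'serversigning' are the same parameter.
    return "".join(key.split()).lower()


def parse_smb_conf(text):
    """Minimal section/key = value reader.  Whole-line comments ('#', ';')
    are dropped; smb.conf has no inline comments, so values are kept
    verbatim.  'include'/'copy' and %-substitutions are not expanded."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][_norm(key)] = value.strip()
    return sections


def lp_bool(value, default=False):
    """Samba-style boolean: yes/true/1 or no/false/0, else the default."""
    v = (value or "").strip().lower()
    if v in ("yes", "true", "1"):
        return True
    if v in ("no", "false", "0"):
        return False
    return default


def audit(text):
    conf = parse_smb_conf(text)
    g = conf.get("global", {})
    role = g.get("serverrole", "").lower()
    is_ad_dc = "active directory" in role
    signing = g.get("serversigning", "").lower()
    # Per the advisory, 'required' is also the default on Samba AD DCs.
    signing_required = signing in ("required", "mandatory") or (signing == "" and is_ad_dc)
    spotlight_global = lp_bool(g.get("spotlight"))
    spotlight_shares = [
        name for name, params in conf.items()
        if name != "global" and lp_bool(params.get("spotlight"), spotlight_global)
    ]
    return {
        "ad_dc": is_ad_dc,
        "signing_required": signing_required,
        "spotlight_shares": spotlight_shares,
    }


if __name__ == "__main__":
    report = audit(SAMPLE_SMB_CONF)
    print("server requires signing:", report["signing_required"])
    print("shares with spotlight enabled:", report["spotlight_shares"])
```

A "signing_required" of True on an unpatched version is exactly the case the CVE-2023-3347 text describes: the setting is present but not enforced, so the configuration audit must be paired with the version check, not used instead of it.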