Vulnerabilities > CVE-2013-4408 - Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Samba
Attack vector
UNKNOWN Attack complexity
UNKNOWN Privileges required
UNKNOWN Confidentiality impact
UNKNOWN Integrity impact
UNKNOWN Availability impact
UNKNOWN Summary
Heap-based buffer overflow in the dcerpc_read_ncacn_packet_done function in librpc/rpc/dcerpc_util.c in winbindd in Samba 3.x before 3.6.22, 4.0.x before 4.0.13, and 4.1.x before 4.1.3 allows remote AD domain controllers to execute arbitrary code via an invalid fragment length in a DCE-RPC packet.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Buffer Overflow via Environment Variables This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
- Overflow Buffers Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
- Client-side Injection-induced Buffer Overflow This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
- Filter Failure through Buffer Overflow In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
- MIME Conversion An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
Nessus
NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2013-1806.NASL description Updated samba3x and samba packages that fix two security issues are now available for Red Hat Enterprise Linux 5 and 6 respectively. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Samba is an open source implementation of the Server Message Block (SMB) or Common Internet File System (CIFS) protocol, which allows PC-compatible machines to share files, printers, and other information. A heap-based buffer overflow flaw was found in the DCE-RPC client code in Samba. A specially crafted DCE-RPC packet could cause various Samba programs to crash or, possibly, execute arbitrary code when parsed. A malicious or compromised Active Directory Domain Controller could use this flaw to compromise the winbindd daemon running with root privileges. (CVE-2013-4408) A flaw was found in the way Samba performed ACL checks on alternate file and directory data streams. An attacker able to access a CIFS share with alternate stream support enabled could access alternate data streams regardless of the underlying file or directory ACL permissions. (CVE-2013-4475) Red Hat would like to thank the Samba project for reporting CVE-2013-4408. Upstream acknowledges Stefan Metzmacher and Michael Adam of SerNet as the original reporters of this issue. All users of Samba are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, the smb service will be restarted automatically. last seen 2020-06-01 modified 2020-06-02 plugin id 71293 published 2013-12-10 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/71293 title RHEL 5 / 6 : samba and samba3x (RHSA-2013:1806) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2013:1806. The text # itself is copyright (C) Red Hat, Inc. # include("compat.inc"); if (description) { script_id(71293); script_version("1.27"); script_cvs_date("Date: 2019/10/24 15:35:37"); script_cve_id("CVE-2013-4408", "CVE-2013-4475"); script_bugtraq_id(63646, 64191); script_xref(name:"RHSA", value:"2013:1806"); script_name(english:"RHEL 5 / 6 : samba and samba3x (RHSA-2013:1806)"); script_summary(english:"Checks the rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Red Hat host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Updated samba3x and samba packages that fix two security issues are now available for Red Hat Enterprise Linux 5 and 6 respectively. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Samba is an open source implementation of the Server Message Block (SMB) or Common Internet File System (CIFS) protocol, which allows PC-compatible machines to share files, printers, and other information. A heap-based buffer overflow flaw was found in the DCE-RPC client code in Samba. A specially crafted DCE-RPC packet could cause various Samba programs to crash or, possibly, execute arbitrary code when parsed. A malicious or compromised Active Directory Domain Controller could use this flaw to compromise the winbindd daemon running with root privileges. (CVE-2013-4408) A flaw was found in the way Samba performed ACL checks on alternate file and directory data streams. An attacker able to access a CIFS share with alternate stream support enabled could access alternate data streams regardless of the underlying file or directory ACL permissions. (CVE-2013-4475) Red Hat would like to thank the Samba project for reporting CVE-2013-4408. Upstream acknowledges Stefan Metzmacher and Michael Adam of SerNet as the original reporters of this issue. All users of Samba are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, the smb service will be restarted automatically." ); # http://www.samba.org/samba/security/CVE-2013-4408 script_set_attribute( attribute:"see_also", value:"https://www.samba.org/samba/security/CVE-2013-4408" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2013:1806" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2013-4408" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2013-4475" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:A/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:libsmbclient"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:libsmbclient-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:samba"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:samba-client"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:samba-common"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:samba-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:samba-doc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:samba-domainjoin-gui"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:samba-swat"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:samba-winbind"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:samba-winbind-clients"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:samba-winbind-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:samba-winbind-krb5-locator"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:samba3x"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:samba3x-client"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:samba3x-common"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:samba3x-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:samba3x-doc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:samba3x-domainjoin-gui"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:samba3x-swat"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:samba3x-winbind"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:samba3x-winbind-devel"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:5"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6.5"); script_set_attribute(attribute:"vuln_publication_date", value:"2013/11/13"); script_set_attribute(attribute:"patch_publication_date", value:"2013/12/09"); script_set_attribute(attribute:"plugin_publication_date", value:"2013/12/10"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Red Hat Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat"); os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat"); os_ver = os_ver[1]; if (! preg(pattern:"^(5|6)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 5.x / 6.x", "Red Hat " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu); yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo"); if (!empty_or_null(yum_updateinfo)) { rhsa = "RHSA-2013:1806"; yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa); if (!empty_or_null(yum_report)) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : yum_report ); exit(0); } else { audit_message = "affected by Red Hat security advisory " + rhsa; audit(AUDIT_OS_NOT, audit_message); } } else { flag = 0; if (rpm_check(release:"RHEL5", cpu:"i386", reference:"samba3x-3.6.6-0.138.el5_10")) flag++; if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"samba3x-3.6.6-0.138.el5_10")) flag++; if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"samba3x-3.6.6-0.138.el5_10")) flag++; if (rpm_check(release:"RHEL5", cpu:"i386", reference:"samba3x-client-3.6.6-0.138.el5_10")) flag++; if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"samba3x-client-3.6.6-0.138.el5_10")) flag++; if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"samba3x-client-3.6.6-0.138.el5_10")) flag++; if (rpm_check(release:"RHEL5", cpu:"i386", reference:"samba3x-common-3.6.6-0.138.el5_10")) flag++; if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"samba3x-common-3.6.6-0.138.el5_10")) flag++; if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"samba3x-common-3.6.6-0.138.el5_10")) flag++; if (rpm_check(release:"RHEL5", reference:"samba3x-debuginfo-3.6.6-0.138.el5_10")) flag++; if (rpm_check(release:"RHEL5", cpu:"i386", reference:"samba3x-doc-3.6.6-0.138.el5_10")) flag++; if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"samba3x-doc-3.6.6-0.138.el5_10")) flag++; if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"samba3x-doc-3.6.6-0.138.el5_10")) flag++; if (rpm_check(release:"RHEL5", cpu:"i386", reference:"samba3x-domainjoin-gui-3.6.6-0.138.el5_10")) flag++; if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"samba3x-domainjoin-gui-3.6.6-0.138.el5_10")) flag++; if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"samba3x-domainjoin-gui-3.6.6-0.138.el5_10")) flag++; if (rpm_check(release:"RHEL5", cpu:"i386", reference:"samba3x-swat-3.6.6-0.138.el5_10")) flag++; if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"samba3x-swat-3.6.6-0.138.el5_10")) flag++; if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"samba3x-swat-3.6.6-0.138.el5_10")) flag++; if (rpm_check(release:"RHEL5", reference:"samba3x-winbind-3.6.6-0.138.el5_10")) flag++; if (rpm_check(release:"RHEL5", reference:"samba3x-winbind-devel-3.6.6-0.138.el5_10")) flag++; if (rpm_check(release:"RHEL6", reference:"libsmbclient-3.6.9-167.el6_5")) flag++; if (rpm_check(release:"RHEL6", reference:"libsmbclient-devel-3.6.9-167.el6_5")) flag++; if (rpm_check(release:"RHEL6", cpu:"i686", reference:"samba-3.6.9-167.el6_5")) flag++; if (rpm_check(release:"RHEL6", cpu:"s390x", reference:"samba-3.6.9-167.el6_5")) flag++; if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"samba-3.6.9-167.el6_5")) flag++; if (rpm_check(release:"RHEL6", cpu:"i686", reference:"samba-client-3.6.9-167.el6_5")) flag++; if (rpm_check(release:"RHEL6", cpu:"s390x", reference:"samba-client-3.6.9-167.el6_5")) flag++; if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"samba-client-3.6.9-167.el6_5")) flag++; if (rpm_check(release:"RHEL6", reference:"samba-common-3.6.9-167.el6_5")) flag++; if (rpm_check(release:"RHEL6", reference:"samba-debuginfo-3.6.9-167.el6_5")) flag++; if (rpm_check(release:"RHEL6", cpu:"i686", reference:"samba-doc-3.6.9-167.el6_5")) flag++; if (rpm_check(release:"RHEL6", cpu:"s390x", reference:"samba-doc-3.6.9-167.el6_5")) flag++; if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"samba-doc-3.6.9-167.el6_5")) flag++; if (rpm_check(release:"RHEL6", cpu:"i686", reference:"samba-domainjoin-gui-3.6.9-167.el6_5")) flag++; if (rpm_check(release:"RHEL6", cpu:"s390x", reference:"samba-domainjoin-gui-3.6.9-167.el6_5")) flag++; if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"samba-domainjoin-gui-3.6.9-167.el6_5")) flag++; if (rpm_check(release:"RHEL6", cpu:"i686", reference:"samba-swat-3.6.9-167.el6_5")) flag++; if (rpm_check(release:"RHEL6", cpu:"s390x", reference:"samba-swat-3.6.9-167.el6_5")) flag++; if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"samba-swat-3.6.9-167.el6_5")) flag++; if (rpm_check(release:"RHEL6", cpu:"i686", reference:"samba-winbind-3.6.9-167.el6_5")) flag++; if (rpm_check(release:"RHEL6", cpu:"s390x", reference:"samba-winbind-3.6.9-167.el6_5")) flag++; if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"samba-winbind-3.6.9-167.el6_5")) flag++; if (rpm_check(release:"RHEL6", reference:"samba-winbind-clients-3.6.9-167.el6_5")) flag++; if (rpm_check(release:"RHEL6", reference:"samba-winbind-devel-3.6.9-167.el6_5")) flag++; if (rpm_check(release:"RHEL6", cpu:"i686", reference:"samba-winbind-krb5-locator-3.6.9-167.el6_5")) flag++; if (rpm_check(release:"RHEL6", cpu:"s390x", reference:"samba-winbind-krb5-locator-3.6.9-167.el6_5")) flag++; if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"samba-winbind-krb5-locator-3.6.9-167.el6_5")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() + redhat_report_package_caveat() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libsmbclient / libsmbclient-devel / samba / samba-client / etc"); } }
NASL family Scientific Linux Local Security Checks NASL id SL_20131210_SAMBA4_ON_SL6_X.NASL description A heap-based buffer overflow flaw was found in the DCE-RPC client code in Samba. A specially crafted DCE-RPC packet could cause various Samba programs to crash or, possibly, execute arbitrary code when parsed. A malicious or compromised Active Directory Domain Controller could use this flaw to compromise the winbindd daemon running with root privileges. (CVE-2013-4408) After installing this update, the smb service will be restarted automatically. last seen 2020-03-18 modified 2013-12-11 plugin id 71340 published 2013-12-11 reporter This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/71340 title Scientific Linux Security Update : samba4 on SL6.x i386/x86_64 (20131210) NASL family SuSE Local Security Checks NASL id SUSE_11_CIFS-MOUNT-131213.NASL description This update fixes the following security issues with samba : - DCERPC frag_len not checked. (CVE-2013-4408). (bnc#844720) - winbind pam security problem. (CVE-2012-6150). (bnc#853347) - No access check verification on stream files (CVE-2013-4475). And fixes the following non-security issues :. (bnc#848101) - libsmbclient0 package description contains comments. (bnc#853021) - rpcclient adddriver and setdrive do not set all needed registry entries. (bnc#817880) - Client trying to delete print job fails: Samba returns: WERR_INVALID_PRINTER_NAME. (bnc#838472) - various upstream fixes. (bnc#854520 and bnc#849226) last seen 2020-06-05 modified 2014-01-07 plugin id 71833 published 2014-01-07 reporter This script is Copyright (C) 2014-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/71833 title SuSE 11.2 / 11.3 Security Update : Samba (SAT Patch Numbers 8655 / 8656) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2013-1805.NASL description From Red Hat Security Advisory 2013:1805 : Updated samba4 packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Samba is an open source implementation of the Server Message Block (SMB) or Common Internet File System (CIFS) protocol, which allows PC-compatible machines to share files, printers, and other information. A heap-based buffer overflow flaw was found in the DCE-RPC client code in Samba. A specially crafted DCE-RPC packet could cause various Samba programs to crash or, possibly, execute arbitrary code when parsed. A malicious or compromised Active Directory Domain Controller could use this flaw to compromise the winbindd daemon running with root privileges. (CVE-2013-4408) Red Hat would like to thank the Samba project for reporting this issue. Upstream acknowledges Stefan Metzmacher and Michael Adam of SerNet as the original reporters of this issue. All users of Samba are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing this update, the smb service will be restarted automatically. last seen 2020-06-01 modified 2020-06-02 plugin id 71288 published 2013-12-10 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/71288 title Oracle Linux 6 : samba4 (ELSA-2013-1805) NASL family Scientific Linux Local Security Checks NASL id SL_20131210_SAMBA_AND_SAMBA3X_ON_SL5_X.NASL description A heap-based buffer overflow flaw was found in the DCE-RPC client code in Samba. A specially crafted DCE-RPC packet could cause various Samba programs to crash or, possibly, execute arbitrary code when parsed. A malicious or compromised Active Directory Domain Controller could use this flaw to compromise the winbindd daemon running with root privileges. (CVE-2013-4408) A flaw was found in the way Samba performed ACL checks on alternate file and directory data streams. An attacker able to access a CIFS share with alternate stream support enabled could access alternate data streams regardless of the underlying file or directory ACL permissions. (CVE-2013-4475) After installing this update, the smb service will be restarted automatically. last seen 2020-03-18 modified 2013-12-11 plugin id 71341 published 2013-12-11 reporter This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/71341 title Scientific Linux Security Update : samba and samba3x on SL5.x, SL6.x i386/x86_64 (20131210) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2014-0009.NASL description Updated samba packages that fix two security issues are now available for Red Hat Storage. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Samba is an open source implementation of the Server Message Block (SMB) or Common Internet File System (CIFS) protocol, which allows PC-compatible machines to share files, printers, and other information. A heap-based buffer overflow flaw was found in the DCE-RPC client code in Samba. A specially crafted DCE-RPC packet could cause various Samba programs to crash or, possibly, execute arbitrary code when parsed. A malicious or compromised Active Directory Domain Controller could use this flaw to compromise the winbindd daemon running with root privileges. (CVE-2013-4408) A flaw was found in the way Samba performed ACL checks on alternate file and directory data streams. An attacker able to access a CIFS share with alternate stream support enabled could access alternate data streams regardless of the underlying file or directory ACL permissions. (CVE-2013-4475) Red Hat would like to thank the Samba project for reporting CVE-2013-4408. Upstream acknowledges Stefan Metzmacher and Michael Adam of SerNet as the original reporters of this issue. All users of Red Hat Storage are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, the smb service will be restarted automatically. last seen 2020-06-01 modified 2020-06-02 plugin id 78991 published 2014-11-08 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/78991 title RHEL 6 : Storage Server (RHSA-2014:0009) NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_613E45D1615411E39B62000C292E4FD8.NASL description The Samba project reports : These are security releases in order to address CVE-2013-4408 (DCE-RPC fragment length field is incorrectly checked) and CVE-2012-6150 (pam_winbind login without require_membership_of restrictions). last seen 2020-06-01 modified 2020-06-02 plugin id 71285 published 2013-12-10 reporter This script is Copyright (C) 2013-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/71285 title FreeBSD : samba -- multiple vulnerabilities (613e45d1-6154-11e3-9b62-000c292e4fd8) NASL family Slackware Local Security Checks NASL id SLACKWARE_SSA_2014-013-04.NASL description New samba packages are available for Slackware 14.1, and -current to fix a security issue. last seen 2020-06-01 modified 2020-06-02 plugin id 71932 published 2014-01-14 reporter This script is Copyright (C) 2014 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/71932 title Slackware 14.1 / current : samba (SSA:2014-013-04) NASL family SuSE Local Security Checks NASL id SUSE_SU-2014-0723-1.NASL description This is a LTSS roll-up update for the Samba Server suite fixing multiple security issues and bugs. Security issues fixed : - CVE-2013-4496: Password lockout was not enforced for SAMR password changes, leading to brute force possibility. - CVE-2013-4408: DCE-RPC fragment length field is incorrectly checked. - CVE-2013-4124: Samba was affected by a denial of service attack on authenticated or guest connections. - CVE-2013-0214: The SWAT webadministration was affected by a cross site scripting attack (XSS). - CVE-2013-0213: The SWAT webadministration could possibly be used in clickjacking attacks. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2015-05-20 plugin id 83623 published 2015-05-20 reporter This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/83623 title SUSE SLES11 Security Update : Samba (SUSE-SU-2014:0723-1) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-2812.NASL description Two security issues were found in Samba, a SMB/CIFS file, print, and login server : - CVE-2013-4408 It was discovered that multiple buffer overflows in the processing of DCE-RPC packets may lead to the execution of arbitrary code. - CVE-2013-4475 Hemanth Thummala discovered that ACLs were not checked when opening files with alternate data streams. This issue is only exploitable if the VFS modules vfs_streams_depot and/or vfs_streams_xattr are used. last seen 2020-03-17 modified 2013-12-10 plugin id 71275 published 2013-12-10 reporter This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/71275 title Debian DSA-2812-1 : samba - several vulnerabilities NASL family SuSE Local Security Checks NASL id OPENSUSE-2016-490.NASL description This update fixes these security vulnerabilities : - CVE-2015-5370: DCERPC server and client were vulnerable to DOS and MITM attacks (bsc#936862). - CVE-2016-2110: A man-in-the-middle could have downgraded NTLMSSP authentication (bsc#973031). - CVE-2016-2111: Domain controller netlogon member computer could have been spoofed (bsc#973032). - CVE-2016-2112: LDAP conenctions were vulnerable to downgrade and MITM attack (bsc#973033). - CVE-2016-2113: TLS certificate validation were missing (bsc#973034). - CVE-2016-2114: last seen 2020-06-05 modified 2016-04-21 plugin id 90609 published 2016-04-21 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/90609 title openSUSE Security Update : samba (openSUSE-2016-490) (Badlock) NASL family Fedora Local Security Checks NASL id FEDORA_2013-23177.NASL description Fix NULL pointer derreference in winbind debug message. Update to version 4.1.3 which fixes two security bugs. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-17 modified 2013-12-24 plugin id 71620 published 2013-12-24 reporter This script is Copyright (C) 2013-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/71620 title Fedora 20 : samba-4.1.3-2.fc20 (2013-23177) NASL family Misc. NASL id SAMBA_4_1_3.NASL description According to its banner, the version of Samba running on the remote host is 3.3.x equal or later than 3.3.10, 3.4.x, 3.5.x, 3.6.x prior to 3.6.22, 4.0.x prior to 4.0.13 or 4.1.x prior to 4.1.3. It is, therefore, potentially affected by multiple vulnerabilities : - A security bypass vulnerability exists in the last seen 2020-06-01 modified 2020-06-02 plugin id 71377 published 2013-12-12 reporter This script is Copyright (C) 2013-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/71377 title Samba 3.x < 3.6.22 / 4.0.x < 4.0.13 / 4.1.x < 4.1.3 Multiple Vulnerabilities NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2013-1806.NASL description Updated samba3x and samba packages that fix two security issues are now available for Red Hat Enterprise Linux 5 and 6 respectively. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Samba is an open source implementation of the Server Message Block (SMB) or Common Internet File System (CIFS) protocol, which allows PC-compatible machines to share files, printers, and other information. A heap-based buffer overflow flaw was found in the DCE-RPC client code in Samba. A specially crafted DCE-RPC packet could cause various Samba programs to crash or, possibly, execute arbitrary code when parsed. A malicious or compromised Active Directory Domain Controller could use this flaw to compromise the winbindd daemon running with root privileges. (CVE-2013-4408) A flaw was found in the way Samba performed ACL checks on alternate file and directory data streams. An attacker able to access a CIFS share with alternate stream support enabled could access alternate data streams regardless of the underlying file or directory ACL permissions. (CVE-2013-4475) Red Hat would like to thank the Samba project for reporting CVE-2013-4408. Upstream acknowledges Stefan Metzmacher and Michael Adam of SerNet as the original reporters of this issue. All users of Samba are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, the smb service will be restarted automatically. last seen 2020-06-01 modified 2020-06-02 plugin id 71274 published 2013-12-10 reporter This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/71274 title CentOS 5 / 6 : samba / samba3x (CESA-2013:1806) NASL family Fedora Local Security Checks NASL id FEDORA_2014-7672.NASL description Update to Samba 4.1.9. Update to Samba 4.1.8 (CVE-2014-0178 samba: Uninitialized memory exposure) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-17 modified 2014-06-26 plugin id 76223 published 2014-06-26 reporter This script is Copyright (C) 2014-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/76223 title Fedora 20 : samba-4.1.9-3.fc20 (2014-7672) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2013-1806.NASL description From Red Hat Security Advisory 2013:1806 : Updated samba3x and samba packages that fix two security issues are now available for Red Hat Enterprise Linux 5 and 6 respectively. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Samba is an open source implementation of the Server Message Block (SMB) or Common Internet File System (CIFS) protocol, which allows PC-compatible machines to share files, printers, and other information. A heap-based buffer overflow flaw was found in the DCE-RPC client code in Samba. A specially crafted DCE-RPC packet could cause various Samba programs to crash or, possibly, execute arbitrary code when parsed. A malicious or compromised Active Directory Domain Controller could use this flaw to compromise the winbindd daemon running with root privileges. (CVE-2013-4408) A flaw was found in the way Samba performed ACL checks on alternate file and directory data streams. An attacker able to access a CIFS share with alternate stream support enabled could access alternate data streams regardless of the underlying file or directory ACL permissions. (CVE-2013-4475) Red Hat would like to thank the Samba project for reporting CVE-2013-4408. Upstream acknowledges Stefan Metzmacher and Michael Adam of SerNet as the original reporters of this issue. All users of Samba are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, the smb service will be restarted automatically. last seen 2020-06-01 modified 2020-06-02 plugin id 71289 published 2013-12-10 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/71289 title Oracle Linux 5 / 6 : samba / samba3x (ELSA-2013-1806) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201502-15.NASL description The remote host is affected by the vulnerability described in GLSA-201502-15 (Samba: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Samba. Please review the CVE identifiers referenced below for details. Impact : A context-dependent attacker may be able to execute arbitrary code, cause a Denial of Service condition, bypass intended file restrictions, or obtain sensitive information. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 81536 published 2015-02-26 reporter This script is Copyright (C) 2015-2016 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/81536 title GLSA-201502-15 : Samba: Multiple vulnerabilities NASL family Fedora Local Security Checks NASL id FEDORA_2013-23085.NASL description This updates Samba to version 4.0.13, which fixes two security bugs. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-17 modified 2013-12-16 plugin id 71447 published 2013-12-16 reporter This script is Copyright (C) 2013-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/71447 title Fedora 19 : samba-4.0.13-1.fc19 (2013-23085) NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2013-299.NASL description Multiple vulnerabilities has been discovered and corrected in samba : The winbind_name_list_to_sid_string_list function in nsswitch/pam_winbind.c in Samba through 4.1.2 handles invalid require_membership_of group names by accepting authentication by any user, which allows remote authenticated users to bypass intended access restrictions in opportunistic circumstances by leveraging an administrator last seen 2020-06-01 modified 2020-06-02 plugin id 71606 published 2013-12-23 reporter This script is Copyright (C) 2013-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/71606 title Mandriva Linux Security Advisory : samba (MDVSA-2013:299) NASL family Fedora Local Security Checks NASL id FEDORA_2014-9132.NASL description Update to Samba 4.0.21. CVE-2014-3560. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-17 modified 2014-08-20 plugin id 77268 published 2014-08-20 reporter This script is Copyright (C) 2014-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/77268 title Fedora 19 : samba-4.0.21-1.fc19 (2014-9132) NASL family SuSE Local Security Checks NASL id OPENSUSE-2013-996.NASL description - Update to 4.1.3. + DCE-RPC fragment length field is incorrectly checked; CVE-2013-4408; (bnc#844720). + pam_winbind login without require_membership_of restrictions; CVE-2012-6150; (bnc#853347). - Make use of the full gpg pub key file name including the key ID. - Add transparent file compression support; (fate#316266). + Implement FSCTL_GET_COMPRESSION and FSCTL_SET_COMPRESSION handlers. + Add FILE_ATTRIBUTE_COMPRESSED and FILE_NO_COMPRESSION support. + Extend vfs_btrfs VFS module to utilize get/set compression hooks. - Add support for FSCTL_SRV_COPYCHUNK_WRITE; (fate#314770). - Remove bogus libsmbclient0 package description and cleanup the libsmbclient line from baselibs.conf; (bnc#853021). - BuildRequire systemd on post-12.2 systems. - Update to 4.1.2. + s4-dns: dlz_bind9: Create dns-HOSTNAME account disabled; (bso#9091). + dfs_server: Use dsdb_search_one to catch 0 results as well as NO_SUCH_OBJECT errors; (bso#10052). + Missing talloc_free can leak stackframe in error path; (bso#10187). + Fix memset used with constant zero length parameter; (bso#10190). + s4:dsdb/rootdse: report last seen 2020-06-05 modified 2014-06-13 plugin id 75242 published 2014-06-13 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/75242 title openSUSE Security Update : samba (openSUSE-SU-2013:1921-1) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2013-1805.NASL description Updated samba4 packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Samba is an open source implementation of the Server Message Block (SMB) or Common Internet File System (CIFS) protocol, which allows PC-compatible machines to share files, printers, and other information. A heap-based buffer overflow flaw was found in the DCE-RPC client code in Samba. A specially crafted DCE-RPC packet could cause various Samba programs to crash or, possibly, execute arbitrary code when parsed. A malicious or compromised Active Directory Domain Controller could use this flaw to compromise the winbindd daemon running with root privileges. (CVE-2013-4408) Red Hat would like to thank the Samba project for reporting this issue. Upstream acknowledges Stefan Metzmacher and Michael Adam of SerNet as the original reporters of this issue. All users of Samba are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing this update, the smb service will be restarted automatically. last seen 2020-06-01 modified 2020-06-02 plugin id 71273 published 2013-12-10 reporter This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/71273 title CentOS 6 : samba4 (CESA-2013:1805) NASL family SuSE Local Security Checks NASL id OPENSUSE-2014-229.NASL description Samba was updated to fix security issues and bugs : Security issues fixed : - Password lockout was not enforced for SAMR password changes, this allowed brute-force attacks on passwords. CVE-2013-4496; (bnc#849224). - The DCE-RPC fragment length field is incorrectly checked, which could expose samba clients to buffer overflow exploits caused by malicious servers; CVE-2013-4408; (bnc#844720). - The pam_winbind login without require_membership_of restrictions could allow fallbacks to local users even if they were not intended to be allowed; CVE-2012-6150; (bnc#853347). Also non security bugs were fixed : - Fix problem with server taking too long to respond to a MSG_PRINTER_DRVUPGRADE message; (bso#9942); (bnc#863748). - Fix memory leak in printer_list_get_printer(); (bso#9993); (bnc#865561). - Depend on %version-%release with all manual Provides and Requires; (bnc#844307). - Remove superfluous obsoletes *-64bit in the ifarch ppc64 case; (bnc#437293). - Fix Winbind 100% CPU utilization caused by domain list corruption; (bso#10358); (bnc#786677). - Samba is chatty about being unable to open a printer; (bso#10118). - nsswitch: Fix short writes in winbind_write_sock; (bso#10195). - xattr: fix listing EAs on *BSD for non-root users; (bso#10247). - spoolss: accept XPS_PASS datatype used by Windows 8; (bso#10267). - The preceding bugs are tracked by (bnc#854520) too. - Make use of the full gpg pub key file name including the key ID. - Remove bogus libsmbclient0 package description and cleanup the libsmbclient line from baselibs.conf; (bnc#853021). - Allow smbcacls to take a last seen 2020-06-05 modified 2014-06-13 plugin id 75302 published 2014-06-13 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/75302 title openSUSE Security Update : samba (openSUSE-SU-2014:0405-1) NASL family Solaris Local Security Checks NASL id SOLARIS11_SAMBA_20140225.NASL description The remote Solaris system is missing necessary patches to address security updates : - The winbind_name_list_to_sid_string_list function in nsswitch/pam_winbind.c in Samba through 4.1.2 handles invalid require_membership_of group names by accepting authentication by any user, which allows remote authenticated users to bypass intended access restrictions in opportunistic circumstances by leveraging an administrator last seen 2020-06-01 modified 2020-06-02 plugin id 80766 published 2015-01-19 reporter This script is Copyright (C) 2015-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/80766 title Oracle Solaris Third-Party Patch Update : samba (cve_2012_6150_input_validation) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-2054-1.NASL description It was discovered that Winbind incorrectly handled invalid group names with the require_membership_of parameter. If an administrator used an invalid group name by mistake, access was granted instead of having the login fail. (CVE-2012-6150) Stefan Metzmacher and Michael Adam discovered that Samba incorrectly handled DCE-RPC fragment length fields. A remote attacker could use this issue to cause Samba to crash, resulting in a denial of service, or possibly execute arbitrary code as the root user. (CVE-2013-4408) Hemanth Thummala discovered that Samba incorrectly handled file permissions when vfs_streams_depot or vfs_streams_xattr were enabled. A remote attacker could use this issue to bypass intended restrictions. (CVE-2013-4475). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 71376 published 2013-12-12 reporter Ubuntu Security Notice (C) 2013-2019 Canonical, Inc. / NASL script (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/71376 title Ubuntu 10.04 LTS / 12.04 LTS / 12.10 / 13.04 / 13.10 : samba vulnerabilities (USN-2054-1) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2013-1805.NASL description Updated samba4 packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Samba is an open source implementation of the Server Message Block (SMB) or Common Internet File System (CIFS) protocol, which allows PC-compatible machines to share files, printers, and other information. A heap-based buffer overflow flaw was found in the DCE-RPC client code in Samba. A specially crafted DCE-RPC packet could cause various Samba programs to crash or, possibly, execute arbitrary code when parsed. A malicious or compromised Active Directory Domain Controller could use this flaw to compromise the winbindd daemon running with root privileges. (CVE-2013-4408) Red Hat would like to thank the Samba project for reporting this issue. Upstream acknowledges Stefan Metzmacher and Michael Adam of SerNet as the original reporters of this issue. All users of Samba are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing this update, the smb service will be restarted automatically. last seen 2020-06-01 modified 2020-06-02 plugin id 71292 published 2013-12-10 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/71292 title RHEL 6 : samba4 (RHSA-2013:1805)
Redhat
advisories |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
rpms |
|
References
- http://www.samba.org/samba/security/CVE-2013-4408
- http://www.samba.org/samba/ftp/patches/security/samba-4.1.2-CVE-2013-4408-CVE-2012-6150.patch
- http://rhn.redhat.com/errata/RHSA-2013-1805.html
- http://rhn.redhat.com/errata/RHSA-2013-1806.html
- http://www.debian.org/security/2013/dsa-2812
- http://lists.opensuse.org/opensuse-updates/2013-12/msg00088.html
- http://www.ubuntu.com/usn/USN-2054-1
- http://lists.opensuse.org/opensuse-security-announce/2014-01/msg00002.html
- http://rhn.redhat.com/errata/RHSA-2014-0009.html
- http://lists.opensuse.org/opensuse-updates/2014-03/msg00063.html
- http://www.mandriva.com/security/advisories?name=MDVSA-2013:299
- http://www.securityfocus.com/bid/64191
- http://security.gentoo.org/glsa/glsa-201502-15.xml
- http://marc.info/?l=bugtraq&m=141660010015249&w=2
- http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00047.html
- http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00048.html
- http://lists.fedoraproject.org/pipermail/package-announce/2014-June/134717.html
- http://lists.fedoraproject.org/pipermail/package-announce/2014-August/136864.html