Vulnerabilities > CVE-2018-16852 - NULL Pointer Dereference vulnerability in Samba 4.9.0/4.9.1/4.9.2
Attack vector: NETWORK
Attack complexity: HIGH
Privileges required: HIGH
Confidentiality impact: NONE
Integrity impact: NONE
Availability impact: HIGH
Summary
Samba from version 4.9.0 up to, but not including, version 4.9.3 is vulnerable to a NULL pointer dereference. While processing a DNS zone in the DNS management DCE/RPC server, the internal DNS server or the Samba DLZ plugin for BIND9, if the DSPROPERTY_ZONE_MASTER_SERVERS property or the DSPROPERTY_ZONE_SCAVENGING_SERVERS property is set, the server will dereference a NULL pointer and terminate. There is no further vulnerability associated with this issue; the impact is limited to a denial of service.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | 9 |
Common Weakness Enumeration (CWE)
Nessus
NASL family Slackware Local Security Checks NASL id SLACKWARE_SSA_2018-333-01.NASL description New samba packages are available for Slackware 14.0, 14.1, 14.2, and -current to fix security issues. last seen 2020-06-01 modified 2020-06-02 plugin id 119280 published 2018-11-29 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/119280 title Slackware 14.0 / 14.1 / 14.2 / current : samba (SSA:2018-333-01) code
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Slackware Security Advisory 2018-333-01. The text
# itself is copyright (C) Slackware Linux, Inc.
#

# Purpose: local package-version check for Slackware advisory SSA:2018-333-01.
# The first part registers plugin metadata; the second part compares the
# installed samba package against the fixed builds listed per Slackware
# release and reports the host when any comparison flags it.
#
# Reading a finding from this plugin:
#  - It is a version check against the package list gathered over local
#    checks (plugin_type "local"); nothing here queries the Samba service,
#    its role, or any DNS zone properties.
#  - One finding stands for all six CVEs of the advisory. This page gives
#    the range for CVE-2018-16852 as 4.9.0 up to (not including) 4.9.3, so
#    only the "current" checks (fixed build 4.9.3) line up with it; the
#    14.0/14.1/14.2 checks compare against 4.6.16 and presumably reflect
#    the other CVEs in the list -- confirm against the Slackware advisory.

include("compat.inc");

# Description mode: register metadata only, then stop.
if (description)
{
  script_id(119280);
  script_version("1.4");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/24");

  # All CVEs fixed by the advisory; the plugin does not distinguish between them.
  script_cve_id("CVE-2018-14629", "CVE-2018-16841", "CVE-2018-16851", "CVE-2018-16852", "CVE-2018-16853", "CVE-2018-16857");
  script_xref(name:"SSA", value:"2018-333-01");

  script_name(english:"Slackware 14.0 / 14.1 / 14.2 / current : samba (SSA:2018-333-01)");
  script_summary(english:"Checks for updated package in /var/log/packages");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Slackware host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value: "New samba packages are available for Slackware 14.0, 14.1, 14.2, and -current to fix security issues."
  );
  # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2018&m=slackware-security.507711
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?c18ee90c"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected samba package.");

  # Severity caveat: the vectors below are sourced from CVE-2018-16857 (see
  # cvss_score_source further down) and rate an integrity impact with no
  # availability impact. CVE-2018-16852 is described on this page as a
  # denial of service only (availability HIGH, confidentiality/integrity
  # NONE), so the score attached to this plugin is not a rating of the NULL
  # pointer dereference and should not be used to triage it.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-16857");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:slackware:slackware_linux:samba");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:14.0");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:14.1");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:14.2");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/11/28");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/11/29");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/11/29");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Slackware Local Security Checks");

  # Depends on the SSH information-gathering plugin and on the KB items it
  # is expected to populate (local checks flag, release, package list).
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Slackware/release", "Host/Slackware/packages");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("slackware.inc");

# Preconditions: each missing KB item ends the run through audit() with the
# matching reason instead of producing a finding.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Slackware/release")) audit(AUDIT_OS_NOT, "Slackware");
if (!get_kb_item("Host/Slackware/packages")) audit(AUDIT_PACKAGE_LIST_MISSING);

# Architecture guard: proceed only when the CPU string contains "x86_64" or
# matches i386..i686; ">!<" is NASL's "substring not in" operator.
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Slackware", cpu);

# flag counts how many package checks fired. slackware_check() comes from
# slackware.inc (not shown here); presumably it returns true when the
# installed package for that release/arch is older than pkgver-pkgnum --
# confirm against the include.
flag = 0;
if (slackware_check(osver:"14.0", pkgname:"samba", pkgver:"4.6.16", pkgarch:"i486", pkgnum:"2_slack14.0")) flag++;
if (slackware_check(osver:"14.0", arch:"x86_64", pkgname:"samba", pkgver:"4.6.16", pkgarch:"x86_64", pkgnum:"2_slack14.0")) flag++;

if (slackware_check(osver:"14.1", pkgname:"samba", pkgver:"4.6.16", pkgarch:"i486", pkgnum:"2_slack14.1")) flag++;
if (slackware_check(osver:"14.1", arch:"x86_64", pkgname:"samba", pkgver:"4.6.16", pkgarch:"x86_64", pkgnum:"2_slack14.1")) flag++;

if (slackware_check(osver:"14.2", pkgname:"samba", pkgver:"4.6.16", pkgarch:"i586", pkgnum:"2_slack14.2")) flag++;
if (slackware_check(osver:"14.2", arch:"x86_64", pkgname:"samba", pkgver:"4.6.16", pkgarch:"x86_64", pkgnum:"2_slack14.2")) flag++;

# "current" is the only branch checked against 4.9.3, the first version this
# page lists as no longer affected by CVE-2018-16852.
if (slackware_check(osver:"current", pkgname:"samba", pkgver:"4.9.3", pkgarch:"i586", pkgnum:"1")) flag++;
if (slackware_check(osver:"current", arch:"x86_64", pkgname:"samba", pkgver:"4.9.3", pkgarch:"x86_64", pkgnum:"1")) flag++;

# Report once if any check fired; the package detail from
# slackware_report_get() is attached only when report_verbosity > 0.
# Otherwise record the host as not affected.
if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:slackware_report_get());
  else security_warning(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
NASL family Misc. NASL id SAMBA_4_7_12.NASL description The version of Samba running on the remote host is 4.7.x prior to 4.7.12, or 4.8.x prior to 4.8.7, or 4.9.x prior to 4.9.3. It is, therefore, affected by multiple vulnerabilities. Notes: - Refer to vendor advisories for possible workarounds. - CVE-2018-16852 and CVE-2018-16857 only apply to 4.9.x. Note that Nessus has not tested for this issue but has instead relied only on the application last seen 2020-06-01 modified 2020-06-02 plugin id 119306 published 2018-11-30 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/119306 title Samba 4.7.x < 4.7.12 / 4.8.x < 4.8.7 / 4.9.x < 4.9.3 Multiple Vulnerabilities NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-202003-52.NASL description The remote host is affected by the vulnerability described in GLSA-202003-52 (Samba: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Samba. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could possibly execute arbitrary code, cause a Denial of Service condition, conduct a man-in-the-middle attack, or obtain sensitive information. Workaround : There is no known workaround at this time. last seen 2020-03-31 modified 2020-03-26 plugin id 134927 published 2020-03-26 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/134927 title GLSA-202003-52 : Samba: Multiple vulnerabilities NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_54976998F24811E881E2005056A311D1.NASL description The samba project reports : All versions of Samba from 4.0.0 onwards are vulnerable to infinite query recursion caused by CNAME loops. Any dns record can be added via ldap by an unprivileged user using the ldbadd tool, so this is a security issue. 
When configured to accept smart-card authentication, Samba last seen 2020-06-01 modified 2020-06-02 plugin id 119246 published 2018-11-28 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/119246 title FreeBSD : samba -- multiple vulnerabilities (54976998-f248-11e8-81e2-005056a311d1) NASL family Fedora Local Security Checks NASL id FEDORA_2018-E423E8743F.NASL description Update to Samba 4.9.3 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2019-01-03 plugin id 120862 published 2019-01-03 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/120862 title Fedora 29 : 2:samba (2018-e423e8743f) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2020-1040.NASL description According to the versions of the samba packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - Samba from version 4.9.0 and before version 4.9.3 that have AD DC configurations watching for bad passwords (to restrict brute forcing of passwords) in a window of more than 3 minutes may not watch for bad passwords at all. The primary risk from this issue is with regards to domains that have been upgraded from Samba 4.8 and earlier. In these cases the manual testing done to confirm an organisation last seen 2020-06-01 modified 2020-06-02 plugin id 132794 published 2020-01-13 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. 
source https://www.tenable.com/plugins/nessus/132794 title EulerOS Virtualization for ARM 64 3.0.5.0 : samba (EulerOS-SA-2020-1040) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-2116.NASL description According to the versions of the samba packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - A flaw was found in samba versions 4.9.x up to 4.9.13, samba 4.10.x up to 4.10.8 and samba 4.11.x up to 4.11.0rc3, when certain parameters were set in the samba configuration file. An unauthenticated attacker could use this flaw to escape the shared directory and access the contents of directories outside the share.(CVE-2019-10197) - A null pointer dereference flaw was found in the Samba DNS Management server when used as an Active Directory Domain Controller. A remote attacker could use this flaw to cause a denial of service (application crash).Samba from version 4.9.0 and before version 4.9.3 is vulnerable to a NULL pointer de-reference. During the processing of an DNS zone in the DNS management DCE/RPC server, the internal DNS server or the Samba DLZ plugin for BIND9, if the DSPROPERTY_ZONE_MASTER_SERVERS property or DSPROPERTY_ZONE_SCAVENGING_SERVERS property is set, the server will follow a NULL pointer and terminate. There is no further vulnerability associated with this issue, merely a denial of service.(CVE-2018-16852) - It was found that the last seen 2020-05-03 modified 2019-11-12 plugin id 130825 published 2019-11-12 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/130825 title EulerOS 2.0 SP8 : samba (EulerOS-SA-2019-2116)
References
- http://www.securityfocus.com/bid/106024
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16852
- https://security.gentoo.org/glsa/202003-52
- https://security.netapp.com/advisory/ntap-20181127-0001/
- https://www.samba.org/samba/security/CVE-2018-16852.html