Vulnerabilities > CVE-2018-16860 - Improperly Implemented Security Check for Standard vulnerability in multiple products

CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
HIGH
Privileges required
LOW
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
network
high complexity
samba
heimdal-project
CWE-358
nessus

Summary

A flaw was found in the Heimdal KDC embedded in Samba, versions 4.8.x before 4.8.12, 4.9.x before 4.9.8 and 4.10.x before 4.10.3, when Samba is used in Active Directory Domain Controller (AD DC) mode. The S4U2Self handler did not require the checksum protecting the requested principal name (PA-FOR-USER) to be keyed, so an attacker positioned between a client and the KDC could intercept an S4U2Self request, replace the user name (principal) in it with any other principal that exists in the KDC, recompute the unkeyed checksum, and effectively obtain a ticket for that principal. Only deployments in which Samba acts as the AD DC (and therefore runs the KDC) are exposed; the fixed releases are 4.8.12, 4.9.8 and 4.10.3.

Nessus

  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-4443.NASL
    descriptionIsaac Boukris and Andrew Bartlett discovered that the S4U2Self Kerberos extension used in Samba's Active Directory support was susceptible to man-in-the-middle attacks caused by incomplete checksum validation.
    last seen2020-06-01
    modified2020-06-02
    plugin id125094
    published2019-05-15
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/125094
    titleDebian DSA-4443-1 : samba - security update
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-4443. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    # Reviewer notes (CVE-2018-16860, S4U2Self checksum validation in the
    # Heimdal KDC embedded in Samba's AD DC):
    #  - Local, dpkg-based check: every binary package built from the
    #    Debian 'samba' source is compared against the DSA fix version
    #    2:4.5.16+dfsg-1+deb9u2 taken from the Host/Debian/dpkg-l KB entry.
    #  - The check cannot tell whether the host actually runs Samba as an
    #    AD DC (the only mode the advisory describes as exposed), so a hit
    #    means "unpatched package present", not "vulnerable code path
    #    reachable".
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(125094);
      script_version("1.5");
      script_cvs_date("Date: 2020/01/17");
    
      script_cve_id("CVE-2018-16860");
      script_xref(name:"DSA", value:"4443");
    
      script_name(english:"Debian DSA-4443-1 : samba - security update");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      # NOTE(review): the description string below ends with "advisory at"
      # and no URL. The upstream advisory referenced by the other plugins for
      # this CVE is https://www.samba.org/samba/security/CVE-2018-16860.html
      # (see the FreeBSD and Samba version-check plugins' see_also entries).
      script_set_attribute(
        attribute:"description", 
        value:
    "Isaac Boukris and Andrew Bartlett discovered that the S4U2Self
    Kerberos extension used in Samba's Active Directory support was
    susceptible to man-in-the-middle attacks caused by incomplete checksum
    validation.
    
    Details can be found in the upstream advisory at"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/source-package/samba"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://packages.debian.org/source/stretch/samba"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.debian.org/security/2019/dsa-4443"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the samba packages.
    
    For the stable distribution (stretch), this problem has been fixed in
    version 2:4.5.16+dfsg-1+deb9u2."
      );
      # CVSS vectors match the NVD scoring for this CVE (network, high
      # complexity, low privileges, C/I/A high). Note the reporting call at
      # the bottom of this script is security_warning(), not a "hole".
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:S/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:samba");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:9.0");
    
      # vuln_publication_date (2019/07/31) is later than the DSA/patch date
      # (2019/05/14); the Samba version-check plugin for the same CVE uses
      # 2018/09/11. Metadata only, no effect on detection.
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/07/31");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/05/14");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/05/15");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      # Requires credentialed (SSH) access: the package list comes from the
      # dpkg -l output collected by ssh_get_info.nasl.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    # Preconditions: each audit() call ends the plugin with an explanatory
    # status rather than a finding.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    # One deb_check() per binary package built from the 'samba' source, all
    # against the same DSA fix version. Client-only packages (libsmbclient,
    # smbclient, libwbclient0, libparse-pidl-perl, ...) are included because
    # the DSA rebuilds the whole source package; a hit on them means an
    # unpatched build is installed, not that this host runs the AD DC KDC in
    # which the S4U2Self flaw lives.
    if (deb_check(release:"9.0", prefix:"ctdb", reference:"2:4.5.16+dfsg-1+deb9u2")) flag++;
    if (deb_check(release:"9.0", prefix:"libnss-winbind", reference:"2:4.5.16+dfsg-1+deb9u2")) flag++;
    if (deb_check(release:"9.0", prefix:"libpam-winbind", reference:"2:4.5.16+dfsg-1+deb9u2")) flag++;
    if (deb_check(release:"9.0", prefix:"libparse-pidl-perl", reference:"2:4.5.16+dfsg-1+deb9u2")) flag++;
    if (deb_check(release:"9.0", prefix:"libsmbclient", reference:"2:4.5.16+dfsg-1+deb9u2")) flag++;
    if (deb_check(release:"9.0", prefix:"libsmbclient-dev", reference:"2:4.5.16+dfsg-1+deb9u2")) flag++;
    if (deb_check(release:"9.0", prefix:"libwbclient-dev", reference:"2:4.5.16+dfsg-1+deb9u2")) flag++;
    if (deb_check(release:"9.0", prefix:"libwbclient0", reference:"2:4.5.16+dfsg-1+deb9u2")) flag++;
    if (deb_check(release:"9.0", prefix:"python-samba", reference:"2:4.5.16+dfsg-1+deb9u2")) flag++;
    if (deb_check(release:"9.0", prefix:"registry-tools", reference:"2:4.5.16+dfsg-1+deb9u2")) flag++;
    if (deb_check(release:"9.0", prefix:"samba", reference:"2:4.5.16+dfsg-1+deb9u2")) flag++;
    if (deb_check(release:"9.0", prefix:"samba-common", reference:"2:4.5.16+dfsg-1+deb9u2")) flag++;
    if (deb_check(release:"9.0", prefix:"samba-common-bin", reference:"2:4.5.16+dfsg-1+deb9u2")) flag++;
    if (deb_check(release:"9.0", prefix:"samba-dev", reference:"2:4.5.16+dfsg-1+deb9u2")) flag++;
    if (deb_check(release:"9.0", prefix:"samba-dsdb-modules", reference:"2:4.5.16+dfsg-1+deb9u2")) flag++;
    if (deb_check(release:"9.0", prefix:"samba-libs", reference:"2:4.5.16+dfsg-1+deb9u2")) flag++;
    if (deb_check(release:"9.0", prefix:"samba-testsuite", reference:"2:4.5.16+dfsg-1+deb9u2")) flag++;
    if (deb_check(release:"9.0", prefix:"samba-vfs-modules", reference:"2:4.5.16+dfsg-1+deb9u2")) flag++;
    if (deb_check(release:"9.0", prefix:"smbclient", reference:"2:4.5.16+dfsg-1+deb9u2")) flag++;
    if (deb_check(release:"9.0", prefix:"winbind", reference:"2:4.5.16+dfsg-1+deb9u2")) flag++;
    
    # Report once if any package is outdated. security_warning() is
    # presumably the medium-severity report call (the Ubuntu plugin for this
    # CVE reports SECURITY_HOLE instead) -- confirm against the family's
    # severity convention. With report_verbosity > 0 the per-package version
    # comparison collected by deb_check() is attached to the finding.
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3976-2.NASL
    descriptionUSN-3976-1 fixed a vulnerability in Samba. This update provides the corresponding update for Ubuntu 12.04 ESM and Ubuntu 14.04 ESM. Original advisory details : Isaac Boukris and Andrew Bartlett discovered that Samba incorrectly checked S4U2Self packets. In certain environments, a remote attacker could possibly use this issue to escalate privileges. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id125135
    published2019-05-15
    reporterUbuntu Security Notice (C) 2019 Canonical, Inc. / NASL script (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/125135
    titleUbuntu 14.04 LTS : samba vulnerability (USN-3976-2)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-3976-2. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    # Reviewer notes (CVE-2018-16860, S4U2Self checksum validation in the
    # Heimdal KDC embedded in Samba's AD DC):
    #  - Local, dpkg-based check for the ESM update of USN-3976-1.
    #  - The release gate below accepts both 12.04 and 14.04, but only a
    #    14.04 package version is tested; see the note at ubuntu_check().
    #  - A package-version hit does not establish that the host runs Samba
    #    as an AD DC, which is the only mode the advisory describes as
    #    exposed.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(125135);
      script_version("1.3");
      script_cvs_date("Date: 2019/06/28 10:05:54");
    
      script_cve_id("CVE-2018-16860");
      script_xref(name:"USN", value:"3976-2");
    
      script_name(english:"Ubuntu 14.04 LTS : samba vulnerability (USN-3976-2)");
      script_summary(english:"Checks dpkg output for updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Ubuntu host is missing a security-related patch."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "USN-3976-1 fixed a vulnerability in Samba. This update provides the
    corresponding update for Ubuntu 12.04 ESM and Ubuntu 14.04 ESM.
    
    Original advisory details :
    
    Isaac Boukris and Andrew Bartlett discovered that Samba incorrectly
    checked S4U2Self packets. In certain environments, a remote attacker
    could possibly use this issue to escalate privileges.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://usn.ubuntu.com/3976-2/"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected samba package.");
      # No CVSS vectors are set here (unlike the Debian/FreeBSD plugins for
      # the same CVE); severity is carried only by risk_factor and by the
      # SECURITY_HOLE report at the bottom of the script.
      script_set_attribute(attribute:"risk_factor", value:"High");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:samba");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.04");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2019/05/14");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/05/15");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2019 Canonical, Inc. / NASL script (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Ubuntu Local Security Checks");
    
      # Requires credentialed (SSH) access: release, CPU and dpkg -l output
      # are collected by ssh_get_info.nasl.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("misc_func.inc");
    
    # Preconditions: each audit() call ends the plugin with a status, not a
    # finding.
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    # Release gate: 12.04 and 14.04 both pass (the USN covers both ESM
    # releases), even though only a 14.04 package is tested below.
    if (! ereg(pattern:"^(12\.04|14\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 12.04 / 14.04", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    # Only x86 / x86_64 package versions are known to this plugin; other
    # architectures are audited out as "not implemented" rather than
    # reported as unaffected.
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    flag = 0;
    
    # NOTE(review): detection gap. Only the 14.04 ESM fix version is tested.
    # A 12.04 host passes the release gate above, matches nothing here, and
    # presumably falls through to the AUDIT_PACKAGE_NOT_INSTALLED branch --
    # i.e. a vulnerable 12.04 ESM samba is reported as "not installed". The
    # 12.04 ESM fix version is not given in this plugin or the advisory text
    # reproduced above, so no check is added here; take it from USN-3976-2.
    if (ubuntu_check(osver:"14.04", pkgname:"samba", pkgver:"2:4.3.11+dfsg-0ubuntu0.14.04.20+esm1")) flag++;
    
    # Report once at "hole" severity (the Debian and FreeBSD plugins for the
    # same CVE use security_warning()), attaching the version comparison.
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      # "tested" is non-empty only if some package comparison actually ran;
      # otherwise the samba package is assumed absent (see the note above
      # for why that assumption is wrong on 12.04).
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "samba");
    }
    
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_793A0072782211E981E2005056A311D1.NASL
    descriptionThe samba project reports : (CVE-2018-16860) The checksum validation in the S4U2Self handler in the embedded Heimdal KDC did not first confirm that the checksum was keyed, allowing replacement of the requested target (client) principal. (CVE-2019-3880) Authenticated users with write permission can trigger a symlink traversal to write or detect files outside the Samba share.
    last seen2020-06-01
    modified2020-06-02
    plugin id125278
    published2019-05-20
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/125278
    titleFreeBSD : samba -- multiple vulnerabilities (793a0072-7822-11e9-81e2-005056a311d1)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from the FreeBSD VuXML database :
    #
    # Copyright 2003-2020 Jacques Vidrine and contributors
    #
    # Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
    # HTML, PDF, PostScript, RTF and so forth) with or without modification,
    # are permitted provided that the following conditions are met:
    # 1. Redistributions of source code (VuXML) must retain the above
    #    copyright notice, this list of conditions and the following
    #    disclaimer as the first lines of this file unmodified.
    # 2. Redistributions in compiled form (transformed to other DTDs,
    #    published online in any format, converted to PDF, PostScript,
    #    RTF and other formats) must reproduce the above copyright
    #    notice, this list of conditions and the following disclaimer
    #    in the documentation and/or other materials provided with the
    #    distribution.
    # 
    # THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
    # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
    # THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
    # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
    # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
    # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
    # OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
    # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
    # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
    # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
    # EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
    #
    # Reviewer notes: this plugin covers two distinct Samba issues from one
    # VuXML entry -- CVE-2018-16860 (S4U2Self checksum validation in the
    # Heimdal KDC embedded in the AD DC; first paragraph of the description)
    # and CVE-2019-3880 (symlink traversal by authenticated users with write
    # access to a share; second paragraph). It is a pkg-version check only
    # and cannot tell which of the two code paths (AD DC KDC, file shares)
    # a given host actually exposes.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(125278);
      script_version("1.5");
      script_cvs_date("Date: 2020/01/15");
    
      script_cve_id("CVE-2018-16860", "CVE-2019-3880");
    
      script_name(english:"FreeBSD : samba -- multiple vulnerabilities (793a0072-7822-11e9-81e2-005056a311d1)");
      script_summary(english:"Checks for updated packages in pkg_info output");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote FreeBSD host is missing one or more security-related
    updates."
      );
      # The two paragraphs below are the two CVEs' advisory texts joined
      # without attribution: first paragraph = CVE-2018-16860, second =
      # CVE-2019-3880 (see_also links follow the same order).
      script_set_attribute(
        attribute:"description", 
        value:
    "The samba project reports :
    
    The checksum validation in the S4U2Self handler in the embedded
    Heimdal KDC did not first confirm that the checksum was keyed,
    allowing replacement of the requested target (client) principal
    
    Authenticated users with write permission can trigger a symlink
    traversal to write or detect files outside the Samba share."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.samba.org/samba/security/CVE-2018-16860.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.samba.org/samba/security/CVE-2019-3880.html"
      );
      # https://vuxml.freebsd.org/freebsd/793a0072-7822-11e9-81e2-005056a311d1.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?09491989"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      # A single CVSS vector for a two-CVE plugin; the values match the
      # CVE-2018-16860 scoring used by the Debian and Samba plugins.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:S/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:samba410");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:samba46");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:samba47");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:samba48");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:samba49");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/05/14");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/05/14");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/05/20");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"FreeBSD Local Security Checks");
    
      # Requires credentialed (SSH) access: pkg_info output is collected by
      # ssh_get_info.nasl.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("freebsd_package.inc");
    
    
    # Preconditions: each audit() call ends the plugin with a status, not a
    # finding.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD");
    if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    # Version predicates per FreeBSD port: samba46 and samba47 use "<=", so
    # their latest releases (4.6.16 / 4.7.12) are flagged too -- those
    # branches received no fixed release. samba48/49/410 use "<" against the
    # fixed versions 4.8.12 / 4.9.8 / 4.10.3 named in the Samba advisory.
    # save_report:TRUE accumulates the per-port comparison for pkg_report_get().
    if (pkg_test(save_report:TRUE, pkg:"samba46<=4.6.16")) flag++;
    if (pkg_test(save_report:TRUE, pkg:"samba47<=4.7.12")) flag++;
    if (pkg_test(save_report:TRUE, pkg:"samba48<4.8.12")) flag++;
    if (pkg_test(save_report:TRUE, pkg:"samba49<4.9.8")) flag++;
    if (pkg_test(save_report:TRUE, pkg:"samba410<4.10.3")) flag++;
    
    # Report once if any installed samba port is below its threshold.
    # security_warning() is presumably the medium-severity report call --
    # lower than the SECURITY_HOLE used by the Ubuntu plugin for this CVE.
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyMisc.
    NASL idAPPLETV_12_4.NASL
    descriptionAccording to its banner, the version of Apple TV on the remote device is prior to 12.4. It is therefore affected by multiple vulnerabilities as described in HT210351.
    last seen2020-06-01
    modified2020-06-02
    plugin id127048
    published2019-07-26
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127048
    titleApple TV < 12.4 Multiple Vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # Reviewer notes: remote, banner-based check for Apple TV (tvOS) builds
    # older than 12.4 / 16M568. CVE-2018-16860 appears in the CVE list only
    # as one of the HT210351 fixes -- presumably the same Samba component
    # fix the macOS 10.14.6 plugin attributes to it; the plugin's own
    # severity is taken from CVE-2019-8689 (cvss_score_source below), not
    # from this page's CVE. Nothing here exercises the Samba/KDC issue.
    #
    
    include('compat.inc');
    
    if (description)
    {
      script_id(127048);
      script_version("1.4");
      script_cvs_date("Date: 2020/01/03");
    
      script_cve_id(
        "CVE-2018-16860",
        "CVE-2019-8641",
        "CVE-2019-8644",
        "CVE-2019-8646",
        "CVE-2019-8647",
        "CVE-2019-8649",
        "CVE-2019-8657",
        "CVE-2019-8658",
        "CVE-2019-8660",
        "CVE-2019-8662",
        "CVE-2019-8666",
        "CVE-2019-8669",
        "CVE-2019-8671",
        "CVE-2019-8672",
        "CVE-2019-8673",
        "CVE-2019-8676",
        "CVE-2019-8677",
        "CVE-2019-8678",
        "CVE-2019-8679",
        "CVE-2019-8680",
        "CVE-2019-8681",
        "CVE-2019-8683",
        "CVE-2019-8684",
        "CVE-2019-8685",
        "CVE-2019-8686",
        "CVE-2019-8687",
        "CVE-2019-8688",
        "CVE-2019-8689",
        "CVE-2019-8690",
        "CVE-2019-8698",
        "CVE-2019-13118"
      );
      script_xref(name:"APPLE-SA", value:"HT210351");
      script_xref(name:"APPLE-SA", value:"APPLE-SA-2019-07-17");
    
      script_name(english:"Apple TV < 12.4 Multiple Vulnerabilities");
      script_summary(english:"Checks the build number");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote Apple TV device is affected by multiple vulnerabilities");
      script_set_attribute(attribute:"description", value:
    "According to its banner, the version of Apple TV on the remote
    device is prior to 12.4. It is therefore affected by multiple
    vulnerabilities as described in HT210351.");
      script_set_attribute(attribute:"see_also", value:"https://support.apple.com/en-us/HT210351");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to Apple TV version 12.4 or later.");
      # Scored on the worst CVE in the bundle (CVE-2019-8689, unauthenticated,
      # user interaction), so these vectors differ from the CVE-2018-16860
      # vectors used by the Samba plugins (AC:H / PR:L).
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-8689");
    
      # "Exploits are available" refers to the bundle as a whole; the Samba
      # plugins for CVE-2018-16860 itself state "No known exploits".
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/07/22");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/07/22");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/07/26");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:apple:apple_tv");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Misc.");
    
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      # Unauthenticated: build/model are read from the device's HTTP banner
      # (AirPlay-style service on port 7000) by appletv_version.nasl.
      script_dependencies("appletv_version.nasl");
      script_require_keys("AppleTV/Version", "AppleTV/Model", "AppleTV/URL", "AppleTV/Port");
      script_require_ports("Services/www", 7000);
    
      exit(0);
    }
    
    include('audit.inc');
    include('appletv_func.inc');
    
    # Inputs gathered by the dependency. Missing URL/port/model end the
    # plugin with a plain exit(0, ...) message rather than an audit() code;
    # only a missing version is reported through AUDIT_UNKNOWN_DEVICE_VER.
    url = get_kb_item('AppleTV/URL');
    if (empty_or_null(url)) exit(0, 'Cannot determine Apple TV URL.');
    port = get_kb_item('AppleTV/Port');
    if (empty_or_null(port)) exit(0, 'Cannot determine Apple TV port.');
    build = get_kb_item('AppleTV/Version');
    if (empty_or_null(build)) audit(AUDIT_UNKNOWN_DEVICE_VER, 'Apple TV');
    model = get_kb_item('AppleTV/Model');
    if (empty_or_null(model)) exit(0, 'Cannot determine Apple TV model.');
    
    # First fixed build per HT210351; the tvOS version string is for display.
    fixed_build = '16M568';
    tvos_ver = '12.4';
    
    # determine gen from the model
    gen = APPLETV_MODEL_GEN[model];
    
    # Compare build against the fix for 4th/5th generation devices only
    # (older generations presumably never ran tvOS 12 -- confirm in
    # appletv_func.inc); reported as a "hole" because of the bundled RCE CVEs.
    appletv_check_version(
      build          : build,
      fix            : fixed_build,
      affected_gen   : make_list(4, 5),
      fix_tvos_ver   : tvos_ver,
      model          : model,
      gen            : gen,
      port           : port,
      url            : url,
      severity       : SECURITY_HOLE
    );
    
  • NASL familyMisc.
    NASL idSAMBA_4_10_3.NASL
    descriptionThe version of Samba running on the remote host is 4.x prior to 4.8.12, 4.9.x prior to 4.9.8 or 4.10.x prior to 4.10.3. It is, therefore, affected by a man-in-the-middle vulnerability in the embedded Heimdal KDC due to a design error (the S4U2Self checksum was not required to be keyed). An authenticated, remote attacker able to intercept requests to the KDC can exploit this, by replacing the user name (principal) in an intercepted S4U2Self request, to obtain a ticket for another principal and bypass security restrictions. Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number; it cannot determine whether the host runs Samba as an AD DC, which is the only configuration the advisory describes as exposed.
    last seen2020-06-01
    modified2020-06-02
    plugin id125388
    published2019-05-24
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/125388
    titleSamba 4.x < 4.8.12 / 4.9.x < 4.9.8 / 4.10.x < 4.10.3 Man in the Middle Vulnerability (CVE-2018-16860)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # Reviewer notes (CVE-2018-16860): remote, banner-only version check for
    # Samba. The flaw is in the S4U2Self handler of the Heimdal KDC embedded
    # in Samba's AD DC, so only hosts running as an AD DC are exposed; the
    # SMB banner cannot reveal that, which is why this plugin is gated to
    # paranoid scans and flagged potential_vulnerability below.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(125388);
      script_version("1.4");
      script_cvs_date("Date: 2019/10/30 13:24:46");
    
      script_cve_id("CVE-2018-16860");
      script_bugtraq_id(108332);
    
      script_name(english:"Samba 4.x < 4.8.12 / 4.9.8 / 4.10.x < 4.10.3 Man in the Middle Vulnerability (CVE-2018-16860)");
      script_summary(english:"Checks the version of Samba.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote Samba server is potentially affected by a man in the middle vulnerability.");
      script_set_attribute(attribute:"description", value:
    "The version of Samba running on the remote host is 4.x prior to
    4.8.12, 4.9.x prior to 4.9.8 or 4.10.x prior to 4.10.3. It is,
    therefore, affected by a man in the middle vulnerability in the
    Heimdal KDC due to an design error. An authenticated, remote
    attacker can exploit this, via replacing the user name on
    intercepted requests to the KDC, to bypass security restrictions.
    
    Note that Nessus has not tested for this issue but has instead relied
    only on the application's self-reported version number.");
      # https://www.samba.org/samba/security/CVE-2018-16860.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?2b2593d1");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to Samba version 4.8.12 / 4.9.8 / 4.10.3 or later.");
      # CVSS vectors match the NVD scoring for this CVE (network, high
      # complexity, low privileges, C/I/A high).
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:S/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-16860");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/09/11");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/05/14");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/05/24");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:samba:samba");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:heimdal_project:heimdal");
      # Marks the finding as version-inferred rather than confirmed.
      script_set_attribute(attribute:"potential_vulnerability", value:"true");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Misc.");
    
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      # Version comes from the SMB "native LAN manager" string collected by
      # smb_nativelanman.nasl; Settings/ParanoidReport must be set for the
      # plugin to run at all (see the report_paranoia check below).
      script_dependencies("smb_nativelanman.nasl");
      script_require_keys("SMB/NativeLanManager", "SMB/samba", "Settings/ParanoidReport");
    
      exit(0);
    }
    
    include('audit.inc');
    include('global_settings.inc');
    include('misc_func.inc');
    include('vcf.inc');
    include('vcf_extras.inc');
    
    # Paranoid-only: the banner cannot show whether this Samba is an AD DC
    # (or which Kerberos library it was built against), so the check is
    # suppressed unless the scan asks for potential vulnerabilities.
    if (report_paranoia < 2) audit(AUDIT_PARANOID);
    
    # Parse the banner into a version object; require at least three
    # segments (x.y.z) so that e.g. a bare "Samba 4.8" is not compared
    # against 4.8.12 (presumably audits out on coarser banners -- see vcf.inc).
    app = vcf::samba::get_app_info();
    vcf::check_granularity(app_info:app, sig_segments:3);
    
    # Affected ranges. The first entry treats every 4.0 - 4.7 release as
    # vulnerable -- those branches are out of support and received no fix --
    # and points the report at the supported fixed releases via
    # fixed_display; the remaining entries mirror the advisory's fixed
    # versions 4.8.12 / 4.9.8 / 4.10.3.
    constraints = [
      {'min_version':'4.0.0rc0', 'fixed_version':'4.8.0rc0', 'fixed_display':'4.8.12 / 4.9.8 / 4.10.3'},
      {'min_version':'4.8.0rc0', 'fixed_version':'4.8.12'},
      {'min_version':'4.9.0rc0', 'fixed_version':'4.9.8'},
      {'min_version':'4.10.0rc0', 'fixed_version':'4.10.3'}
    ];
    
    # Reported at warning severity, consistent with potential_vulnerability.
    # strict:FALSE presumably relaxes matching for versions with rc/extra
    # suffixes -- confirm in vcf.inc before relying on it.
    vcf::check_version_and_report(app_info:app, constraints:constraints, severity:SECURITY_WARNING, strict:FALSE);
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-4455.NASL
    descriptionSeveral vulnerabilities were discovered in Heimdal, an implementation of Kerberos 5 that aims to be compatible with MIT Kerberos. - CVE-2018-16860 Isaac Boukris and Andrew Bartlett discovered that Heimdal was susceptible to man-in-the-middle attacks caused by incomplete checksum validation in the S4U2Self handler of the KDC. Details on the issue can be found in the Samba advisory at https://www.samba.org/samba/security/CVE-2018-16860.html . - CVE-2019-12098 It was discovered that a failure to verify the PA-PKINIT-KX key exchange on the client side could permit a man-in-the-middle attack.
    last seen2020-06-01
    modified2020-06-02
    plugin id125709
    published2019-06-05
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/125709
    titleDebian DSA-4455-1 : heimdal - security update
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-202003-52.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-202003-52 (Samba: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Samba. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could possibly execute arbitrary code, cause a Denial of Service condition, conduct a man-in-the-middle attack, or obtain sensitive information. Workaround : There is no known workaround at this time.
    last seen2020-03-31
    modified2020-03-26
    plugin id134927
    published2020-03-26
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/134927
    titleGLSA-202003-52 : Samba: Multiple vulnerabilities
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2019-307E117A2E.NASL
    descriptionUpdate to Samba 4.10.3, Security fixes for CVE-2018-16860 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id125179
    published2019-05-16
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/125179
    titleFedora 30 : 2:samba (2019-307e117a2e)
  • NASL familyMacOS X Local Security Checks
    NASL idMACOS_10_14_6.NASL
    descriptionThe remote host is running a version of macOS / Mac OS X that is 10.14.x prior to 10.14.6. It is, therefore, affected by multiple vulnerabilities : - An application may be able to read restricted memory (CVE-2019-8691, CVE-2019-8692, CVE-2019-8693) - Extracting a zip file containing a symbolic link to an endpoint in an NFS mount that is attacker controlled may bypass Gatekeeper (CVE-2019-8656) - A remote attacker may be able to cause arbitrary code execution (CVE-2019-8648, CVE-2018-19860, CVE-2019-8661) - A remote attacker may be able to leak memory (CVE-2019-8646, CVE-2019-8663) - A remote attacker may be able to cause unexpected application termination or arbitrary code execution (CVE-2019-8641, CVE-2019-8660) - An application may be able to execute arbitrary code with system privileges (CVE-2019-8695, CVE-2019-8697) - An issue existed in Samba that may allow attackers to perform unauthorized actions by intercepting communications between services (CVE-2018-16860) - An application may be able to execute arbitrary code with kernel privileges (CVE-2019-8694) - A remote attacker may be able to view sensitive information (CVE-2019-13118) - An attacker may be able to trigger a use-after-free in an application deserializing an untrusted NSDictionary (CVE-2019-8662) - Visiting a malicious website may lead to address bar spoofing (CVE-2019-8670) - The encryption status of a Time Machine backup may be incorrect (CVE-2019-8667) - Parsing a maliciously crafted office document may lead to an unexpected application termination or arbitrary code execution (CVE-2019-8657) - Processing maliciously crafted web content may lead to universal cross site scripting (CVE-2019-8690, CVE-2019-8649, CVE-2019-8658) - Processing maliciously crafted web content may lead to arbitrary code execution (CVE-2019-8644, CVE-2019-8666, CVE-2019-8669, CVE-2019-8671, CVE-2019-8672, CVE-2019-8673, CVE-2019-8676, CVE-2019-8677, CVE-2019-8678, CVE-2019-8679, CVE-2019-8680, CVE-2019-8681, 
CVE-2019-8683, CVE-2019-8684, CVE-2019-8685, CVE-2019-8686, CVE-2019-8687, CVE-2019-8688, CVE-2019-8689) Note that Nessus has not tested for this issue but has instead relied only on the operating system
    last seen2020-06-01
    modified2020-06-02
    plugin id127054
    published2019-07-26
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127054
    titlemacOS 10.14.x < 10.14.6 Multiple Vulnerabilities
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2019-1682.NASL
    descriptionThis update for libheimdal fixes the following issues : libheimdal was updated to version 7.7.0 : + Bug fixes : - PKCS#11 hcrypto back-end : + initialize the p11_module_load function list + verify that not only is a mechanism present but that its mechanism info states that it offers the required encryption, decryption or digest services - krb5 : + Starting with 7.6, Heimdal permitted requesting authenticated anonymous tickets. However, it did not verify that a KDC in fact returned an anonymous ticket when one was requested. + Cease setting the KDCOption request_anonymous flag when issuing S4UProxy (constrained delegation) TGS requests. + when the Win2K PKINIT compatibility option is set, do not require krbtgt otherName to match when validating KDC certificate. + set PKINIT_BTMM flag per Apple implementation + use memset_s() instead of memset() - kdc : + When generating KRB5SignedPath in the AS, use the reply client name rather than the one from the request, so validation will work correctly in the TGS. + allow checksum of PA-FOR-USER to be HMAC_MD5. Even if TGT used an enctype with a different checksum. Per [MS-SFU] 2.2.1 PA-FOR-USER the checksum is always HMAC_MD5, and that
    last seen2020-05-31
    modified2019-07-02
    plugin id126437
    published2019-07-02
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/126437
    titleopenSUSE Security Update : libheimdal (openSUSE-2019-1682)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2019-208CC34D40.NASL
    descriptionUpdate to Samba 4.9.8, Security fixes for CVE-2018-16860 ---- Update to Samba 4.9.7 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id125271
    published2019-05-20
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/125271
    titleFedora 29 : 2:samba (2019-208cc34d40)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2020-1616.NASL
    descriptionAccording to the version of the samba packages installed, the EulerOS installation on the remote host is affected by the following vulnerability : - A flaw was found in samba
    last seen2020-06-06
    modified2020-06-02
    plugin id137034
    published2020-06-02
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/137034
    titleEulerOS 2.0 SP5 : samba (EulerOS-SA-2020-1616)
  • NASL familyMacOS X Local Security Checks
    NASL idMACOSX_SECUPD2019-004.NASL
    descriptionThe remote host is running Mac OS X 10.12.6 or Mac OS X 10.13.6 and is missing a security update. It is, therefore, affected by multiple vulnerabilities : - An application may be able to read restricted memory (CVE-2019-8691, CVE-2019-8692, CVE-2019-8693) - Extracting a zip file containing a symbolic link to an endpoint in an NFS mount that is attacker controlled may bypass Gatekeeper (CVE-2019-8656) - A remote attacker may be able to cause arbitrary code execution (CVE-2019-8648, CVE-2018-19860, CVE-2019-8661) - A remote attacker may be able to leak memory (CVE-2019-8646, CVE-2019-8663) - A remote attacker may be able to cause unexpected application termination or arbitrary code execution ( CVE-2019-8641, CVE-2019-8660) - An application may be able to execute arbitrary code with system privileges (CVE-2019-8695, CVE-2019-8697) - An issue existed in Samba that may allow attackers to perform unauthorized actions by intercepting communications between services (CVE-2018-16860) - An application may be able to execute arbitrary code with kernel privileges (CVE-2019-8694) - A remote attacker may be able to view sensitive information (CVE-2019-13118) - An attacker may be able to trigger a use-after-free in an application deserializing an untrusted NSDictionary (CVE-2019-8662) - Visiting a malicious website may lead to address bar spoofing (CVE-2019-8670) - The encryption status of a Time Machine backup may be incorrect (CVE-2019-8667) - Parsing a maliciously crafted office document may lead to an unexpected application termination or arbitrary code execution (CVE-2019-8657) - Processing maliciously crafted web content may lead to universal cross site scripting (CVE-2019-8649, CVE-2019-8658, CVE-2019-8690) - Processing maliciously crafted web content may lead to arbitrary code execution (CVE-2019-8644, CVE-2019-8666, CVE-2019-8669, CVE-2019-8671, CVE-2019-8672, CVE-2019-8673, CVE-2019-8676, CVE-2019-8677, CVE-2019-8678, CVE-2019-8679, CVE-2019-8680, 
CVE-2019-8681, CVE-2019-8683, CVE-2019-8684, CVE-2019-8685, CVE-2019-8686, CVE-2019-8687, CVE-2019-8688, CVE-2019-8689) Note that Nessus has not tested for this issue but has instead relied only on the operating system
    last seen2020-06-01
    modified2020-06-02
    plugin id127055
    published2019-07-26
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127055
    titlemacOS Sierra / High Sierra Multiple Vulnerabilities (Security Update 2019-004)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-1788.NASL
    descriptionIsaac Boukris and Andrew Bartlett discovered that the S4U2Self Kerberos extension used in Samba
    last seen2020-06-01
    modified2020-06-02
    plugin id125174
    published2019-05-16
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/125174
    titleDebian DLA-1788-1 : samba security update
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2020-1040.NASL
    descriptionAccording to the versions of the samba packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - Samba from version 4.9.0 and before version 4.9.3 that have AD DC configurations watching for bad passwords (to restrict brute forcing of passwords) in a window of more than 3 minutes may not watch for bad passwords at all. The primary risk from this issue is with regards to domains that have been upgraded from Samba 4.8 and earlier. In these cases the manual testing done to confirm an organisation
    last seen2020-06-01
    modified2020-06-02
    plugin id132794
    published2020-01-13
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/132794
    titleEulerOS Virtualization for ARM 64 3.0.5.0 : samba (EulerOS-SA-2020-1040)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3976-1.NASL
    descriptionIsaac Boukris and Andrew Bartlett discovered that Samba incorrectly checked S4U2Self packets. In certain environments, a remote attacker could possibly use this issue to escalate privileges. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id125134
    published2019-05-15
    reporterUbuntu Security Notice (C) 2019-2020 Canonical, Inc. / NASL script (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/125134
    titleUbuntu 16.04 LTS / 18.04 LTS / 18.10 / 19.04 : samba vulnerability (USN-3976-1)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2020-1032.NASL
    descriptionAccording to the versions of the samba packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - A flaw was found in samba
    last seen2020-05-03
    modified2020-01-02
    plugin id132625
    published2020-01-02
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/132625
    titleEulerOS 2.0 SP8 : samba (EulerOS-SA-2020-1032)

References