ID CVE-2016-2118 Type cve Reporter cve@mitre.org Modified 2018-11-30T21:31:00
Description
The MS-SAMR and MS-LSAD protocol implementations in Samba 3.x and 4.x before 4.2.11, 4.3.x before 4.3.8, and 4.4.x before 4.4.2 mishandle DCERPC connections, which allows man-in-the-middle attackers to perform protocol-downgrade attacks and impersonate users by modifying the client-server data stream, aka "BADLOCK."
{"f5": [{"lastseen": "2019-04-30T18:21:05", "bulletinFamily": "software", "description": "\nF5 Product Development has assigned ID 587077 (BIG-IP) to this vulnerability, and has evaluated the currently supported releases for potential vulnerability. Additionally, [BIG-IP iHealth](<http://www.f5.com/support/support-tools/big-ip-ihealth/>) may list Heuristic H592129 on the **Diagnostics** > **Identified** > **Medium** screen.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct| Versions known to be vulnerable| Versions known to be not vulnerable| Severity| Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM| 12.0.0 - 12.1.0| 12.1.1 \n11.0.0 - 11.6.0 \n10.1.0 - 10.2.4| Medium| Samba utilities* \nBIG-IP AAM| 12.0.0 - 12.1.0| 12.1.1 \n11.4.0 - 11.6.0| Medium| Samba utilities* \nBIG-IP AFM| 12.0.0 - 12.1.0| 12.1.1 \n11.3.0 - 11.6.0| Medium| Samba utilities* \nBIG-IP Analytics| 12.0.0 - 12.1.0| 12.1.1 \n11.0.0 - 11.6.0| Medium| Samba utilities* \nBIG-IP APM| 12.0.0 - 12.1.0| 12.1.1 \n11.0.0 - 11.6.0 \n10.1.0 - 10.2.4| Medium| Samba utilities* \nBIG-IP ASM| 12.0.0 - 12.1.0| 12.1.1 \n11.0.0 - 11.6.0 \n10.1.0 - 10.2.4| Medium| Samba utilities* \nBIG-IP DNS| 12.0.0 - 12.1.0| 12.1.1| Medium| Samba utilities* \nBIG-IP Edge Gateway| None| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP GTM| None| 11.0.0 - 11.6.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP Link Controller| 12.0.0 - 12.1.0| 12.1.1 \n11.0.0 - 11.6.0 \n10.1.0 - 10.2.4| Medium| Samba utilities* \nBIG-IP PEM| 12.0.0 - 12.1.0| 12.1.1 \n11.3.0 - 11.6.0| Medium| Samba utilities* \nBIG-IP PSM| None| 11.0.0 - 11.4.1 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP WebAccelerator| None| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP WOM| None| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nARX| None| 6.0.0 - 6.4.0| Not vulnerable| None \nEnterprise Manager| None| 3.0.0 - 3.1.1| Not vulnerable| None \nFirePass| None| 7.0.0 \n6.0.0 - 6.1.0| Not vulnerable| None \nBIG-IQ Cloud| None| 4.0.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Device| None| 4.2.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Security| None| 4.0.0 - 4.5.0| Not vulnerable| None \nBIG-IQ ADC| None| 4.5.0| Not vulnerable| None \nBIG-IQ Centralized Management| None| 4.6.0| Not vulnerable| None \nBIG-IQ Cloud and Orchestration| None| 1.0.0| Not vulnerable| None \nLineRate| None| 2.5.0 - 2.6.1| Not vulnerable| None \nF5 WebSafe| None| 1.0.0| Not vulnerable| None \nTraffix SDC| None| 4.0.0 - 4.4.0 \n3.3.2 - 3.5.1| Not vulnerable| None \n \n* BIG-IP Extended Application Verification (EAV) or external monitors are only affected when configured to use an external script that calls the **rcpclient** command.\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nMitigation \n\nTo mitigate this vulnerability, you can use a different monitor type that does not use the affected Samba utility.\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n * [K13123: Managing BIG-IP product hotfixes (11.x - 13.x)](<https://support.f5.com/csp/article/K13123>)\n * [K10025: Managing BIG-IP product hotfixes (10.x)](<https://support.f5.com/csp/article/K10025>)\n * [K9502: BIG-IP hotfix matrix](<https://support.f5.com/csp/article/K9502>)\n", "modified": "2017-05-03T22:49:00", "published": "2016-05-10T21:54:00", "id": "F5:K37603172", "href": "https://support.f5.com/csp/article/K37603172", "title": "Samba vulnerabilities CVE-2015-5370 and CVE-2016-2118", "type": "f5", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-09-26T17:23:28", "bulletinFamily": "software", "description": "Vulnerability Recommended Actions\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nTo mitigate this vulnerability, you can use a different monitor type that does not use the affected Samba utility.\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4602: Overview of the F5 security vulnerability response policy\n * SOL4918: Overview of the F5 critical issue hotfix policy\n * SOL167: Downloading software and firmware from F5\n * SOL13123: Managing BIG-IP product hotfixes (11.x - 12.x)\n * SOL10025: Managing BIG-IP product hotfixes (10.x)\n * SOL9502: BIG-IP hotfix matrix\n", "modified": "2016-09-01T00:00:00", "published": "2016-05-10T00:00:00", "id": "SOL37603172", "href": "http://support.f5.com/kb/en-us/solutions/public/k/37/sol37603172.html", "type": "f5", "title": "SOL37603172 - Samba vulnerabilities CVE-2015-5370 and CVE-2016-2118", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "redhat": [{"lastseen": "2017-08-27T20:11:56", "bulletinFamily": "unix", "description": "No description provided", "modified": "2016-04-15T15:08:47", "published": "2016-04-15T15:08:47", "href": "https://access.redhat.com/ru/security/vulnerabilities/2254521", "id": "2254521", "title": "Badlock: \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0432 Samba (CVE-2016-2118)", "type": "redhat", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-08-13T18:45:01", "bulletinFamily": "unix", "description": "Samba is an open-source implementation of the Server Message Block (SMB)\nprotocol and the related Common Internet File System (CIFS) protocol, which\nallow PC-compatible machines to share files, printers, and various information.\n\nSecurity Fix(es):\n\n* A protocol flaw, publicly referred to as Badlock, was found in the Security\nAccount Manager Remote Protocol (MS-SAMR) and the Local Security Authority\n(Domain Policy) Remote Protocol (MS-LSAD). Any authenticated DCE/RPC connection\nthat a client initiates against a server could be used by a man-in-the-middle\nattacker to impersonate the authenticated user against the SAMR or LSA service\non the server. As a result, the attacker would be able to get read/write access\nto the Security Account Manager database, and use this to reveal all passwords\nor any other potentially sensitive information in that database. (CVE-2016-2118)\n\n* Several flaws were found in Samba's implementation of NTLMSSP authentication.\nAn unauthenticated, man-in-the-middle attacker could use this flaw to clear the\nencryption and integrity flags of a connection, causing data to be transmitted\nin plain text. The attacker could also force the client or server into sending\ndata in plain text even if encryption was explicitly requested for that\nconnection. (CVE-2016-2110)\n\n* It was discovered that Samba configured as a Domain Controller would establish\na secure communication channel with a machine using a spoofed computer name. A\nremote attacker able to observe network traffic could use this flaw to obtain\nsession-related information about the spoofed machine. (CVE-2016-2111)\n\nRed Hat would like to thank the Samba project for reporting these issues.\nUpstream acknowledges Stefan Metzmacher (SerNet) as the original reporter of\nCVE-2016-2118 and CVE-2016-2110.\n", "modified": "2017-09-08T11:54:06", "published": "2016-04-14T04:00:00", "id": "RHSA-2016:0623", "href": "https://access.redhat.com/errata/RHSA-2016:0623", "type": "redhat", "title": "(RHSA-2016:0623) Important: samba security update", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-08-13T18:46:43", "bulletinFamily": "unix", "description": "Samba is an open-source implementation of the Server Message Block (SMB)\nprotocol and the related Common Internet File System (CIFS) protocol, which\nallow PC-compatible machines to share files, printers, and various information.\n\nSecurity Fix(es):\n\n* A protocol flaw, publicly referred to as Badlock, was found in the Security\nAccount Manager Remote Protocol (MS-SAMR) and the Local Security Authority\n(Domain Policy) Remote Protocol (MS-LSAD). Any authenticated DCE/RPC connection\nthat a client initiates against a server could be used by a man-in-the-middle\nattacker to impersonate the authenticated user against the SAMR or LSA service\non the server. As a result, the attacker would be able to get read/write access\nto the Security Account Manager database, and use this to reveal all passwords\nor any other potentially sensitive information in that database. (CVE-2016-2118)\n\n* Several flaws were found in Samba's implementation of NTLMSSP authentication.\nAn unauthenticated, man-in-the-middle attacker could use this flaw to clear the\nencryption and integrity flags of a connection, causing data to be transmitted\nin plain text. The attacker could also force the client or server into sending\ndata in plain text even if encryption was explicitly requested for that\nconnection. (CVE-2016-2110)\n\n* It was discovered that Samba configured as a Domain Controller would establish\na secure communication channel with a machine using a spoofed computer name. A\nremote attacker able to observe network traffic could use this flaw to obtain\nsession-related information about the spoofed machine. (CVE-2016-2111)\n\nRed Hat would like to thank the Samba project for reporting these issues.\nUpstream acknowledges Stefan Metzmacher (SerNet) as the original reporter of\nCVE-2016-2118 and CVE-2016-2110.\n", "modified": "2017-09-08T12:17:17", "published": "2016-04-14T04:00:00", "id": "RHSA-2016:0621", "href": "https://access.redhat.com/errata/RHSA-2016:0621", "type": "redhat", "title": "(RHSA-2016:0621) Important: samba security update", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-08-13T18:45:25", "bulletinFamily": "unix", "description": "Samba is an open-source implementation of the Server Message Block (SMB)\nprotocol and the related Common Internet File System (CIFS) protocol, which\nallow PC-compatible machines to share files, printers, and various information.\n\nSecurity Fix(es):\n\n* A protocol flaw, publicly referred to as Badlock, was found in the Security\nAccount Manager Remote Protocol (MS-SAMR) and the Local Security Authority\n(Domain Policy) Remote Protocol (MS-LSAD). Any authenticated DCE/RPC connection\nthat a client initiates against a server could be used by a man-in-the-middle\nattacker to impersonate the authenticated user against the SAMR or LSA service\non the server. As a result, the attacker would be able to get read/write access\nto the Security Account Manager database, and use this to reveal all passwords\nor any other potentially sensitive information in that database. (CVE-2016-2118)\n\n* Several flaws were found in Samba's implementation of NTLMSSP authentication.\nAn unauthenticated, man-in-the-middle attacker could use this flaw to clear the\nencryption and integrity flags of a connection, causing data to be transmitted\nin plain text. The attacker could also force the client or server into sending\ndata in plain text even if encryption was explicitly requested for that\nconnection. (CVE-2016-2110)\n\n* It was discovered that Samba configured as a Domain Controller would establish\na secure communication channel with a machine using a spoofed computer name. A\nremote attacker able to observe network traffic could use this flaw to obtain\nsession-related information about the spoofed machine. (CVE-2016-2111)\n\nRed Hat would like to thank the Samba project for reporting these issues.\nUpstream acknowledges Stefan Metzmacher (SerNet) as the original reporter of\nCVE-2016-2118 and CVE-2016-2110.\n", "modified": "2017-09-08T12:14:57", "published": "2016-04-14T04:00:00", "id": "RHSA-2016:0625", "href": "https://access.redhat.com/errata/RHSA-2016:0625", "type": "redhat", "title": "(RHSA-2016:0625) Important: samba security update", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-08-13T18:45:29", "bulletinFamily": "unix", "description": "Samba is an open-source implementation of the Server Message Block (SMB) protocol and the related Common Internet File System (CIFS) protocol, which allow PC-compatible machines to share files, printers, and various information.\n\nSecurity Fix(es):\n\n* Multiple flaws were found in Samba's DCE/RPC protocol implementation. A remote, authenticated attacker could use these flaws to cause a denial of service against the Samba server (high CPU load or a crash) or, possibly, execute arbitrary code with the permissions of the user running Samba (root). This flaw could also be used to downgrade a secure DCE/RPC connection by a man-in-the-middle attacker taking control of an Active Directory (AD) object and compromising the security of a Samba Active Directory Domain Controller (DC). (CVE-2015-5370)\n\nNote: While Samba packages as shipped in Red Hat Enterprise Linux do not support running Samba as an AD DC, this flaw applies to all roles Samba implements.\n\n* A protocol flaw, publicly referred to as Badlock, was found in the Security Account Manager Remote Protocol (MS-SAMR) and the Local Security Authority (Domain Policy) Remote Protocol (MS-LSAD). Any authenticated DCE/RPC connection that a client initiates against a server could be used by a man-in-the-middle attacker to impersonate the authenticated user against the SAMR or LSA service on the server. As a result, the attacker would be able to get read/write access to the Security Account Manager database, and use this to reveal all passwords or any other potentially sensitive information in that database. (CVE-2016-2118)\n\n* Several flaws were found in Samba's implementation of NTLMSSP authentication. An unauthenticated, man-in-the-middle attacker could use this flaw to clear the encryption and integrity flags of a connection, causing data to be transmitted in plain text. The attacker could also force the client or server into sending data in plain text even if encryption was explicitly requested for that connection. (CVE-2016-2110)\n\n* It was discovered that Samba configured as a Domain Controller would establish a secure communication channel with a machine using a spoofed computer name. A remote attacker able to observe network traffic could use this flaw to obtain session-related information about the spoofed machine. (CVE-2016-2111)\n\n* It was found that Samba's LDAP implementation did not enforce integrity protection for LDAP connections. A man-in-the-middle attacker could use this flaw to downgrade LDAP connections to use no integrity protection, allowing them to hijack such connections. (CVE-2016-2112)\n\n* It was found that Samba did not enable integrity protection for IPC traffic by default. A man-in-the-middle attacker could use this flaw to view and modify the data sent between a Samba server and a client. (CVE-2016-2115)\n\nRed Hat would like to thank the Samba project for reporting these issues. Upstream acknowledges Jouni Knuutinen (Synopsis) as the original reporter of CVE-2015-5370; and Stefan Metzmacher (SerNet) as the original reporter of CVE-2016-2118, CVE-2016-2110, CVE-2016-2112, and CVE-2016-2115.", "modified": "2018-06-06T20:24:25", "published": "2016-04-13T10:54:34", "id": "RHSA-2016:0611", "href": "https://access.redhat.com/errata/RHSA-2016:0611", "type": "redhat", "title": "(RHSA-2016:0611) Critical: samba security update", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-08-13T18:45:14", "bulletinFamily": "unix", "description": "Samba is an open-source implementation of the Server Message Block (SMB) or\nCommon Internet File System (CIFS) protocol, which allows PC-compatible machines\nto share files, printers, and other information.\n\nSecurity Fix(es):\n\n* Multiple flaws were found in Samba's DCE/RPC protocol implementation. A\nremote, authenticated attacker could use these flaws to cause a denial of\nservice against the Samba server (high CPU load or a crash) or, possibly,\nexecute arbitrary code with the permissions of the user running Samba (root).\nThis flaw could also be used to downgrade a secure DCE/RPC connection by a\nman-in-the-middle attacker taking control of an Active Directory (AD) object and\ncompromising the security of a Samba Active Directory Domain Controller (DC).\n(CVE-2015-5370)\n\nNote: While Samba packages as shipped in Red Hat Enterprise Linux do not support\nrunning Samba as an AD DC, this flaw applies to all roles Samba implements.\n\n* A protocol flaw, publicly referred to as Badlock, was found in the Security\nAccount Manager Remote Protocol (MS-SAMR) and the Local Security Authority\n(Domain Policy) Remote Protocol (MS-LSAD). Any authenticated DCE/RPC connection\nthat a client initiates against a server could be used by a man-in-the-middle\nattacker to impersonate the authenticated user against the SAMR or LSA service\non the server. As a result, the attacker would be able to get read/write access\nto the Security Account Manager database, and use this to reveal all passwords\nor any other potentially sensitive information in that database. (CVE-2016-2118)\n\n* Several flaws were found in Samba's implementation of NTLMSSP authentication.\nAn unauthenticated, man-in-the-middle attacker could use this flaw to clear the\nencryption and integrity flags of a connection, causing data to be transmitted\nin plain text. The attacker could also force the client or server into sending\ndata in plain text even if encryption was explicitly requested for that\nconnection. (CVE-2016-2110)\n\n* It was discovered that Samba configured as a Domain Controller would establish\na secure communication channel with a machine using a spoofed computer name. A\nremote attacker able to observe network traffic could use this flaw to obtain\nsession-related information about the spoofed machine. (CVE-2016-2111)\n\n* It was found that Samba's LDAP implementation did not enforce integrity\nprotection for LDAP connections. A man-in-the-middle attacker could use this\nflaw to downgrade LDAP connections to use no integrity protection, allowing them\nto hijack such connections. (CVE-2016-2112)\n\n* It was found that Samba did not enable integrity protection for IPC traffic by\ndefault. A man-in-the-middle attacker could use this flaw to view and modify the\ndata sent between a Samba server and a client. (CVE-2016-2115)\n\nRed Hat would like to thank the Samba project for reporting these issues.\nUpstream acknowledges Jouni Knuutinen (Synopsis) as the original reporter of\nCVE-2015-5370; and Stefan Metzmacher (SerNet) as the original reporter of\nCVE-2016-2118, CVE-2016-2110, CVE-2016-2112, and CVE-2016-2115.\n", "modified": "2017-09-08T11:53:57", "published": "2016-04-12T04:00:00", "id": "RHSA-2016:0613", "href": "https://access.redhat.com/errata/RHSA-2016:0613", "type": "redhat", "title": "(RHSA-2016:0613) Critical: samba3x security update", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-08-13T18:45:07", "bulletinFamily": "unix", "description": "Samba is an open-source implementation of the Server Message Block (SMB) or\nCommon Internet File System (CIFS) protocol, which allows PC-compatible machines\nto share files, printers, and other information.\n\nSecurity Fix(es):\n\n* Multiple flaws were found in Samba's DCE/RPC protocol implementation. A\nremote, authenticated attacker could use these flaws to cause a denial of\nservice against the Samba server (high CPU load or a crash) or, possibly,\nexecute arbitrary code with the permissions of the user running Samba (root).\nThis flaw could also be used to downgrade a secure DCE/RPC connection by a\nman-in-the-middle attacker taking control of an Active Directory (AD) object and\ncompromising the security of a Samba Active Directory Domain Controller (DC).\n(CVE-2015-5370)\n\nNote: While Samba packages as shipped in Red Hat Enterprise Linux do not support\nrunning Samba as an AD DC, this flaw applies to all roles Samba implements.\n\n* A protocol flaw, publicly referred to as Badlock, was found in the Security\nAccount Manager Remote Protocol (MS-SAMR) and the Local Security Authority\n(Domain Policy) Remote Protocol (MS-LSAD). Any authenticated DCE/RPC connection\nthat a client initiates against a server could be used by a man-in-the-middle\nattacker to impersonate the authenticated user against the SAMR or LSA service\non the server. As a result, the attacker would be able to get read/write access\nto the Security Account Manager database, and use this to reveal all passwords\nor any other potentially sensitive information in that database. (CVE-2016-2118)\n\n* Several flaws were found in Samba's implementation of NTLMSSP authentication.\nAn unauthenticated, man-in-the-middle attacker could use this flaw to clear the\nencryption and integrity flags of a connection, causing data to be transmitted\nin plain text. The attacker could also force the client or server into sending\ndata in plain text even if encryption was explicitly requested for that\nconnection. (CVE-2016-2110)\n\n* It was discovered that Samba configured as a Domain Controller would establish\na secure communication channel with a machine using a spoofed computer name. A\nremote attacker able to observe network traffic could use this flaw to obtain\nsession-related information about the spoofed machine. (CVE-2016-2111)\n\n* It was found that Samba's LDAP implementation did not enforce integrity\nprotection for LDAP connections. A man-in-the-middle attacker could use this\nflaw to downgrade LDAP connections to use no integrity protection, allowing them\nto hijack such connections. (CVE-2016-2112)\n\n* It was found that Samba did not enable integrity protection for IPC traffic by\ndefault. A man-in-the-middle attacker could use this flaw to view and modify the\ndata sent between a Samba server and a client. (CVE-2016-2115)\n\nRed Hat would like to thank the Samba project for reporting these issues.\nUpstream acknowledges Jouni Knuutinen (Synopsis) as the original reporter of\nCVE-2015-5370; and Stefan Metzmacher (SerNet) as the original reporter of\nCVE-2016-2118, CVE-2016-2110, CVE-2016-2112, and CVE-2016-2115.\n", "modified": "2017-09-08T11:54:29", "published": "2016-04-12T04:00:00", "id": "RHSA-2016:0624", "href": "https://access.redhat.com/errata/RHSA-2016:0624", "type": "redhat", "title": "(RHSA-2016:0624) Critical: samba3x security update", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-08-13T18:46:53", "bulletinFamily": "unix", "description": "Samba is an open-source implementation of the Server Message Block (SMB)\nprotocol and the related Common Internet File System (CIFS) protocol, which\nallow PC-compatible machines to share files, printers, and various information.\n\nSecurity Fix(es):\n\n* Multiple flaws were found in Samba's DCE/RPC protocol implementation. A\nremote, authenticated attacker could use these flaws to cause a denial of\nservice against the Samba server (high CPU load or a crash) or, possibly,\nexecute arbitrary code with the permissions of the user running Samba (root).\nThis flaw could also be used to downgrade a secure DCE/RPC connection by a\nman-in-the-middle attacker taking control of an Active Directory (AD) object and\ncompromising the security of a Samba Active Directory Domain Controller (DC).\n(CVE-2015-5370)\n\nNote: While Samba packages as shipped in Red Hat Enterprise Linux do not support\nrunning Samba as an AD DC, this flaw applies to all roles Samba implements.\n\n* A protocol flaw, publicly referred to as Badlock, was found in the Security\nAccount Manager Remote Protocol (MS-SAMR) and the Local Security Authority\n(Domain Policy) Remote Protocol (MS-LSAD). Any authenticated DCE/RPC connection\nthat a client initiates against a server could be used by a man-in-the-middle\nattacker to impersonate the authenticated user against the SAMR or LSA service\non the server. As a result, the attacker would be able to get read/write access\nto the Security Account Manager database, and use this to reveal all passwords\nor any other potentially sensitive information in that database. (CVE-2016-2118)\n\n* Several flaws were found in Samba's implementation of NTLMSSP authentication.\nAn unauthenticated, man-in-the-middle attacker could use this flaw to clear the\nencryption and integrity flags of a connection, causing data to be transmitted\nin plain text. The attacker could also force the client or server into sending\ndata in plain text even if encryption was explicitly requested for that\nconnection. (CVE-2016-2110)\n\n* It was discovered that Samba configured as a Domain Controller would establish\na secure communication channel with a machine using a spoofed computer name. A\nremote attacker able to observe network traffic could use this flaw to obtain\nsession-related information about the spoofed machine. (CVE-2016-2111)\n\n* It was found that Samba's LDAP implementation did not enforce integrity\nprotection for LDAP connections. A man-in-the-middle attacker could use this\nflaw to downgrade LDAP connections to use no integrity protection, allowing them\nto hijack such connections. (CVE-2016-2112)\n\n* It was found that Samba did not enable integrity protection for IPC traffic by\ndefault. A man-in-the-middle attacker could use this flaw to view and modify the\ndata sent between a Samba server and a client. (CVE-2016-2115)\n\nRed Hat would like to thank the Samba project for reporting these issues.\nUpstream acknowledges Jouni Knuutinen (Synopsis) as the original reporter of\nCVE-2015-5370; and Stefan Metzmacher (SerNet) as the original reporter of\nCVE-2016-2118, CVE-2016-2110, CVE-2016-2112, and CVE-2016-2115.\n", "modified": "2016-09-04T02:18:36", "published": "2016-04-12T04:00:00", "id": "RHSA-2016:0619", "href": "https://access.redhat.com/errata/RHSA-2016:0619", "type": "redhat", "title": "(RHSA-2016:0619) Critical: samba security update", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-08-13T18:47:08", "bulletinFamily": "unix", "description": "Samba is an open-source implementation of the Server Message Block (SMB) protocol and the related Common Internet File System (CIFS) protocol, which allow PC-compatible machines to share files, printers, and various information.\n\nThe following packages have been upgraded to a newer upstream version: Samba (4.2.10). Refer to the Release Notes listed in the References section for a complete list of changes.\n\nSecurity Fix(es):\n\n* Multiple flaws were found in Samba's DCE/RPC protocol implementation. A remote, authenticated attacker could use these flaws to cause a denial of service against the Samba server (high CPU load or a crash) or, possibly, execute arbitrary code with the permissions of the user running Samba (root). This flaw could also be used to downgrade a secure DCE/RPC connection by a man-in-the-middle attacker taking control of an Active Directory (AD) object and compromising the security of a Samba Active Directory Domain Controller (DC). (CVE-2015-5370)\n\nNote: While Samba packages as shipped in Red Hat Gluster Storage do not support running Samba as an AD DC, this flaw applies to all roles Samba implements.\n\n* A protocol flaw, publicly referred to as Badlock, was found in the Security Account Manager Remote Protocol (MS-SAMR) and the Local Security Authority (Domain Policy) Remote Protocol (MS-LSAD). Any authenticated DCE/RPC connection that a client initiates against a server could be used by a man-in-the-middle attacker to impersonate the authenticated user against the SAMR or LSA service on the server. As a result, the attacker would be able to get read/write access to the Security Account Manager database, and use this to reveal all passwords or any other potentially sensitive information in that database. (CVE-2016-2118)\n\n* Several flaws were found in Samba's implementation of NTLMSSP authentication. An unauthenticated, man-in-the-middle attacker could use this flaw to clear the encryption and integrity flags of a connection, causing data to be transmitted in plain text. The attacker could also force the client or server into sending data in plain text even if encryption was explicitly requested for that connection. (CVE-2016-2110)\n\n* It was discovered that Samba configured as a Domain Controller would establish a secure communication channel with a machine using a spoofed computer name. A remote attacker able to observe network traffic could use this flaw to obtain session-related information about the spoofed machine. (CVE-2016-2111)\n\n* It was found that Samba's LDAP implementation did not enforce integrity protection for LDAP connections. A man-in-the-middle attacker could use this flaw to downgrade LDAP connections to use no integrity protection, allowing them to hijack such connections. (CVE-2016-2112)\n\n* It was found that Samba did not validate SSL/TLS certificates in certain connections. A man-in-the-middle attacker could use this flaw to spoof a Samba server using a specially crafted SSL/TLS certificate. (CVE-2016-2113)\n\n* It was discovered that Samba did not enforce Server Message Block (SMB) signing for clients using the SMB1 protocol. A man-in-the-middle attacker could use this flaw to modify traffic between a client and a server. (CVE-2016-2114)\n\n* It was found that Samba did not enable integrity protection for IPC traffic by default. A man-in-the-middle attacker could use this flaw to view and modify the data sent between a Samba server and a client. (CVE-2016-2115)\n\nRed Hat would like to thank the Samba project for reporting these issues. Upstream acknowledges Jouni Knuutinen (Synopsis) as the original reporter of CVE-2015-5370; and Stefan Metzmacher (SerNet) as the original reporter of CVE-2016-2118, CVE-2016-2110, CVE-2016-2112, CVE-2016-2113, CVE-2016-2114, and CVE-2016-2115.", "modified": "2018-06-13T01:28:21", "published": "2016-04-13T01:09:54", "id": "RHSA-2016:0614", "href": "https://access.redhat.com/errata/RHSA-2016:0614", "type": "redhat", "title": "(RHSA-2016:0614) Critical: samba security, bug fix, and enhancement update", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-08-13T18:46:00", "bulletinFamily": "unix", "description": "Samba is an open-source implementation of the Server Message Block (SMB) protocol and the related Common Internet File System (CIFS) protocol, which allow PC-compatible machines to share files, printers, and various information.\n\nThe following packages have been upgraded to a newer upstream version: Samba (4.2.10). Refer to the Release Notes listed in the References section for a complete list of changes.\n\nSecurity Fix(es):\n\n* Multiple flaws were found in Samba's DCE/RPC protocol implementation. A remote, authenticated attacker could use these flaws to cause a denial of service against the Samba server (high CPU load or a crash) or, possibly, execute arbitrary code with the permissions of the user running Samba (root). This flaw could also be used to downgrade a secure DCE/RPC connection by a man-in-the-middle attacker taking control of an Active Directory (AD) object and compromising the security of a Samba Active Directory Domain Controller (DC). (CVE-2015-5370)\n\nNote: While Samba packages as shipped in Red Hat Enterprise Linux do not support running Samba as an AD DC, this flaw applies to all roles Samba implements.\n\n* A protocol flaw, publicly referred to as Badlock, was found in the Security Account Manager Remote Protocol (MS-SAMR) and the Local Security Authority (Domain Policy) Remote Protocol (MS-LSAD). Any authenticated DCE/RPC connection that a client initiates against a server could be used by a man-in-the-middle attacker to impersonate the authenticated user against the SAMR or LSA service on the server. As a result, the attacker would be able to get read/write access to the Security Account Manager database, and use this to reveal all passwords or any other potentially sensitive information in that database. (CVE-2016-2118)\n\n* Several flaws were found in Samba's implementation of NTLMSSP authentication. An unauthenticated, man-in-the-middle attacker could use this flaw to clear the encryption and integrity flags of a connection, causing data to be transmitted in plain text. The attacker could also force the client or server into sending data in plain text even if encryption was explicitly requested for that connection. (CVE-2016-2110)\n\n* It was discovered that Samba configured as a Domain Controller would establish a secure communication channel with a machine using a spoofed computer name. A remote attacker able to observe network traffic could use this flaw to obtain session-related information about the spoofed machine. (CVE-2016-2111)\n\n* It was found that Samba's LDAP implementation did not enforce integrity protection for LDAP connections. A man-in-the-middle attacker could use this flaw to downgrade LDAP connections to use no integrity protection, allowing them to hijack such connections. (CVE-2016-2112)\n\n* It was found that Samba did not validate SSL/TLS certificates in certain connections. A man-in-the-middle attacker could use this flaw to spoof a Samba server using a specially crafted SSL/TLS certificate. (CVE-2016-2113)\n\n* It was discovered that Samba did not enforce Server Message Block (SMB) signing for clients using the SMB1 protocol. A man-in-the-middle attacker could use this flaw to modify traffic between a client and a server. (CVE-2016-2114)\n\n* It was found that Samba did not enable integrity protection for IPC traffic by default. A man-in-the-middle attacker could use this flaw to view and modify the data sent between a Samba server and a client. (CVE-2016-2115)\n\nRed Hat would like to thank the Samba project for reporting these issues. Upstream acknowledges Jouni Knuutinen (Synopsis) as the original reporter of CVE-2015-5370; and Stefan Metzmacher (SerNet) as the original reporter of CVE-2016-2118, CVE-2016-2110, CVE-2016-2112, CVE-2016-2113, CVE-2016-2114, and CVE-2016-2115.", "modified": "2017-03-08T06:50:55", "published": "2016-04-12T23:07:21", "id": "RHSA-2016:0618", "href": "https://access.redhat.com/errata/RHSA-2016:0618", "type": "redhat", "title": "(RHSA-2016:0618) Critical: samba security, bug fix, and enhancement update", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2019-02-21T01:26:41", "bulletinFamily": "scanner", "description": "The version of Samba, a CIFS/SMB server for Linux and Unix, running on the remote host is affected by a flaw, known as Badlock, that exists in the Security Account Manager (SAM) and Local Security Authority (Domain Policy) (LSAD) protocols due to improper authentication level negotiation over Remote Procedure Call (RPC) channels. A man-in-the-middle attacker who is able to able to intercept the traffic between a client and a server hosting a SAM database can exploit this flaw to force a downgrade of the authentication level, which allows the execution of arbitrary Samba network calls in the context of the intercepted user, such as viewing or modifying sensitive security data in the Active Directory (AD) database or disabling critical services.", "modified": "2018-07-27T00:00:00", "id": "SAMBA_BADLOCK.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=90509", "published": "2016-04-13T00:00:00", "title": "Samba Badlock Vulnerability", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(90509);\n script_version(\"1.6\");\n script_cvs_date(\"Date: 2018/07/27 18:38:14\");\n\n script_cve_id(\"CVE-2016-2118\");\n script_bugtraq_id(86002);\n script_xref(name:\"CERT\", value:\"813296\");\n\n script_name(english:\"Samba Badlock Vulnerability\");\n script_summary(english:\"Detects if the Badlock patch has been applied.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"An SMB server running on the remote host is affected by the Badlock\nvulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Samba, a CIFS/SMB server for Linux and Unix, running on\nthe remote host is affected by a flaw, known as Badlock, that exists\nin the Security Account Manager (SAM) and Local Security\nAuthority (Domain Policy) (LSAD) protocols due to improper\nauthentication level negotiation over Remote Procedure Call (RPC)\nchannels. A man-in-the-middle attacker who is able to able to\nintercept the traffic between a client and a server hosting a SAM\ndatabase can exploit this flaw to force a downgrade of the\nauthentication level, which allows the execution of arbitrary Samba\nnetwork calls in the context of the intercepted user, such as viewing\nor modifying sensitive security data in the Active Directory (AD)\ndatabase or disabling critical services.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://badlock.org\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.samba.org/samba/security/CVE-2016-2118.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Samba version 4.2.11 / 4.3.8 / 4.4.2 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/03/23\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/04/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/04/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:samba:samba\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"General\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.\");\n \n script_dependencies(\"samba_detect.nasl\");\n script_require_ports(139, 445);\n script_require_keys(\"SMB/samba\", \"SMB/name\", \"SMB/transport\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"global_settings.inc\");\n\n# DCERPC reject status codes\nPROTO_ERROR = 0x1c01000b;\nRING_ERROR = 0x1c010002;\n\nappname = \"Samba\";\nget_kb_item_or_exit(\"SMB/samba\");\nname = kb_smb_name();\nport = kb_smb_transport();\n\n###\n# Binds to one of the typically available pipes\n# @return a fd to the pipe\n##\nfunction bind_to_pipe()\n{\n local_var fid = bind_pipe (pipe:\"\\unixinfo\", uuid:\"9c54e310-a955-4885-bd31-78787147dfa6\", vers:0);\n if (!isnull(fid)) return fid;\n\n fid = bind_pipe (pipe:\"\\spoolss\", uuid:\"12345678-1234-abcd-ef00-0123456789ab\", vers:1);\n if (!isnull(fid)) return fid;\n\n fid = bind_pipe (pipe:\"\\lsarpc\", uuid:\"12345778-1234-abcd-ef00-0123456789ab\", vers:0);\n if (!isnull(fid)) return fid;\n\n # if samba_detect.nasl is successful than we should never be able to\n # hit here since we know it successfully bound to a pipe.\n audit(AUDIT_RESP_BAD, port);\n}\n\nif (get_kb_item(\"Host/scanned\") && !get_port_state(port)) audit(AUDIT_PORT_CLOSED, port);\n\n# establish a connection\nsoc = open_sock_tcp(port);\nif (!soc) audit(AUDIT_SOCK_FAIL, port);\n\n# start the session and try to connect to the share\nsession_init(socket:soc, hostname:name);\nif (NetUseAdd(share:\"IPC$\") != 1) audit(AUDIT_SHARE_FAIL, \"IPC\");\n\n# We need to bind to a pipe. We know samba_detect did so try\n# the known pipes\nbound_pipe = bind_to_pipe();\n\n# Make a ping request (this should be unexpected)\ndata = raw_word(w:0);\ndata = dce_rpc_pipe_request(fid:bound_pipe, code:0x3f, data:data, type:1);\nsmb_close (fid:bound_pipe);\nNetUseDel();\n\nif (!data || (strlen(data) < 28)) audit(AUDIT_RESP_BAD, port, \"the RPC pipe request\");\n \n# Type should be fault (3)\nif (get_byte (blob:data, pos:2) != 3) audit(AUDIT_RESP_BAD, port, \"the type examination\");\n\n# Check against the two known errors; any third type will be flagged as a bad resp.\nerror = get_dword (blob:data, pos:24);\nif (error == PROTO_ERROR) audit(AUDIT_INST_VER_NOT_VULN, appname);\nelse if (error != RING_ERROR) audit(AUDIT_RESP_BAD, port, \"the error code check\");\n\nreport = '\\nNessus detected that the Samba Badlock patch has not been applied.\\n';\nsecurity_report_v4(port:port, severity:SECURITY_WARNING, extra:report);\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:26:53", "bulletinFamily": "scanner", "description": "CVE-2015-5370 Samba 3.x and 4.x before 4.2.11, 4.3.x before 4.3.8, and 4.4.x before 4.4.2 does not properly implement the DCE-RPC layer, which allows remote attackers to perform protocol-downgrade attacks, cause a denial of service (application crash or CPU consumption), or possibly execute arbitrary code on a client system via unspecified vectors.\n\nCVE-2016-2118 The MS-SAMR and MS-LSAD protocol implementations in Samba 3.x and 4.x before 4.2.11, 4.3.x before 4.3.8, and 4.4.x before 4.4.2 mishandle DCERPC connections, which allows man-in-the-middle attackers to perform protocol-downgrade attacks and impersonate users by modifying the client-server data stream, aka 'BADLOCK.'", "modified": "2019-01-04T00:00:00", "id": "F5_BIGIP_SOL37603172.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=91055", "published": "2016-05-12T00:00:00", "title": "F5 Networks BIG-IP : Samba vulnerabilities (K37603172) (Badlock)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from F5 Networks BIG-IP Solution K37603172.\n#\n# The text description of this plugin is (C) F5 Networks.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(91055);\n script_version(\"2.20\");\n script_cvs_date(\"Date: 2019/01/04 10:03:40\");\n\n script_cve_id(\"CVE-2015-5370\", \"CVE-2016-2118\");\n\n script_name(english:\"F5 Networks BIG-IP : Samba vulnerabilities (K37603172) (Badlock)\");\n script_summary(english:\"Checks the BIG-IP version.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote device is missing a vendor-supplied security patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"CVE-2015-5370 Samba 3.x and 4.x before 4.2.11, 4.3.x before 4.3.8, and\n4.4.x before 4.4.2 does not properly implement the DCE-RPC layer,\nwhich allows remote attackers to perform protocol-downgrade attacks,\ncause a denial of service (application crash or CPU consumption), or\npossibly execute arbitrary code on a client system via unspecified\nvectors.\n\nCVE-2016-2118 The MS-SAMR and MS-LSAD protocol implementations in\nSamba 3.x and 4.x before 4.2.11, 4.3.x before 4.3.8, and 4.4.x before\n4.4.2 mishandle DCERPC connections, which allows man-in-the-middle\nattackers to perform protocol-downgrade attacks and impersonate users\nby modifying the client-server data stream, aka 'BADLOCK.'\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://support.f5.com/csp/article/K37603172\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade to one of the non-vulnerable versions listed in the F5\nSolution K37603172.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_access_policy_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_advanced_firewall_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_acceleration_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_security_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_visibility_and_reporting\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_link_controller\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_local_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_policy_enforcement_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:f5:big-ip\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/05/10\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/05/12\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"F5 Networks Local Security Checks\");\n\n script_dependencies(\"f5_bigip_detect.nbin\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/BIG-IP/hotfix\", \"Host/BIG-IP/modules\", \"Host/BIG-IP/version\", \"Settings/ParanoidReport\");\n\n exit(0);\n}\n\n\ninclude(\"f5_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nversion = get_kb_item(\"Host/BIG-IP/version\");\nif ( ! version ) audit(AUDIT_OS_NOT, \"F5 Networks BIG-IP\");\nif ( isnull(get_kb_item(\"Host/BIG-IP/hotfix\")) ) audit(AUDIT_KB_MISSING, \"Host/BIG-IP/hotfix\");\nif ( ! get_kb_item(\"Host/BIG-IP/modules\") ) audit(AUDIT_KB_MISSING, \"Host/BIG-IP/modules\");\n\nsol = \"K37603172\";\nvmatrix = make_array();\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\n# AFM\nvmatrix[\"AFM\"] = make_array();\nvmatrix[\"AFM\"][\"affected\" ] = make_list(\"12.0.0-12.1.0\");\nvmatrix[\"AFM\"][\"unaffected\"] = make_list(\"12.1.1\",\"11.3.0-11.6.0\");\n\n# AM\nvmatrix[\"AM\"] = make_array();\nvmatrix[\"AM\"][\"affected\" ] = make_list(\"12.0.0-12.1.0\");\nvmatrix[\"AM\"][\"unaffected\"] = make_list(\"12.1.1\",\"11.4.0-11.6.0\");\n\n# APM\nvmatrix[\"APM\"] = make_array();\nvmatrix[\"APM\"][\"affected\" ] = make_list(\"12.0.0-12.1.0\");\nvmatrix[\"APM\"][\"unaffected\"] = make_list(\"12.1.1\",\"11.0.0-11.6.0\",\"10.1.0-10.2.4\");\n\n# ASM\nvmatrix[\"ASM\"] = make_array();\nvmatrix[\"ASM\"][\"affected\" ] = make_list(\"12.0.0-12.1.0\");\nvmatrix[\"ASM\"][\"unaffected\"] = make_list(\"12.1.1\",\"11.0.0-11.6.0\",\"10.1.0-10.2.4\");\n\n# AVR\nvmatrix[\"AVR\"] = make_array();\nvmatrix[\"AVR\"][\"affected\" ] = make_list(\"12.0.0-12.1.0\");\nvmatrix[\"AVR\"][\"unaffected\"] = make_list(\"12.1.1\",\"11.0.0-11.6.0\");\n\n# LC\nvmatrix[\"LC\"] = make_array();\nvmatrix[\"LC\"][\"affected\" ] = make_list(\"12.0.0-12.1.0\");\nvmatrix[\"LC\"][\"unaffected\"] = make_list(\"12.1.1\",\"11.0.0-11.6.0\",\"10.1.0-10.2.4\");\n\n# LTM\nvmatrix[\"LTM\"] = make_array();\nvmatrix[\"LTM\"][\"affected\" ] = make_list(\"12.0.0-12.1.0\");\nvmatrix[\"LTM\"][\"unaffected\"] = make_list(\"12.1.1\",\"11.0.0-11.6.0\",\"10.1.0-10.2.4\");\n\n# PEM\nvmatrix[\"PEM\"] = make_array();\nvmatrix[\"PEM\"][\"affected\" ] = make_list(\"12.0.0-12.1.0\");\nvmatrix[\"PEM\"][\"unaffected\"] = make_list(\"12.1.1\",\"11.3.0-11.6.0\");\n\n\nif (bigip_is_affected(vmatrix:vmatrix, sol:sol))\n{\n if (report_verbosity > 0) security_warning(port:0, extra:bigip_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = bigip_get_tested_modules();\n audit_extra = \"For BIG-IP module(s) \" + tested + \",\";\n if (tested) audit(AUDIT_INST_VER_NOT_VULN, audit_extra, version);\n else audit(AUDIT_HOST_NOT, \"running any of the affected modules\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:26:40", "bulletinFamily": "scanner", "description": "An update for samba is now available for Red Hat Enterprise Linux 5.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\n[Updated 14 April 2016] This advisory previously incorrectly listed the CVE-2016-2112 issue as addressed by this update. However, this issue did not affect the samba packages on Red Hat Enterprise Linux 5.\nThe CVE-2016-2115 was also incorrectly listed as addressed by this update. This issue does affect the samba packages on Red Hat Enterprise Linux 5. Customers are advised to use the 'client signing = required' configuration option in the smb.conf file to mitigate CVE-2016-2115. No changes have been made to the packages.\n\nSamba is an open source implementation of the Server Message Block (SMB) protocol and the related Common Internet File System (CIFS) protocol, which allow PC-compatible machines to share files, printers, and various information.\n\nSecurity Fix(es) :\n\n* A protocol flaw, publicly referred to as Badlock, was found in the Security Account Manager Remote Protocol (MS-SAMR) and the Local Security Authority (Domain Policy) Remote Protocol (MS-LSAD). Any authenticated DCE/RPC connection that a client initiates against a server could be used by a man-in-the-middle attacker to impersonate the authenticated user against the SAMR or LSA service on the server.\nAs a result, the attacker would be able to get read/write access to the Security Account Manager database, and use this to reveal all passwords or any other potentially sensitive information in that database. (CVE-2016-2118)\n\n* Several flaws were found in Samba's implementation of NTLMSSP authentication. An unauthenticated, man-in-the-middle attacker could use this flaw to clear the encryption and integrity flags of a connection, causing data to be transmitted in plain text. The attacker could also force the client or server into sending data in plain text even if encryption was explicitly requested for that connection.\n(CVE-2016-2110)\n\n* It was discovered that Samba configured as a Domain Controller would establish a secure communication channel with a machine using a spoofed computer name. A remote attacker able to observe network traffic could use this flaw to obtain session-related information about the spoofed machine. (CVE-2016-2111)\n\nRed Hat would like to thank the Samba project for reporting these issues. Upstream acknowledges Stefan Metzmacher (SerNet) as the original reporter of CVE-2016-2118 and CVE-2016-2110.", "modified": "2018-11-10T00:00:00", "id": "REDHAT-RHSA-2016-0621.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=90498", "published": "2016-04-13T00:00:00", "title": "RHEL 5 : samba (RHSA-2016:0621) (Badlock)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2016:0621. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(90498);\n script_version(\"2.16\");\n script_cvs_date(\"Date: 2018/11/10 11:49:55\");\n\n script_cve_id(\"CVE-2016-2110\", \"CVE-2016-2111\", \"CVE-2016-2118\");\n script_xref(name:\"RHSA\", value:\"2016:0621\");\n\n script_name(english:\"RHEL 5 : samba (RHSA-2016:0621) (Badlock)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update for samba is now available for Red Hat Enterprise Linux 5.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\n[Updated 14 April 2016] This advisory previously incorrectly listed\nthe CVE-2016-2112 issue as addressed by this update. However, this\nissue did not affect the samba packages on Red Hat Enterprise Linux 5.\nThe CVE-2016-2115 was also incorrectly listed as addressed by this\nupdate. This issue does affect the samba packages on Red Hat\nEnterprise Linux 5. Customers are advised to use the 'client signing =\nrequired' configuration option in the smb.conf file to mitigate\nCVE-2016-2115. No changes have been made to the packages.\n\nSamba is an open source implementation of the Server Message Block\n(SMB) protocol and the related Common Internet File System (CIFS)\nprotocol, which allow PC-compatible machines to share files, printers,\nand various information.\n\nSecurity Fix(es) :\n\n* A protocol flaw, publicly referred to as Badlock, was found in the\nSecurity Account Manager Remote Protocol (MS-SAMR) and the Local\nSecurity Authority (Domain Policy) Remote Protocol (MS-LSAD). Any\nauthenticated DCE/RPC connection that a client initiates against a\nserver could be used by a man-in-the-middle attacker to impersonate\nthe authenticated user against the SAMR or LSA service on the server.\nAs a result, the attacker would be able to get read/write access to\nthe Security Account Manager database, and use this to reveal all\npasswords or any other potentially sensitive information in that\ndatabase. (CVE-2016-2118)\n\n* Several flaws were found in Samba's implementation of NTLMSSP\nauthentication. An unauthenticated, man-in-the-middle attacker could\nuse this flaw to clear the encryption and integrity flags of a\nconnection, causing data to be transmitted in plain text. The attacker\ncould also force the client or server into sending data in plain text\neven if encryption was explicitly requested for that connection.\n(CVE-2016-2110)\n\n* It was discovered that Samba configured as a Domain Controller would\nestablish a secure communication channel with a machine using a\nspoofed computer name. A remote attacker able to observe network\ntraffic could use this flaw to obtain session-related information\nabout the spoofed machine. (CVE-2016-2111)\n\nRed Hat would like to thank the Samba project for reporting these\nissues. Upstream acknowledges Stefan Metzmacher (SerNet) as the\noriginal reporter of CVE-2016-2118 and CVE-2016-2110.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/vulnerabilities/badlock\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/articles/2253041\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://badlock.org/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/articles/2243351\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2016:0621\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-2118\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-2111\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-2110\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:libsmbclient\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:libsmbclient-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:samba\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:samba-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:samba-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:samba-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:samba-swat\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/04/14\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/04/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = eregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^5([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 5.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2016:0621\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL5\", reference:\"libsmbclient-3.0.33-3.41.el5_11\")) flag++;\n if (rpm_check(release:\"RHEL5\", reference:\"libsmbclient-devel-3.0.33-3.41.el5_11\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"samba-3.0.33-3.41.el5_11\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"samba-3.0.33-3.41.el5_11\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"samba-3.0.33-3.41.el5_11\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"samba-client-3.0.33-3.41.el5_11\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"samba-client-3.0.33-3.41.el5_11\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"samba-client-3.0.33-3.41.el5_11\")) flag++;\n if (rpm_check(release:\"RHEL5\", reference:\"samba-common-3.0.33-3.41.el5_11\")) flag++;\n if (rpm_check(release:\"RHEL5\", reference:\"samba-debuginfo-3.0.33-3.41.el5_11\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"samba-swat-3.0.33-3.41.el5_11\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"samba-swat-3.0.33-3.41.el5_11\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"samba-swat-3.0.33-3.41.el5_11\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libsmbclient / libsmbclient-devel / samba / samba-client / etc\");\n }\n}\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:26:40", "bulletinFamily": "scanner", "description": "An update for samba is now available for Red Hat Enterprise Linux 5.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\n[Updated 14 April 2016] This advisory previously incorrectly listed the CVE-2016-2112 issue as addressed by this update. However, this issue did not affect the samba packages on Red Hat Enterprise Linux 5.\nThe CVE-2016-2115 was also incorrectly listed as addressed by this update. This issue does affect the samba packages on Red Hat Enterprise Linux 5. Customers are advised to use the 'client signing = required' configuration option in the smb.conf file to mitigate CVE-2016-2115. No changes have been made to the packages.\n\nSamba is an open source implementation of the Server Message Block (SMB) protocol and the related Common Internet File System (CIFS) protocol, which allow PC-compatible machines to share files, printers, and various information.\n\nSecurity Fix(es) :\n\n* A protocol flaw, publicly referred to as Badlock, was found in the Security Account Manager Remote Protocol (MS-SAMR) and the Local Security Authority (Domain Policy) Remote Protocol (MS-LSAD). Any authenticated DCE/RPC connection that a client initiates against a server could be used by a man-in-the-middle attacker to impersonate the authenticated user against the SAMR or LSA service on the server.\nAs a result, the attacker would be able to get read/write access to the Security Account Manager database, and use this to reveal all passwords or any other potentially sensitive information in that database. (CVE-2016-2118)\n\n* Several flaws were found in Samba's implementation of NTLMSSP authentication. An unauthenticated, man-in-the-middle attacker could use this flaw to clear the encryption and integrity flags of a connection, causing data to be transmitted in plain text. The attacker could also force the client or server into sending data in plain text even if encryption was explicitly requested for that connection.\n(CVE-2016-2110)\n\n* It was discovered that Samba configured as a Domain Controller would establish a secure communication channel with a machine using a spoofed computer name. A remote attacker able to observe network traffic could use this flaw to obtain session-related information about the spoofed machine. (CVE-2016-2111)\n\nRed Hat would like to thank the Samba project for reporting these issues. Upstream acknowledges Stefan Metzmacher (SerNet) as the original reporter of CVE-2016-2118 and CVE-2016-2110.", "modified": "2018-11-10T00:00:00", "id": "CENTOS_RHSA-2016-0621.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=90452", "published": "2016-04-13T00:00:00", "title": "CentOS 5 : samba (CESA-2016:0621) (Badlock)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2016:0621 and \n# CentOS Errata and Security Advisory 2016:0621 respectively.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(90452);\n script_version(\"2.15\");\n script_cvs_date(\"Date: 2018/11/10 11:49:31\");\n\n script_cve_id(\"CVE-2016-2110\", \"CVE-2016-2111\", \"CVE-2016-2118\");\n script_xref(name:\"RHSA\", value:\"2016:0621\");\n\n script_name(english:\"CentOS 5 : samba (CESA-2016:0621) (Badlock)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote CentOS host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update for samba is now available for Red Hat Enterprise Linux 5.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\n[Updated 14 April 2016] This advisory previously incorrectly listed\nthe CVE-2016-2112 issue as addressed by this update. However, this\nissue did not affect the samba packages on Red Hat Enterprise Linux 5.\nThe CVE-2016-2115 was also incorrectly listed as addressed by this\nupdate. This issue does affect the samba packages on Red Hat\nEnterprise Linux 5. Customers are advised to use the 'client signing =\nrequired' configuration option in the smb.conf file to mitigate\nCVE-2016-2115. No changes have been made to the packages.\n\nSamba is an open source implementation of the Server Message Block\n(SMB) protocol and the related Common Internet File System (CIFS)\nprotocol, which allow PC-compatible machines to share files, printers,\nand various information.\n\nSecurity Fix(es) :\n\n* A protocol flaw, publicly referred to as Badlock, was found in the\nSecurity Account Manager Remote Protocol (MS-SAMR) and the Local\nSecurity Authority (Domain Policy) Remote Protocol (MS-LSAD). Any\nauthenticated DCE/RPC connection that a client initiates against a\nserver could be used by a man-in-the-middle attacker to impersonate\nthe authenticated user against the SAMR or LSA service on the server.\nAs a result, the attacker would be able to get read/write access to\nthe Security Account Manager database, and use this to reveal all\npasswords or any other potentially sensitive information in that\ndatabase. (CVE-2016-2118)\n\n* Several flaws were found in Samba's implementation of NTLMSSP\nauthentication. An unauthenticated, man-in-the-middle attacker could\nuse this flaw to clear the encryption and integrity flags of a\nconnection, causing data to be transmitted in plain text. The attacker\ncould also force the client or server into sending data in plain text\neven if encryption was explicitly requested for that connection.\n(CVE-2016-2110)\n\n* It was discovered that Samba configured as a Domain Controller would\nestablish a secure communication channel with a machine using a\nspoofed computer name. A remote attacker able to observe network\ntraffic could use this flaw to obtain session-related information\nabout the spoofed machine. (CVE-2016-2111)\n\nRed Hat would like to thank the Samba project for reporting these\nissues. Upstream acknowledges Stefan Metzmacher (SerNet) as the\noriginal reporter of CVE-2016-2118 and CVE-2016-2110.\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2016-April/021823.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?3db8a7e1\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected samba packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:libsmbclient\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:libsmbclient-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:samba\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:samba-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:samba-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:samba-swat\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:5\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/04/12\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/04/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"CentOS Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/CentOS/release\")) audit(AUDIT_OS_NOT, \"CentOS\");\nif (!get_kb_item(\"Host/CentOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"CentOS\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"CentOS-5\", reference:\"libsmbclient-3.0.33-3.41.el5_11\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"libsmbclient-devel-3.0.33-3.41.el5_11\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"samba-3.0.33-3.41.el5_11\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"samba-client-3.0.33-3.41.el5_11\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"samba-common-3.0.33-3.41.el5_11\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"samba-swat-3.0.33-3.41.el5_11\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:26:40", "bulletinFamily": "scanner", "description": "From Red Hat Security Advisory 2016:0621 :\n\nAn update for samba is now available for Red Hat Enterprise Linux 5.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\n[Updated 14 April 2016] This advisory previously incorrectly listed the CVE-2016-2112 issue as addressed by this update. However, this issue did not affect the samba packages on Red Hat Enterprise Linux 5.\nThe CVE-2016-2115 was also incorrectly listed as addressed by this update. This issue does affect the samba packages on Red Hat Enterprise Linux 5. Customers are advised to use the 'client signing = required' configuration option in the smb.conf file to mitigate CVE-2016-2115. No changes have been made to the packages.\n\nSamba is an open source implementation of the Server Message Block (SMB) protocol and the related Common Internet File System (CIFS) protocol, which allow PC-compatible machines to share files, printers, and various information.\n\nSecurity Fix(es) :\n\n* A protocol flaw, publicly referred to as Badlock, was found in the Security Account Manager Remote Protocol (MS-SAMR) and the Local Security Authority (Domain Policy) Remote Protocol (MS-LSAD). Any authenticated DCE/RPC connection that a client initiates against a server could be used by a man-in-the-middle attacker to impersonate the authenticated user against the SAMR or LSA service on the server.\nAs a result, the attacker would be able to get read/write access to the Security Account Manager database, and use this to reveal all passwords or any other potentially sensitive information in that database. (CVE-2016-2118)\n\n* Several flaws were found in Samba's implementation of NTLMSSP authentication. An unauthenticated, man-in-the-middle attacker could use this flaw to clear the encryption and integrity flags of a connection, causing data to be transmitted in plain text. The attacker could also force the client or server into sending data in plain text even if encryption was explicitly requested for that connection.\n(CVE-2016-2110)\n\n* It was discovered that Samba configured as a Domain Controller would establish a secure communication channel with a machine using a spoofed computer name. A remote attacker able to observe network traffic could use this flaw to obtain session-related information about the spoofed machine. (CVE-2016-2111)\n\nRed Hat would like to thank the Samba project for reporting these issues. Upstream acknowledges Stefan Metzmacher (SerNet) as the original reporter of CVE-2016-2118 and CVE-2016-2110.", "modified": "2018-07-24T00:00:00", "id": "ORACLELINUX_ELSA-2016-0621.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=90489", "published": "2016-04-13T00:00:00", "title": "Oracle Linux 5 : samba (ELSA-2016-0621) (Badlock)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2016:0621 and \n# Oracle Linux Security Advisory ELSA-2016-0621 respectively.\n#\n\nif (NASL_LEVEL < 3000) exit(0);\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(90489);\n script_version(\"2.14\");\n script_cvs_date(\"Date: 2018/07/24 18:56:12\");\n\n script_cve_id(\"CVE-2016-2110\", \"CVE-2016-2111\", \"CVE-2016-2118\");\n script_xref(name:\"RHSA\", value:\"2016:0621\");\n\n script_name(english:\"Oracle Linux 5 : samba (ELSA-2016-0621) (Badlock)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"From Red Hat Security Advisory 2016:0621 :\n\nAn update for samba is now available for Red Hat Enterprise Linux 5.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\n[Updated 14 April 2016] This advisory previously incorrectly listed\nthe CVE-2016-2112 issue as addressed by this update. However, this\nissue did not affect the samba packages on Red Hat Enterprise Linux 5.\nThe CVE-2016-2115 was also incorrectly listed as addressed by this\nupdate. This issue does affect the samba packages on Red Hat\nEnterprise Linux 5. Customers are advised to use the 'client signing =\nrequired' configuration option in the smb.conf file to mitigate\nCVE-2016-2115. No changes have been made to the packages.\n\nSamba is an open source implementation of the Server Message Block\n(SMB) protocol and the related Common Internet File System (CIFS)\nprotocol, which allow PC-compatible machines to share files, printers,\nand various information.\n\nSecurity Fix(es) :\n\n* A protocol flaw, publicly referred to as Badlock, was found in the\nSecurity Account Manager Remote Protocol (MS-SAMR) and the Local\nSecurity Authority (Domain Policy) Remote Protocol (MS-LSAD). Any\nauthenticated DCE/RPC connection that a client initiates against a\nserver could be used by a man-in-the-middle attacker to impersonate\nthe authenticated user against the SAMR or LSA service on the server.\nAs a result, the attacker would be able to get read/write access to\nthe Security Account Manager database, and use this to reveal all\npasswords or any other potentially sensitive information in that\ndatabase. (CVE-2016-2118)\n\n* Several flaws were found in Samba's implementation of NTLMSSP\nauthentication. An unauthenticated, man-in-the-middle attacker could\nuse this flaw to clear the encryption and integrity flags of a\nconnection, causing data to be transmitted in plain text. The attacker\ncould also force the client or server into sending data in plain text\neven if encryption was explicitly requested for that connection.\n(CVE-2016-2110)\n\n* It was discovered that Samba configured as a Domain Controller would\nestablish a secure communication channel with a machine using a\nspoofed computer name. A remote attacker able to observe network\ntraffic could use this flaw to obtain session-related information\nabout the spoofed machine. (CVE-2016-2111)\n\nRed Hat would like to thank the Samba project for reporting these\nissues. Upstream acknowledges Stefan Metzmacher (SerNet) as the\noriginal reporter of CVE-2016-2118 and CVE-2016-2110.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2016-April/005950.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected samba packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:libsmbclient\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:libsmbclient-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:samba\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:samba-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:samba-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:samba-swat\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:5\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/04/13\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/04/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !eregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = eregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^5([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 5\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && \"ia64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL5\", reference:\"libsmbclient-3.0.33-3.41.el5_11\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"libsmbclient-devel-3.0.33-3.41.el5_11\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"samba-3.0.33-3.41.el5_11\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"samba-client-3.0.33-3.41.el5_11\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"samba-common-3.0.33-3.41.el5_11\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"samba-swat-3.0.33-3.41.el5_11\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libsmbclient / libsmbclient-devel / samba / samba-client / etc\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:26:40", "bulletinFamily": "scanner", "description": "An update for samba is now available for Red Hat Enterprise Linux 5.6 Long Life and Red Hat Enterprise Linux 5.9 Long Life.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\n[Updated 13 April 2016] This advisory previously incorrectly listed the CVE-2015-5370 issue as addressed by this update. However, this issue did not affect the samba packages on Red Hat Enterprise Linux 5.6 and 5.9 Long Life. No changes have been made to the packages.\n\n[Updated 14 April 2016] This advisory previously incorrectly listed the CVE-2016-2112 issue as addressed by this update. However, this issue did not affect the samba packages on Red Hat Enterprise Linux 5.6 and 5.9 Long Life. The CVE-2016-2115 was also incorrectly listed as addressed by this update. This issue does affect the samba packages on Red Hat Enterprise Linux 5.6 and 5.9 Long Life. Customers are advised to use the 'client signing = required' configuration option in the smb.conf file to mitigate CVE-2016-2115. No changes have been made to the packages.\n\nSamba is an open source implementation of the Server Message Block (SMB) protocol and the related Common Internet File System (CIFS) protocol, which allow PC-compatible machines to share files, printers, and various information.\n\nSecurity Fix(es) :\n\n* A protocol flaw, publicly referred to as Badlock, was found in the Security Account Manager Remote Protocol (MS-SAMR) and the Local Security Authority (Domain Policy) Remote Protocol (MS-LSAD). Any authenticated DCE/RPC connection that a client initiates against a server could be used by a man-in-the-middle attacker to impersonate the authenticated user against the SAMR or LSA service on the server.\nAs a result, the attacker would be able to get read/write access to the Security Account Manager database, and use this to reveal all passwords or any other potentially sensitive information in that database. (CVE-2016-2118)\n\n* Several flaws were found in Samba's implementation of NTLMSSP authentication. An unauthenticated, man-in-the-middle attacker could use this flaw to clear the encryption and integrity flags of a connection, causing data to be transmitted in plain text. The attacker could also force the client or server into sending data in plain text even if encryption was explicitly requested for that connection.\n(CVE-2016-2110)\n\n* It was discovered that Samba configured as a Domain Controller would establish a secure communication channel with a machine using a spoofed computer name. A remote attacker able to observe network traffic could use this flaw to obtain session-related information about the spoofed machine. (CVE-2016-2111)\n\nRed Hat would like to thank the Samba project for reporting these issues. Upstream acknowledges Stefan Metzmacher (SerNet) as the original reporter of CVE-2016-2118 and CVE-2016-2110.", "modified": "2018-11-10T00:00:00", "id": "REDHAT-RHSA-2016-0623.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=90499", "published": "2016-04-13T00:00:00", "title": "RHEL 5 : samba (RHSA-2016:0623) (Badlock)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2016:0623. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(90499);\n script_version(\"2.16\");\n script_cvs_date(\"Date: 2018/11/10 11:49:55\");\n\n script_cve_id(\"CVE-2016-2110\", \"CVE-2016-2111\", \"CVE-2016-2118\");\n script_xref(name:\"RHSA\", value:\"2016:0623\");\n\n script_name(english:\"RHEL 5 : samba (RHSA-2016:0623) (Badlock)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update for samba is now available for Red Hat Enterprise Linux 5.6\nLong Life and Red Hat Enterprise Linux 5.9 Long Life.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\n[Updated 13 April 2016] This advisory previously incorrectly listed\nthe CVE-2015-5370 issue as addressed by this update. However, this\nissue did not affect the samba packages on Red Hat Enterprise Linux\n5.6 and 5.9 Long Life. No changes have been made to the packages.\n\n[Updated 14 April 2016] This advisory previously incorrectly listed\nthe CVE-2016-2112 issue as addressed by this update. However, this\nissue did not affect the samba packages on Red Hat Enterprise Linux\n5.6 and 5.9 Long Life. The CVE-2016-2115 was also incorrectly listed\nas addressed by this update. This issue does affect the samba packages\non Red Hat Enterprise Linux 5.6 and 5.9 Long Life. Customers are\nadvised to use the 'client signing = required' configuration option in\nthe smb.conf file to mitigate CVE-2016-2115. No changes have been made\nto the packages.\n\nSamba is an open source implementation of the Server Message Block\n(SMB) protocol and the related Common Internet File System (CIFS)\nprotocol, which allow PC-compatible machines to share files, printers,\nand various information.\n\nSecurity Fix(es) :\n\n* A protocol flaw, publicly referred to as Badlock, was found in the\nSecurity Account Manager Remote Protocol (MS-SAMR) and the Local\nSecurity Authority (Domain Policy) Remote Protocol (MS-LSAD). Any\nauthenticated DCE/RPC connection that a client initiates against a\nserver could be used by a man-in-the-middle attacker to impersonate\nthe authenticated user against the SAMR or LSA service on the server.\nAs a result, the attacker would be able to get read/write access to\nthe Security Account Manager database, and use this to reveal all\npasswords or any other potentially sensitive information in that\ndatabase. (CVE-2016-2118)\n\n* Several flaws were found in Samba's implementation of NTLMSSP\nauthentication. An unauthenticated, man-in-the-middle attacker could\nuse this flaw to clear the encryption and integrity flags of a\nconnection, causing data to be transmitted in plain text. The attacker\ncould also force the client or server into sending data in plain text\neven if encryption was explicitly requested for that connection.\n(CVE-2016-2110)\n\n* It was discovered that Samba configured as a Domain Controller would\nestablish a secure communication channel with a machine using a\nspoofed computer name. A remote attacker able to observe network\ntraffic could use this flaw to obtain session-related information\nabout the spoofed machine. (CVE-2016-2111)\n\nRed Hat would like to thank the Samba project for reporting these\nissues. Upstream acknowledges Stefan Metzmacher (SerNet) as the\noriginal reporter of CVE-2016-2118 and CVE-2016-2110.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/vulnerabilities/badlock\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/articles/2253041\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://badlock.org/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/articles/2243351\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2016:0623\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-2118\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-2111\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-2110\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:libsmbclient\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:libsmbclient-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:samba\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:samba-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:samba-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:samba-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:samba-swat\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5.6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5.9\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/04/14\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/04/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = eregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^(5\\.6|5\\.9)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 5.6 / 5.9\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2016:0623\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{ sp = get_kb_item(\"Host/RedHat/minor_release\");\n if (isnull(sp)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\n\n flag = 0;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i386\", reference:\"libsmbclient-3.0.33-3.30.el5_6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"i386\", reference:\"libsmbclient-3.0.33-3.40.el5_9\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"x86_64\", reference:\"libsmbclient-3.0.33-3.30.el5_6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"x86_64\", reference:\"libsmbclient-3.0.33-3.40.el5_9\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i386\", reference:\"libsmbclient-devel-3.0.33-3.30.el5_6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"i386\", reference:\"libsmbclient-devel-3.0.33-3.40.el5_9\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"x86_64\", reference:\"libsmbclient-devel-3.0.33-3.30.el5_6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"x86_64\", reference:\"libsmbclient-devel-3.0.33-3.40.el5_9\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i386\", reference:\"samba-3.0.33-3.30.el5_6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"i386\", reference:\"samba-3.0.33-3.40.el5_9\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"x86_64\", reference:\"samba-3.0.33-3.30.el5_6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"x86_64\", reference:\"samba-3.0.33-3.40.el5_9\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i386\", reference:\"samba-client-3.0.33-3.30.el5_6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"i386\", reference:\"samba-client-3.0.33-3.40.el5_9\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"x86_64\", reference:\"samba-client-3.0.33-3.30.el5_6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"x86_64\", reference:\"samba-client-3.0.33-3.40.el5_9\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i386\", reference:\"samba-common-3.0.33-3.30.el5_6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"i386\", reference:\"samba-common-3.0.33-3.40.el5_9\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"x86_64\", reference:\"samba-common-3.0.33-3.30.el5_6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"x86_64\", reference:\"samba-common-3.0.33-3.40.el5_9\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i386\", reference:\"samba-debuginfo-3.0.33-3.30.el5_6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"i386\", reference:\"samba-debuginfo-3.0.33-3.40.el5_9\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"x86_64\", reference:\"samba-debuginfo-3.0.33-3.30.el5_6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"x86_64\", reference:\"samba-debuginfo-3.0.33-3.40.el5_9\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i386\", reference:\"samba-swat-3.0.33-3.30.el5_6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"i386\", reference:\"samba-swat-3.0.33-3.40.el5_9\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"x86_64\", reference:\"samba-swat-3.0.33-3.30.el5_6\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"x86_64\", reference:\"samba-swat-3.0.33-3.40.el5_9\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libsmbclient / libsmbclient-devel / samba / samba-client / etc\");\n }\n}\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:26:41", "bulletinFamily": "scanner", "description": "Security Fix(es) :\n\n - A protocol flaw, publicly referred to as Badlock, was found in the Security Account Manager Remote Protocol (MS-SAMR) and the Local Security Authority (Domain Policy) Remote Protocol (MS-LSAD). Any authenticated DCE/RPC connection that a client initiates against a server could be used by a man-in-the-middle attacker to impersonate the authenticated user against the SAMR or LSA service on the server. As a result, the attacker would be able to get read/write access to the Security Account Manager database, and use this to reveal all passwords or any other potentially sensitive information in that database. (CVE-2016-2118)\n\n - Several flaws were found in Samba's implementation of NTLMSSP authentication. An unauthenticated, man-in-the-middle attacker could use this flaw to clear the encryption and integrity flags of a connection, causing data to be transmitted in plain text. The attacker could also force the client or server into sending data in plain text even if encryption was explicitly requested for that connection.\n (CVE-2016-2110)\n\n - It was discovered that Samba configured as a Domain Controller would establish a secure communication channel with a machine using a spoofed computer name. A remote attacker able to observe network traffic could use this flaw to obtain session-related information about the spoofed machine. (CVE-2016-2111)\n\n - It was found that Samba's LDAP implementation did not enforce integrity protection for LDAP connections. A man-in-the-middle attacker could use this flaw to downgrade LDAP connections to use no integrity protection, allowing them to hijack such connections.\n (CVE-2016-2112)\n\n - It was found that Samba did not enable integrity protection for IPC traffic by default. A man-in-the-middle attacker could use this flaw to view and modify the data sent between a Samba server and a client. (CVE-2016-2115)", "modified": "2018-12-28T00:00:00", "id": "SL_20160412_SAMBA_ON_SL5_X.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=90503", "published": "2016-04-13T00:00:00", "title": "Scientific Linux Security Update : samba on SL5.x i386/x86_64 (Badlock)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text is (C) Scientific Linux.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(90503);\n script_version(\"2.9\");\n script_cvs_date(\"Date: 2018/12/28 10:10:36\");\n\n script_cve_id(\"CVE-2016-2110\", \"CVE-2016-2111\", \"CVE-2016-2112\", \"CVE-2016-2115\", \"CVE-2016-2118\");\n\n script_name(english:\"Scientific Linux Security Update : samba on SL5.x i386/x86_64 (Badlock)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Scientific Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Security Fix(es) :\n\n - A protocol flaw, publicly referred to as Badlock, was\n found in the Security Account Manager Remote Protocol\n (MS-SAMR) and the Local Security Authority (Domain\n Policy) Remote Protocol (MS-LSAD). Any authenticated\n DCE/RPC connection that a client initiates against a\n server could be used by a man-in-the-middle attacker to\n impersonate the authenticated user against the SAMR or\n LSA service on the server. As a result, the attacker\n would be able to get read/write access to the Security\n Account Manager database, and use this to reveal all\n passwords or any other potentially sensitive information\n in that database. (CVE-2016-2118)\n\n - Several flaws were found in Samba's implementation of\n NTLMSSP authentication. An unauthenticated,\n man-in-the-middle attacker could use this flaw to clear\n the encryption and integrity flags of a connection,\n causing data to be transmitted in plain text. The\n attacker could also force the client or server into\n sending data in plain text even if encryption was\n explicitly requested for that connection.\n (CVE-2016-2110)\n\n - It was discovered that Samba configured as a Domain\n Controller would establish a secure communication\n channel with a machine using a spoofed computer name. A\n remote attacker able to observe network traffic could\n use this flaw to obtain session-related information\n about the spoofed machine. (CVE-2016-2111)\n\n - It was found that Samba's LDAP implementation did not\n enforce integrity protection for LDAP connections. A\n man-in-the-middle attacker could use this flaw to\n downgrade LDAP connections to use no integrity\n protection, allowing them to hijack such connections.\n (CVE-2016-2112)\n\n - It was found that Samba did not enable integrity\n protection for IPC traffic by default. A\n man-in-the-middle attacker could use this flaw to view\n and modify the data sent between a Samba server and a\n client. (CVE-2016-2115)\"\n );\n # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1604&L=scientific-linux-errata&F=&S=&P=6906\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?b633e72b\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:fermilab:scientific_linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/04/12\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/04/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Scientific Linux \" >!< release) audit(AUDIT_HOST_NOT, \"running Scientific Linux\");\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Scientific Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SL5\", reference:\"libsmbclient-3.0.33-3.41.el5_11\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"libsmbclient-devel-3.0.33-3.41.el5_11\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"samba-3.0.33-3.41.el5_11\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"samba-client-3.0.33-3.41.el5_11\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"samba-common-3.0.33-3.41.el5_11\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"samba-debuginfo-3.0.33-3.41.el5_11\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"samba-swat-3.0.33-3.41.el5_11\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:26:41", "bulletinFamily": "scanner", "description": "Security Fix(es) :\n\n - Multiple flaws were found in Samba's DCE/RPC protocol implementation. A remote, authenticated attacker could use these flaws to cause a denial of service against the Samba server (high CPU load or a crash) or, possibly, execute arbitrary code with the permissions of the user running Samba (root). This flaw could also be used to downgrade a secure DCE/RPC connection by a man-in-the-middle attacker taking control of an Active Directory (AD) object and compromising the security of a Samba Active Directory Domain Controller (DC).\n (CVE-2015-5370)\n\nNote: While Samba packages as shipped in Scientific Linux do not support running Samba as an AD DC, this flaw applies to all roles Samba implements.\n\n - A protocol flaw, publicly referred to as Badlock, was found in the Security Account Manager Remote Protocol (MS-SAMR) and the Local Security Authority (Domain Policy) Remote Protocol (MS-LSAD). Any authenticated DCE/RPC connection that a client initiates against a server could be used by a man-in-the-middle attacker to impersonate the authenticated user against the SAMR or LSA service on the server. As a result, the attacker would be able to get read/write access to the Security Account Manager database, and use this to reveal all passwords or any other potentially sensitive information in that database. (CVE-2016-2118)\n\n - It was discovered that Samba configured as a Domain Controller would establish a secure communication channel with a machine using a spoofed computer name. A remote attacker able to observe network traffic could use this flaw to obtain session-related information about the spoofed machine. (CVE-2016-2111)\n\n - It was found that Samba's LDAP implementation did not enforce integrity protection for LDAP connections. A man-in-the-middle attacker could use this flaw to downgrade LDAP connections to use no integrity protection, allowing them to hijack such connections.\n (CVE-2016-2112)\n\n - It was found that Samba did not enable integrity protection for IPC traffic by default. A man-in-the-middle attacker could use this flaw to view and modify the data sent between a Samba server and a client. (CVE-2016-2115)", "modified": "2018-12-28T00:00:00", "id": "SL_20160412_SAMBA_ON_SL6_X.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=90504", "published": "2016-04-13T00:00:00", "title": "Scientific Linux Security Update : samba on SL6.x i386/x86_64 (Badlock)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text is (C) Scientific Linux.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(90504);\n script_version(\"2.9\");\n script_cvs_date(\"Date: 2018/12/28 10:10:36\");\n\n script_cve_id(\"CVE-2015-5370\", \"CVE-2016-2111\", \"CVE-2016-2112\", \"CVE-2016-2115\", \"CVE-2016-2118\");\n\n script_name(english:\"Scientific Linux Security Update : samba on SL6.x i386/x86_64 (Badlock)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Scientific Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Security Fix(es) :\n\n - Multiple flaws were found in Samba's DCE/RPC protocol\n implementation. A remote, authenticated attacker could\n use these flaws to cause a denial of service against the\n Samba server (high CPU load or a crash) or, possibly,\n execute arbitrary code with the permissions of the user\n running Samba (root). This flaw could also be used to\n downgrade a secure DCE/RPC connection by a\n man-in-the-middle attacker taking control of an Active\n Directory (AD) object and compromising the security of a\n Samba Active Directory Domain Controller (DC).\n (CVE-2015-5370)\n\nNote: While Samba packages as shipped in Scientific Linux do not\nsupport running Samba as an AD DC, this flaw applies to all roles\nSamba implements.\n\n - A protocol flaw, publicly referred to as Badlock, was\n found in the Security Account Manager Remote Protocol\n (MS-SAMR) and the Local Security Authority (Domain\n Policy) Remote Protocol (MS-LSAD). Any authenticated\n DCE/RPC connection that a client initiates against a\n server could be used by a man-in-the-middle attacker to\n impersonate the authenticated user against the SAMR or\n LSA service on the server. As a result, the attacker\n would be able to get read/write access to the Security\n Account Manager database, and use this to reveal all\n passwords or any other potentially sensitive information\n in that database. (CVE-2016-2118)\n\n - It was discovered that Samba configured as a Domain\n Controller would establish a secure communication\n channel with a machine using a spoofed computer name. A\n remote attacker able to observe network traffic could\n use this flaw to obtain session-related information\n about the spoofed machine. (CVE-2016-2111)\n\n - It was found that Samba's LDAP implementation did not\n enforce integrity protection for LDAP connections. A\n man-in-the-middle attacker could use this flaw to\n downgrade LDAP connections to use no integrity\n protection, allowing them to hijack such connections.\n (CVE-2016-2112)\n\n - It was found that Samba did not enable integrity\n protection for IPC traffic by default. A\n man-in-the-middle attacker could use this flaw to view\n and modify the data sent between a Samba server and a\n client. (CVE-2016-2115)\"\n );\n # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1604&L=scientific-linux-errata&F=&S=&P=7302\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?98da124b\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:fermilab:scientific_linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/04/12\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/04/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Scientific Linux \" >!< release) audit(AUDIT_HOST_NOT, \"running Scientific Linux\");\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Scientific Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SL6\", reference:\"libsmbclient-3.6.23-30.el6_7\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"libsmbclient-devel-3.6.23-30.el6_7\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"samba-3.6.23-30.el6_7\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"samba-client-3.6.23-30.el6_7\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"samba-common-3.6.23-30.el6_7\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"samba-debuginfo-3.6.23-30.el6_7\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"samba-doc-3.6.23-30.el6_7\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"samba-domainjoin-gui-3.6.23-30.el6_7\")) flag++;\nif (rpm_check(release:\"SL6\", cpu:\"x86_64\", reference:\"samba-glusterfs-3.6.23-30.el6_7\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"samba-swat-3.6.23-30.el6_7\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"samba-winbind-3.6.23-30.el6_7\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"samba-winbind-clients-3.6.23-30.el6_7\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"samba-winbind-devel-3.6.23-30.el6_7\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"samba-winbind-krb5-locator-3.6.23-30.el6_7\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:26:40", "bulletinFamily": "scanner", "description": "An update for samba is now available for Red Hat Enterprise Linux 6.2 Advanced Update Support, Red Hat Enterprise Linux 6.4 Advanced Update Support, Red Hat Enterprise Linux 6.5 Advanced Update Support, and Red Hat Enterprise Linux 6.6 Extended Update Support.\n\nRed Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\nSamba is an open source implementation of the Server Message Block (SMB) protocol and the related Common Internet File System (CIFS) protocol, which allow PC-compatible machines to share files, printers, and various information.\n\nSecurity Fix(es) :\n\n* Multiple flaws were found in Samba's DCE/RPC protocol implementation. A remote, authenticated attacker could use these flaws to cause a denial of service against the Samba server (high CPU load or a crash) or, possibly, execute arbitrary code with the permissions of the user running Samba (root). This flaw could also be used to downgrade a secure DCE/RPC connection by a man-in-the-middle attacker taking control of an Active Directory (AD) object and compromising the security of a Samba Active Directory Domain Controller (DC).\n(CVE-2015-5370)\n\nNote: While Samba packages as shipped in Red Hat Enterprise Linux do not support running Samba as an AD DC, this flaw applies to all roles Samba implements.\n\n* A protocol flaw, publicly referred to as Badlock, was found in the Security Account Manager Remote Protocol (MS-SAMR) and the Local Security Authority (Domain Policy) Remote Protocol (MS-LSAD). Any authenticated DCE/RPC connection that a client initiates against a server could be used by a man-in-the-middle attacker to impersonate the authenticated user against the SAMR or LSA service on the server.\nAs a result, the attacker would be able to get read/write access to the Security Account Manager database, and use this to reveal all passwords or any other potentially sensitive information in that database. (CVE-2016-2118)\n\n* Several flaws were found in Samba's implementation of NTLMSSP authentication. An unauthenticated, man-in-the-middle attacker could use this flaw to clear the encryption and integrity flags of a connection, causing data to be transmitted in plain text. The attacker could also force the client or server into sending data in plain text even if encryption was explicitly requested for that connection.\n(CVE-2016-2110)\n\n* It was discovered that Samba configured as a Domain Controller would establish a secure communication channel with a machine using a spoofed computer name. A remote attacker able to observe network traffic could use this flaw to obtain session-related information about the spoofed machine. (CVE-2016-2111)\n\n* It was found that Samba's LDAP implementation did not enforce integrity protection for LDAP connections. A man-in-the-middle attacker could use this flaw to downgrade LDAP connections to use no integrity protection, allowing them to hijack such connections.\n(CVE-2016-2112)\n\n* It was found that Samba did not enable integrity protection for IPC traffic by default. A man-in-the-middle attacker could use this flaw to view and modify the data sent between a Samba server and a client.\n(CVE-2016-2115)\n\nRed Hat would like to thank the Samba project for reporting these issues. Upstream acknowledges Jouni Knuutinen (Synopsis) as the original reporter of CVE-2015-5370; and Stefan Metzmacher (SerNet) as the original reporter of CVE-2016-2118, CVE-2016-2110, CVE-2016-2112, and CVE-2016-2115.", "modified": "2018-12-20T00:00:00", "id": "REDHAT-RHSA-2016-0619.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=90496", "published": "2016-04-13T00:00:00", "title": "RHEL 6 : samba (RHSA-2016:0619) (Badlock)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2016:0619. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(90496);\n script_version(\"2.16\");\n script_cvs_date(\"Date: 2018/12/20 11:08:45\");\n\n script_cve_id(\"CVE-2015-5370\", \"CVE-2016-2110\", \"CVE-2016-2111\", \"CVE-2016-2112\", \"CVE-2016-2115\", \"CVE-2016-2118\");\n script_xref(name:\"RHSA\", value:\"2016:0619\");\n\n script_name(english:\"RHEL 6 : samba (RHSA-2016:0619) (Badlock)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update for samba is now available for Red Hat Enterprise Linux 6.2\nAdvanced Update Support, Red Hat Enterprise Linux 6.4 Advanced Update\nSupport, Red Hat Enterprise Linux 6.5 Advanced Update Support, and Red\nHat Enterprise Linux 6.6 Extended Update Support.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Critical. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nSamba is an open source implementation of the Server Message Block\n(SMB) protocol and the related Common Internet File System (CIFS)\nprotocol, which allow PC-compatible machines to share files, printers,\nand various information.\n\nSecurity Fix(es) :\n\n* Multiple flaws were found in Samba's DCE/RPC protocol\nimplementation. A remote, authenticated attacker could use these flaws\nto cause a denial of service against the Samba server (high CPU load\nor a crash) or, possibly, execute arbitrary code with the permissions\nof the user running Samba (root). This flaw could also be used to\ndowngrade a secure DCE/RPC connection by a man-in-the-middle attacker\ntaking control of an Active Directory (AD) object and compromising the\nsecurity of a Samba Active Directory Domain Controller (DC).\n(CVE-2015-5370)\n\nNote: While Samba packages as shipped in Red Hat Enterprise Linux do\nnot support running Samba as an AD DC, this flaw applies to all roles\nSamba implements.\n\n* A protocol flaw, publicly referred to as Badlock, was found in the\nSecurity Account Manager Remote Protocol (MS-SAMR) and the Local\nSecurity Authority (Domain Policy) Remote Protocol (MS-LSAD). Any\nauthenticated DCE/RPC connection that a client initiates against a\nserver could be used by a man-in-the-middle attacker to impersonate\nthe authenticated user against the SAMR or LSA service on the server.\nAs a result, the attacker would be able to get read/write access to\nthe Security Account Manager database, and use this to reveal all\npasswords or any other potentially sensitive information in that\ndatabase. (CVE-2016-2118)\n\n* Several flaws were found in Samba's implementation of NTLMSSP\nauthentication. An unauthenticated, man-in-the-middle attacker could\nuse this flaw to clear the encryption and integrity flags of a\nconnection, causing data to be transmitted in plain text. The attacker\ncould also force the client or server into sending data in plain text\neven if encryption was explicitly requested for that connection.\n(CVE-2016-2110)\n\n* It was discovered that Samba configured as a Domain Controller would\nestablish a secure communication channel with a machine using a\nspoofed computer name. A remote attacker able to observe network\ntraffic could use this flaw to obtain session-related information\nabout the spoofed machine. (CVE-2016-2111)\n\n* It was found that Samba's LDAP implementation did not enforce\nintegrity protection for LDAP connections. A man-in-the-middle\nattacker could use this flaw to downgrade LDAP connections to use no\nintegrity protection, allowing them to hijack such connections.\n(CVE-2016-2112)\n\n* It was found that Samba did not enable integrity protection for IPC\ntraffic by default. A man-in-the-middle attacker could use this flaw\nto view and modify the data sent between a Samba server and a client.\n(CVE-2016-2115)\n\nRed Hat would like to thank the Samba project for reporting these\nissues. Upstream acknowledges Jouni Knuutinen (Synopsis) as the\noriginal reporter of CVE-2015-5370; and Stefan Metzmacher (SerNet) as\nthe original reporter of CVE-2016-2118, CVE-2016-2110, CVE-2016-2112,\nand CVE-2016-2115.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/vulnerabilities/badlock\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/articles/2253041\"\n );\n # http://badlock.org/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://samba.plus\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/articles/2243351\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2016:0619\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-5370\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-2115\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-2112\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-2118\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-2111\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-2110\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:libsmbclient\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:libsmbclient-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:samba\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:samba-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:samba-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:samba-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:samba-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:samba-domainjoin-gui\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:samba-glusterfs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:samba-swat\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:samba-winbind\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:samba-winbind-clients\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:samba-winbind-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:samba-winbind-krb5-locator\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6.4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6.5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6.6\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/04/12\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/04/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = eregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^(6\\.2|6\\.4|6\\.5|6\\.6)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 6.2 / 6.4 / 6.5 / 6.6\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2016:0619\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{ sp = get_kb_item(\"Host/RedHat/minor_release\");\n if (isnull(sp)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\n\n flag = 0;\n if (rpm_check(release:\"RHEL6\", sp:\"6\", reference:\"libsmbclient-3.6.23-30.el6_6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"i686\", reference:\"libsmbclient-3.6.23-30.el6_4\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"i686\", reference:\"libsmbclient-3.6.23-30.el6_2\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", cpu:\"i686\", reference:\"libsmbclient-3.6.23-30.el6_5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"x86_64\", reference:\"libsmbclient-3.6.23-30.el6_4\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"x86_64\", reference:\"libsmbclient-3.6.23-30.el6_2\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", cpu:\"x86_64\", reference:\"libsmbclient-3.6.23-30.el6_5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"6\", reference:\"libsmbclient-devel-3.6.23-30.el6_6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"i686\", reference:\"libsmbclient-devel-3.6.23-30.el6_4\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"i686\", reference:\"libsmbclient-devel-3.6.23-30.el6_2\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", cpu:\"i686\", reference:\"libsmbclient-devel-3.6.23-30.el6_5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"x86_64\", reference:\"libsmbclient-devel-3.6.23-30.el6_4\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"x86_64\", reference:\"libsmbclient-devel-3.6.23-30.el6_2\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", cpu:\"x86_64\", reference:\"libsmbclient-devel-3.6.23-30.el6_5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"6\", cpu:\"i686\", reference:\"samba-3.6.23-30.el6_6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"6\", cpu:\"s390x\", reference:\"samba-3.6.23-30.el6_6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"6\", cpu:\"x86_64\", reference:\"samba-3.6.23-30.el6_6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"x86_64\", reference:\"samba-3.6.23-30.el6_4\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"x86_64\", reference:\"samba-3.6.23-30.el6_2\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", cpu:\"x86_64\", reference:\"samba-3.6.23-30.el6_5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"6\", cpu:\"i686\", reference:\"samba-client-3.6.23-30.el6_6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"6\", cpu:\"s390x\", reference:\"samba-client-3.6.23-30.el6_6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"6\", cpu:\"x86_64\", reference:\"samba-client-3.6.23-30.el6_6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"x86_64\", reference:\"samba-client-3.6.23-30.el6_4\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"x86_64\", reference:\"samba-client-3.6.23-30.el6_2\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", cpu:\"x86_64\", reference:\"samba-client-3.6.23-30.el6_5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"6\", reference:\"samba-common-3.6.23-30.el6_6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"i686\", reference:\"samba-common-3.6.23-30.el6_4\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"i686\", reference:\"samba-common-3.6.23-30.el6_2\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", cpu:\"i686\", reference:\"samba-common-3.6.23-30.el6_5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"x86_64\", reference:\"samba-common-3.6.23-30.el6_4\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"x86_64\", reference:\"samba-common-3.6.23-30.el6_2\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", cpu:\"x86_64\", reference:\"samba-common-3.6.23-30.el6_5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"6\", reference:\"samba-debuginfo-3.6.23-30.el6_6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"i686\", reference:\"samba-debuginfo-3.6.23-30.el6_4\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"i686\", reference:\"samba-debuginfo-3.6.23-30.el6_2\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", cpu:\"i686\", reference:\"samba-debuginfo-3.6.23-30.el6_5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"x86_64\", reference:\"samba-debuginfo-3.6.23-30.el6_4\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"x86_64\", reference:\"samba-debuginfo-3.6.23-30.el6_2\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", cpu:\"x86_64\", reference:\"samba-debuginfo-3.6.23-30.el6_5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"6\", cpu:\"i686\", reference:\"samba-doc-3.6.23-30.el6_6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"6\", cpu:\"s390x\", reference:\"samba-doc-3.6.23-30.el6_6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"6\", cpu:\"x86_64\", reference:\"samba-doc-3.6.23-30.el6_6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"x86_64\", reference:\"samba-doc-3.6.23-30.el6_4\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"x86_64\", reference:\"samba-doc-3.6.23-30.el6_2\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", cpu:\"x86_64\", reference:\"samba-doc-3.6.23-30.el6_5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"6\", cpu:\"i686\", reference:\"samba-domainjoin-gui-3.6.23-30.el6_6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"6\", cpu:\"s390x\", reference:\"samba-domainjoin-gui-3.6.23-30.el6_6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"6\", cpu:\"x86_64\", reference:\"samba-domainjoin-gui-3.6.23-30.el6_6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"x86_64\", reference:\"samba-domainjoin-gui-3.6.23-30.el6_4\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"x86_64\", reference:\"samba-domainjoin-gui-3.6.23-30.el6_2\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", cpu:\"x86_64\", reference:\"samba-domainjoin-gui-3.6.23-30.el6_5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"6\", cpu:\"x86_64\", reference:\"samba-glusterfs-3.6.23-30.el6_6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"6\", cpu:\"i686\", reference:\"samba-swat-3.6.23-30.el6_6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"6\", cpu:\"s390x\", reference:\"samba-swat-3.6.23-30.el6_6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"6\", cpu:\"x86_64\", reference:\"samba-swat-3.6.23-30.el6_6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"x86_64\", reference:\"samba-swat-3.6.23-30.el6_4\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"x86_64\", reference:\"samba-swat-3.6.23-30.el6_2\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", cpu:\"x86_64\", reference:\"samba-swat-3.6.23-30.el6_5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"6\", cpu:\"i686\", reference:\"samba-winbind-3.6.23-30.el6_6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"6\", cpu:\"s390x\", reference:\"samba-winbind-3.6.23-30.el6_6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"6\", cpu:\"x86_64\", reference:\"samba-winbind-3.6.23-30.el6_6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"x86_64\", reference:\"samba-winbind-3.6.23-30.el6_4\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"x86_64\", reference:\"samba-winbind-3.6.23-30.el6_2\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", cpu:\"x86_64\", reference:\"samba-winbind-3.6.23-30.el6_5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"6\", reference:\"samba-winbind-clients-3.6.23-30.el6_6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"i686\", reference:\"samba-winbind-clients-3.6.23-30.el6_4\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"i686\", reference:\"samba-winbind-clients-3.6.23-30.el6_2\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", cpu:\"i686\", reference:\"samba-winbind-clients-3.6.23-30.el6_5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"x86_64\", reference:\"samba-winbind-clients-3.6.23-30.el6_4\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"x86_64\", reference:\"samba-winbind-clients-3.6.23-30.el6_2\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", cpu:\"x86_64\", reference:\"samba-winbind-clients-3.6.23-30.el6_5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"6\", reference:\"samba-winbind-devel-3.6.23-30.el6_6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"i686\", reference:\"samba-winbind-devel-3.6.23-30.el6_4\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"i686\", reference:\"samba-winbind-devel-3.6.23-30.el6_2\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", cpu:\"i686\", reference:\"samba-winbind-devel-3.6.23-30.el6_5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"x86_64\", reference:\"samba-winbind-devel-3.6.23-30.el6_4\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"x86_64\", reference:\"samba-winbind-devel-3.6.23-30.el6_2\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", cpu:\"x86_64\", reference:\"samba-winbind-devel-3.6.23-30.el6_5\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"6\", cpu:\"i686\", reference:\"samba-winbind-krb5-locator-3.6.23-30.el6_6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"6\", cpu:\"s390x\", reference:\"samba-winbind-krb5-locator-3.6.23-30.el6_6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"6\", cpu:\"x86_64\", reference:\"samba-winbind-krb5-locator-3.6.23-30.el6_6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"x86_64\", reference:\"samba-winbind-krb5-locator-3.6.23-30.el6_4\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"x86_64\", reference:\"samba-winbind-krb5-locator-3.6.23-30.el6_2\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", cpu:\"x86_64\", reference:\"samba-winbind-krb5-locator-3.6.23-30.el6_5\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libsmbclient / libsmbclient-devel / samba / samba-client / etc\");\n }\n}\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:26:39", "bulletinFamily": "scanner", "description": "An update for samba3x is now available for Red Hat Enterprise Linux 5.\n\nRed Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\nSamba is an open source implementation of the Server Message Block (SMB) or Common Internet File System (CIFS) protocol, which allows PC-compatible machines to share files, printers, and other information.\n\nSecurity Fix(es) :\n\n* Multiple flaws were found in Samba's DCE/RPC protocol implementation. A remote, authenticated attacker could use these flaws to cause a denial of service against the Samba server (high CPU load or a crash) or, possibly, execute arbitrary code with the permissions of the user running Samba (root). This flaw could also be used to downgrade a secure DCE/RPC connection by a man-in-the-middle attacker taking control of an Active Directory (AD) object and compromising the security of a Samba Active Directory Domain Controller (DC).\n(CVE-2015-5370)\n\nNote: While Samba packages as shipped in Red Hat Enterprise Linux do not support running Samba as an AD DC, this flaw applies to all roles Samba implements.\n\n* A protocol flaw, publicly referred to as Badlock, was found in the Security Account Manager Remote Protocol (MS-SAMR) and the Local Security Authority (Domain Policy) Remote Protocol (MS-LSAD). Any authenticated DCE/RPC connection that a client initiates against a server could be used by a man-in-the-middle attacker to impersonate the authenticated user against the SAMR or LSA service on the server.\nAs a result, the attacker would be able to get read/write access to the Security Account Manager database, and use this to reveal all passwords or any other potentially sensitive information in that database. (CVE-2016-2118)\n\n* Several flaws were found in Samba's implementation of NTLMSSP authentication. An unauthenticated, man-in-the-middle attacker could use this flaw to clear the encryption and integrity flags of a connection, causing data to be transmitted in plain text. The attacker could also force the client or server into sending data in plain text even if encryption was explicitly requested for that connection.\n(CVE-2016-2110)\n\n* It was discovered that Samba configured as a Domain Controller would establish a secure communication channel with a machine using a spoofed computer name. A remote attacker able to observe network traffic could use this flaw to obtain session-related information about the spoofed machine. (CVE-2016-2111)\n\n* It was found that Samba's LDAP implementation did not enforce integrity protection for LDAP connections. A man-in-the-middle attacker could use this flaw to downgrade LDAP connections to use no integrity protection, allowing them to hijack such connections.\n(CVE-2016-2112)\n\n* It was found that Samba did not enable integrity protection for IPC traffic by default. A man-in-the-middle attacker could use this flaw to view and modify the data sent between a Samba server and a client.\n(CVE-2016-2115)\n\nRed Hat would like to thank the Samba project for reporting these issues. Upstream acknowledges Jouni Knuutinen (Synopsis) as the original reporter of CVE-2015-5370; and Stefan Metzmacher (SerNet) as the original reporter of CVE-2016-2118, CVE-2016-2110, CVE-2016-2112, and CVE-2016-2115.", "modified": "2018-11-10T00:00:00", "id": "CENTOS_RHSA-2016-0613.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=90451", "published": "2016-04-13T00:00:00", "title": "CentOS 5 : samba3x (CESA-2016:0613) (Badlock)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2016:0613 and \n# CentOS Errata and Security Advisory 2016:0613 respectively.\n#\n\nif (NASL_LEVEL < 3000) exit(0);\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(90451);\n script_version(\"2.14\");\n script_cvs_date(\"Date: 2018/11/10 11:49:31\");\n\n script_cve_id(\"CVE-2015-5370\", \"CVE-2016-2110\", \"CVE-2016-2111\", \"CVE-2016-2112\", \"CVE-2016-2115\", \"CVE-2016-2118\");\n script_xref(name:\"RHSA\", value:\"2016:0613\");\n\n script_name(english:\"CentOS 5 : samba3x (CESA-2016:0613) (Badlock)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote CentOS host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update for samba3x is now available for Red Hat Enterprise Linux 5.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Critical. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nSamba is an open source implementation of the Server Message Block\n(SMB) or Common Internet File System (CIFS) protocol, which allows\nPC-compatible machines to share files, printers, and other\ninformation.\n\nSecurity Fix(es) :\n\n* Multiple flaws were found in Samba's DCE/RPC protocol\nimplementation. A remote, authenticated attacker could use these flaws\nto cause a denial of service against the Samba server (high CPU load\nor a crash) or, possibly, execute arbitrary code with the permissions\nof the user running Samba (root). This flaw could also be used to\ndowngrade a secure DCE/RPC connection by a man-in-the-middle attacker\ntaking control of an Active Directory (AD) object and compromising the\nsecurity of a Samba Active Directory Domain Controller (DC).\n(CVE-2015-5370)\n\nNote: While Samba packages as shipped in Red Hat Enterprise Linux do\nnot support running Samba as an AD DC, this flaw applies to all roles\nSamba implements.\n\n* A protocol flaw, publicly referred to as Badlock, was found in the\nSecurity Account Manager Remote Protocol (MS-SAMR) and the Local\nSecurity Authority (Domain Policy) Remote Protocol (MS-LSAD). Any\nauthenticated DCE/RPC connection that a client initiates against a\nserver could be used by a man-in-the-middle attacker to impersonate\nthe authenticated user against the SAMR or LSA service on the server.\nAs a result, the attacker would be able to get read/write access to\nthe Security Account Manager database, and use this to reveal all\npasswords or any other potentially sensitive information in that\ndatabase. (CVE-2016-2118)\n\n* Several flaws were found in Samba's implementation of NTLMSSP\nauthentication. An unauthenticated, man-in-the-middle attacker could\nuse this flaw to clear the encryption and integrity flags of a\nconnection, causing data to be transmitted in plain text. The attacker\ncould also force the client or server into sending data in plain text\neven if encryption was explicitly requested for that connection.\n(CVE-2016-2110)\n\n* It was discovered that Samba configured as a Domain Controller would\nestablish a secure communication channel with a machine using a\nspoofed computer name. A remote attacker able to observe network\ntraffic could use this flaw to obtain session-related information\nabout the spoofed machine. (CVE-2016-2111)\n\n* It was found that Samba's LDAP implementation did not enforce\nintegrity protection for LDAP connections. A man-in-the-middle\nattacker could use this flaw to downgrade LDAP connections to use no\nintegrity protection, allowing them to hijack such connections.\n(CVE-2016-2112)\n\n* It was found that Samba did not enable integrity protection for IPC\ntraffic by default. A man-in-the-middle attacker could use this flaw\nto view and modify the data sent between a Samba server and a client.\n(CVE-2016-2115)\n\nRed Hat would like to thank the Samba project for reporting these\nissues. Upstream acknowledges Jouni Knuutinen (Synopsis) as the\noriginal reporter of CVE-2015-5370; and Stefan Metzmacher (SerNet) as\nthe original reporter of CVE-2016-2118, CVE-2016-2110, CVE-2016-2112,\nand CVE-2016-2115.\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2016-April/021821.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?5b672964\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected samba3x packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:samba3x\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:samba3x-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:samba3x-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:samba3x-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:samba3x-domainjoin-gui\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:samba3x-swat\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:samba3x-winbind\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:samba3x-winbind-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:5\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/04/12\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/04/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"CentOS Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/CentOS/release\")) audit(AUDIT_OS_NOT, \"CentOS\");\nif (!get_kb_item(\"Host/CentOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"CentOS\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"CentOS-5\", reference:\"samba3x-3.6.23-12.el5_11\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"samba3x-client-3.6.23-12.el5_11\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"samba3x-common-3.6.23-12.el5_11\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"samba3x-doc-3.6.23-12.el5_11\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"samba3x-domainjoin-gui-3.6.23-12.el5_11\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"samba3x-swat-3.6.23-12.el5_11\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"samba3x-winbind-3.6.23-12.el5_11\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"samba3x-winbind-devel-3.6.23-12.el5_11\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "rapid7community": [{"lastseen": "2017-05-01T16:52:25", "bulletinFamily": "blog", "description": "<!-- [DocumentBodyStart:19e3d185-1b88-423d-89c7-c010d4979ac8] --><div class=\"jive-rendered-content\"><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Why should <span style=\"color: #909090; background-color: black;\">[REDACTED]</span> have all the fun with spiffy codenames for their exploits? As of </span><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fgithub.com%2Frapid7%2Fmetasploit-framework%2Fcommit%2Fb5771b0f727dabfa4df4216a799a8611469b01ba\" rel=\"nofollow\" target=\"_blank\"><span style=\"font-size: 11pt; font-family: Arial; color: #1155cc; text-decoration: underline;\">today</span></a><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">, Metasploit is taking a page from <span style=\"color: #909090; font-family: Arial; font-size: 14.6667px; background-color: #000000;\">[REDACTED]</span>, and equipping all Metasploit modules with equally fear-and-awe-inspiring codenames. Sure, there are catchy names for vulnerabilities -- we remember you fondly, </span><a class=\"jive-link-blog-small\" data-containerId=\"5165\" data-containerType=\"37\" data-objectId=\"7460\" data-objectType=\"38\" href=\"https://community.rapid7.com/community/infosec/blog/2016/04/12/on-badlock-cve-2016-2118-for-samba-and-windows\"><span style=\"font-size: 11pt; font-family: Arial; color: #1155cc; text-decoration: underline;\">Badblock</span></a><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\"> -- but clearly, unique names for exploits is where the real action is at, especially when you're <span style=\"color: black; font-family: Arial; font-size: 14.6667px; background-color: #000000;\">[REDACTED][REDACTED][REDACTED][REDACTED][REDACTED]</span>.</span></p><p style=\"min-height: 8pt; padding: 0px;\"> </p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">So, instead of running boring old '<span style=\"font-family: 'andale mono', times;\">exploit/windows/smb/ms08_067_netapi</span>', now you can don your onyx </span><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.google.com%2Fsearch%3Fq%3Dtactleneck%26source%3Dlnms%26tbm%3Disch%26sa%3DX\" rel=\"nofollow\" target=\"_blank\"><span style=\"font-size: 11pt; font-family: Arial; color: #1155cc; text-decoration: underline;\">tactleneck</span></a><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">, and use </span><span style=\"font-size: 11pt; font-family: 'Courier New'; color: #000000; font-weight: bold;\">CRISPYTRUFFLE</span><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\"> like the international man of mystery that you are.</span></p><p style=\"min-height: 8pt; padding: 0px;\"> </p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Need to scan for telnet banners? Sure, you </span><span style=\"font-size: 11pt; font-family: Arial; color: #000000; font-style: italic;\">could</span><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\"> use '<span style=\"font-family: 'andale mono', times;\">auxiliary/scanner/telnet/telnet_version</span>', like some kind of civilian, or you can be a shadowy puppetmaster and unleash the awesome power of </span><span style=\"font-size: 11pt; font-family: 'Courier New'; color: #000000; font-weight: bold;\">HIDDENBOYFRIEND</span><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">.</span></p><p style=\"min-height: 8pt; padding: 0px;\"> </p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Or, maybe you're looking to deploy one of Metasploit's payloads as a standalone executable, given to your operative in the field. Once you've lost your tail and met your contact in a darkened, rain-slicked alley, you can hand off a USB key loaded up with </span><span style=\"font-size: 11pt; font-family: 'Courier New'; color: #000000; font-weight: bold;\">VENGEFULPONY</span><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">, and trust he'll do what it takes to get back across the border.</span></p><p style=\"min-height: 8pt; padding: 0px;\"> </p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">In order to enable these ultra-top-secret codenames, you'll need to run a fresh checkout of the <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fgithub.com%2Frapid7%2Fmetasploit-framework%2Fwiki%2FSetting-Up-a-Metasploit-Development-Environment\" rel=\"nofollow\" target=\"_blank\">development version</a> of the Metasploit Framework. If you're on one of the <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=http%3A%2F%2Fmetasploit.com%2Fdownload\" target=\"_blank\">binary versions</a> of Metasploit, they'll be getting these codenames as well, so you can check if they're available by setting the environment variable DANGERZONE, like so:</span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\"> </p><div style=\"background-color: black;\"><p dir=\"ltr\"><span style=\"font-family: 'andale mono', times; color: #7ed529; padding: 5px;\">$ DANGERZONE=1 ./msfconsole -q</span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\"> </p><p dir=\"ltr\"><span style=\"font-family: 'andale mono', times; color: #7ed529; padding: 5px;\">msf > use CRISPYTRUFFLE</span></p><p dir=\"ltr\"><span style=\"font-family: 'andale mono', times; color: #7ed529; padding: 5px;\">msf exploit(ms08_067_netapi) ></span></p></div><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\"> </p><p><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">So take a moment today, April 1st, to read yourself into <span style=\"color: #909090; font-family: Arial; font-size: 14.6667px; background-color: #000000;\">[REDACTED]</span> by visiting </span><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=http%3A%2F%2Fwww.5z8.info%2Feid-howto_j0b9mh_openme.exe\" rel=\"nofollow\" target=\"_blank\"><span style=\"font-size: 11pt; font-family: Arial; color: #1155cc; text-decoration: underline;\">http://www.5z8.info/eid-howto_j0b9mh_openme.exe</span></a><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">. Make sure you're behind at least seven proxies when you do so, since <span style=\"color: #909090; font-family: Arial; font-size: 14.6667px; background-color: #000000;\">[REDACTED]</span> is probably watching.</span></p></div><!-- [DocumentBodyEnd:19e3d185-1b88-423d-89c7-c010d4979ac8] -->", "modified": "2017-04-01T12:03:18", "published": "2017-04-01T12:03:18", "href": "https://community.rapid7.com/community/metasploit/blog/2017/04/01/metasploit-redacted-edition", "id": "RAPID7COMMUNITY:ACA23AA788066EC985562287B2410D08", "title": "Metasploit, [REDACTED] Edition", "type": "rapid7community", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "cert": [{"lastseen": "2019-05-29T20:42:47", "bulletinFamily": "info", "description": "### Overview \n\nThe Security Account Manager Remote (SAMR) and Local Security Authority (Domain Policy) (LSAD) protocols do not properly establish Remote Procedure Call (RPC) channels, which may allow any attacker to impersonate an authenticated user or gain access to the SAM database, or launch denial of service attacks. This vulnerability is also known publicly as \"Badlock\".\n\n### Description \n\n[**CWE-757**](<http://cwe.mitre.org/data/definitions/757.html>)**: Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')** \\- CVE-2016-2118, CVE-2016-0128\n\nThe SAMR and LSAD remote protocols are used by Windows and Samba (for UNIX-like platforms) to authenticate users to a Windows domain. A flaw in the way these protocols establish RPC channels may allow an attacker to impersonate an authenticated user or gain access to the SAM database. CVE-2016-2118 identifies this vulnerability in Samba, while CVE-2016-0128 identifies this vulnerability in Windows. \n \nFrom Microsoft's security bulletin [MS16-047](<https://technet.microsoft.com/library/security/MS16-047>) for CVE-2016-0128: \n \n_An elevation of privilege vulnerability exists in the Security Account Manager (SAM) and Local Security Authority (Domain Policy) (LSAD) remote protocols when they accept authentication levels that do not protect the RPC channel adequately. The vulnerability is caused by the way the SAM and LSAD remote protocols establish the Remote Procedure Call (RPC) channel. An attacker who successfully exploited this vulnerability could gain access to the SAM database._ \n \n_To exploit the vulnerability, an attacker could launch a man-in-the-middle (MiTM) attack, force a downgrade of the authentication level of the RPC channel, and then impersonate an authenticated user. _ \n \nA number of other related vulnerabilities also exist only in Samba. For more information, please see the researcher's ['Badlock' website](<http://badlock.org/>). \n \nThe CVSS score below is based on CVE-2016-2118. \n \n--- \n \n### Impact \n\nA remote attacker with network access to perform a man-in-the-middle attack may be able to impersonate an authenticated user or gain access to the SAM database. Additionally, an attacker may use this vulnerability to launch a denial of service attack. \n \n--- \n \n### Solution \n\n**Apply an update** \n \nAffected users of supported versions of Microsoft Windows should apply updates from Windows Update as soon as possible. \n \nAffected users of Samba versions 4.2, 4.3, and 4.4 should update to the latest [bugfix release](<https://www.samba.org/samba/history/security.html>) (at least 4.2.10, 4.3.7, or 4.4.1, respectively). Samba versions 4.1 and prior have been discontinued and will not receive security updates. \n \nNetwork administrators may also consider the following workarounds: \n \n--- \n \n**Configure SMB for mitigating man-in-the-middle** \n \nAccording to ['Badlock' website](<http://badlock.org/>), it is recommended that administrators set these additional options, if compatible with their network environment:\n\n_server signing = mandatory \nntlm auth = no_\n\n \n**Restrict Network Access** \n \nAs a general good security practice, only allow connections from trusted hosts and networks. Consult your firewall product's manual for more information. \n \n--- \n \n### Vendor Information\n\n813296\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Vendor has issued information\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n__ Affected __ Unknown __ Unaffected \n\n**Javascript is disabled. Click here to view vendors.**\n\n### __ Microsoft Corporation\n\nNotified: March 25, 2016 Updated: March 25, 2016 \n\n### Status\n\n__ Affected\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ Samba\n\nNotified: March 25, 2016 Updated: April 12, 2016 \n\n### Status\n\n__ Affected\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ ACCESS\n\nNotified: April 14, 2016 Updated: April 14, 2016 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor References\n\n### __ Fujitsu\n\nNotified: April 14, 2016 Updated: April 14, 2016 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor References\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | 8.8 | AV:N/AC:M/Au:N/C:C/I:C/A:N \nTemporal | 6.9 | E:POC/RL:OF/RC:C \nEnvironmental | 6.9 | CDP:ND/TD:H/CR:ND/IR:ND/AR:ND \n \n \n\n\n### References \n\n * <http://badlock.org/>\n * <https://www.samba.org/samba/security/CVE-2016-2118.html>\n * <https://www.samba.org/samba/latest_news.html#4.4.2>\n * <https://technet.microsoft.com/library/security/MS16-047>\n * <https://isc.sans.edu/forums/diary/Getting+Ready+for+Badlock/20877/>\n * <http://cwe.mitre.org/data/definitions/757.html>\n\n### Acknowledgements\n\nCredit to Stefan Metzmacher for discovering and publicly disclosing this issue in coordination with Microsoft. \n\nThis document was written by Garret Wassermann. \n\n### Other Information\n\n**CVE IDs:** | [CVE-2016-2118, ](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2118>) [CVE-2016-0128](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0128>) \n---|--- \n**Date Public:** | 2016-04-12 \n**Date First Published:** | 2016-04-12 \n**Date Last Updated: ** | 2016-04-14 18:29 UTC \n**Document Revision: ** | 48 \n", "modified": "2016-04-14T18:29:00", "published": "2016-04-12T00:00:00", "id": "VU:813296", "href": "https://www.kb.cert.org/vuls/id/813296", "type": "cert", "title": "Microsoft Windows and Samba may allow spoofing of authenticated users (\"Badlock\")", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "samba": [{"lastseen": "2019-05-29T19:19:10", "bulletinFamily": "software", "description": "The Security Account Manager Remote Protocol [MS-SAMR] and the Local Security Authority (Domain Policy) Remote Protocol [MS-LSAD] are both vulnerable to man in the middle attacks. Both are application level protocols based on the generic DCE 1.1 Remote Procedure Call (DCERPC) protocol.\nThese protocols are typically available on all Windows installations as well as every Samba server. They are used to maintain the Security Account Manager Database. This applies to all roles, e.g. standalone, domain member, domain controller.\nAny authenticated DCERPC connection a client initiates against a server can be used by a man in the middle to impersonate the authenticated user against the SAMR or LSAD service on the server.\nThe client chosen application protocol, auth type (e.g. Kerberos or NTLMSSP) and auth level (NONE, CONNECT, PKT_INTEGRITY, PKT_PRIVACY) do not matter in this case. A man in the middle can change auth level to CONNECT (which means authentication without message protection) and take over the connection.\nAs a result, a man in the middle is able to get read/write access to the Security Account Manager Database, which reveals all passwords and any other potential sensitive information.\nSamba running as an active directory domain controller is additionally missing checks to enforce PKT_PRIVACY for the Directory Replication Service Remote Protocol [MS-DRSR] (drsuapi) and the BackupKey Remote Protocol [MS-BKRP] (backupkey). The Domain Name Service Server Management Protocol [MS-DNSP] (dnsserver) is not enforcing at least PKT_INTEGRITY.", "modified": "2016-04-12T00:00:00", "published": "2016-04-12T00:00:00", "id": "SAMBA:CVE-2016-2118(BADLOCK)", "href": "https://www.samba.org/samba/security/CVE-2016-2118.html", "title": "SAMR and LSA man in the middle attacks possible ", "type": "samba", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "threatpost": [{"lastseen": "2018-10-06T22:55:29", "bulletinFamily": "info", "description": "Weeks of anxiety and concern over the [Badlock vulnerability](<https://threatpost.com/badlock-vulnerability-clues-few-and-far-between/117008/>) ended today with an anticlimactic thud.\n\nBadlock was the security boogeyman since the appearance three weeks ago of a website and logo branding the bug as something serious in Samba, an open source implementation of the server message block (SMB) protocol that provides file and print services for Windows clients.\n\nAs it turns out, Badlock was hardly the remote code execution monster many anticipated. Instead, it\u2019s a man-in-the-middle and denial-of-service bug, allowing an attacker to elevate privileges or crash a Windows machine running Samba services.\n\nSerNet, a German consultancy behind the discovery of Badlock, fueled the hype at the outset with a number of since-deleted tweets that said any marketing boost as a result of its branding and private disclosure of the bug to Microsoft was a bonus for its business.\n\nFor its part, Microsoft refused to join the hype machine and today in [MS16-047](<https://technet.microsoft.com/en-us/library/security/ms16-047>) issued a security update it rated \u201cImportant\u201d for the Windows Security Account Manager (SAM) and Local Security Authority (Domain Policy) (LSAD). The bulletin patches one vulnerability (CVE-2016-0128), an elevation of privilege bug in both SAM and LSAD that could be exploited in a man-in-the-middle attack, forcing a downgrade of the authentication level of both channels, Microsoft said. An attacker could then impersonate an authenticated user.\n\nSamba, meanwhile, also [patched its software](<https://www.samba.org/samba/latest_news.html#4.4.2>) in versions 4.2.10/4.2.11, 4.3.7/4.3.8, and 4.4.1/4.4.2. Older versions starting with the 4.1 release branch are end of life, Samba said, and will not be patched.\n\nBadlock in Samba is CVE-2016-2118 and umbrellas seven vulnerabilities including man-in-the-middle attacks with NTLMSSP, issues with DCE-RPC code, NETLOGON spoofing, missing TLS certificate validation and more.\n\n\u201cThere are several MITM attacks that can be performed against a variety of protocols used by Samba. These would permit execution of arbitrary Samba network calls using the context of the intercepted user,\u201d said an [advisory](<http://badlock.org/>) published today on badlock.org.\n\nThe risks to a Samba Active Directory server including manipulation of secrets such as password hashes or service shutdown in an Active Directory database, or the modification of file or directory permissions. Sernet also warns that an attacker could use these vulnerabilities to remotely trigger a denial of service condition.\n\nThe bug, meanwhile, has not been publicly exploited according to Microsoft and SerNet, despite attackers having a three-week headstart.\n\n\u201cIt may be possible since we already have several PoC (none of them will be released in the near future),\u201d the badlock.org advisory said.\n\nRed Hat security strategist Josh Bressers said Badlock could have been much worse, especially if it had turned out to be a memory corruption issue in SMB as some had surmised. Such a scenario would have cleared a path for remote code execution, for example.\n\n\u201cBadlock is one more potentially dangerous exploit that was identified and addressed by the open source community before it caused significant damage to the broader connected world,\u201d he said.\n\nThe Samba team said there are a number of mitigations that can be used until patches are applied, including DHCP snooping and ARP inspection to counter man-in-the-middle attacks, and firewall rules permitting connectivity only from trusted addresses could prevent denial-of-service attacks.\n\nBadlock, meanwhile, threatens to take focus away from the remainder of today\u2019s [Microsoft security bulletins](<https://technet.microsoft.com/library/security/ms16-apr>), six of which were rated critical by Microsoft.\n\n\u201cFor many people, the Badlock hype was just that, a lot of hype,\u201d said Andrew Storms, vice president of security services at New Context. \u201cSecurity teams should patch immediately, but also put it in perspective with all of the patches that Microsoft released today. For example, patching a remote code execution bug in Internet Explorer may be more important to your organization than the over-hyped Badlock.\u201d\n\nRepresentatives of SerNet and Samba did not return requests for comment. The security community, however, in short order took to Twitter with a tidal wave of cynical reaction to the Badlock hype.\n\n> May I be the first to suggest nominating [#badlock](<https://twitter.com/hashtag/badlock?src=hash>) for a pwnie for most overhyped bug?\n> \n> \u2014 David Litchfield (@dlitchfield) [April 12, 2016](<https://twitter.com/dlitchfield/status/719936210316181508>)\n\n> I couldn't resist. Jumping the [#badlock](<https://twitter.com/hashtag/badlock?src=hash>) [pic.twitter.com/5K1xgpdFJO](<https://t.co/5K1xgpdFJO>)\n> \n> \u2014 Eric Conrad (@eric_conrad) [April 12, 2016](<https://twitter.com/eric_conrad/status/719944109503483905>)\n\n> \"And the Internet yawned. The [#Badlock](<https://twitter.com/hashtag/Badlock?src=hash>) story.\"\n> \n> \u2014 Dave Lewis (@gattaca) [April 12, 2016](<https://twitter.com/gattaca/status/719943656992407552>)\n\n> I apologize to any followers I may have mislead by implying [#badlock](<https://twitter.com/hashtag/badlock?src=hash>) was a dangerous bug. I am also shocked by this development.\n> \n> \u2014 Dave Maynor (@Dave_Maynor) [April 12, 2016](<https://twitter.com/Dave_Maynor/status/719942733977284608>)\n", "modified": "2016-04-14T20:50:53", "published": "2016-04-12T14:30:14", "id": "THREATPOST:C02524F0FB089C0A7D2EEB296C9E643C", "href": "https://threatpost.com/badlock-vulnerability-falls-flat-against-its-hype/117349/", "type": "threatpost", "title": "Badlock Windows, Samba Man-in-the-Middle Vulnerability", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "centos": [{"lastseen": "2019-05-29T18:33:31", "bulletinFamily": "unix", "description": "**CentOS Errata and Security Advisory** CESA-2016:0621\n\n\nSamba is an open-source implementation of the Server Message Block (SMB)\nprotocol and the related Common Internet File System (CIFS) protocol, which\nallow PC-compatible machines to share files, printers, and various information.\n\nSecurity Fix(es):\n\n* A protocol flaw, publicly referred to as Badlock, was found in the Security\nAccount Manager Remote Protocol (MS-SAMR) and the Local Security Authority\n(Domain Policy) Remote Protocol (MS-LSAD). Any authenticated DCE/RPC connection\nthat a client initiates against a server could be used by a man-in-the-middle\nattacker to impersonate the authenticated user against the SAMR or LSA service\non the server. As a result, the attacker would be able to get read/write access\nto the Security Account Manager database, and use this to reveal all passwords\nor any other potentially sensitive information in that database. (CVE-2016-2118)\n\n* Several flaws were found in Samba's implementation of NTLMSSP authentication.\nAn unauthenticated, man-in-the-middle attacker could use this flaw to clear the\nencryption and integrity flags of a connection, causing data to be transmitted\nin plain text. The attacker could also force the client or server into sending\ndata in plain text even if encryption was explicitly requested for that\nconnection. (CVE-2016-2110)\n\n* It was discovered that Samba configured as a Domain Controller would establish\na secure communication channel with a machine using a spoofed computer name. A\nremote attacker able to observe network traffic could use this flaw to obtain\nsession-related information about the spoofed machine. (CVE-2016-2111)\n\nRed Hat would like to thank the Samba project for reporting these issues.\nUpstream acknowledges Stefan Metzmacher (SerNet) as the original reporter of\nCVE-2016-2118 and CVE-2016-2110.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2016-April/021823.html\n\n**Affected packages:**\nlibsmbclient\nlibsmbclient-devel\nsamba\nsamba-client\nsamba-common\nsamba-swat\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2016-0621.html", "modified": "2016-04-13T00:30:21", "published": "2016-04-13T00:30:21", "href": "http://lists.centos.org/pipermail/centos-announce/2016-April/021823.html", "id": "CESA-2016:0621", "title": "libsmbclient, samba security update", "type": "centos", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:35:15", "bulletinFamily": "unix", "description": "**CentOS Errata and Security Advisory** CESA-2016:0611\n\n\nSamba is an open-source implementation of the Server Message Block (SMB) protocol and the related Common Internet File System (CIFS) protocol, which allow PC-compatible machines to share files, printers, and various information.\n\nSecurity Fix(es):\n\n* Multiple flaws were found in Samba's DCE/RPC protocol implementation. A remote, authenticated attacker could use these flaws to cause a denial of service against the Samba server (high CPU load or a crash) or, possibly, execute arbitrary code with the permissions of the user running Samba (root). This flaw could also be used to downgrade a secure DCE/RPC connection by a man-in-the-middle attacker taking control of an Active Directory (AD) object and compromising the security of a Samba Active Directory Domain Controller (DC). (CVE-2015-5370)\n\nNote: While Samba packages as shipped in Red Hat Enterprise Linux do not support running Samba as an AD DC, this flaw applies to all roles Samba implements.\n\n* A protocol flaw, publicly referred to as Badlock, was found in the Security Account Manager Remote Protocol (MS-SAMR) and the Local Security Authority (Domain Policy) Remote Protocol (MS-LSAD). Any authenticated DCE/RPC connection that a client initiates against a server could be used by a man-in-the-middle attacker to impersonate the authenticated user against the SAMR or LSA service on the server. As a result, the attacker would be able to get read/write access to the Security Account Manager database, and use this to reveal all passwords or any other potentially sensitive information in that database. (CVE-2016-2118)\n\n* Several flaws were found in Samba's implementation of NTLMSSP authentication. An unauthenticated, man-in-the-middle attacker could use this flaw to clear the encryption and integrity flags of a connection, causing data to be transmitted in plain text. The attacker could also force the client or server into sending data in plain text even if encryption was explicitly requested for that connection. (CVE-2016-2110)\n\n* It was discovered that Samba configured as a Domain Controller would establish a secure communication channel with a machine using a spoofed computer name. A remote attacker able to observe network traffic could use this flaw to obtain session-related information about the spoofed machine. (CVE-2016-2111)\n\n* It was found that Samba's LDAP implementation did not enforce integrity protection for LDAP connections. A man-in-the-middle attacker could use this flaw to downgrade LDAP connections to use no integrity protection, allowing them to hijack such connections. (CVE-2016-2112)\n\n* It was found that Samba did not enable integrity protection for IPC traffic by default. A man-in-the-middle attacker could use this flaw to view and modify the data sent between a Samba server and a client. (CVE-2016-2115)\n\nRed Hat would like to thank the Samba project for reporting these issues. Upstream acknowledges Jouni Knuutinen (Synopsis) as the original reporter of CVE-2015-5370; and Stefan Metzmacher (SerNet) as the original reporter of CVE-2016-2118, CVE-2016-2110, CVE-2016-2112, and CVE-2016-2115.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2016-April/021815.html\n\n**Affected packages:**\nlibsmbclient\nlibsmbclient-devel\nsamba\nsamba-client\nsamba-common\nsamba-doc\nsamba-domainjoin-gui\nsamba-glusterfs\nsamba-swat\nsamba-winbind\nsamba-winbind-clients\nsamba-winbind-devel\nsamba-winbind-krb5-locator\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2016-0611.html", "modified": "2016-04-13T00:14:40", "published": "2016-04-13T00:14:40", "href": "http://lists.centos.org/pipermail/centos-announce/2016-April/021815.html", "id": "CESA-2016:0611", "title": "libsmbclient, samba security update", "type": "centos", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:33:24", "bulletinFamily": "unix", "description": "**CentOS Errata and Security Advisory** CESA-2016:0613\n\n\nSamba is an open-source implementation of the Server Message Block (SMB) or\nCommon Internet File System (CIFS) protocol, which allows PC-compatible machines\nto share files, printers, and other information.\n\nSecurity Fix(es):\n\n* Multiple flaws were found in Samba's DCE/RPC protocol implementation. A\nremote, authenticated attacker could use these flaws to cause a denial of\nservice against the Samba server (high CPU load or a crash) or, possibly,\nexecute arbitrary code with the permissions of the user running Samba (root).\nThis flaw could also be used to downgrade a secure DCE/RPC connection by a\nman-in-the-middle attacker taking control of an Active Directory (AD) object and\ncompromising the security of a Samba Active Directory Domain Controller (DC).\n(CVE-2015-5370)\n\nNote: While Samba packages as shipped in Red Hat Enterprise Linux do not support\nrunning Samba as an AD DC, this flaw applies to all roles Samba implements.\n\n* A protocol flaw, publicly referred to as Badlock, was found in the Security\nAccount Manager Remote Protocol (MS-SAMR) and the Local Security Authority\n(Domain Policy) Remote Protocol (MS-LSAD). Any authenticated DCE/RPC connection\nthat a client initiates against a server could be used by a man-in-the-middle\nattacker to impersonate the authenticated user against the SAMR or LSA service\non the server. As a result, the attacker would be able to get read/write access\nto the Security Account Manager database, and use this to reveal all passwords\nor any other potentially sensitive information in that database. (CVE-2016-2118)\n\n* Several flaws were found in Samba's implementation of NTLMSSP authentication.\nAn unauthenticated, man-in-the-middle attacker could use this flaw to clear the\nencryption and integrity flags of a connection, causing data to be transmitted\nin plain text. The attacker could also force the client or server into sending\ndata in plain text even if encryption was explicitly requested for that\nconnection. (CVE-2016-2110)\n\n* It was discovered that Samba configured as a Domain Controller would establish\na secure communication channel with a machine using a spoofed computer name. A\nremote attacker able to observe network traffic could use this flaw to obtain\nsession-related information about the spoofed machine. (CVE-2016-2111)\n\n* It was found that Samba's LDAP implementation did not enforce integrity\nprotection for LDAP connections. A man-in-the-middle attacker could use this\nflaw to downgrade LDAP connections to use no integrity protection, allowing them\nto hijack such connections. (CVE-2016-2112)\n\n* It was found that Samba did not enable integrity protection for IPC traffic by\ndefault. A man-in-the-middle attacker could use this flaw to view and modify the\ndata sent between a Samba server and a client. (CVE-2016-2115)\n\nRed Hat would like to thank the Samba project for reporting these issues.\nUpstream acknowledges Jouni Knuutinen (Synopsis) as the original reporter of\nCVE-2015-5370; and Stefan Metzmacher (SerNet) as the original reporter of\nCVE-2016-2118, CVE-2016-2110, CVE-2016-2112, and CVE-2016-2115.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2016-April/021821.html\n\n**Affected packages:**\nsamba3x\nsamba3x-client\nsamba3x-common\nsamba3x-doc\nsamba3x-domainjoin-gui\nsamba3x-swat\nsamba3x-winbind\nsamba3x-winbind-devel\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2016-0613.html", "modified": "2016-04-13T00:27:00", "published": "2016-04-13T00:27:00", "href": "http://lists.centos.org/pipermail/centos-announce/2016-April/021821.html", "id": "CESA-2016:0613", "title": "samba3x security update", "type": "centos", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:33:44", "bulletinFamily": "unix", "description": "**CentOS Errata and Security Advisory** CESA-2016:0612\n\n\nSamba is an open-source implementation of the Server Message Block (SMB) protocol and the related Common Internet File System (CIFS) protocol, which allow PC-compatible machines to share files, printers, and various information.\n\nThe following packages have been upgraded to a newer upstream version: Samba (4.2.10). Refer to the Release Notes listed in the References section for a complete list of changes.\n\nSecurity Fix(es):\n\n* Multiple flaws were found in Samba's DCE/RPC protocol implementation. A remote, authenticated attacker could use these flaws to cause a denial of service against the Samba server (high CPU load or a crash) or, possibly, execute arbitrary code with the permissions of the user running Samba (root). This flaw could also be used to downgrade a secure DCE/RPC connection by a man-in-the-middle attacker taking control of an Active Directory (AD) object and compromising the security of a Samba Active Directory Domain Controller (DC). (CVE-2015-5370)\n\nNote: While Samba packages as shipped in Red Hat Enterprise Linux do not support running Samba as an AD DC, this flaw applies to all roles Samba implements.\n\n* A protocol flaw, publicly referred to as Badlock, was found in the Security Account Manager Remote Protocol (MS-SAMR) and the Local Security Authority (Domain Policy) Remote Protocol (MS-LSAD). Any authenticated DCE/RPC connection that a client initiates against a server could be used by a man-in-the-middle attacker to impersonate the authenticated user against the SAMR or LSA service on the server. As a result, the attacker would be able to get read/write access to the Security Account Manager database, and use this to reveal all passwords or any other potentially sensitive information in that database. (CVE-2016-2118)\n\n* Several flaws were found in Samba's implementation of NTLMSSP authentication. An unauthenticated, man-in-the-middle attacker could use this flaw to clear the encryption and integrity flags of a connection, causing data to be transmitted in plain text. The attacker could also force the client or server into sending data in plain text even if encryption was explicitly requested for that connection. (CVE-2016-2110)\n\n* It was discovered that Samba configured as a Domain Controller would establish a secure communication channel with a machine using a spoofed computer name. A remote attacker able to observe network traffic could use this flaw to obtain session-related information about the spoofed machine. (CVE-2016-2111)\n\n* It was found that Samba's LDAP implementation did not enforce integrity protection for LDAP connections. A man-in-the-middle attacker could use this flaw to downgrade LDAP connections to use no integrity protection, allowing them to hijack such connections. (CVE-2016-2112)\n\n* It was found that Samba did not validate SSL/TLS certificates in certain connections. A man-in-the-middle attacker could use this flaw to spoof a Samba server using a specially crafted SSL/TLS certificate. (CVE-2016-2113)\n\n* It was discovered that Samba did not enforce Server Message Block (SMB) signing for clients using the SMB1 protocol. A man-in-the-middle attacker could use this flaw to modify traffic between a client and a server. (CVE-2016-2114)\n\n* It was found that Samba did not enable integrity protection for IPC traffic by default. A man-in-the-middle attacker could use this flaw to view and modify the data sent between a Samba server and a client. (CVE-2016-2115)\n\nRed Hat would like to thank the Samba project for reporting these issues. Upstream acknowledges Jouni Knuutinen (Synopsis) as the original reporter of CVE-2015-5370; and Stefan Metzmacher (SerNet) as the original reporter of CVE-2016-2118, CVE-2016-2110, CVE-2016-2112, CVE-2016-2113, CVE-2016-2114, and CVE-2016-2115.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2016-April/021814.html\nhttp://lists.centos.org/pipermail/centos-announce/2016-April/021816.html\nhttp://lists.centos.org/pipermail/centos-announce/2016-April/021817.html\nhttp://lists.centos.org/pipermail/centos-announce/2016-April/021818.html\nhttp://lists.centos.org/pipermail/centos-announce/2016-April/021819.html\nhttp://lists.centos.org/pipermail/centos-announce/2016-April/021820.html\nhttp://lists.centos.org/pipermail/centos-announce/2016-April/021822.html\nhttp://lists.centos.org/pipermail/centos-announce/2016-April/021824.html\nhttp://lists.centos.org/pipermail/centos-announce/2016-April/021825.html\nhttp://lists.centos.org/pipermail/centos-announce/2016-April/021826.html\nhttp://lists.centos.org/pipermail/centos-announce/2016-April/021827.html\nhttp://lists.centos.org/pipermail/centos-announce/2016-April/021828.html\nhttp://lists.centos.org/pipermail/centos-announce/2016-April/021829.html\nhttp://lists.centos.org/pipermail/centos-announce/2016-April/021830.html\n\n**Affected packages:**\nctdb\nctdb-devel\nctdb-tests\nipa\nipa-admintools\nipa-client\nipa-python\nipa-server\nipa-server-dns\nipa-server-selinux\nipa-server-trust-ad\nldb-tools\nlibldb\nlibldb-devel\nlibsmbclient\nlibsmbclient-devel\nlibtalloc\nlibtalloc-devel\nlibtdb\nlibtdb-devel\nlibtevent\nlibtevent-devel\nlibwbclient\nlibwbclient-devel\nopenchange\nopenchange-client\nopenchange-devel\nopenchange-devel-docs\npyldb\npyldb-devel\npytalloc\npytalloc-devel\npython-tdb\npython-tevent\nsamba\nsamba-client\nsamba-client-libs\nsamba-common\nsamba-common-libs\nsamba-common-tools\nsamba-dc\nsamba-dc-libs\nsamba-devel\nsamba-libs\nsamba-pidl\nsamba-python\nsamba-test\nsamba-test-devel\nsamba-test-libs\nsamba-vfs-glusterfs\nsamba-winbind\nsamba-winbind-clients\nsamba-winbind-krb5-locator\nsamba-winbind-modules\nsamba4\nsamba4-client\nsamba4-common\nsamba4-dc\nsamba4-dc-libs\nsamba4-devel\nsamba4-libs\nsamba4-pidl\nsamba4-python\nsamba4-test\nsamba4-winbind\nsamba4-winbind-clients\nsamba4-winbind-krb5-locator\ntdb-tools\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2016-0612.html", "modified": "2016-04-13T03:11:17", "published": "2016-04-13T00:13:42", "href": "http://lists.centos.org/pipermail/centos-announce/2016-April/021814.html", "id": "CESA-2016:0612", "title": "ctdb, ipa, ldb, libldb, libsmbclient, libtalloc, libtdb, libtevent, libwbclient, openchange, pyldb, pytalloc, python, samba, samba4, tdb security update", "type": "centos", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "avleonov": [{"lastseen": "2017-06-19T23:16:03", "bulletinFamily": "blog", "description": "Hi everyone! Today I would like talk about software vulnerabilities. How to find really interesting vulnerabilities in the overall CVE flow. And how to do it automatically.\n\n\n\nFirst of all, let's talk why we may ever need to analyze software vulnerabilities? How people usually do their Vulnerability Management and Vulnerability Intelligence?\n\n\n\n * Some people have a Vulnerability scanner, scan infrastructure with it, patch founded vulnerabilities and think that this will be enough.\n * Some people pay attention to the vulnerabilities that are widely covered by media.\n * Some people use vulnerability databases and search for the most critical vulnerabilities by some criteria.\n\nEach of these ways have some advantages and some disadvantages.\n\n### Vulnerability Scanners\n\nHuge part of detection plugins were written manually. Especially plugins that work remotely without authorization. It takes time to make them and so they may appear in scanner with a huge latency. It also might be economically impractical for VM vendors to deal with vulnerabilities in some rare software.\n\n### Vulnerabilities, that are widely covered in media\n\nFrom the one hand it's really great. Even Top managers might ask you if we have, for example, GHOST in our infrastructure or other popular vulnerability. They begin to see that you are doing something important!\n\n\n\nOn the other hand, vulnerability researchers are also people. And they are interested in making more hype around the vulnerabilities they have discovered. It's just a part of their self-promotion. It's relatively easy to come with a name, register a domain and make a beautiful logo for the vulnerability. And it's hard to understand how critical this vulnerability really is. Especially when there are no so much details.\n\nHere you can see some well-known vulnerabilities that made a lot of noise in the past.\n\n\n\nMost of them were really critical. But, I have seen plenty of publications about BadLock saying that this vulnerability was overvalued.\n\n### Vulnerability databases and feeds\n\nMost people use CVSS vector and the CVSS Base Score for vulnerability filtering and vulnerability prioritization. They may also take into consideration the existence of exploits, for example. But the CVSS is still a basis.\n\nWhat is the Common Vulnerability Scoring System? In fact, there is a framework, a questionnaire, in which some person manually describes the vulnerability.\n\n\n\nI do not know who fills CVSS for National Vulnerability Database. But, imagine some people in US military uniform.\n\n\n\nThe final result is a score, number from 0 to 10, and a vector containing all the answers in a compact form.\n\nWhat's wrong with CVSS?\n\n * Filling the questionnaire is highly subjective procedure. You can easily make a mistake or just think differently during the classification.Or you may just have a controversial information about the vulnerability.\n * It takes time. That's why CVSS for the vulnerability appears in database much later than a human-readable description.\n * In NVD, for example, you can see only Base Score and Base Vector. And there is no Temporal Vector available.\n * CVSS model works well when we talk about desktops and servers and doesn't really fit for Internet of Things, for example.\n * CVSS is not well suited for confidentiality threats. A good example is the well-known Heartbleed.\n\nHeartbleed was rated as a medium-level vulnerability by NVD. But on the other hand, Tenable Network Security, the well-known Vulnerability Management vendor, believes that this vulnerability should have different CVSS vector.\n\n\n\nSo this is a controversial issue:\n\n * Confidentiality Impact is Complete or Partial?\n * Integrity Impact is None or Complete?\n\nAnd the final result depends on this.\n\nIt was the 2nd version of the CVSS standard, now the actual version is 3rd. But in 3rd versions problems with confidentiality threats were not solved either.\n\n### Vulnerability Quadrants\n\nSo, my idea was to evaluate vulnerabilities using the data that we currently have. Of course, it would be great to work with some highly formalized descriptions of vulnerabilities. However, as a rule, we do not have such information. We have only different objects linked with each other and stored in some vulnerability database.\n\nIf we open, for example, [Heartbleed page](<https://vulners.com/cve/CVE-2014-0160>) at [vulners.com](<https://vulners.com>) (read more about this service at \"[Vulners \u2013 Google for hacker](<https://avleonov.com/2016/07/23/vulners-google-for-hacker-how-the-best-vulnerability-search-engine-works-and-how-to-use-it/>)\") we can see all the objects linked to this vulnerability and the timestamps when objects were created.\n\n\n\nUsing this data I can calculate two integrated characteristics of vulnerability: \"Danger\" and \"Relevance\". And I can do it for any moment of time.\n\n**\"Danger\"** is about technical criticality and exploitability. It shows how interesting this vulnerability may be for an attacker.\n\nIt depends on:\n\n * CVSS Base Score \u2191\n * Potential exploitability \u2191\n * Exploits \u2191\n * Malware* \u2191\n * Patches \u2193\n * Detection plugins \u2193\n * Age \u2193\n\n**\"Relevance\"** shows the attention paid to the vulnerability by media, vulnerability management vendors, and users of vulnerability databases.\n\nIt depends on:\n\n * Media coverage \u2191\n * Descriptions \u2191\n * Detection plugins \u2191\n * Search queries* \u2191\n * Search results* \u2191 \n\n * Clicks* \u2191 \n\n * Age \u2193\n\n* haven't used it in PoC\n\nTo show the current state of vulnerability I use \"quadrants\". Like consulting and research companies do it for comparing software vendors.\n\n\n\n\n\nSo, for products \"Ability to execute\" and \"Completeness of vision\" are important, for vulnerabilities it will be \"Danger\" and \"Relevance\".\n\nI gave this names to quadrants:\n\n * Leading Threats\n * Local Disaster\n * Well-known Issue\n * Daily Routine\n\nHere is, for example, Vulnerability Quadrant for [Heartbleed](<https://vulners.com/cve/CVE-2014-0160>):\n\nAnd this one is for [Badlock](<https://vulners.com/cve/CVE-2016-2118>):\n\nAs you can see, unlike Heartbleed, Badlock was never a Leading Threat.\n\nWe can visualize more than one vulnerability at the same time. For example, here I took [last year CVEs](<https://vulners.com/search?query=type:cve%20last%20year>) and showed dynamics of their state since this beginning of the year (from 2017-01-01 till 2017-04-15).\n\nTo limit amount of the vulnerabilities in the lower left corner I made a \"rule for disappearing\": vulnerability may stay in Daily Routine quadrant only for 10 days with value of Danger and Relevance <3.5 or they will disappear.\n\nHere you can see different types of vulnerabilities. These ones are about [race condition that allows attackers to execute arbitrary code in a privileged context via a crafted app](<https://vulners.com/cve/CVE-2017-2478>). (iOS, macOS, tvOS, watchOS):\n\n\n\nAnd these vulnerabilities in Microsoft Edge and WordPress are also dangerous and exploitable, but never get the same level of media attention. Researchers find vulnerabilities in this products on a regular basis and therefore it's not a news. Vulnerabilities of such kind are slowly drifting from Local Disaster quadrant to Daily Routine.\n\n\n\nOf course, \"rule for disappearing\" doesn't work in real life and all vulnerabilities will exist in your infrastructure until you install the updates. If I switch off this rule and switch off all the captions, we will see something like this:\n\nSo, don't forget to fix vulnerabilities in your systems until it's too late:\n\n\n\nThe Greedy Raja covered with golden coins. From the classic Soviet animated film [Golden Antelope](<https://www.youtube.com/watch?v=wpSAJOyLfU8>)\n\nVulnerability Quadrant is a simple and universal way to show the current state for any vulnerability and dynamics of this state. it's possible to highlight most critical vulnerabilities and to identify trends. And it's just fun to watch vulnerabilities crawling on the screen. \n\nProblems and limitations \n- It\u2019s all about CVEs. And we all know, that some vulnerabilities may have multiple CVEs and some may don't have CVEs at all, for example vulnerabilities in SAP products. And they are out of scope right now. \n- Formulas for Danger and Relevance are very subjective. Basically, what factors you choose, such values you will get. However, when you use the same formulas for all vulnerabilities the overall picture remains the same. \n- We can make this instrument much more effective, but we need more information about exploits, malware, statistics and search history from vulnerability databases and so on.\n\n**Q:** Can we use Vulnerability Quadrants to decide which of vulnerabilities are really dangerous for your organization and should be discovered and patched immediately?\n\nWell, yes, but not in the form we have seen earlier. First of all, we should switch off gravity. Vulnerability Danger will not become smaller until you patch the software in your organization. As well as Relevance. And you should consider only vulnerabilities in the software products that are currently in use in your organization.\n\n", "modified": "2017-05-09T21:17:36", "published": "2017-05-09T21:17:36", "id": "AVLEONOV:B5CA8049524C96A911991EE8ADF24F64", "href": "http://feedproxy.google.com/~r/avleonov/~3/nMNWzQgosww/", "title": "Vulnerability Quadrants", "type": "avleonov", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "openvas": [{"lastseen": "2019-05-29T18:35:14", "bulletinFamily": "scanner", "description": "Oracle Linux Local Security Checks ELSA-2016-0621", "modified": "2019-03-14T00:00:00", "published": "2016-05-09T00:00:00", "id": "OPENVAS:1361412562310122941", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310122941", "title": "Oracle Linux Local Check: ELSA-2016-0621", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: ELSA-2016-0621.nasl 14180 2019-03-14 12:29:16Z cfischer $\n#\n# Oracle Linux Local Check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.fi>\n#\n# Copyright:\n# Copyright (c) 2016 Eero Volotinen, http://solinor.fi\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.122941\");\n script_version(\"$Revision: 14180 $\");\n script_tag(name:\"creation_date\", value:\"2016-05-09 14:24:57 +0300 (Mon, 09 May 2016)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-14 13:29:16 +0100 (Thu, 14 Mar 2019) $\");\n script_name(\"Oracle Linux Local Check: ELSA-2016-0621\");\n script_tag(name:\"insight\", value:\"ELSA-2016-0621 - samba security update. Please see the references for more insight.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"summary\", value:\"Oracle Linux Local Security Checks ELSA-2016-0621\");\n script_xref(name:\"URL\", value:\"http://linux.oracle.com/errata/ELSA-2016-0621.html\");\n script_cve_id(\"CVE-2016-2111\", \"CVE-2016-2112\", \"CVE-2016-2115\", \"CVE-2016-2118\", \"CVE-2016-2110\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/oracle_linux\", \"ssh/login/release\", re:\"ssh/login/release=OracleLinux5\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Eero Volotinen\");\n script_family(\"Oracle Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"OracleLinux5\")\n{\n if ((res = isrpmvuln(pkg:\"libsmbclient\", rpm:\"libsmbclient~3.0.33~3.41.el5_11\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"libsmbclient-devel\", rpm:\"libsmbclient-devel~3.0.33~3.41.el5_11\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba\", rpm:\"samba~3.0.33~3.41.el5_11\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba-client\", rpm:\"samba-client~3.0.33~3.41.el5_11\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba-common\", rpm:\"samba-common~3.0.33~3.41.el5_11\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba-swat\", rpm:\"samba-swat~3.0.33~3.41.el5_11\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n\n}\nif (__pkg_match) exit(99);\n exit(0);\n\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:35:21", "bulletinFamily": "scanner", "description": "Oracle Linux Local Security Checks ELSA-2016-0611", "modified": "2019-03-14T00:00:00", "published": "2016-05-09T00:00:00", "id": "OPENVAS:1361412562310122939", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310122939", "title": "Oracle Linux Local Check: ELSA-2016-0611", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: ELSA-2016-0611.nasl 14180 2019-03-14 12:29:16Z cfischer $\n#\n# Oracle Linux Local Check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.fi>\n#\n# Copyright:\n# Copyright (c) 2016 Eero Volotinen, http://solinor.fi\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.122939\");\n script_version(\"$Revision: 14180 $\");\n script_tag(name:\"creation_date\", value:\"2016-05-09 14:24:55 +0300 (Mon, 09 May 2016)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-14 13:29:16 +0100 (Thu, 14 Mar 2019) $\");\n script_name(\"Oracle Linux Local Check: ELSA-2016-0611\");\n script_tag(name:\"insight\", value:\"ELSA-2016-0611 - samba security update. Please see the references for more insight.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"summary\", value:\"Oracle Linux Local Security Checks ELSA-2016-0611\");\n script_xref(name:\"URL\", value:\"http://linux.oracle.com/errata/ELSA-2016-0611.html\");\n script_cve_id(\"CVE-2015-5370\", \"CVE-2016-2111\", \"CVE-2016-2112\", \"CVE-2016-2115\", \"CVE-2016-2118\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/oracle_linux\", \"ssh/login/release\", re:\"ssh/login/release=OracleLinux6\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Eero Volotinen\");\n script_family(\"Oracle Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"OracleLinux6\")\n{\n if ((res = isrpmvuln(pkg:\"libsmbclient\", rpm:\"libsmbclient~3.6.23~30.0.1.el6_7\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"libsmbclient-devel\", rpm:\"libsmbclient-devel~3.6.23~30.0.1.el6_7\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba\", rpm:\"samba~3.6.23~30.0.1.el6_7\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba-client\", rpm:\"samba-client~3.6.23~30.0.1.el6_7\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba-common\", rpm:\"samba-common~3.6.23~30.0.1.el6_7\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba-doc\", rpm:\"samba-doc~3.6.23~30.0.1.el6_7\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba-domainjoin-gui\", rpm:\"samba-domainjoin-gui~3.6.23~30.0.1.el6_7\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba-swat\", rpm:\"samba-swat~3.6.23~30.0.1.el6_7\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba-winbind\", rpm:\"samba-winbind~3.6.23~30.0.1.el6_7\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba-winbind-clients\", rpm:\"samba-winbind-clients~3.6.23~30.0.1.el6_7\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba-winbind-devel\", rpm:\"samba-winbind-devel~3.6.23~30.0.1.el6_7\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba-winbind-krb5-locator\", rpm:\"samba-winbind-krb5-locator~3.6.23~30.0.1.el6_7\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba-glusterfs\", rpm:\"samba-glusterfs~3.6.23~30.0.1.el6_7\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n\n}\nif (__pkg_match) exit(99);\n exit(0);\n\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:35:25", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2018-11-23T00:00:00", "published": "2016-04-13T00:00:00", "id": "OPENVAS:1361412562310871595", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310871595", "title": "RedHat Update for samba RHSA-2016:0611-01", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# RedHat Update for samba RHSA-2016:0611-01\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.871595\");\n script_version(\"$Revision: 12497 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-23 09:28:21 +0100 (Fri, 23 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2016-04-13 05:17:00 +0200 (Wed, 13 Apr 2016)\");\n script_cve_id(\"CVE-2015-5370\", \"CVE-2016-2111\", \"CVE-2016-2112\", \"CVE-2016-2115\",\n \"CVE-2016-2118\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"RedHat Update for samba RHSA-2016:0611-01\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'samba'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Samba is an open-source implementation of the\nServer Message Block (SMB) protocol and the related Common Internet File System\n(CIFS) protocol, which allow PC-compatible machines to share files, printers, and\nvarious information.\n\nSecurity Fix(es):\n\n * Multiple flaws were found in Samba's DCE/RPC protocol implementation. A\nremote, authenticated attacker could use these flaws to cause a denial of\nservice against the Samba server (high CPU load or a crash) or, possibly,\nexecute arbitrary code with the permissions of the user running Samba\n(root). This flaw could also be used to downgrade a secure DCE/RPC\nconnection by a man-in-the-middle attacker taking control of an Active\nDirectory (AD) object and compromising the security of a Samba Active\nDirectory Domain Controller (DC). (CVE-2015-5370)\n\nNote: While Samba packages as shipped in Red Hat Enterprise Linux do not\nsupport running Samba as an AD DC, this flaw applies to all roles Samba\nimplements.\n\n * A protocol flaw, publicly referred to as Badlock, was found in the\nSecurity Account Manager Remote Protocol (MS-SAMR) and the Local Security\nAuthority (Domain Policy) Remote Protocol (MS-LSAD). Any authenticated\nDCE/RPC connection that a client initiates against a server could be used\nby a man-in-the-middle attacker to impersonate the authenticated user\nagainst the SAMR or LSA service on the server. As a result, the attacker\nwould be able to get read/write access to the Security Account Manager\ndatabase, and use this to reveal all passwords or any other potentially\nsensitive information in that database. (CVE-2016-2118)\n\n * It was discovered that Samba configured as a Domain Controller would\nestablish a secure communication channel with a machine using a spoofed\ncomputer name. A remote attacker able to observe network traffic could use\nthis flaw to obtain session-related information about the spoofed machine.\n(CVE-2016-2111)\n\n * It was found that Samba's LDAP implementation did not enforce integrity\nprotection for LDAP connections. A man-in-the-middle attacker could use\nthis flaw to downgrade LDAP connections to use no integrity protection,\nallowing them to hijack such connections. (CVE-2016-2112)\n\n * It was found that Samba did not enable integrity protection for IPC\ntraffic by default. A man-in-the-middle attacker could use this flaw to\nview and modify the data sent between a Samba server and a client.\n(CVE-2016-2115)\n\nRed Hat would like to thank the Samba project for reporting these issues.\nUpstream acknowledges Jouni Knuutinen (Synopsis) as the original reporter\nof CVE-2015-5370 and Stefan Metzmacher (SerNet) as the original reporter\nof CVE-2016-2118, CVE-2016-2112, and CVE-2016-2115.\");\n script_tag(name:\"affected\", value:\"samba on Red Hat Enterprise Linux Desktop (v. 6),\n Red Hat Enterprise Linux Server (v. 6),\n Red Hat Enterprise Linux Workstation (v. 6)\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"RHSA\", value:\"2016:0611-01\");\n script_xref(name:\"URL\", value:\"https://www.redhat.com/archives/rhsa-announce/2016-April/msg00015.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\", re:\"ssh/login/release=RHENT_6\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"RHENT_6\")\n{\n\n if ((res = isrpmvuln(pkg:\"libsmbclient\", rpm:\"libsmbclient~3.6.23~30.el6_7\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba\", rpm:\"samba~3.6.23~30.el6_7\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-client\", rpm:\"samba-client~3.6.23~30.el6_7\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-common\", rpm:\"samba-common~3.6.23~30.el6_7\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-debuginfo\", rpm:\"samba-debuginfo~3.6.23~30.el6_7\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-winbind\", rpm:\"samba-winbind~3.6.23~30.el6_7\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-winbind-clients\", rpm:\"samba-winbind-clients~3.6.23~30.el6_7\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:34:56", "bulletinFamily": "scanner", "description": "Check the version of libsmbclient", "modified": "2019-03-08T00:00:00", "published": "2016-04-14T00:00:00", "id": "OPENVAS:1361412562310882458", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310882458", "title": "CentOS Update for libsmbclient CESA-2016:0621 centos5", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for libsmbclient CESA-2016:0621 centos5\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.882458\");\n script_version(\"$Revision: 14058 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-08 14:25:52 +0100 (Fri, 08 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-04-14 05:19:02 +0200 (Thu, 14 Apr 2016)\");\n script_cve_id(\"CVE-2016-2110\", \"CVE-2016-2111\", \"CVE-2016-2112\", \"CVE-2016-2115\",\n \"CVE-2016-2118\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"CentOS Update for libsmbclient CESA-2016:0621 centos5\");\n script_tag(name:\"summary\", value:\"Check the version of libsmbclient\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Samba is an open-source implementation of\nthe Server Message Block (SMB) protocol and the related Common Internet File\nSystem (CIFS) protocol, which allow PC-compatible machines to share files,\nprinters, and various information.\n\nSecurity Fix(es):\n\n * A protocol flaw, publicly referred to as Badlock, was found in the\nSecurity Account Manager Remote Protocol (MS-SAMR) and the Local Security\nAuthority (Domain Policy) Remote Protocol (MS-LSAD). Any authenticated\nDCE/RPC connection that a client initiates against a server could be used\nby a man-in-the-middle attacker to impersonate the authenticated user\nagainst the SAMR or LSA service on the server. As a result, the attacker\nwould be able to get read/write access to the Security Account Manager\ndatabase, and use this to reveal all passwords or any other potentially\nsensitive information in that database. (CVE-2016-2118)\n\n * Several flaws were found in Samba's implementation of NTLMSSP\nauthentication. An unauthenticated, man-in-the-middle attacker could use\nthis flaw to clear the encryption and integrity flags of a connection,\ncausing data to be transmitted in plain text. The attacker could also force\nthe client or server into sending data in plain text even if encryption was\nexplicitly requested for that connection. (CVE-2016-2110)\n\n * It was discovered that Samba configured as a Domain Controller would\nestablish a secure communication channel with a machine using a spoofed\ncomputer name. A remote attacker able to observe network traffic could use\nthis flaw to obtain session-related information about the spoofed machine.\n(CVE-2016-2111)\n\n * It was found that Samba's LDAP implementation did not enforce integrity\nprotection for LDAP connections. A man-in-the-middle attacker could use\nthis flaw to downgrade LDAP connections to use no integrity protection,\nallowing them to hijack such connections. (CVE-2016-2112)\n\n * It was found that Samba did not enable integrity protection for IPC\ntraffic by default. A man-in-the-middle attacker could use this flaw to\nview and modify the data sent between a Samba server and a client.\n(CVE-2016-2115)\n\nRed Hat would like to thank the Samba project for reporting these issues.\nUpstream acknowledges Stefan Metzmacher (SerNet) as the original reporter\nof CVE-2016-2118, CVE-2016-2110, CVE-2016-2112, and CVE-2016-2115.\");\n script_tag(name:\"affected\", value:\"libsmbclient on CentOS 5\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"CESA\", value:\"2016:0621\");\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2016-April/021823.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS5\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"CentOS5\")\n{\n\n if ((res = isrpmvuln(pkg:\"libsmbclient\", rpm:\"libsmbclient~3.0.33~3.41.el5_11\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libsmbclient-devel\", rpm:\"libsmbclient-devel~3.0.33~3.41.el5_11\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba\", rpm:\"samba~3.0.33~3.41.el5_11\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-client\", rpm:\"samba-client~3.0.33~3.41.el5_11\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-common\", rpm:\"samba-common~3.0.33~3.41.el5_11\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-swat\", rpm:\"samba-swat~3.0.33~3.41.el5_11\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:35:04", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2018-11-23T00:00:00", "published": "2016-04-13T00:00:00", "id": "OPENVAS:1361412562310871594", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310871594", "title": "RedHat Update for samba RHSA-2016:0621-01", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# RedHat Update for samba RHSA-2016:0621-01\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.871594\");\n script_version(\"$Revision: 12497 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-23 09:28:21 +0100 (Fri, 23 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2016-04-13 05:16:54 +0200 (Wed, 13 Apr 2016)\");\n script_cve_id(\"CVE-2016-2110\", \"CVE-2016-2111\", \"CVE-2016-2112\", \"CVE-2016-2115\",\n \"CVE-2016-2118\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"RedHat Update for samba RHSA-2016:0621-01\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'samba'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Samba is an open-source implementation of the\nServer Message Block (SMB) protocol and the related Common Internet File System\n(CIFS) protocol, which allow PC-compatible machines to share files, printers, and\nvarious information.\n\nSecurity Fix(es):\n\n * A protocol flaw, publicly referred to as Badlock, was found in the\nSecurity Account Manager Remote Protocol (MS-SAMR) and the Local Security\nAuthority (Domain Policy) Remote Protocol (MS-LSAD). Any authenticated\nDCE/RPC connection that a client initiates against a server could be used\nby a man-in-the-middle attacker to impersonate the authenticated user\nagainst the SAMR or LSA service on the server. As a result, the attacker\nwould be able to get read/write access to the Security Account Manager\ndatabase, and use this to reveal all passwords or any other potentially\nsensitive information in that database. (CVE-2016-2118)\n\n * Several flaws were found in Samba's implementation of NTLMSSP\nauthentication. An unauthenticated, man-in-the-middle attacker could use\nthis flaw to clear the encryption and integrity flags of a connection,\ncausing data to be transmitted in plain text. The attacker could also force\nthe client or server into sending data in plain text even if encryption was\nexplicitly requested for that connection. (CVE-2016-2110)\n\n * It was discovered that Samba configured as a Domain Controller would\nestablish a secure communication channel with a machine using a spoofed\ncomputer name. A remote attacker able to observe network traffic could use\nthis flaw to obtain session-related information about the spoofed machine.\n(CVE-2016-2111)\n\n * It was found that Samba's LDAP implementation did not enforce integrity\nprotection for LDAP connections. A man-in-the-middle attacker could use\nthis flaw to downgrade LDAP connections to use no integrity protection,\nallowing them to hijack such connections. (CVE-2016-2112)\n\n * It was found that Samba did not enable integrity protection for IPC\ntraffic by default. A man-in-the-middle attacker could use this flaw to\nview and modify the data sent between a Samba server and a client.\n(CVE-2016-2115)\n\nRed Hat would like to thank the Samba project for reporting these issues.\nUpstream acknowledges Stefan Metzmacher (SerNet) as the original reporter\nof CVE-2016-2118, CVE-2016-2110, CVE-2016-2112, and CVE-2016-2115.\");\n script_tag(name:\"affected\", value:\"samba on Red Hat Enterprise Linux (v. 5 server)\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"RHSA\", value:\"2016:0621-01\");\n script_xref(name:\"URL\", value:\"https://www.redhat.com/archives/rhsa-announce/2016-April/msg00017.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\", re:\"ssh/login/release=RHENT_5\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"RHENT_5\")\n{\n\n if ((res = isrpmvuln(pkg:\"libsmbclient\", rpm:\"libsmbclient~3.0.33~3.41.el5_11\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libsmbclient-devel\", rpm:\"libsmbclient-devel~3.0.33~3.41.el5_11\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba\", rpm:\"samba~3.0.33~3.41.el5_11\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-client\", rpm:\"samba-client~3.0.33~3.41.el5_11\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-common\", rpm:\"samba-common~3.0.33~3.41.el5_11\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-debuginfo\", rpm:\"samba-debuginfo~3.0.33~3.41.el5_11\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-swat\", rpm:\"samba-swat~3.0.33~3.41.el5_11\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:35:00", "bulletinFamily": "scanner", "description": "Check the version of libsmbclient", "modified": "2019-03-08T00:00:00", "published": "2016-04-14T00:00:00", "id": "OPENVAS:1361412562310882457", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310882457", "title": "CentOS Update for libsmbclient CESA-2016:0611 centos6", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for libsmbclient CESA-2016:0611 centos6\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.882457\");\n script_version(\"$Revision: 14058 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-08 14:25:52 +0100 (Fri, 08 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-04-14 05:18:56 +0200 (Thu, 14 Apr 2016)\");\n script_cve_id(\"CVE-2015-5370\", \"CVE-2016-2111\", \"CVE-2016-2112\", \"CVE-2016-2115\",\n \"CVE-2016-2118\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"CentOS Update for libsmbclient CESA-2016:0611 centos6\");\n script_tag(name:\"summary\", value:\"Check the version of libsmbclient\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Samba is an open-source implementation of\nthe Server Message Block (SMB) protocol and the related Common Internet File\nSystem (CIFS) protocol, which allow PC-compatible machines to share files,\nprinters, and various information.\n\nSecurity Fix(es):\n\n * Multiple flaws were found in Samba's DCE/RPC protocol implementation. A\nremote, authenticated attacker could use these flaws to cause a denial of\nservice against the Samba server (high CPU load or a crash) or, possibly,\nexecute arbitrary code with the permissions of the user running Samba\n(root). This flaw could also be used to downgrade a secure DCE/RPC\nconnection by a man-in-the-middle attacker taking control of an Active\nDirectory (AD) object and compromising the security of a Samba Active\nDirectory Domain Controller (DC). (CVE-2015-5370)\n\nNote: While Samba packages as shipped in Red Hat Enterprise Linux do not\nsupport running Samba as an AD DC, this flaw applies to all roles Samba\nimplements.\n\n * A protocol flaw, publicly referred to as Badlock, was found in the\nSecurity Account Manager Remote Protocol (MS-SAMR) and the Local Security\nAuthority (Domain Policy) Remote Protocol (MS-LSAD). Any authenticated\nDCE/RPC connection that a client initiates against a server could be used\nby a man-in-the-middle attacker to impersonate the authenticated user\nagainst the SAMR or LSA service on the server. As a result, the attacker\nwould be able to get read/write access to the Security Account Manager\ndatabase, and use this to reveal all passwords or any other potentially\nsensitive information in that database. (CVE-2016-2118)\n\n * It was discovered that Samba configured as a Domain Controller would\nestablish a secure communication channel with a machine using a spoofed\ncomputer name. A remote attacker able to observe network traffic could use\nthis flaw to obtain session-related information about the spoofed machine.\n(CVE-2016-2111)\n\n * It was found that Samba's LDAP implementation did not enforce integrity\nprotection for LDAP connections. A man-in-the-middle attacker could use\nthis flaw to downgrade LDAP connections to use no integrity protection,\nallowing them to hijack such connections. (CVE-2016-2112)\n\n * It was found that Samba did not enable integrity protection for IPC\ntraffic by default. A man-in-the-middle attacker could use this flaw to\nview and modify the data sent between a Samba server and a client.\n(CVE-2016-2115)\n\nRed Hat would like to thank the Samba project for reporting these issues.\nUpstream acknowledges Jouni Knuutinen (Synopsis) as the original reporter\nof CVE-2015-5370 and Stefan Metzmacher (SerNet) as the original reporter\nof CVE-2016-2118, CVE-2016-2112, and CVE-2016-2115.\");\n script_tag(name:\"affected\", value:\"libsmbclient on CentOS 6\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"CESA\", value:\"2016:0611\");\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2016-April/021815.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS6\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"CentOS6\")\n{\n\n if ((res = isrpmvuln(pkg:\"libsmbclient\", rpm:\"libsmbclient~3.6.23~30.el6_7\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libsmbclient-devel\", rpm:\"libsmbclient-devel~3.6.23~30.el6_7\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba\", rpm:\"samba~3.6.23~30.el6_7\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-client\", rpm:\"samba-client~3.6.23~30.el6_7\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-common\", rpm:\"samba-common~3.6.23~30.el6_7\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-doc\", rpm:\"samba-doc~3.6.23~30.el6_7\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-domainjoin-gui\", rpm:\"samba-domainjoin-gui~3.6.23~30.el6_7\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-swat\", rpm:\"samba-swat~3.6.23~30.el6_7\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-winbind\", rpm:\"samba-winbind~3.6.23~30.el6_7\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-winbind-clients\", rpm:\"samba-winbind-clients~3.6.23~30.el6_7\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-winbind-devel\", rpm:\"samba-winbind-devel~3.6.23~30.el6_7\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-winbind-krb5-locator\", rpm:\"samba-winbind-krb5-locator~3.6.23~30.el6_7\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-glusterfs\", rpm:\"samba-glusterfs~3.6.23~30.el6_7\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:35:23", "bulletinFamily": "scanner", "description": "Mageia Linux Local Security Checks mgasa-2016-0151", "modified": "2019-03-14T00:00:00", "published": "2016-05-09T00:00:00", "id": "OPENVAS:1361412562310131298", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310131298", "title": "Mageia Linux Local Check: mgasa-2016-0151", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: mgasa-2016-0151.nasl 14180 2019-03-14 12:29:16Z cfischer $\n#\n# Mageia Linux security check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2016 Eero Volotinen, http://www.solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.131298\");\n script_version(\"$Revision: 14180 $\");\n script_tag(name:\"creation_date\", value:\"2016-05-09 14:18:01 +0300 (Mon, 09 May 2016)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-14 13:29:16 +0100 (Thu, 14 Mar 2019) $\");\n script_name(\"Mageia Linux Local Check: mgasa-2016-0151\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://advisories.mageia.org/MGASA-2016-0151.html\");\n script_cve_id(\"CVE-2015-5370\", \"CVE-2016-2110\", \"CVE-2016-2111\", \"CVE-2016-2112\", \"CVE-2016-2115\", \"CVE-2016-2118\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/mageia_linux\", \"ssh/login/release\", re:\"ssh/login/release=MAGEIA5\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"summary\", value:\"Mageia Linux Local Security Checks mgasa-2016-0151\");\n script_copyright(\"Eero Volotinen\");\n script_family(\"Mageia Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"MAGEIA5\")\n{\nif ((res = isrpmvuln(pkg:\"samba\", rpm:\"samba~3.6.25~2.3.mga5\", rls:\"MAGEIA5\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:35:25", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2018-11-23T00:00:00", "published": "2016-04-13T00:00:00", "id": "OPENVAS:1361412562310871597", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310871597", "title": "RedHat Update for samba3x RHSA-2016:0613-01", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# RedHat Update for samba3x RHSA-2016:0613-01\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.871597\");\n script_version(\"$Revision: 12497 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-23 09:28:21 +0100 (Fri, 23 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2016-04-13 05:17:13 +0200 (Wed, 13 Apr 2016)\");\n script_cve_id(\"CVE-2015-5370\", \"CVE-2016-2110\", \"CVE-2016-2111\", \"CVE-2016-2112\",\n \"CVE-2016-2115\", \"CVE-2016-2118\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"RedHat Update for samba3x RHSA-2016:0613-01\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'samba3x'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Samba is an open-source implementation of\nthe Server Message Block (SMB) or Common Internet File System (CIFS) protocol,\nwhich allows PC-compatible machines to share files, printers, and other information.\n\nSecurity Fix(es):\n\n * Multiple flaws were found in Samba's DCE/RPC protocol implementation. A\nremote, authenticated attacker could use these flaws to cause a denial of\nservice against the Samba server (high CPU load or a crash) or, possibly,\nexecute arbitrary code with the permissions of the user running Samba\n(root). This flaw could also be used to downgrade a secure DCE/RPC\nconnection by a man-in-the-middle attacker taking control of an Active\nDirectory (AD) object and compromising the security of a Samba Active\nDirectory Domain Controller (DC). (CVE-2015-5370)\n\nNote: While Samba packages as shipped in Red Hat Enterprise Linux do not\nsupport running Samba as an AD DC, this flaw applies to all roles Samba\nimplements.\n\n * A protocol flaw, publicly referred to as Badlock, was found in the\nSecurity Account Manager Remote Protocol (MS-SAMR) and the Local Security\nAuthority (Domain Policy) Remote Protocol (MS-LSAD). Any authenticated\nDCE/RPC connection that a client initiates against a server could be used\nby a man-in-the-middle attacker to impersonate the authenticated user\nagainst the SAMR or LSA service on the server. As a result, the attacker\nwould be able to get read/write access to the Security Account Manager\ndatabase, and use this to reveal all passwords or any other potentially\nsensitive information in that database. (CVE-2016-2118)\n\n * Several flaws were found in Samba's implementation of NTLMSSP\nauthentication. An unauthenticated, man-in-the-middle attacker could use\nthis flaw to clear the encryption and integrity flags of a connection,\ncausing data to be transmitted in plain text. The attacker could also force\nthe client or server into sending data in plain text even if encryption was\nexplicitly requested for that connection. (CVE-2016-2110)\n\n * It was discovered that Samba configured as a Domain Controller would\nestablish a secure communication channel with a machine using a spoofed\ncomputer name. A remote attacker able to observe network traffic could use\nthis flaw to obtain session-related information about the spoofed machine.\n(CVE-2016-2111)\n\n * It was found that Samba's LDAP implementation did not enforce integrity\nprotection for LDAP connections. A man-in-the-middle attacker could use\nthis flaw to downgrade LDAP connections to use no integrity protection,\nallowing them to hijack such connections. (CVE-2016-2112)\n\n * It was found that Samba did not enable ...\n\n Description truncated, please see the referenced URL(s) for more information.\");\n script_tag(name:\"affected\", value:\"samba3x on Red Hat Enterprise Linux (v. 5 server)\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"RHSA\", value:\"2016:0613-01\");\n script_xref(name:\"URL\", value:\"https://www.redhat.com/archives/rhsa-announce/2016-April/msg00016.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\", re:\"ssh/login/release=RHENT_5\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"RHENT_5\")\n{\n\n if ((res = isrpmvuln(pkg:\"samba3x\", rpm:\"samba3x~3.6.23~12.el5_11\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba3x-client\", rpm:\"samba3x-client~3.6.23~12.el5_11\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba3x-common\", rpm:\"samba3x-common~3.6.23~12.el5_11\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba3x-debuginfo\", rpm:\"samba3x-debuginfo~3.6.23~12.el5_11\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba3x-doc\", rpm:\"samba3x-doc~3.6.23~12.el5_11\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba3x-domainjoin-gui\", rpm:\"samba3x-domainjoin-gui~3.6.23~12.el5_11\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba3x-swat\", rpm:\"samba3x-swat~3.6.23~12.el5_11\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba3x-winbind\", rpm:\"samba3x-winbind~3.6.23~12.el5_11\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba3x-winbind-devel\", rpm:\"samba3x-winbind-devel~3.6.23~12.el5_11\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:35:30", "bulletinFamily": "scanner", "description": "Oracle Linux Local Security Checks ELSA-2016-0613", "modified": "2019-03-14T00:00:00", "published": "2016-05-09T00:00:00", "id": "OPENVAS:1361412562310122938", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310122938", "title": "Oracle Linux Local Check: ELSA-2016-0613", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: ELSA-2016-0613.nasl 14180 2019-03-14 12:29:16Z cfischer $\n#\n# Oracle Linux Local Check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.fi>\n#\n# Copyright:\n# Copyright (c) 2016 Eero Volotinen, http://solinor.fi\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.122938\");\n script_version(\"$Revision: 14180 $\");\n script_tag(name:\"creation_date\", value:\"2016-05-09 14:24:54 +0300 (Mon, 09 May 2016)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-14 13:29:16 +0100 (Thu, 14 Mar 2019) $\");\n script_name(\"Oracle Linux Local Check: ELSA-2016-0613\");\n script_tag(name:\"insight\", value:\"ELSA-2016-0613 - samba3x security update. Please see the references for more insight.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"summary\", value:\"Oracle Linux Local Security Checks ELSA-2016-0613\");\n script_xref(name:\"URL\", value:\"http://linux.oracle.com/errata/ELSA-2016-0613.html\");\n script_cve_id(\"CVE-2015-5370\", \"CVE-2016-2111\", \"CVE-2016-2112\", \"CVE-2016-2115\", \"CVE-2016-2118\", \"CVE-2016-2110\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/oracle_linux\", \"ssh/login/release\", re:\"ssh/login/release=OracleLinux5\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Eero Volotinen\");\n script_family(\"Oracle Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"OracleLinux5\")\n{\n if ((res = isrpmvuln(pkg:\"samba3x\", rpm:\"samba3x~3.6.23~12.0.1.el5_11\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba3x-client\", rpm:\"samba3x-client~3.6.23~12.0.1.el5_11\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba3x-common\", rpm:\"samba3x-common~3.6.23~12.0.1.el5_11\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba3x-doc\", rpm:\"samba3x-doc~3.6.23~12.0.1.el5_11\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba3x-domainjoin-gui\", rpm:\"samba3x-domainjoin-gui~3.6.23~12.0.1.el5_11\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba3x-swat\", rpm:\"samba3x-swat~3.6.23~12.0.1.el5_11\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba3x-winbind\", rpm:\"samba3x-winbind~3.6.23~12.0.1.el5_11\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba3x-winbind-devel\", rpm:\"samba3x-winbind-devel~3.6.23~12.0.1.el5_11\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n\n}\nif (__pkg_match) exit(99);\n exit(0);\n\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:35:42", "bulletinFamily": "scanner", "description": "Check the version of samba3x", "modified": "2019-03-08T00:00:00", "published": "2016-04-14T00:00:00", "id": "OPENVAS:1361412562310882456", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310882456", "title": "CentOS Update for samba3x CESA-2016:0613 centos5", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for samba3x CESA-2016:0613 centos5\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.882456\");\n script_version(\"$Revision: 14058 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-08 14:25:52 +0100 (Fri, 08 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-04-14 05:18:51 +0200 (Thu, 14 Apr 2016)\");\n script_cve_id(\"CVE-2015-5370\", \"CVE-2016-2110\", \"CVE-2016-2111\", \"CVE-2016-2112\",\n \"CVE-2016-2115\", \"CVE-2016-2118\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"CentOS Update for samba3x CESA-2016:0613 centos5\");\n script_tag(name:\"summary\", value:\"Check the version of samba3x\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Samba is an open-source implementation of\nthe Server Message Block (SMB) or Common Internet File System (CIFS) protocol,\nwhich allows PC-compatible machines to share files, printers, and other\ninformation.\n\nSecurity Fix(es):\n\n * Multiple flaws were found in Samba's DCE/RPC protocol implementation. A\nremote, authenticated attacker could use these flaws to cause a denial of\nservice against the Samba server (high CPU load or a crash) or, possibly,\nexecute arbitrary code with the permissions of the user running Samba\n(root). This flaw could also be used to downgrade a secure DCE/RPC\nconnection by a man-in-the-middle attacker taking control of an Active\nDirectory (AD) object and compromising the security of a Samba Active\nDirectory Domain Controller (DC). (CVE-2015-5370)\n\nNote: While Samba packages as shipped in Red Hat Enterprise Linux do not\nsupport running Samba as an AD DC, this flaw applies to all roles Samba\nimplements.\n\n * A protocol flaw, publicly referred to as Badlock, was found in the\nSecurity Account Manager Remote Protocol (MS-SAMR) and the Local Security\nAuthority (Domain Policy) Remote Protocol (MS-LSAD). Any authenticated\nDCE/RPC connection that a client initiates against a server could be used\nby a man-in-the-middle attacker to impersonate the authenticated user\nagainst the SAMR or LSA service on the server. As a result, the attacker\nwould be able to get read/write access to the Security Account Manager\ndatabase, and use this to reveal all passwords or any other potentially\nsensitive information in that database. (CVE-2016-2118)\n\n * Several flaws were found in Samba's implementation of NTLMSSP\nauthentication. An unauthenticated, man-in-the-middle attacker could use\nthis flaw to clear the encryption and integrity flags of a connection,\ncausing data to be transmitted in plain text. The attacker could also force\nthe client or server into sending data in plain text even if encryption was\nexplicitly requested for that connection. (CVE-2016-2110)\n\n * It was discovered that Samba configured as a Domain Controller would\nestablish a secure communication channel with a machine using a spoofed\ncomputer name. A remote attacker able to observe network traffic could use\nthis flaw to obtain session-related information about the spoofed machine.\n(CVE-2016-2111)\n\n * It was found that Samba's LDAP implementation did not enforce integrity\nprotection for LDAP connections. A man-in-the-middle attacker could use\nthis flaw to downgrade LDAP connections to use no integrity protection,\nallowing them to hijack such connections. (CVE-2016-2112)\n\n * It was found that Samba did not enable integrity protection for IPC\n ...\n\n Description truncated, please see the referenced URL(s) for more information.\");\n script_tag(name:\"affected\", value:\"samba3x on CentOS 5\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"CESA\", value:\"2016:0613\");\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2016-April/021821.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS5\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"CentOS5\")\n{\n\n if ((res = isrpmvuln(pkg:\"samba3x\", rpm:\"samba3x~3.6.23~12.el5_11\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba3x-client\", rpm:\"samba3x-client~3.6.23~12.el5_11\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba3x-common\", rpm:\"samba3x-common~3.6.23~12.el5_11\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba3x-doc\", rpm:\"samba3x-doc~3.6.23~12.el5_11\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba3x-domainjoin-gui\", rpm:\"samba3x-domainjoin-gui~3.6.23~12.el5_11\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba3x-swat\", rpm:\"samba3x-swat~3.6.23~12.el5_11\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba3x-winbind\", rpm:\"samba3x-winbind~3.6.23~12.el5_11\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba3x-winbind-devel\", rpm:\"samba3x-winbind-devel~3.6.23~12.el5_11\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "oraclelinux": [{"lastseen": "2019-05-29T18:39:32", "bulletinFamily": "unix", "description": "[3.0.33-3.41.el5]\n- Security Release 'BadLock'\n- resolves: CVE-2016-2110\n- resolves: CVE-2016-2111", "modified": "2016-04-12T00:00:00", "published": "2016-04-12T00:00:00", "id": "ELSA-2016-0621", "href": "http://linux.oracle.com/errata/ELSA-2016-0621.html", "title": "samba security update", "type": "oraclelinux", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:38:23", "bulletinFamily": "unix", "description": "[3.6.23-12.0.1]\n- Remove use-after-free talloc_tos() inlined function problem (John Haxby) [orabug 19973497]\n[3.6.23-12]\n- related: #1322685 - Update CVE patchset\n[3.6.23-11]\n- related: #1322685 - Update CVE patchset\n[3.6.23-10]\n- resolves: #1322685 - Fix CVE-2015-5370\n- resolves: #1322685 - Fix CVE-2016-2110\n- resolves: #1322685 - Fix CVE-2016-2111\n- resolves: #1322685 - Fix CVE-2016-2112\n- resolves: #1322685 - Fix CVE-2016-2115\n- resolves: #1322685 - Fix CVE-2016-2118 (Known as Badlock)", "modified": "2016-04-12T00:00:00", "published": "2016-04-12T00:00:00", "id": "ELSA-2016-0613", "href": "http://linux.oracle.com/errata/ELSA-2016-0613.html", "title": "samba3x security update", "type": "oraclelinux", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:34:07", "bulletinFamily": "unix", "description": "[3.6.23-30.0.1]\n- Remove use-after-free talloc_tos() inlined function problem (John Haxby) [orabug 18253258]\n[3.6.23-30]\n- related: #1322686 - Update manpages\n[3.6.23-29]\n- related: #1322686 - Update CVE patchset\n[3.6.23-28]\n- related: #1322686 - Update manpages\n[3.6.23-27]\n- related: #1322686 - Update CVE patchset\n[3.6.23-26]\n- resolves: #1322686 - Fix CVE-2015-5370\n- resolves: #1322686 - Fix CVE-2016-2110\n- resolves: #1322686 - Fix CVE-2016-2111\n- resolves: #1322686 - Fix CVE-2016-2112\n- resolves: #1322686 - Fix CVE-2016-2115\n- resolves: #1322686 - Fix CVE-2016-2118 (Known as Badlock)", "modified": "2016-04-12T00:00:00", "published": "2016-04-12T00:00:00", "id": "ELSA-2016-0611", "href": "http://linux.oracle.com/errata/ELSA-2016-0611.html", "title": "samba security update", "type": "oraclelinux", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "cloudfoundry": [{"lastseen": "2019-05-29T18:32:54", "bulletinFamily": "software", "description": "Samba and Windows Vulnerabilities\n\n# \n\nMedium\n\n# Vendor\n\nSamba, Microsoft Windows\n\n# Versions Affected\n\n * The following versions of Samba are affected: 3.6.x, 4.0.x, 4.1.x, 4.2.0-4.2.9, 4.3.0-4.3.6, and 4.4.0. \n * The affected Microsoft Windows versions can be viewed here: <https://technet.microsoft.com/library/security/MS16-047>. \n\n# Description\n\nThere are several MITM attacks that can be performed against a variety of protocols used by Samba. These would permit execution of arbitrary Samba network calls using the context of the intercepted user. Impact examples of intercepting administrator network traffic include viewing or modifying certain types of private data on Samba servers. Additionally, Samba services are vulnerable to a denial of service from an attacker with remote network connectivity to the Samba service.\n\n# Affected Products and Versions\n\n * The Cloud Foundry team has determined that the project is not exposed to this vulnerability and therefore does not require any upgrades. \n\n# Mitigation\n\nUsers of affected versions should apply the following mitigation:\n\n * The Cloud Foundry team has determined that the project is not exposed to this vulnerability and therefore does not require any upgrades. \n\n# Credit\n\nStefan Metzmacher\n\n# References\n\n * <http://badlock.org/>\n * <https://www.samba.org/samba/security/CVE-2016-2118.html>\n * <https://technet.microsoft.com/library/security/MS16-047>\n * <https://www.samba.org/samba/security/CVE-2015-5370.html>\n * <https://www.samba.org/samba/security/CVE-2016-2110.html>\n * <https://www.samba.org/samba/security/CVE-2016-2111.html>\n * <https://www.samba.org/samba/security/CVE-2016-2112.html>\n * <https://www.samba.org/samba/security/CVE-2016-2113.html>\n * <https://www.samba.org/samba/security/CVE-2016-2114.html>\n * <https://www.samba.org/samba/security/CVE-2016-2115.html>\n", "modified": "2016-04-14T00:00:00", "published": "2016-04-14T00:00:00", "id": "CFOUNDRY:13FFB9F76900A33F4D6751D02C276E8D", "href": "https://www.cloudfoundry.org/blog/samba-and-windows-vulnerabilities/", "title": "Samba and Windows Vulnerabilities | Cloud Foundry", "type": "cloudfoundry", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "ubuntu": [{"lastseen": "2019-05-29T19:21:55", "bulletinFamily": "unix", "description": "USN-2950-1 fixed vulnerabilities in Samba. The fixes introduced in Samba 4.3.8 caused certain regressions and interoperability issues.\n\nThis update resolves some of these issues by updating to Samba 4.3.9 in Ubuntu 14.04 LTS, Ubuntu 15.10 and Ubuntu 16.04 LTS. Backported regression fixes were added to Samba 3.6.25 in Ubuntu 12.04 LTS.\n\nThis advisory was inadvertently published as USN-2950-2 originally.\n\nOriginal advisory details:\n\nJouni Knuutinen discovered that Samba contained multiple flaws in the DCE/RPC implementation. A remote attacker could use this issue to perform a denial of service, downgrade secure connections by performing a man in the middle attack, or possibly execute arbitrary code. (CVE-2015-5370)\n\nStefan Metzmacher discovered that Samba contained multiple flaws in the NTLMSSP authentication implementation. A remote attacker could use this issue to downgrade connections to plain text by performing a man in the middle attack. (CVE-2016-2110)\n\nAlberto Solino discovered that a Samba domain controller would establish a secure connection to a server with a spoofed computer name. A remote attacker could use this issue to obtain sensitive information. (CVE-2016-2111)\n\nStefan Metzmacher discovered that the Samba LDAP implementation did not enforce integrity protection. A remote attacker could use this issue to hijack LDAP connections by performing a man in the middle attack. (CVE-2016-2112)\n\nStefan Metzmacher discovered that Samba did not validate TLS certificates. A remote attacker could use this issue to spoof a Samba server. (CVE-2016-2113)\n\nStefan Metzmacher discovered that Samba did not enforce SMB signing even if configured to. A remote attacker could use this issue to perform a man in the middle attack. (CVE-2016-2114)\n\nStefan Metzmacher discovered that Samba did not enable integrity protection for IPC traffic. A remote attacker could use this issue to perform a man in the middle attack. (CVE-2016-2115)\n\nStefan Metzmacher discovered that Samba incorrectly handled the MS-SAMR and MS-LSAD protocols. A remote attacker could use this flaw with a man in the middle attack to impersonate users and obtain sensitive information from the Security Account Manager database. This flaw is known as Badlock. (CVE-2016-2118)\n\nSamba has been updated to 4.3.8 in Ubuntu 14.04 LTS and Ubuntu 15.10. Ubuntu 12.04 LTS has been updated to 3.6.25 with backported security fixes.\n\nIn addition to security fixes, the updated packages contain bug fixes, new features, and possibly incompatible changes. Configuration changes may be required in certain environments.", "modified": "2016-05-04T00:00:00", "published": "2016-05-04T00:00:00", "id": "USN-2950-3", "href": "https://usn.ubuntu.com/2950-3/", "title": "Samba regressions", "type": "ubuntu", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T19:21:28", "bulletinFamily": "unix", "description": "USN-2950-1 fixed vulnerabilities in Samba. USN-2950-3 updated Samba to version 4.3.9, which introduced a regression when using the ntlm_auth tool. This update fixes the problem.\n\nOriginal advisory details:\n\nJouni Knuutinen discovered that Samba contained multiple flaws in the DCE/RPC implementation. A remote attacker could use this issue to perform a denial of service, downgrade secure connections by performing a man in the middle attack, or possibly execute arbitrary code. (CVE-2015-5370)\n\nStefan Metzmacher discovered that Samba contained multiple flaws in the NTLMSSP authentication implementation. A remote attacker could use this issue to downgrade connections to plain text by performing a man in the middle attack. (CVE-2016-2110)\n\nAlberto Solino discovered that a Samba domain controller would establish a secure connection to a server with a spoofed computer name. A remote attacker could use this issue to obtain sensitive information. (CVE-2016-2111)\n\nStefan Metzmacher discovered that the Samba LDAP implementation did not enforce integrity protection. A remote attacker could use this issue to hijack LDAP connections by performing a man in the middle attack. (CVE-2016-2112)\n\nStefan Metzmacher discovered that Samba did not validate TLS certificates. A remote attacker could use this issue to spoof a Samba server. (CVE-2016-2113)\n\nStefan Metzmacher discovered that Samba did not enforce SMB signing even if configured to. A remote attacker could use this issue to perform a man in the middle attack. (CVE-2016-2114)\n\nStefan Metzmacher discovered that Samba did not enable integrity protection for IPC traffic. A remote attacker could use this issue to perform a man in the middle attack. (CVE-2016-2115)\n\nStefan Metzmacher discovered that Samba incorrectly handled the MS-SAMR and MS-LSAD protocols. A remote attacker could use this flaw with a man in the middle attack to impersonate users and obtain sensitive information from the Security Account Manager database. This flaw is known as Badlock. (CVE-2016-2118)\n\nSamba has been updated to 4.3.8 in Ubuntu 14.04 LTS and Ubuntu 15.10. Ubuntu 12.04 LTS has been updated to 3.6.25 with backported security fixes.\n\nIn addition to security fixes, the updated packages contain bug fixes, new features, and possibly incompatible changes. Configuration changes may be required in certain environments.", "modified": "2016-05-25T00:00:00", "published": "2016-05-25T00:00:00", "id": "USN-2950-5", "href": "https://usn.ubuntu.com/2950-5/", "title": "Samba regression", "type": "ubuntu", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T19:20:43", "bulletinFamily": "unix", "description": "USN-2950-1 fixed vulnerabilities in Samba. The updated Samba packages introduced a compatibility issue with NTLM authentication in libsoup. This update fixes the problem.\n\nWe apologize for the inconvenience.\n\nOriginal advisory details:\n\nJouni Knuutinen discovered that Samba contained multiple flaws in the DCE/RPC implementation. A remote attacker could use this issue to perform a denial of service, downgrade secure connections by performing a man in the middle attack, or possibly execute arbitrary code. (CVE-2015-5370)\n\nStefan Metzmacher discovered that Samba contained multiple flaws in the NTLMSSP authentication implementation. A remote attacker could use this issue to downgrade connections to plain text by performing a man in the middle attack. (CVE-2016-2110)\n\nAlberto Solino discovered that a Samba domain controller would establish a secure connection to a server with a spoofed computer name. A remote attacker could use this issue to obtain sensitive information. (CVE-2016-2111)\n\nStefan Metzmacher discovered that the Samba LDAP implementation did not enforce integrity protection. A remote attacker could use this issue to hijack LDAP connections by performing a man in the middle attack. (CVE-2016-2112)\n\nStefan Metzmacher discovered that Samba did not validate TLS certificates. A remote attacker could use this issue to spoof a Samba server. (CVE-2016-2113)\n\nStefan Metzmacher discovered that Samba did not enforce SMB signing even if configured to. A remote attacker could use this issue to perform a man in the middle attack. (CVE-2016-2114)\n\nStefan Metzmacher discovered that Samba did not enable integrity protection for IPC traffic. A remote attacker could use this issue to perform a man in the middle attack. (CVE-2016-2115)\n\nStefan Metzmacher discovered that Samba incorrectly handled the MS-SAMR and MS-LSAD protocols. A remote attacker could use this flaw with a man in the middle attack to impersonate users and obtain sensitive information from the Security Account Manager database. This flaw is known as Badlock. (CVE-2016-2118)\n\nSamba has been updated to 4.3.8 in Ubuntu 14.04 LTS and Ubuntu 15.10. Ubuntu 12.04 LTS has been updated to 3.6.25 with backported security fixes.\n\nIn addition to security fixes, the updated packages contain bug fixes, new features, and possibly incompatible changes. Configuration changes may be required in certain environments.", "modified": "2016-05-04T00:00:00", "published": "2016-05-04T00:00:00", "id": "USN-2950-2", "href": "https://usn.ubuntu.com/2950-2/", "title": "libsoup update", "type": "ubuntu", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "suse": [{"lastseen": "2016-09-04T12:15:18", "bulletinFamily": "unix", "description": "Samba was updated to the 4.2.x codestream, bringing some new features and\n security fixes (bsc#973832, FATE#320709).\n\n These security issues were fixed:\n - CVE-2015-5370: DCERPC server and client were vulnerable to DOS and MITM\n attacks (bsc#936862).\n - CVE-2016-2110: A man-in-the-middle could have downgraded NTLMSSP\n authentication (bsc#973031).\n - CVE-2016-2111: Domain controller netlogon member computer could have\n been spoofed (bsc#973032).\n - CVE-2016-2112: LDAP conenctions were vulnerable to downgrade and MITM\n attack (bsc#973033).\n - CVE-2016-2113: TLS certificate validation were missing (bsc#973034).\n - CVE-2016-2115: Named pipe IPC were vulnerable to MITM attacks\n (bsc#973036).\n - CVE-2016-2118: "Badlock" DCERPC impersonation of authenticated account\n were possible (bsc#971965).\n\n Also the following fixes were done:\n - Upgrade on-disk FSRVP server state to new version; (bsc#924519).\n - Fix samba.tests.messaging test and prevent potential tdb corruption by\n removing obsolete now invalid tdb_close call; (bsc#974629).\n - Align fsrvp feature sources with upstream version.\n - Obsolete libsmbsharemodes0 from samba-libs and libsmbsharemodes-devel\n from samba-core-devel; (bsc#973832).\n - s3:utils/smbget: Fix recursive download; (bso#6482).\n - s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystem\n with no ACL support; (bso#10489).\n - docs: Add example for domain logins to smbspool man page; (bso#11643).\n - s3-client: Add a KRB5 wrapper for smbspool; (bso#11690).\n - loadparm: Fix memory leak issue; (bso#11708).\n - lib/tsocket: Work around sockets not supporting FIONREAD; (bso#11714).\n - ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped ...";\n (bso#11719).\n - s3:smbd:open: Skip redundant call to file_set_dosmode when creating a\n new file; (bso#11727).\n - param: Fix str_list_v3 to accept ";" again; (bso#11732).\n - Real memeory leak(buildup) issue in loadparm; (bso#11740).\n - Obsolete libsmbclient from libsmbclient0 and libpdb-devel from\n libsamba-passdb-devel while not providing it; (bsc#972197).\n - Getting and setting Windows ACLs on symlinks can change permissions on\n link\n - Only obsolete but do not provide gplv2/3 package names; (bsc#968973).\n - Enable clustering (CTDB) support; (bsc#966271).\n - s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703);\n (bsc#964023).\n - vfs_fruit: Fix renaming directories with open files; (bso#11065).\n - Fix MacOS finder error 36 when copying folder to Samba; (bso#11347).\n - s3:smbd/oplock: Obey kernel oplock setting when releasing oplocks;\n (bso#11400).\n - Fix copying files with vfs_fruit when using vfs_streams_xattr without\n stream prefix and type suffix; (bso#11466).\n - s3:libsmb: Correctly initialize the list head when keeping a list of\n primary followed by DFS connections; (bso#11624).\n - Reduce the memory footprint of empty string options; (bso#11625).\n - lib/async_req: Do not install async_connect_send_test; (bso#11639).\n - docs: Fix typos in man vfs_gpfs; (bso#11641).\n - smbd: make "hide dot files" option work with "store dos attributes =\n yes"; (bso#11645).\n - smbcacls: Fix uninitialized variable; (bso#11682).\n - s3:smbd: Ignore initial allocation size for directory creation;\n (bso#11684).\n - Changing log level of two entries to from 1 to 3; (bso#9912).\n - vfs_gpfs: Re-enable share modes; (bso#11243).\n - wafsamba: Also build libraries with RELRO protection; (bso#11346).\n - ctdb: Strip trailing spaces from nodes file; (bso#11365).\n - s3-smbd: Fix old DOS client doing wildcard delete - gives a attribute\n type of zero; (bso#11452).\n - nss_wins: Do not run into use after free issues when we access memory\n allocated on the globals and the global being reinitialized; (bso#11563).\n - async_req: Fix non-blocking connect(); (bso#11564).\n - auth: gensec: Fix a memory leak; (bso#11565).\n - lib: util: Make non-critical message a warning; (bso#11566).\n - Fix winbindd crashes with samlogon for trusted domain user; (bso#11569);\n (bsc#949022).\n - smbd: Send SMB2 oplock breaks unencrypted; (bso#11570).\n - ctdb: Open the RO tracking db with perms 0600 instead of 0000;\n (bso#11577).\n - manpage: Correct small typo error; (bso#11584).\n - s3: smbd: If EA's are turned off on a share don't allow an SMB2 create\n containing them; (bso#11589).\n - Backport some valgrind fixes from upstream master; (bso#11597).\n - s3: smbd: have_file_open_below() fails to enumerate open files below an\n open directory handle; (bso#11615).\n - docs: Fix some typos in the idmap config section of man 5 smb.conf;\n (bso#11619).\n\n", "modified": "2016-04-13T00:08:02", "published": "2016-04-13T00:08:02", "id": "SUSE-SU-2016:1022-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00020.html", "type": "suse", "title": "Security update for samba (important)", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-09-04T12:14:50", "bulletinFamily": "unix", "description": "samba was updated to fix seven security issues.\n\n These security issues were fixed:\n - CVE-2015-5370: DCERPC server and client were vulnerable to DOS and MITM\n attacks (bsc#936862).\n - CVE-2016-2110: A man-in-the-middle could have downgraded NTLMSSP\n authentication (bsc#973031).\n - CVE-2016-2111: Domain controller netlogon member computer could have\n been spoofed (bsc#973032).\n - CVE-2016-2112: LDAP conenctions were vulnerable to downgrade and MITM\n attack (bsc#973033).\n - CVE-2016-2113: TLS certificate validation were missing (bsc#973034).\n - CVE-2016-2115: Named pipe IPC were vulnerable to MITM attacks\n (bsc#973036).\n - CVE-2016-2118: "Badlock" DCERPC impersonation of authenticated account\n were possible (bsc#971965).\n\n These non-security issues were fixed:\n - bsc#967017: Fix leaking memory in libsmbclient in cli_set_mntpoint\n function\n - Getting and setting Windows ACLs on symlinks can change permissions on\n link\n\n", "modified": "2016-04-13T00:11:56", "published": "2016-04-13T00:11:56", "id": "SUSE-SU-2016:1023-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00021.html", "type": "suse", "title": "Security update for samba (important)", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-09-04T12:30:16", "bulletinFamily": "unix", "description": "samba was updated to fix seven security issues.\n\n These security issues were fixed:\n - CVE-2015-5370: DCERPC server and client were vulnerable to DOS and MITM\n attacks (bsc#936862).\n - CVE-2016-2110: A man-in-the-middle could have downgraded NTLMSSP\n authentication (bsc#973031).\n - CVE-2016-2111: Domain controller netlogon member computer could have\n been spoofed (bsc#973032).\n - CVE-2016-2112: LDAP conenctions were vulnerable to downgrade and MITM\n attack (bsc#973033).\n - CVE-2016-2113: TLS certificate validation were missing (bsc#973034).\n - CVE-2016-2115: Named pipe IPC were vulnerable to MITM attacks\n (bsc#973036).\n - CVE-2016-2118: "Badlock" DCERPC impersonation of authenticated account\n were possible (bsc#971965).\n\n These non-security issues were fixed:\n - bsc#974629: Fix samba.tests.messaging test and prevent potential tdb\n corruption by removing obsolete now invalid tdb_close call.\n - bsc#973832: Obsolete libsmbsharemodes0 from samba-libs and\n libsmbsharemodes-devel from samba-core-devel.\n - bsc#972197: Obsolete libsmbclient from libsmbclient0 and libpdb-devel\n from libsamba-passdb-devel while not providing it.\n - Getting and setting Windows ACLs on symlinks can change permissions on\n link\n - bsc#924519: Upgrade on-disk FSRVP server state to new version.\n - bsc#968973: Only obsolete but do not provide gplv2/3 package names.\n - bso#6482: s3:utils/smbget: Fix recursive download.\n - bso#10489: s3: smbd: posix_acls: Fix check for setting u:g:o entry on a\n filesystem with no ACL support.\n - bso#11643: docs: Add example for domain logins to smbspool man page.\n - bso#11690: s3-client: Add a KRB5 wrapper for smbspool.\n - bso#11708: loadparm: Fix memory leak issue.\n - bso#11714: lib/tsocket: Work around sockets not supporting FIONREAD.\n - bso#11719: ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped\n ...".\n - bso#11727: s3:smbd:open: Skip redundant call to file_set_dosmode when\n creating a new file.\n - bso#11732: param: Fix str_list_v3 to accept ";" again.\n - bso#11740: Real memeory leak(buildup) issue in loadparm.\n\n This update was imported from the SUSE:SLE-12-SP1:Update update project.\n\n", "modified": "2016-04-13T14:07:57", "published": "2016-04-13T14:07:57", "id": "OPENSUSE-SU-2016:1025-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00023.html", "title": "Security update for samba (important)", "type": "suse", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "slackware": [{"lastseen": "2019-05-30T07:36:54", "bulletinFamily": "unix", "description": "New samba packages are available for Slackware 14.0, 14.1, and -current to\nfix security issues.\n\n\nHere are the details from the Slackware 14.1 ChangeLog:\n\npatches/packages/samba-4.2.11-i486-1_slack14.1.txz: Upgraded.\n This update fixes the security issues known as "badlock" (or "sadlock"),\n which may allow man-in-the-middle or denial-of-service attacks:\n CVE-2015-5370 (Multiple errors in DCE-RPC code)\n CVE-2016-2110 (Man in the middle attacks possible with NTLMSSP)\n CVE-2016-2111 (NETLOGON Spoofing Vulnerability)\n CVE-2016-2112 (LDAP client and server don't enforce integrity)\n CVE-2016-2113 (Missing TLS certificate validation)\n CVE-2016-2114 ("server signing = mandatory" not enforced)\n CVE-2016-2115 (SMB IPC traffic is not integrity protected)\n CVE-2016-2118 (SAMR and LSA man in the middle attacks possible)\n For more information, see:\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5370\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2110\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2111\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2112\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2113\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2114\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2115\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2118\n (* Security fix *)\n\nWhere to find the new packages:\n\nThanks to the friendly folks at the OSU Open Source Lab\n(http://osuosl.org) for donating FTP and rsync hosting\nto the Slackware project! :-)\n\nAlso see the "Get Slack" section on http://slackware.com for\nadditional mirror sites near you.\n\nUpdated package for Slackware 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/samba-4.2.11-i486-1_slack14.0.txz\n\nUpdated package for Slackware x86_64 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/samba-4.2.11-x86_64-1_slack14.0.txz\n\nUpdated package for Slackware 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/samba-4.2.11-i486-1_slack14.1.txz\n\nUpdated package for Slackware x86_64 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/samba-4.2.11-x86_64-1_slack14.1.txz\n\nUpdated package for Slackware -current:\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/samba-4.4.2-i586-1.txz\n\nUpdated package for Slackware x86_64 -current:\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/samba-4.4.2-x86_64-1.txz\n\n\nMD5 signatures:\n\nSlackware 14.0 package:\n2380bc0ddc5f60c28312bcd7b56ab2be samba-4.2.11-i486-1_slack14.0.txz\n\nSlackware x86_64 14.0 package:\nd6189a5d2293af40767bc3805d649144 samba-4.2.11-x86_64-1_slack14.0.txz\n\nSlackware 14.1 package:\n7d31cf705ccf10346fb0718bc4d9ee3d samba-4.2.11-i486-1_slack14.1.txz\n\nSlackware x86_64 14.1 package:\na3db506941de422e75f18a854d82c95f samba-4.2.11-x86_64-1_slack14.1.txz\n\nSlackware -current package:\nef51645624e6707f01060ba491ec3dfd n/samba-4.4.2-i586-1.txz\n\nSlackware x86_64 -current package:\n2ad90a74923e18b3c3616ef66fc6237a n/samba-4.4.2-x86_64-1.txz\n\n\nInstallation instructions:\n\nUpgrade the package as root:\n > upgradepkg samba-4.2.11-i486-1_slack14.0.txz\n\nThen, if Samba is running restart it:\n\n > /etc/rc.d/rc.samba restart", "modified": "2016-04-15T13:48:27", "published": "2016-04-15T13:48:27", "id": "SSA-2016-106-02", "href": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.458012", "title": "samba", "type": "slackware", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "debian": [{"lastseen": "2019-05-30T02:22:44", "bulletinFamily": "unix", "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-3548-1 security@debian.org\nhttps://www.debian.org/security/ Salvatore Bonaccorso\nApril 13, 2016 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : samba\nCVE ID : CVE-2015-5370 CVE-2016-2110 CVE-2016-2111 CVE-2016-2112\n CVE-2016-2113 CVE-2016-2114 CVE-2016-2115 CVE-2016-2118\n\nSeveral vulnerabilities have been discovered in Samba, a SMB/CIFS file,\nprint, and login server for Unix. The Common Vulnerabilities and\nExposures project identifies the following issues:\n\nCVE-2015-5370\n\n Jouni Knuutinen from Synopsys discovered flaws in the Samba DCE-RPC\n code which can lead to denial of service (crashes and high cpu\n consumption) and man-in-the-middle attacks.\n\nCVE-2016-2110\n\n Stefan Metzmacher of SerNet and the Samba Team discovered that the\n feature negotiation of NTLMSSP does not protect against downgrade\n attacks.\n\nCVE-2016-2111\n\n When Samba is configured as domain controller, it allows remote\n attackers to spoof the computer name of a secure channel's endpoint,\n and obtain sensitive session information. This flaw corresponds to\n the same vulnerability as CVE-2015-0005 for Windows, discovered by\n Alberto Solino from Core Security.\n\nCVE-2016-2112\n\n Stefan Metzmacher of SerNet and the Samba Team discovered that a\n man-in-the-middle attacker can downgrade LDAP connections to avoid\n integrity protection.\n\nCVE-2016-2113\n\n Stefan Metzmacher of SerNet and the Samba Team discovered that\n man-in-the-middle attacks are possible for client triggered LDAP\n connections and ncacn_http connections.\n\nCVE-2016-2114\n\n Stefan Metzmacher of SerNet and the Samba Team discovered that Samba\n does not enforce required smb signing even if explicitly configured.\n\nCVE-2016-2115\n\n Stefan Metzmacher of SerNet and the Samba Team discovered that SMB\n connections for IPC traffic are not integrity-protected.\n\nCVE-2016-2118\n\n Stefan Metzmacher of SerNet and the Samba Team discovered that a\n man-in-the-middle attacker can intercept any DCERPC traffic between\n a client and a server in order to impersonate the client and obtain\n the same privileges as the authenticated user account.\n\nFor the oldstable distribution (wheezy), these problems have been fixed\nin version 2:3.6.6-6+deb7u9. The oldstable distribution is not affected\nby CVE-2016-2113 and CVE-2016-2114.\n\nFor the stable distribution (jessie), these problems have been fixed in\nversion 2:4.2.10+dfsg-0+deb8u1. The issues were addressed by upgrading\nto the new upstream version 4.2.10, which includes additional changes\nand bugfixes. The depending libraries ldb, talloc, tdb and tevent\nrequired as well an update to new upstream versions for this update.\n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 2:4.3.7+dfsg-1.\n\nPlease refer to\n\n https://www.samba.org/samba/latest_news.html#4.4.2\nhttps://www.samba.org/samba/history/samba-4.2.0.html\nhttps://www.samba.org/samba/history/samba-4.2.10.html\n\nfor further details (in particular for new options and defaults).\n\nWe'd like to thank Andreas Schneider and Guenther Deschner (Red Hat),\nStefan Metzmacher and Ralph Boehme (SerNet) and Aurelien Aptel (SUSE)\nfor the massive backporting work required to support Samba 3.6 and Samba\n4.2 and Andrew Bartlett (Catalyst), Jelmer Vernooij and Mathieu Parent\nfor their help in preparing updates of Samba and the underlying\ninfrastructure libraries.\n\nWe recommend that you upgrade your samba packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "modified": "2016-04-13T20:42:21", "published": "2016-04-13T20:42:21", "id": "DEBIAN:DSA-3548-1:02A5F", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2016/msg00123.html", "title": "[SECURITY] [DSA 3548-1] samba security update", "type": "debian", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "amazon": [{"lastseen": "2019-05-29T19:20:32", "bulletinFamily": "unix", "description": "**Issue Overview:**\n\nMultiple flaws were found in Samba's DCE/RPC protocol implementation. A remote, authenticated attacker could use these flaws to cause a denial of service against the Samba server (high CPU load or a crash) or, possibly, execute arbitrary code with the permissions of the user running Samba (root). This flaw could also be used to downgrade a secure DCE/RPC connection by a man-in-the-middle attacker taking control of an Active Directory (AD) object and compromising the security of a Samba Active Directory Domain Controller (DC). ([CVE-2015-5370 __](<https://access.redhat.com/security/cve/CVE-2015-5370>))\n\nA protocol flaw, publicly referred to as Badlock, was found in the Security Account Manager Remote Protocol (MS-SAMR) and the Local Security Authority (Domain Policy) Remote Protocol (MS-LSAD). Any authenticated DCE/RPC connection that a client initiates against a server could be used by a man-in-the-middle attacker to impersonate the authenticated user against the SAMR or LSA service on the server. As a result, the attacker would be able to get read/write access to the Security Account Manager database, and use this to reveal all passwords or any other potentially sensitive information in that database. ([CVE-2016-2118 __](<https://access.redhat.com/security/cve/CVE-2016-2118>))\n\nSeveral flaws were found in Samba's implementation of NTLMSSP authentication. An unauthenticated, man-in-the-middle attacker could use this flaw to clear the encryption and integrity flags of a connection, causing data to be transmitted in plain text. The attacker could also force the client or server into sending data in plain text even if encryption was explicitly requested for that connection. ([CVE-2016-2110 __](<https://access.redhat.com/security/cve/CVE-2016-2110>))\n\nIt was discovered that Samba configured as a Domain Controller would establish a secure communication channel with a machine using a spoofed computer name. A remote attacker able to observe network traffic could use this flaw to obtain session-related information about the spoofed machine. ([CVE-2016-2111 __](<https://access.redhat.com/security/cve/CVE-2016-2111>))\n\nIt was found that Samba's LDAP implementation did not enforce integrity protection for LDAP connections. A man-in-the-middle attacker could use this flaw to downgrade LDAP connections to use no integrity protection, allowing them to hijack such connections. ([CVE-2016-2112 __](<https://access.redhat.com/security/cve/CVE-2016-2112>))\n\nIt was found that Samba did not validate SSL/TLS certificates in certain connections. A man-in-the-middle attacker could use this flaw to spoof a Samba server using a specially crafted SSL/TLS certificate. ([CVE-2016-2113 __](<https://access.redhat.com/security/cve/CVE-2016-2113>))\n\nIt was discovered that Samba did not enforce Server Message Block (SMB) signing for clients using the SMB1 protocol. A man-in-the-middle attacker could use this flaw to modify traffic between a client and a server. ([CVE-2016-2114 __](<https://access.redhat.com/security/cve/CVE-2016-2114>))\n\nIt was found that Samba did not enable integrity protection for IPC traffic by default. A man-in-the-middle attacker could use this flaw to view and modify the data sent between a Samba server and a client. ([CVE-2016-2115 __](<https://access.redhat.com/security/cve/CVE-2016-2115>)) \n\n\n \n**Affected Packages:** \n\n\nsamba\n\n \n**Issue Correction:** \nRun _yum update samba_ to update your system. \n\n\n \n\n\n**New Packages:**\n \n \n i686: \n ctdb-tests-4.2.10-6.33.amzn1.i686 \n libsmbclient-devel-4.2.10-6.33.amzn1.i686 \n samba-common-tools-4.2.10-6.33.amzn1.i686 \n samba-client-4.2.10-6.33.amzn1.i686 \n samba-winbind-4.2.10-6.33.amzn1.i686 \n ctdb-devel-4.2.10-6.33.amzn1.i686 \n samba-winbind-krb5-locator-4.2.10-6.33.amzn1.i686 \n libsmbclient-4.2.10-6.33.amzn1.i686 \n samba-4.2.10-6.33.amzn1.i686 \n samba-client-libs-4.2.10-6.33.amzn1.i686 \n samba-libs-4.2.10-6.33.amzn1.i686 \n samba-common-libs-4.2.10-6.33.amzn1.i686 \n samba-devel-4.2.10-6.33.amzn1.i686 \n samba-test-devel-4.2.10-6.33.amzn1.i686 \n samba-winbind-modules-4.2.10-6.33.amzn1.i686 \n samba-test-libs-4.2.10-6.33.amzn1.i686 \n samba-debuginfo-4.2.10-6.33.amzn1.i686 \n samba-python-4.2.10-6.33.amzn1.i686 \n ctdb-4.2.10-6.33.amzn1.i686 \n libwbclient-devel-4.2.10-6.33.amzn1.i686 \n samba-winbind-clients-4.2.10-6.33.amzn1.i686 \n libwbclient-4.2.10-6.33.amzn1.i686 \n samba-test-4.2.10-6.33.amzn1.i686 \n \n noarch: \n samba-pidl-4.2.10-6.33.amzn1.noarch \n samba-common-4.2.10-6.33.amzn1.noarch \n \n src: \n samba-4.2.10-6.33.amzn1.src \n \n x86_64: \n libwbclient-4.2.10-6.33.amzn1.x86_64 \n samba-test-devel-4.2.10-6.33.amzn1.x86_64 \n samba-client-4.2.10-6.33.amzn1.x86_64 \n samba-test-libs-4.2.10-6.33.amzn1.x86_64 \n libwbclient-devel-4.2.10-6.33.amzn1.x86_64 \n samba-4.2.10-6.33.amzn1.x86_64 \n ctdb-4.2.10-6.33.amzn1.x86_64 \n samba-winbind-krb5-locator-4.2.10-6.33.amzn1.x86_64 \n samba-common-libs-4.2.10-6.33.amzn1.x86_64 \n ctdb-devel-4.2.10-6.33.amzn1.x86_64 \n libsmbclient-devel-4.2.10-6.33.amzn1.x86_64 \n samba-python-4.2.10-6.33.amzn1.x86_64 \n samba-client-libs-4.2.10-6.33.amzn1.x86_64 \n samba-winbind-modules-4.2.10-6.33.amzn1.x86_64 \n samba-libs-4.2.10-6.33.amzn1.x86_64 \n samba-devel-4.2.10-6.33.amzn1.x86_64 \n samba-winbind-clients-4.2.10-6.33.amzn1.x86_64 \n libsmbclient-4.2.10-6.33.amzn1.x86_64 \n samba-winbind-4.2.10-6.33.amzn1.x86_64 \n samba-common-tools-4.2.10-6.33.amzn1.x86_64 \n samba-debuginfo-4.2.10-6.33.amzn1.x86_64 \n ctdb-tests-4.2.10-6.33.amzn1.x86_64 \n samba-test-4.2.10-6.33.amzn1.x86_64 \n \n \n", "modified": "2016-04-13T11:45:00", "published": "2016-04-13T11:45:00", "id": "ALAS-2016-686", "href": "https://alas.aws.amazon.com/ALAS-2016-686.html", "title": "Critical: samba", "type": "amazon", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}]}
