Samba 4.x < 4.1.22 Multiple Vulnerabilities

According to its banner, the version of Samba is 4.x earlier than 4.1.22. It is therefore affected by the following vulnerabilities :

• A flaw exists in the ‘ldb_wildcard_compare()’ function in ‘lib/ldb/common/ldb_match.c’ that is triggered when handling LDAP requests. This may allow a remote attacker to exhaust available CPU resources. (CVE-2015-3223)
• A flaw exists in the ‘check_reduced_name_with_privilege()’ and ‘check_reduced_name()’ functions in ‘smbd/vfs.c’ that allows traversing outside of a restricted path. The issue is due to users being permitted to follow symlinks pointing to resources in another directory that shares a common path prefix. This may allow a remote attacker to access files outside the exported share path. According to the vendor, exploitation requires that a Samba share “is configured with a path that shares a common path prefix with another directory on the file system”. (CVE-2015-5252)
• A flaw exists that is triggered when handling encrypted client sessions due to missing signing. This may allow a Man-in-the-Middle (MitM) attacker to downgrade the security of the connection, making it easier to break the encryption and monitor or manipulate communication. (CVE-2015-5296)
• A flaw exists in the ‘shadow_copy2_get_shadow_copy_data()’ function in ‘modules/vfs_shadow_copy2.c’ due to missing access control checks when accessing snapshots. This may allow an authenticated, remote attacker to gain knowledge of potentially sensitive information. (CVE-2015-5299)
• An unspecified flaw exists that is triggered when handling LDAP requests. This may allow a remote attacker to disclose uninitialized memory contents. (CVE-2015-5330)
• A flaw exists in ‘libcli/ldap/ldap_message.c’ that is triggered when handling LDAP requests. This may allow a remote attacker to exhaust available memory resources and potentially cause the process to be terminated. (CVE-2015-7540)
• A flaw exists in the ‘samldb_check_user_account_control_acl()’ function in ‘dsdb/samdb/ldb_modules/samldb.c’ that is triggered when operating as an Active Directory domain controller. This may allow a remote attacker to bypass a certain Microsoft patch for Windows AD DCs in the same domain and crash them. (CVE-2015-8467)