Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2021-2024 and is owned by Tenable, Inc. or an Affiliate thereof.DEBIAN_DLA-2668.NASL
HistoryJun 01, 2021 - 12:00 a.m.

Debian DLA-2668-1 : samba security update

2021-06-0100:00:00
This script is Copyright (C) 2021-2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
23

7.7 High

AI Score

Confidence

Low

JSON

Several vulnerabilities were discovered in Samba, SMB/CIFS file, print, and login server for Unix

CVE-2019-10218

A flaw was found in the samba client, where a malicious server can supply a pathname to the client with separators. This could allow the client to access files and folders outside of the SMB network pathnames. An attacker could use this vulnerability to create files outside of the current working directory using the privileges of the client user.

CVE-2019-14833

A flaw was found in Samba, in the way it handles a user password change or a new password for a samba user. The Samba Active Directory Domain Controller can be configured to use a custom script to check for password complexity. This configuration can fail to verify password complexity when non-ASCII characters are used in the password, which could lead to weak passwords being set for samba users, making it vulnerable to dictionary attacks.

CVE-2019-14847

A flaw was found in samba where an attacker can crash AD DC LDAP server via dirsync resulting in denial of service. Privilege escalation is not possible with this issue.

CVE-2019-14861

Samba have an issue, where the (poorly named) dnsserver RPC pipe provides administrative facilities to modify DNS records and zones.
Samba, when acting as an AD DC, stores DNS records in LDAP. In AD, the default permissions on the DNS partition allow creation of new records by authenticated users. This is used for example to allow machines to self-register in DNS. If a DNS record was created that case-insensitively matched the name of the zone, the ldb_qsort() and dns_name_compare() routines could be confused into reading memory prior to the list of DNS entries when responding to DnssrvEnumRecords() or DnssrvEnumRecords2() and so following invalid memory as a pointer.

CVE-2019-14870

Samba have an issue, where the S4U (MS-SFU) Kerberos delegation model includes a feature allowing for a subset of clients to be opted out of constrained delegation in any way, either S4U2Self or regular Kerberos authentication, by forcing all tickets for these clients to be non-forwardable. In AD this is implemented by a user attribute delegation_not_allowed (aka not-delegated), which translates to disallow-forwardable. However the Samba AD DC does not do that for S4U2Self and does set the forwardable flag even if the impersonated client has the not-delegated flag set.

CVE-2019-14902

There is an issue in samba, where the removal of the right to create or modify a subtree would not automatically be taken away on all domain controllers.

CVE-2019-14907

samba have an issue where if it is set with ‘log level = 3’ (or above) then the string obtained from the client, after a failed character conversion, is printed. Such strings can be provided during the NTLMSSP authentication exchange. In the Samba AD DC in particular, this may cause a long-lived process(such as the RPC server) to terminate. (In the file server case, the most likely target, smbd, operates as process-per-client and so a crash there is harmless).

CVE-2021-20254

A flaw was found in samba. The Samba smbd file server must map Windows group identities (SIDs) into unix group ids (gids). The code that performs this had a flaw that could allow it to read data beyond the end of the array in the case where a negative cache entry had been added to the mapping cache. This could cause the calling code to return those values into the process token that stores the group membership for a user. The highest threat from this vulnerability is to data confidentiality and integrity.

For Debian 9 stretch, these problems have been fixed in version 2:4.5.16+dfsg-1+deb9u4.

We recommend that you upgrade your samba packages.

For the detailed security status of samba please refer to its security tracker page at: https://security-tracker.debian.org/tracker/samba

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DLA-2668-1. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(150107);
  script_version("1.6");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/01/16");

  script_cve_id(
    "CVE-2019-10218",
    "CVE-2019-14833",
    "CVE-2019-14847",
    "CVE-2019-14861",
    "CVE-2019-14870",
    "CVE-2019-14902",
    "CVE-2019-14907",
    "CVE-2021-20254"
  );

  script_name(english:"Debian DLA-2668-1 : samba security update");

  script_set_attribute(attribute:"synopsis", value:
"The remote Debian host is missing a security update.");
  script_set_attribute(attribute:"description", value:
"Several vulnerabilities were discovered in Samba, SMB/CIFS file,
print, and login server for Unix

CVE-2019-10218

A flaw was found in the samba client, where a malicious server can
supply a pathname to the client with separators. This could allow the
client to access files and folders outside of the SMB network
pathnames. An attacker could use this vulnerability to create files
outside of the current working directory using the privileges of the
client user.

CVE-2019-14833

A flaw was found in Samba, in the way it handles a user password
change or a new password for a samba user. The Samba Active Directory
Domain Controller can be configured to use a custom script to check
for password complexity. This configuration can fail to verify
password complexity when non-ASCII characters are used in the
password, which could lead to weak passwords being set for samba
users, making it vulnerable to dictionary attacks.

CVE-2019-14847

A flaw was found in samba where an attacker can crash AD DC LDAP
server via dirsync resulting in denial of service. Privilege
escalation is not possible with this issue.

CVE-2019-14861

Samba have an issue, where the (poorly named) dnsserver RPC pipe
provides administrative facilities to modify DNS records and zones.
Samba, when acting as an AD DC, stores DNS records in LDAP. In AD, the
default permissions on the DNS partition allow creation of new records
by authenticated users. This is used for example to allow machines to
self-register in DNS. If a DNS record was created that
case-insensitively matched the name of the zone, the ldb_qsort() and
dns_name_compare() routines could be confused into reading memory
prior to the list of DNS entries when responding to
DnssrvEnumRecords() or DnssrvEnumRecords2() and so following invalid
memory as a pointer.

CVE-2019-14870

Samba have an issue, where the S4U (MS-SFU) Kerberos delegation model
includes a feature allowing for a subset of clients to be opted out of
constrained delegation in any way, either S4U2Self or regular Kerberos
authentication, by forcing all tickets for these clients to be
non-forwardable. In AD this is implemented by a user attribute
delegation_not_allowed (aka not-delegated), which translates to
disallow-forwardable. However the Samba AD DC does not do that for
S4U2Self and does set the forwardable flag even if the impersonated
client has the not-delegated flag set.

CVE-2019-14902

There is an issue in samba, where the removal of the right to create
or modify a subtree would not automatically be taken away on all
domain controllers.

CVE-2019-14907

samba have an issue where if it is set with 'log level = 3' (or above)
then the string obtained from the client, after a failed character
conversion, is printed. Such strings can be provided during the
NTLMSSP authentication exchange. In the Samba AD DC in particular,
this may cause a long-lived process(such as the RPC server) to
terminate. (In the file server case, the most likely target, smbd,
operates as process-per-client and so a crash there is harmless).

CVE-2021-20254

A flaw was found in samba. The Samba smbd file server must map Windows
group identities (SIDs) into unix group ids (gids). The code that
performs this had a flaw that could allow it to read data beyond the
end of the array in the case where a negative cache entry had been
added to the mapping cache. This could cause the calling code to
return those values into the process token that stores the group
membership for a user. The highest threat from this vulnerability is
to data confidentiality and integrity.

For Debian 9 stretch, these problems have been fixed in version
2:4.5.16+dfsg-1+deb9u4.

We recommend that you upgrade your samba packages.

For the detailed security status of samba please refer to its security
tracker page at: https://security-tracker.debian.org/tracker/samba

NOTE: Tenable Network Security has extracted the preceding description
block directly from the DLA security advisory. Tenable has attempted
to automatically clean and format it as much as possible without
introducing additional issues.");
  script_set_attribute(attribute:"see_also", value:"https://lists.debian.org/debian-lts-announce/2021/05/msg00023.html");
  script_set_attribute(attribute:"see_also", value:"https://packages.debian.org/source/stretch/samba");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/source-package/samba");
  script_set_attribute(attribute:"solution", value:
"Upgrade the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-14870");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2021-20254");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/11/06");
  script_set_attribute(attribute:"patch_publication_date", value:"2021/05/29");
  script_set_attribute(attribute:"plugin_publication_date", value:"2021/06/01");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:ctdb");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libnss-winbind");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libpam-winbind");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libparse-pidl-perl");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libsmbclient");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libsmbclient-dev");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libwbclient-dev");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libwbclient0");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:python-samba");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:registry-tools");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:samba");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:samba-common");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:samba-common-bin");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:samba-dev");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:samba-dsdb-modules");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:samba-libs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:samba-testsuite");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:samba-vfs-modules");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:smbclient");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:winbind");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:9.0");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Debian Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2021-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("debian_package.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;
if (deb_check(release:"9.0", prefix:"ctdb", reference:"2:4.5.16+dfsg-1+deb9u4")) flag++;
if (deb_check(release:"9.0", prefix:"libnss-winbind", reference:"2:4.5.16+dfsg-1+deb9u4")) flag++;
if (deb_check(release:"9.0", prefix:"libpam-winbind", reference:"2:4.5.16+dfsg-1+deb9u4")) flag++;
if (deb_check(release:"9.0", prefix:"libparse-pidl-perl", reference:"2:4.5.16+dfsg-1+deb9u4")) flag++;
if (deb_check(release:"9.0", prefix:"libsmbclient", reference:"2:4.5.16+dfsg-1+deb9u4")) flag++;
if (deb_check(release:"9.0", prefix:"libsmbclient-dev", reference:"2:4.5.16+dfsg-1+deb9u4")) flag++;
if (deb_check(release:"9.0", prefix:"libwbclient-dev", reference:"2:4.5.16+dfsg-1+deb9u4")) flag++;
if (deb_check(release:"9.0", prefix:"libwbclient0", reference:"2:4.5.16+dfsg-1+deb9u4")) flag++;
if (deb_check(release:"9.0", prefix:"python-samba", reference:"2:4.5.16+dfsg-1+deb9u4")) flag++;
if (deb_check(release:"9.0", prefix:"registry-tools", reference:"2:4.5.16+dfsg-1+deb9u4")) flag++;
if (deb_check(release:"9.0", prefix:"samba", reference:"2:4.5.16+dfsg-1+deb9u4")) flag++;
if (deb_check(release:"9.0", prefix:"samba-common", reference:"2:4.5.16+dfsg-1+deb9u4")) flag++;
if (deb_check(release:"9.0", prefix:"samba-common-bin", reference:"2:4.5.16+dfsg-1+deb9u4")) flag++;
if (deb_check(release:"9.0", prefix:"samba-dev", reference:"2:4.5.16+dfsg-1+deb9u4")) flag++;
if (deb_check(release:"9.0", prefix:"samba-dsdb-modules", reference:"2:4.5.16+dfsg-1+deb9u4")) flag++;
if (deb_check(release:"9.0", prefix:"samba-libs", reference:"2:4.5.16+dfsg-1+deb9u4")) flag++;
if (deb_check(release:"9.0", prefix:"samba-testsuite", reference:"2:4.5.16+dfsg-1+deb9u4")) flag++;
if (deb_check(release:"9.0", prefix:"samba-vfs-modules", reference:"2:4.5.16+dfsg-1+deb9u4")) flag++;
if (deb_check(release:"9.0", prefix:"smbclient", reference:"2:4.5.16+dfsg-1+deb9u4")) flag++;
if (deb_check(release:"9.0", prefix:"winbind", reference:"2:4.5.16+dfsg-1+deb9u4")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
  else security_warning(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
VendorProductVersionCPE
debiandebian_linuxctdbp-cpe:/a:debian:debian_linux:ctdb
debiandebian_linuxlibnss-winbindp-cpe:/a:debian:debian_linux:libnss-winbind
debiandebian_linuxlibpam-winbindp-cpe:/a:debian:debian_linux:libpam-winbind
debiandebian_linuxlibparse-pidl-perlp-cpe:/a:debian:debian_linux:libparse-pidl-perl
debiandebian_linuxlibsmbclientp-cpe:/a:debian:debian_linux:libsmbclient
debiandebian_linuxlibsmbclient-devp-cpe:/a:debian:debian_linux:libsmbclient-dev
debiandebian_linuxlibwbclient-devp-cpe:/a:debian:debian_linux:libwbclient-dev
debiandebian_linuxlibwbclient0p-cpe:/a:debian:debian_linux:libwbclient0
debiandebian_linuxpython-sambap-cpe:/a:debian:debian_linux:python-samba
debiandebian_linuxregistry-toolsp-cpe:/a:debian:debian_linux:registry-tools
Rows per page:
1-10 of 211

Related

debian 2
osv 9
openvas 47
mageia 2
fedora 6
nessus 51
cisa 3
ibm 6
freebsd 3
altlinux 9
ubuntu 5
suse 4
archlinux 1
redhat 3
oraclelinux 2
veracode 3
samba 5
cve 4
redhatcve 7
amazon 2
symantec 4
alpinelinux 6
debiancve 5
prion 4
ubuntucve 5
f5 1
debian
debian
[SECURITY] [DLA 2668-1] samba security update
2021-05-29 11:11:27
[SECURITY] [DLA 3563-1] samba security update
2023-09-14 14:43:24
osv
osv
samba - security update
2021-05-29 00:00:00
samba - security update
2023-09-12 00:00:00
CVE-2019-14833
2019-11-06 10:15:10
openvas
openvas
Debian: Security Advisory (DLA-2668-1)
2021-05-30 00:00:00
Mageia: Security Advisory (MGASA-2019-0397)
2022-01-28 00:00:00
Fedora: Security Advisory for samba (FEDORA-2020-6bd386c7eb)
2020-02-02 00:00:00
mageia
mageia
Updated samba packages fix security vulnerabilities
2019-12-19 16:44:26
Updated samba packages fix security vulnerabilities
2020-01-28 10:52:40
fedora
fedora
[SECURITY] Fedora 31 Update: samba-4.11.6-0.fc31
2020-02-02 01:37:17
[SECURITY] Fedora 31 Update: samba-4.11.3-0.fc31
2019-12-12 01:55:33
[SECURITY] Fedora 30 Update: samba-4.10.13-0.fc30
2020-02-08 01:39:00
nessus
nessus
EulerOS Virtualization for ARM 64 3.0.2.0 : samba (EulerOS-SA-2020-1526)
2020-05-01 00:00:00
EulerOS Virtualization 3.0.2.2 : samba (EulerOS-SA-2020-2199)
2020-10-21 00:00:00
EulerOS 2.0 SP3 : samba (EulerOS-SA-2020-2110)
2020-09-28 00:00:00
cisa
cisa
Samba Releases Security Updates
2019-10-29 00:00:00
Samba Releases Security Updates
2019-12-10 00:00:00
Samba Releases Security Updates
2020-01-21 00:00:00
ibm
ibm
Security Bulletin: IBM WebSphere Message Broker Hypervisor Edition V8.0 require customer action for security vulnerabilities in Red Hat Linux
2019-12-23 02:52:00
Security Bulletin: Action required for IBM Integration Bus Hypervisor Edition V9.0 for security vulnerabilities in Red Hat Linux
2020-01-10 08:15:41
Security Bulletin: Vulnerabilities in Samba affect IBM Spectrum Protect Plus (CVE-2019-14833, CVE-2019-14847, CVE-2019-10218)
2020-02-22 00:27:53
freebsd
freebsd
samba -- multiple vulnerabilities
2019-09-29 00:00:00
samba -- multiple vulnerabilities
2019-12-10 00:00:00
samba -- multiple vulnerabilities
2020-01-14 00:00:00
altlinux
altlinux
Security fix for the ALT Linux 8 package samba-DC version 4.9.15-alt1
2019-11-05 00:00:00
Security fix for the ALT Linux 10 package samba version 4.10.10-alt1
2019-10-29 00:00:00
Security fix for the ALT Linux 8 package samba version 4.9.15-alt1
2019-11-05 00:00:00
ubuntu
ubuntu
Samba vulnerabilities
2019-10-29 00:00:00
Samba vulnerabilities
2019-12-10 00:00:00
Samba vulnerabilities
2019-10-29 00:00:00
suse
suse
Security update for samba (important)
2019-11-09 00:00:00
Security update for samba (important)
2019-11-05 00:00:00
Security update for samba (important)
2019-12-22 00:00:00
archlinux
archlinux
[ASA-201911-6] samba: multiple issues
2019-11-03 00:00:00
redhat
redhat
(RHSA-2020:0943) Moderate: samba security and bug fix update
2020-03-23 13:41:48
(RHSA-2020:1878) Moderate: samba security, bug fix, and enhancement update
2020-04-28 09:26:30
(RHSA-2020:3981) Moderate: samba security, bug fix, and enhancement update
2020-09-29 07:48:33
oraclelinux
oraclelinux
samba security, bug fix, and enhancement update
2020-05-05 00:00:00
samba security, bug fix, and enhancement update
2020-10-06 00:00:00
veracode
veracode
Authorization Bypass
2020-08-06 21:39:03
Dictionary Attacks
2020-08-06 21:35:35
Denial Of Service (DoS)
2021-05-31 10:33:57
samba
samba
Replication of ACLs set to inherit down a
2020-01-21 00:00:00
User with "get changes" permission can
2019-10-29 00:00:00
Client code can return filenames containing
2019-10-29 00:00:00
cve
cve
CVE-2019-14902
2020-01-21 18:15:00
CVE-2019-14833
2019-11-06 10:15:00
CVE-2019-14847
2019-11-06 10:15:00
redhatcve
redhatcve
CVE-2019-14907
2020-01-21 10:09:13
CVE-2019-14870
2020-04-01 02:39:59
CVE-2019-10218
2020-04-03 14:01:57
amazon
amazon
Medium: samba
2020-10-22 18:38:00
Medium: samba
2020-11-14 01:23:00
symantec
symantec
Samba CVE-2019-14833 Remote Security Bypass Vulnerability
2019-10-29 00:00:00
Samba CVE-2019-14861 Remote Denial of Service Vulnerability
2019-12-10 00:00:00
Samba CVE-2019-14870 Remote Security Bypass Vulnerability
2019-12-10 00:00:00
alpinelinux
alpinelinux
CVE-2019-14833
2019-11-06 10:15:00
CVE-2019-14861
2019-12-10 23:15:00
CVE-2019-14870
2019-12-10 23:15:00
debiancve
debiancve
CVE-2019-14833
2019-11-06 10:15:00
CVE-2019-14902
2020-01-21 18:15:00
CVE-2019-14847
2019-11-06 10:15:00
prion
prion
Default credentials
2019-11-06 10:15:00
Code injection
2020-01-21 18:15:00
Code injection
2019-11-06 10:15:00
ubuntucve
ubuntucve
CVE-2019-14902
2020-01-21 00:00:00
CVE-2019-14861
2019-12-10 00:00:00
CVE-2019-14907
2020-01-21 00:00:00
f5
f5
K95010211 : Samba vulnerability CVE-2019-14907
2020-03-30 00:00:00

7.7 High

AI Score

Confidence

Low

JSON
Related for DEBIAN_DLA-2668.NASL
debian2osv9openvas47mageia2fedora6nessus51cisa3ibm6freebsd3altlinux9ubuntu5suse4archlinux1redhat3oraclelinux2veracode3samba5cve4redhatcve7amazon2symantec4alpinelinux6debiancve5prion4ubuntucve5f51