This script is Copyright (C) 2021-2024 and is owned by Tenable, Inc. or an Affiliate thereof.EULEROS_SA-2021-1625.NASLEulerOS Virtualization 2.9.1 : samba (EulerOS-SA-2021-1625)
8.8 High
AI Score
Confidence
High
According to the versions of the samba packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :
-
A flaw was found in samba’s DNS server. An authenticated user could use this flaw to the RPC server to crash. This RPC server, which also serves protocols other than dnsserver, will be restarted after a short delay, but it is easy for an authenticated non administrative attacker to crash it again as soon as it returns. The Samba DNS server itself will continue to operate, but many RPC services will not.(CVE-2020-14383)
-
As Samba internally opens an underlying file system handle on a directory when a client requests an open, even for FILE_READ_ATTRIBUTES then if the underlying file system permissions don't allow "r" (read) access for the connected user, then the handle open request will be denied."(CVE-2020-14318)
-
A null pointer dereference flaw was found in samba’s Winbind service in versions before 4.11.15, before 4.12.9 and before 4.13.1. A local user could use this flaw to crash the winbind service causing denial of service.(CVE-2020-14323)
-
A flaw was found in the AD DC NBT server in all Samba versions before 4.10.17, before 4.11.11 and before 4.12.4. A samba user could send an empty UDP packet to cause the samba server to crash.(CVE-2020-14303)
-
A flaw was found in all Samba versions before 4.10.17, before 4.11.11 and before 4.12.4 in the way it processed NetBios over TCP/IP. This flaw allows a remote attacker could to cause the Samba server to consume excessive CPU use, resulting in a denial of service. This highest threat from this vulnerability is to system availability.(CVE-2020-10745)
-
A use-after-free flaw was found in all samba LDAP server versions before 4.10.17, before 4.11.11, before 4.12.4 used in a AC DC configuration. A Samba LDAP user could use this flaw to crash samba.(CVE-2020-10760)
-
A NULL pointer dereference, or possible use-after-free flaw was found in Samba AD LDAP server in versions before 4.10.17, before 4.11.11 and before 4.12.4.
Although some versions of Samba shipped with Red Hat Enterprise Linux do not support Samba in AD mode, the affected code is shipped with the libldb package. This flaw allows an authenticated user to possibly trigger a use-after-free or NULL pointer dereference. The highest threat from this vulnerability is to system availability.(CVE-2020-10730) -
An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC), aka ‘Netlogon Elevation of Privilege Vulnerability’.(CVE-2020-1472)
Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(147497);
script_version("1.9");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/01/11");
script_cve_id(
"CVE-2020-10730",
"CVE-2020-10745",
"CVE-2020-10760",
"CVE-2020-14303",
"CVE-2020-14318",
"CVE-2020-14323",
"CVE-2020-14383",
"CVE-2020-1472"
);
script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2020/09/21");
script_xref(name:"CISA-NCAS", value:"AA22-011A");
script_xref(name:"CEA-ID", value:"CEA-2020-0129");
script_xref(name:"CEA-ID", value:"CEA-2020-0101");
script_xref(name:"CEA-ID", value:"CEA-2021-0025");
script_xref(name:"CEA-ID", value:"CEA-2021-0008");
script_xref(name:"CEA-ID", value:"CEA-2020-0121");
script_xref(name:"CEA-ID", value:"CEA-2023-0016");
script_name(english:"EulerOS Virtualization 2.9.1 : samba (EulerOS-SA-2021-1625)");
script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS Virtualization host is missing multiple security
updates.");
script_set_attribute(attribute:"description", value:
"According to the versions of the samba packages installed, the
EulerOS Virtualization installation on the remote host is affected by
the following vulnerabilities :
- A flaw was found in samba's DNS server. An
authenticated user could use this flaw to the RPC
server to crash. This RPC server, which also serves
protocols other than dnsserver, will be restarted after
a short delay, but it is easy for an authenticated non
administrative attacker to crash it again as soon as it
returns. The Samba DNS server itself will continue to
operate, but many RPC services will
not.(CVE-2020-14383)
- As Samba internally opens an underlying file system
handle on a directory when a client requests an open,
even for FILE_READ_ATTRIBUTES then if the underlying
file system permissions don't allow "r"
(read) access for the connected user, then the handle
open request will be denied."(CVE-2020-14318)
- A null pointer dereference flaw was found in samba's
Winbind service in versions before 4.11.15, before
4.12.9 and before 4.13.1. A local user could use this
flaw to crash the winbind service causing denial of
service.(CVE-2020-14323)
- A flaw was found in the AD DC NBT server in all Samba
versions before 4.10.17, before 4.11.11 and before
4.12.4. A samba user could send an empty UDP packet to
cause the samba server to crash.(CVE-2020-14303)
- A flaw was found in all Samba versions before 4.10.17,
before 4.11.11 and before 4.12.4 in the way it
processed NetBios over TCP/IP. This flaw allows a
remote attacker could to cause the Samba server to
consume excessive CPU use, resulting in a denial of
service. This highest threat from this vulnerability is
to system availability.(CVE-2020-10745)
- A use-after-free flaw was found in all samba LDAP
server versions before 4.10.17, before 4.11.11, before
4.12.4 used in a AC DC configuration. A Samba LDAP user
could use this flaw to crash samba.(CVE-2020-10760)
- A NULL pointer dereference, or possible use-after-free
flaw was found in Samba AD LDAP server in versions
before 4.10.17, before 4.11.11 and before 4.12.4.
Although some versions of Samba shipped with Red Hat
Enterprise Linux do not support Samba in AD mode, the
affected code is shipped with the libldb package. This
flaw allows an authenticated user to possibly trigger a
use-after-free or NULL pointer dereference. The highest
threat from this vulnerability is to system
availability.(CVE-2020-10730)
- An elevation of privilege vulnerability exists when an
attacker establishes a vulnerable Netlogon secure
channel connection to a domain controller, using the
Netlogon Remote Protocol (MS-NRPC), aka 'Netlogon
Elevation of Privilege Vulnerability'.(CVE-2020-1472)
Note that Tenable Network Security has extracted the preceding
description block directly from the EulerOS security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.");
# https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2021-1625
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?8b064a1a");
script_set_attribute(attribute:"solution", value:
"Update the affected samba packages.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N");
script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-1472");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"exploited_by_malware", value:"true");
script_set_attribute(attribute:"patch_publication_date", value:"2021/03/10");
script_set_attribute(attribute:"plugin_publication_date", value:"2021/03/10");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:libsmbclient");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:libwbclient");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:samba-client");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:samba-common");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:samba-common-tools");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:samba-libs");
script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:2.9.1");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Huawei Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2021-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version");
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("rpm.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/EulerOS/release");
if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
uvp = get_kb_item("Host/EulerOS/uvp_version");
if (uvp != "2.9.1") audit(AUDIT_OS_NOT, "EulerOS Virtualization 2.9.1");
if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);
flag = 0;
pkgs = ["libsmbclient-4.11.6-6.h11.eulerosv2r9",
"libwbclient-4.11.6-6.h11.eulerosv2r9",
"samba-client-4.11.6-6.h11.eulerosv2r9",
"samba-common-4.11.6-6.h11.eulerosv2r9",
"samba-common-tools-4.11.6-6.h11.eulerosv2r9",
"samba-libs-4.11.6-6.h11.eulerosv2r9"];
foreach (pkg in pkgs)
if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++;
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_HOLE,
extra : rpm_report_get()
);
exit(0);
}
else
{
tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, "samba");
}
| Vendor | Product | Version | CPE |
|---|---|---|---|
| huawei | euleros | libsmbclient | p-cpe:/a:huawei:euleros:libsmbclient |
| huawei | euleros | libwbclient | p-cpe:/a:huawei:euleros:libwbclient |
| huawei | euleros | samba-client | p-cpe:/a:huawei:euleros:samba-client |
| huawei | euleros | samba-common | p-cpe:/a:huawei:euleros:samba-common |
| huawei | euleros | samba-common-tools | p-cpe:/a:huawei:euleros:samba-common-tools |
| huawei | euleros | samba-libs | p-cpe:/a:huawei:euleros:samba-libs |
| huawei | euleros | uvp | cpe:/o:huawei:euleros:uvp:2.9.1 |
References
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10730
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10745
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10760
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14303
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14318
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14323
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14383
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1472
www.nessus.org/u?8b064a1a
Related
