Samba Information Leak Vulnerability (CVE-2018-14628)

# SPDX-FileCopyrightText: 2023 Greenbone AG
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only

CPE = "cpe:/a:samba:samba";

if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.104503");
  script_version("2023-11-30T05:06:26+0000");
  script_tag(name:"last_modification", value:"2023-11-30 05:06:26 +0000 (Thu, 30 Nov 2023)");
  script_tag(name:"creation_date", value:"2023-01-27 08:54:49 +0000 (Fri, 27 Jan 2023)");
  script_tag(name:"cvss_base", value:"4.0");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:S/C:P/I:N/A:N");
  script_tag(name:"severity_vector", value:"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N");
  script_tag(name:"severity_origin", value:"NVD");
  script_tag(name:"severity_date", value:"2023-01-24 20:03:00 +0000 (Tue, 24 Jan 2023)");

  script_cve_id("CVE-2018-14628");

  script_tag(name:"qod_type", value:"remote_banner_unreliable");

  script_tag(name:"solution_type", value:"VendorFix");

  script_name("Samba Information Leak Vulnerability (CVE-2018-14628)");

  script_category(ACT_GATHER_INFO);

  script_copyright("Copyright (C) 2023 Greenbone AG");
  script_family("General");
  script_dependencies("smb_nativelanman.nasl", "gb_samba_detect.nasl");
  script_mandatory_keys("samba/smb_or_ssh/detected");

  script_tag(name:"summary", value:"Samba is prone to an information leak vulnerability.");

  script_tag(name:"vuldetect", value:"Checks if a vulnerable version is present on the target host.");

  script_tag(name:"insight", value:"Samba is vulnerable to an information leak (compared with the
  established behaviour of Microsoft's Active Directory) when Samba is an Active Directory Domain
  Controller.

  Missing access control checks on the LDAP_SERVER_SHOW_DELETED_OID control in the DSDB database
  layer cause the LDAP server to disclose, to authenticated but not privileged users, the names and
  preserved attributes of deleted objects. (Microsoft AD simply does not return these objects on a
  search).

  No information that was hidden before the deletion is visible, but in Microsoft Active Directory
  the whole object is also not visible without administrative rights, whereas Samba allows read of
  limited set of attributes that are preserved after delete.

  There is no further vulnerability associated with this error, merely an information disclosure.");

  script_tag(name:"affected", value:"Samba versions from 4.0.0 onwards.");

  script_tag(name:"solution", value:"Update to version 4.18.9, 4.19.3 or later.");

  script_xref(name:"URL", value:"https://www.samba.org/samba/history/samba-4.19.3.html");
  script_xref(name:"URL", value:"https://www.samba.org/samba/history/samba-4.18.9.html");
  script_xref(name:"URL", value:"https://www.samba.org/samba/security/CVE-2018-14628.html");
  script_xref(name:"URL", value:"https://bugzilla.samba.org/show_bug.cgi?id=13595");
  script_xref(name:"URL", value:"https://bugzilla.redhat.com/show_bug.cgi?id=1625445");

  exit(0);
}

include("host_details.inc");
include("version_func.inc");

if (isnull(port = get_app_port(cpe: CPE)))
  exit(0);

if (!infos = get_app_version_and_location(cpe: CPE, port: port, exit_no_version: TRUE))
  exit(0);

version = infos["version"];
location = infos["location"];

if (version_in_range_exclusive(version: version, test_version_lo: "4.0.0", test_version_up: "4.18.9")) {
  report = report_fixed_ver(installed_version: version, fixed_version: "4.18.9", install_path: location);
  security_message(port: port, data: report);
  exit(0);
}

if (version_in_range_exclusive(version: version, test_version_lo: "4.19.0", test_version_up: "4.19.3")) {
  report = report_fixed_ver(installed_version: version, fixed_version: "4.19.3", install_path: location);
  security_message(port: port, data: report);
  exit(0);
}

exit(99);