CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:S/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
70.9%
Samba is prone to a user impersonation vulnerability.
# Copyright (C) 2019 Greenbone Networks GmbH
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-or-later
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
CPE = 'cpe:/a:samba:samba';
if(description)
{
script_oid("1.3.6.1.4.1.25623.1.0.108575");
script_version("2021-09-06T11:01:35+0000");
script_tag(name:"last_modification", value:"2021-09-06 11:01:35 +0000 (Mon, 06 Sep 2021)");
script_tag(name:"creation_date", value:"2019-05-16 10:45:43 +0000 (Thu, 16 May 2019)");
script_tag(name:"cvss_base", value:"6.0");
script_tag(name:"cvss_base_vector", value:"AV:N/AC:M/Au:S/C:P/I:P/A:P");
script_tag(name:"severity_vector", value:"CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H");
script_tag(name:"severity_origin", value:"NVD");
script_tag(name:"severity_date", value:"2019-08-14 12:15:00 +0000 (Wed, 14 Aug 2019)");
script_cve_id("CVE-2018-16860");
script_tag(name:"qod_type", value:"remote_banner_unreliable");
script_tag(name:"solution_type", value:"VendorFix");
script_name("Samba AD DC Principal Modification Vulnerability (CVE-2018-16860)");
script_category(ACT_GATHER_INFO);
script_copyright("Copyright (C) 2019 Greenbone Networks GmbH");
script_family("General");
script_dependencies("smb_nativelanman.nasl", "gb_samba_detect.nasl");
script_mandatory_keys("samba/smb_or_ssh/detected");
script_tag(name:"summary", value:"Samba is prone to a user impersonation vulnerability.");
script_tag(name:"vuldetect", value:"Checks if a vulnerable version is present on the target host.");
script_tag(name:"insight", value:"S4U2Self is an extension to Kerberos used in Active Directory to allow
a service to request a kerberos ticket to itself from the Kerberos Key Distribution Center (KDC) for a
non-Kerberos authenticated user (principal in Kerboros parlance). This is useful to allow internal
code paths to be standardized around Kerberos.
S4U2Proxy (constrained-delegation) is an extension of this mechanism allowing this impersonation to a
second service over the network. It allows a privileged server that obtained a S4U2Self ticket to itself
to then assert the identity of that principal to a second service and present itself as that principal
to get services from the second service.
There is a flaw in Samba's AD DC in the Heimdal KDC. When the Heimdal KDC checks the checksum that is
placed on the S4U2Self packet by the server to protect the requested principal against modification, it
does not confirm that the checksum algorithm that protects the user name (principal) in the request is
keyed.");
script_tag(name:"impact", value:"This allows a man-in-the-middle attacker who can intercept the request
to the KDC to modify the packet by replacing the user name (principal) in the request with any desired
user name (principal) that exists in the KDC and replace the checksum protecting that name with a CRC32
checksum (which requires no prior knowledge to compute).
This would allow a S4U2Self ticket requested on behalf of user name (principal) [email protected] to any
service to be changed to a S4U2Self ticket with a user name (principal) of [email protected].
This ticket would then contain the PAC of the modified user name (principal).");
script_tag(name:"affected", value:"All Samba versions since Samba 4.0.");
script_tag(name:"solution", value:"Update to version 4.8.12, 4.9.8, 4.10.3 or later.");
script_xref(name:"URL", value:"https://www.samba.org/samba/security/CVE-2018-16860.html");
exit(0);
}
include("host_details.inc");
include("version_func.inc");
if (isnull(port = get_app_port(cpe: CPE)))
exit(0);
if (!infos = get_app_version_and_location(cpe: CPE, port: port, exit_no_version: TRUE))
exit(0);
version = infos['version'];
if (version_is_less(version: version, test_version: "4.0"))
exit(99);
path = infos['location'];
if (version_in_range(version: version, test_version: "4.0", test_version2: "4.8.11")) {
report = report_fixed_ver(installed_version: version, fixed_version: "4.8.12", install_path: path);
security_message(port: port, data: report);
exit(0);
}
if (version_in_range(version: version, test_version: "4.9.0", test_version2: "4.9.7")) {
report = report_fixed_ver(installed_version: version, fixed_version: "4.9.8", install_path: path);
security_message(port: port, data: report);
exit(0);
}
if (version_in_range(version: version, test_version: "4.10.0", test_version2: "4.10.2")) {
report = report_fixed_ver(installed_version: version, fixed_version: "4.10.3", install_path: path);
security_message(port: port, data: report);
exit(0);
}
exit(99);
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:S/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
70.9%