CVSS2: 9.3 High (AV:N/AC:M/Au:N/C:C/I:C/A:C)
  Access Vector: NETWORK
  Access Complexity: MEDIUM
  Authentication: NONE
  Confidentiality Impact: COMPLETE
  Integrity Impact: COMPLETE
  Availability Impact: COMPLETE
EPSS: 0.017 Low (percentile 87.8%)
The smbclient utility in Samba 3.2.0 - 3.2.12 contains a
format string vulnerability where commands dealing with
file names treat user input as format strings to asprintf.
An example is:
smb: > put aa%3Fbb
putting file aa%3Fbb as \aa0,000000bb (0,0 kb/s) (average 0,0 kb/s)
As is obvious, “aa%3Fbb” is interpreted as a format string.
With a maliciously crafted file name smbclient can be made
to execute code triggered by the server.
The attack from our point of view is rather unlikely because
the malicious filename has to be entered by the user. If smbclient
is used within scripts, an attack becomes possible.
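The defect class and its fix, as an added example that is not Samba's code: a file name must only ever be passed as data to a constant format. The function names are hypothetical, snprintf stands in for asprintf to stay within portable C, and count_conversions is an assumed audit helper for spotting names that an affected client would reinterpret.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define STATUS_FMT "putting file %s as %s"

#ifdef SHOW_VULNERABLE
/* Defect class, for contrast only (not compiled by default): the file name
 * itself is the format argument, so "aa%3Fbb" is parsed for conversions. */
static char *status_line_vulnerable(const char *name) {
    char *out = malloc(256);
    if (out) snprintf(out, 256, name);   /* -Wformat-security flags this */
    return out;
}
#endif

/* Hardened form: constant format, file names passed only as %s data.
 * Returns a malloc'd string (caller frees) or NULL on failure. */
char *status_line(const char *local, const char *remote) {
    int need = snprintf(NULL, 0, STATUS_FMT, local, remote);
    if (need < 0) return NULL;
    char *out = malloc((size_t)need + 1);
    if (out) snprintf(out, (size_t)need + 1, STATUS_FMT, local, remote);
    return out;
}

/* Audit helper: number of printf conversions a name would trigger if it
 * were (wrongly) used as a format string. "%%" is a literal percent. */
int count_conversions(const char *s) {
    int n = 0;
    while ((s = strchr(s, '%')) != NULL) {
        s++;
        if (*s == '%') { s++; continue; }
        s += strspn(s, "-+ #0123456789.*'hlLqjzt");  /* flags, width, length */
        if (*s && strchr("diouxXeEfFgGaAcspnm", *s)) { n++; s++; }
    }
    return n;
}

int main(void) {
    const char *name = "aa%3Fbb";   /* file name taken from the advisory */
    char *line = status_line(name, name);
    if (!line) return 1;
    printf("%s\n%d conversion(s) in name\n", line, count_conversions(name));
    free(line);
    return 0;
}
```

Building smbclient-style code with -Wformat -Wformat-security reports the non-constant format call at compile time.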
A patch addressing this defect has been posted to
http://www.samba.org/samba/security/
Additionally, Samba 3.2.13 has been issued as a security
release to correct the defect. Samba administrators are
advised to upgrade to 3.2.13 or apply the patch as soon
as possible.
No workaround is available at this time.
This issue was found and reported to the Samba Team by
Reinhard Nißl <[email protected]> as
https://bugzilla.samba.org/show_bug.cgi?id=6478
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team