3.6 Low
CVSS2
Access Vector
NETWORK
Access Complexity
HIGH
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:H/Au:S/C:P/I:P/A:N
0.001 Low
EPSS
Percentile
47.6%
Winbind allows for the further restriction of authenticated PAM logins using
the require_membership_of parameter. System administrators may specify a list
of SIDs or groups for which an authenticated user must be a member of. If an
authenticated user does not belong to any of the entries, then login should
fail. Invalid group name entries are ignored.
Samba versions 3.3.10, 3.4.3, 3.5.0 and later incorrectly allow login from
authenticated users if the require_membership_of parameter specifies only
invalid group names.
This is a vulnerability with low impact. All require_membership_of group
names must be invalid for this bug to be encountered.
Patches addressing this issue have been posted to:
http://www.samba.org/samba/security/
Samba versions 3.6.22, 4.0.13, and 4.1.3 have been released to address this
issue.
Ensure that the require_membership_of parameter only refers to SIDs or valid
Active Directory group names.
This problem was found by Noel Power from SUSE who also provided the patch
to fix the issue.
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team