CVSS3: 5.9 Medium
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

CVSS2: 4.3 Medium
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N

EPSS: 0.019 Low
Percentile: 88.3%

Versions of Samba from 3.6.0 to 4.4.0 inclusive are vulnerable to
denial of service attacks (crashes and high CPU consumption)
in the DCE-RPC client and server implementations. In addition,
errors in validation of the DCE-RPC packets can lead to a downgrade
of a secure connection to an insecure one.

While we think it is unlikely, there's a nonzero chance for
a remote code execution attack against the client components,
which are used by smbd, winbindd and tools like net, rpcclient and
others. This may give the attacker root access.

The above applies to all possible server roles Samba can operate in.

Note that versions before 3.6.0 had completely different marshalling
functions for the generic DCE-RPC layer. It's quite possible that
that code has similar problems!

The downgrade of a secure connection to an insecure one may
allow an attacker to take control of Active Directory object
handles created on a connection created from an Administrator
account and re-use them on the now non-privileged connection,
compromising the security of the Samba AD-DC.

A patch addressing this defect has been posted to
https://www.samba.org/samba/security/

Additionally, Samba 4.4.2, 4.3.8 and 4.2.11 have been issued as
security releases to correct the defect. Samba vendors and administrators
running affected versions are advised to upgrade or apply the patch as
soon as possible.

Note that Samba 4.4.1, 4.3.7 and 4.2.10 were privately released to vendors,
but had a regression, which is fixed in 4.4.2, 4.3.8 and 4.2.11.

Workaround: None.

Thanks to Jouni Knuutinen from Synopsys for discovering and
reporting this security bug using the Defensics product.

The analysis of this problem was done by Jeremy Allison of
the Samba Team and Google (https://google.com), and Stefan Metzmacher of
SerNet (https://samba.plus) and the Samba Team.
They provide the fixes in collaboration with the Samba Team
(https://www.samba.org).
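
For triaging hosts against the release information in the advisory above, the following is an added example (not part of the advisory or of Samba) that classifies an upstream version string. The function names and status labels are this example's own, and the sample inputs are constructed. Distribution packages may carry the patch under an older upstream version number, so a "vulnerable" result should be confirmed against the vendor's changelog.

```python
import re

# Release data from the advisory text; status names are this example's own.
FIXED = {(4, 2): 11, (4, 3): 8, (4, 4): 2}        # first public fixed release per branch
VENDOR_ONLY = {(4, 2, 10), (4, 3, 7), (4, 4, 1)}  # private vendor releases with a regression
FIRST_AFFECTED, LAST_AFFECTED = (3, 6, 0), (4, 4, 0)


def parse_version(text):
    """Extract (major, minor, patch) from a string such as 'Version 4.3.11-Ubuntu'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(g) for g in m.groups())


def triage(version_text):
    """Classify an upstream Samba version against the advisory's release data."""
    v = parse_version(version_text)
    if v in VENDOR_ONLY:
        return "vendor-regression"   # move to the public fixed release
    fixed_patch = FIXED.get(v[:2])
    # Assumption: later point releases on a fixed branch keep the fix.
    if fixed_patch is not None and v[2] >= fixed_patch:
        return "fixed"
    if v < FIRST_AFFECTED:
        return "pre-3.6.0"           # different marshalling code, not cleared by the advisory
    if v <= LAST_AFFECTED:
        return "vulnerable"          # upgrade or apply the patch
    return "not-covered"             # newer than anything the advisory lists


if __name__ == "__main__":
    # Constructed sample inputs, not output captured from real hosts.
    for sample in ["Version 3.5.22", "Version 3.6.25", "Version 4.1.23",
                   "Version 4.2.10", "Version 4.3.11-Ubuntu", "Version 4.4.0",
                   "Version 4.4.2", "Version 4.5.0"]:
        print(f"{sample:24} {triage(sample)}")
```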