7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.015 Low
EPSS
Percentile
86.9%
The NetBIOS over TCP/IP name resolution protocol is implemented
as a UDP datagram on port 137.
The AD DC client and server-side processing code for NBT name resolution
will enter a tight loop if a UDP packet with 0 data length is
received. The client for this case is only found in the AD DC side of
the codebase, not that used by the the member server or file server.
Patches addressing both these issues have been posted to:
https://www.samba.org/samba/security/
Additionally, Samba Samba 4.10.17, 4.11.11, and 4.12.4 have been issued
as security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.
CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (7.5)
The NBT server (UDP port 137) is provided by nmbd in the
file-server configuration, which is not impacted by this issue.
In the AD DC, the NBT server can be disabled with
‘disable netbios = yes’.
Originally reported by Martin von Wittich
<[email protected]> and Wilko Meyer <[email protected]>
of IServ GmbH.
Patches provided by Gary Lockyer of Catalyst and the Samba Team.
Advisory written by Andrew Bartlett of Catalyst and the Samba Team.
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.015 Low
EPSS
Percentile
86.9%