Search results for "Samba", sorted by most viewed

174 matches found

Remote code execution in Samba's WINS
Samba • added 2007/11/15 • 9168 views

Description: Secunia Research reported a vulnerability that allows for the execution of arbitrary code in nmbd. This defect may only be exploited when the "wins support" parameter has been enabled in smb.conf. Patch Availability: A patch addressing this defect has been posted to...

CVSS 9.3 • AI score 8.6 • EPSS 0.1125 • Exploits: 1
CVE-2013-4496: Password lockout not enforced for SAMR password changes
Samba • added 2014/03/11 • 2083 views

Description: Samba versions 3.4.0 and above allow the administrator to implement locking out Samba accounts after a number of bad password attempts. However, all released versions of Samba did not implement this check for password changes, such as are available over multiple SAMR and RAP interface...

CVSS 5 • AI score 9 • EPSS 0.10557 • Exploits: 0
Denial of Service Attack on DNS and LDAP server
Samba • added 2018/08/14 • 1164 views

Description: All versions of Samba from 4.8.0 onwards are vulnerable to a denial of service attack when Samba is an Active Directory Domain Controller. Missing input sanitization checks on some of the input parameters to LDB database layer cause the LDAP server and DNS server to crash when followi...

CVSS 6.5 • AI score 7.5 • EPSS 0.10839 • Exploits: 0
SMB client connections for IPC traffic are not integrity protected
Samba • added 2016/04/12 • 793 views

Description: Samba has an option called "client signing"; this is turned off by default for performance reasons on file transfers. This option is also used when using DCERPC with ncacn_np. In order to get integrity protection for IPC-related communication by default, the "client ipc signing" option ...

CVSS 5.9 • AI score 0.4 • EPSS 0.10315 • Exploits: 0
Unauthenticated domain takeover via netlogon ("ZeroLogon")
Samba • added 2020/09/18 • 778 views

Description: The following applies to Samba used as domain controller only (most seriously the Active Directory DC, but also the classic/NT4-style DC). Installations running Samba as a file server only are not directly affected by this flaw, though they may need configuration changes to continue to...

CVSS 10 • AI score 7.1 • EPSS 0.99512 • Exploits: 75
Confidential attribute disclosure from the AD LDAP
Samba • added 2018/08/14 • 712 views

Description: All versions of the Samba Active Directory LDAP server from 4.0.0 onwards are vulnerable to the disclosure of confidential attribute values, both of attributes where the schema SEARCH_FLAG_CONFIDENTIAL (0x80) searchFlags bit is set and where an explicit Access Control Entry has been specified on...

CVSS 6.5 • AI score 0.5 • EPSS 0.02195 • Exploits: 0
Denial of Service Attack on AD DC DRSUAPI server
Samba • added 2018/08/14 • 673 views

Description: All versions of Samba from 4.7.0 onwards are vulnerable to a denial of service attack which can crash the "samba" process when Samba is an Active Directory Domain Controller. Missing database output checks on the returned directory attributes from the LDB database layer cause the...

CVSS 6.5 • AI score 1.5 • EPSS 0.02546 • Exploits: 0
Man in the middle attacks possible with NTLMSSP
Samba • added 2016/04/12 • 656 views

Description: There are several man in the middle attacks possible with NTLMSSP authentication. E.g. NTLMSSP_NEGOTIATE_SIGN and NTLMSSP_NEGOTIATE_SEAL can be cleared by a man in the middle. This was by protocol design in earlier Windows versions. Windows Server 2003 RTM and Vista RTM introduced a way t...

CVSS 7.4 • AI score 0.7 • EPSS 0.0938 • Exploits: 0
SMB1/2/3 connections may not require signing where they should
Samba • added 2017/09/20 • 648 views

Description: There are several code paths where the code doesn't enforce SMB signing: The fixes for CVE-2015-5296 didn't apply the implied signing protection when enforcing encryption for commands like 'smb2mount -e', 'smbcacls -e' and 'smbcquotas -e'. The python binding exported as...

CVSS 7.4 • AI score 6.9 • EPSS 0.13228 • Exploits: 0
"server signing = mandatory" not enforced
Samba • added 2016/04/12 • 641 views

Description: Due to a regression introduced in Samba 4.0.0, an explicit "server signing = mandatory" in the global section of the smb.conf was not enforced for clients using the SMB1 protocol. As a result it does not enforce SMB signing and allows man in the middle attacks. This problem applies to...

CVSS 5.9 • AI score 6.8 • EPSS 0.02601 • Exploits: 0
Authenticated users can change other users' password
Samba • added 2018/03/13 • 636 views

Description: On a Samba 4 AD DC, the LDAP server in all versions of Samba from 4.0.0 onwards incorrectly validates permissions to modify passwords over LDAP, allowing authenticated users to change any other users' passwords, including administrative users and privileged service accounts, e.g. Domain...

CVSS 8.8 • AI score 8.7 • EPSS 0.10308 • Exploits: 1
Symlink race allows access outside share definition.
Samba • added 2017/03/23 • 633 views

Description: All versions of Samba prior to 4.6.1, 4.5.7, 4.4.12 are vulnerable to a malicious client using a symlink race to allow access to areas of the server file system not exported under the share definition. Samba uses the realpath system call to ensure when a client requests access to a...

CVSS 7.5 • AI score 7.8 • EPSS 0.11181 • Exploits: 3
Format string vulnerability in smbclient
Samba • added 2009/06/23 • 627 views

Description: The smbclient utility in Samba 3.2.0 - 3.2.12 contains a format string vulnerability where commands dealing with file names treat user input as format strings to asprintf. An example is: "smb: \ put aa%3Fbb" → "putting file aa%3Fbb as \aa0,000000bb 0,0 kb/s average 0,0 kb/s". As is obvious,...

CVSS 9.3 • AI score 7.2 • EPSS 0.12222 • Exploits: 1
Remote code execution from a writable share.
Samba • added 2017/05/24 • 619 views

Description: All versions of Samba from 3.5.0 onwards are vulnerable to a remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it. Patch Availability: A patch addressing this defect has been...

CVSS 10 • AI score 8.1 • EPSS 0.99448 • Exploits: 24
Use-after-free vulnerability.
Samba • added 2017/11/21 • 598 views

Description: All versions of Samba from 4.0.0 onwards are vulnerable to a use-after-free vulnerability, where a malicious SMB1 request can be used to control the contents of heap memory via a deallocated heap pointer. It is possible this may be used to compromise the SMB server. Patch Availability...

CVSS 9.8 • AI score 0.1 • EPSS 0.09876 • Exploits: 0
SMB3 connections don't keep encryption across DFS redirects
Samba • added 2017/09/20 • 597 views

Description: Client command line tools like 'smbclient' as well as applications using the 'libsmbclient' library have support for requiring encryption. This is activated by the '-e|--encrypt' command line option or the smbc_setOptionSmbEncryptionLevel library call. By default, only SMB1 is used in orde...

CVSS 7.4 • AI score 7.6 • EPSS 0.04595 • Exploits: 0
Missing TLS certificate validation allows man in the middle attacks
Samba • added 2016/04/12 • 586 views

Description: Samba has support for TLS/SSL for some protocols: ldap and http, but currently certificates are not validated at all. While we have a "tls cafile" option, the configured certificate is not used to validate the server certificate. This applies to ldaps:// connections triggered by tools...

CVSS 7.4 • EPSS 0.02581 • Exploits: 0
NETLOGON Spoofing Vulnerability.
Samba • added 2016/04/12 • 577 views

Description: It's basically the same as CVE-2015-0005 for Windows: The NETLOGON service in Microsoft Windows Server 2003 SP2, Windows Server 2008 SP2 and R2 SP1, and Windows Server 2012 Gold and R2, when a Domain Controller is configured, allows remote attackers to spoof the computer name of a...

CVSS 6.3 • AI score 0.5 • EPSS 0.18171 • Exploits: 2
Unexpected code execution in smbd.
Samba • added 2015/02/23 • 571 views

Description: All versions of Samba from 3.5.0 to 4.2.0rc4 are vulnerable to an unexpected code execution vulnerability in the smbd file server daemon. A malicious client could send packets that may set up the stack in such a way that the freeing of memory in a subsequent anonymous netlogon packet...

CVSS 10 • AI score 8.5 • EPSS 0.87636 • Exploits: 7
Flaws in Kerberos PAC validation can trigger privilege elevation.
Samba • added 2016/12/19 • 567 views

Description: The winbindd part of Samba offers verification and unpacking of the PAC (Privilege Attribute Certificate) received via Kerberos. When parsing the PAC, winbindd may write beyond the allocated buffer; however, the data involved is from the server private key and so not user-controlled...

CVSS 6.5 • AI score 0.7 • EPSS 0.06585 • Exploits: 0
Denial of service in Samba Active Directory
Samba • added 2015/12/16 • 565 views

Description: All versions of Samba from 4.0.0 to 4.3.2 inclusive, resp. all ldb versions up to 1.1.23 inclusive, are vulnerable to a denial of service attack in the samba daemon LDAP server. A malicious client can send packets that cause the LDAP server in the samba daemon process to become...

CVSS 5.3 • AI score 6.4 • EPSS 0.06884 • Exploits: 0
Multiple errors in DCE-RPC code.
Samba • added 2016/04/12 • 555 views

Description: Versions of Samba from 3.6.0 to 4.4.0 inclusive are vulnerable to denial of service attacks (crashes and high CPU consumption) in the DCE-RPC client and server implementations. In addition, errors in validation of the DCE-RPC packets can lead to a downgrade of a secure connection to an...

CVSS 5.9 • AI score 7.9 • EPSS 0.19251 • Exploits: 0
Private key in key.pem world readable
Samba • added 2013/11/11 • 555 views

Description: Due to incorrect directory and file permissions a local attacker might obtain the private key that is used for the SSL/TLS encryption for ldaps (including STARTTLS on ldap) and https network traffic. The attacker is then able to decrypt encrypted network traffic which may contain...

CVSS 1.2 • AI score 5.8 • EPSS 0.00435 • Exploits: 0
Weak authentication protocol allowed.
Samba • added 2018/08/14 • 553 views

Description: Samba releases 4.7.0 to 4.8.3 inclusive contain an error which allows authentication using NTLMv1 over an SMB1 transport, either directly or via NETLOGON SamLogon calls from a member server, even when NTLMv1 is explicitly disabled on the server. Normally, the use of NTLMv1 is disabled...

CVSS 8.1 • AI score 6.7 • EPSS 0.03105 • Exploits: 0
CVE-2014-8143: Elevation of privilege to Active Directory Domain Controller
Samba • added 2015/01/15 • 552 views

Description: Samba's AD DC allows the administrator to delegate creation of user or computer accounts to specific users or groups. However, all released versions of Samba's AD DC did not implement the additional required check on the UF_SERVERTRUSTACCOUNT bit in the userAccountControl attribute. A...

CVSS 8.5 • AI score 7.4 • EPSS 0.04264 • Exploits: 0
The LDAP client and server don't enforce integrity protection
Samba • added 2016/04/12 • 549 views

Description: Samba uses various LDAP client libraries: a builtin one and/or the system LDAP libraries (typically OpenLDAP). As Active Directory domain controller Samba also provides an LDAP server. Samba takes care of doing SASL GSS-SPNEGO authentication with Kerberos or NTLMSSP for LDAP connections...

CVSS 5.9 • AI score 0.2 • EPSS 0.0938 • Exploits: 0
Denial of service attack against Windows
Samba • added 2015/12/16 • 547 views

Description: Samba, operating as an AD DC, is sometimes operated in a domain with a mix of Samba and Windows Active Directory Domain Controllers. All versions of Samba from 4.0.0 to 4.3.2 inclusive, when deployed as an AD DC in the same domain with Windows DCs, could be used to override the...

CVSS 7.5 • AI score 7.2 • EPSS 0.11526 • Exploits: 0
Samba client requesting encryption vulnerable
Samba • added 2015/12/16 • 542 views

Description: Versions of Samba from 3.2.0 to 4.3.2 inclusive do not ensure that signing is negotiated when creating an encrypted client connection to a server. Without this a man-in-the-middle attack could downgrade the connection and connect using the supplied credentials as an unsigned,...

CVSS 5.4 • AI score 6.5 • EPSS 0.07263 • Exploits: 0
Remote code execution in nmbd
Samba • added 2014/08/01 • 542 views

Description: All current versions of Samba 4.x.x are vulnerable to a remote code execution vulnerability in the nmbd NetBIOS name services daemon. A malicious browser can send packets that may overwrite the heap of the target nmbd NetBIOS name services daemon. It may be possible to use this to...

CVSS 7.9 • AI score 8.6 • EPSS 0.56378 • Exploits: 0
Denial of service - CPU loop
Samba • added 2014/06/23 • 537 views

Description: All current released versions of Samba are vulnerable to a denial of service on the nmbd NetBIOS name services daemon. A malformed packet can cause the nmbd server to loop the CPU and prevent any further NetBIOS name service. This flaw is not exploitable beyond causing the code to loo...

CVSS 3.3 • AI score 7.5 • EPSS 0.20481 • Exploits: 0
Server heap memory information leak.
Samba • added 2017/11/21 • 536 views

Description: All versions of Samba from 3.6.0 onwards are vulnerable to a heap memory information leak, where server allocated heap memory may be returned to the client without being cleared. There is no known vulnerability associated with this error, but uncleared heap memory may contain previous...

CVSS 7.5 • AI score 0.7 • EPSS 0.21408 • Exploits: 0
Client side SMB2/3 required signing can be downgraded
Samba • added 2016/07/07 • 536 views

Description: It's possible for an attacker to downgrade the required signing for an SMB2/3 client connection, by injecting the SMB2_SESSION_FLAG_IS_GUEST or SMB2_SESSION_FLAG_IS_NULL flags. This means that the attacker can impersonate a server being connected to by Samba, and return malicious results. The...

CVSS 7.5 • AI score 0.8 • EPSS 0.03122 • Exploits: 0
Insufficient input validation on client directory
Samba • added 2018/08/14 • 535 views

Description: Samba releases 3.2.0 to 4.8.3 inclusive contain an error in libsmbclient that could allow a malicious server to overwrite client heap memory by returning an extra long filename in a directory listing. Patch Availability: Patches addressing this issue have been posted to:...

CVSS 8.8 • AI score 0.8 • EPSS 0.04302 • Exploits: 0
Remote memory read in Samba LDAP server.
Samba • added 2015/12/16 • 535 views

Description: All versions of Samba from 4.0.0 to 4.3.2 inclusive, resp. all ldb versions up to 1.1.23 inclusive, are vulnerable to a remote memory read attack in the samba daemon LDAP server. A malicious client can send packets that cause the LDAP server in the samba daemon process to return heap...

CVSS 7.5 • AI score 7 • EPSS 0.06114 • Exploits: 0
Samba NDR Parsing ndr_pull_dnsp_name Heap-based Buffer
Samba • added 2016/12/19 • 534 views

Description: The Samba routine ndr_pull_dnsp_name contains an integer wrap problem, leading to an attacker-controlled memory overwrite. ndr_pull_dnsp_name parses data from the Samba Active Directory ldb database. Any user who can write to the dnsRecord attribute over LDAP can trigger this memory...

CVSS 8.8 • AI score 0.8 • EPSS 0.06226 • Exploits: 0
Denial of Service Attack on external print server.
Samba • added 2018/03/13 • 529 views

Description: All versions of Samba from 3.6.0 onwards are vulnerable to a denial of service attack when the RPC spoolss service is configured to be run as an external daemon. Missing input sanitization checks on some of the input parameters to spoolss RPC calls could cause the print spooler servic...

CVSS 4.3 • AI score 1 • EPSS 0.06691 • Exploits: 0
Remote DoS in Samba (AD) LDAP server.
Samba • added 2015/12/16 • 529 views

Description: All versions of Samba from 4.0.0 to 4.1.21 inclusive are vulnerable to an anonymous memory exhaustion attack in the samba daemon LDAP server. A malicious client can send packets that cause the LDAP server provided by the AD DC in the samba daemon process to consume unlimited memory an...

CVSS 7.5 • AI score 6.6 • EPSS 0.07116 • Exploits: 0
Unconditional privilege delegation to Kerberos servers in trusted realms
Samba • added 2016/12/19 • 525 views

Description: The Samba client code always requests a forwardable Kerberos ticket when performing Kerberos authentication by passing the GSS_C_DELEG_FLAG to the gss_init_sec_context GSSAPI function. The use of GSS_C_DELEG_FLAG, if accepted by the Kerberos KDC, results in passing the forwardable TGT to the...

CVSS 6.5 • AI score 1.3 • EPSS 0.09199 • Exploits: 0
Potential DOS in Samba internal DNS server
Samba • added 2014/06/03 • 521 views

Description: Samba versions 4.0.0 and above have a flaw in DNS protocol handling in the internal DNS server. The server will not check the "reply" flag in the DNS packet header when processing a request. That makes it vulnerable to reply to a spoofed reply packet with another reply. Two affected...

CVSS 5 • AI score 6.2 • EPSS 0.6757 • Exploits: 0
Denial of service - Server crash/memory corruption
Samba • added 2014/06/23 • 518 views

Description: All current released versions of Samba are vulnerable to a denial of service on the smbd file server daemon. Valid unicode path names stored on disk can cause smbd to crash if an authenticated client attempts to read them using a non-unicode request. The crash is caused by memory bein...

CVSS 2.7 • AI score 9.2 • EPSS 0.07269 • Exploits: 0
smbcacls will remove the ACL on a file
Samba • added 2014/03/11 • 518 views

Description: Samba versions 4.0.0 and above have a flaw in the smbcacls command. If smbcacls is used with the "-C|--chown name" or "-G|--chgrp name" command options it will remove the existing ACL on the object being modified, leaving the file or directory unprotected. Patch Availability: Patches...

CVSS 5.8 • AI score 9.2 • EPSS 0.04103 • Exploits: 1
Server memory information leak over SMB1
Samba • added 2017/09/20 • 517 views

Description: All versions of Samba are vulnerable to a server memory information leak bug over SMB1 if a client can write data to a share. Some SMB1 write requests were not correctly range checked to ensure the client had sent enough data to fulfill the write, allowing server memory contents to be...

CVSS 7.1 • EPSS 0.0759 • Exploits: 0
Insufficient symlink verification in smbd.
Samba • added 2015/12/16 • 517 views

Description: All versions of Samba from 3.0.0 to 4.3.2 inclusive are vulnerable to a bug in symlink verification, which under certain circumstances could allow client access to files outside the exported share path. If a Samba share is configured with a path that shares a common path prefix with...

CVSS 7.2 • AI score 6.7 • EPSS 0.13274 • Exploits: 1
Incorrect ACL get/set allowed on symlink path.
Samba • added 2016/03/08 • 516 views

Description: All versions of Samba from 3.2.0 to 4.4.0rc3 inclusive are vulnerable to a malicious client overwriting the ownership of ACLs using symlinks. An authenticated malicious client can use SMB1 UNIX extensions to create a symlink to a file or directory, and then use non-UNIX SMB1 calls to...

CVSS 6.5 • AI score 6.5 • EPSS 0.12938 • Exploits: 0
pam_winbind login without require_membership_of restrictions
Samba • added 2013/12/09 • 516 views

Description: Winbind allows for the further restriction of authenticated PAM logins using the require_membership_of parameter. System administrators may specify a list of SIDs or groups of which an authenticated user must be a member. If an authenticated user does not belong to any of the entrie...

CVSS 3.6 • AI score 0.1 • EPSS 0.0379 • Exploits: 1
Uninitialized memory exposure.
Samba • added 2014/06/03 • 515 views

Description: In preparing a response to an authenticated FSCTL_GET_SHADOW_COPY_DATA or FSCTL_SRV_ENUMERATE_SNAPSHOTS client request, affected versions of Samba do not initialize 8 bytes of the 16 byte SRV_SNAPSHOT_ARRAY response field. The uninitialized buffer is sent back to the client. A non-default VFS...

CVSS 3.5 • AI score 6.4 • EPSS 0.04468 • Exploits: 0
Missing access control check in shadow copy
Samba • added 2015/12/16 • 510 views

Description: All versions of Samba from 3.2.0 to 4.3.2 inclusive are vulnerable to a missing access control check in the vfs_shadow_copy2 module. When looking for the shadow copy directory under the share path, the current accessing user should have DIRECTORY_LIST access rights in order to view the...

CVSS 5.3 • AI score 6.4 • EPSS 0.13584 • Exploits: 0
Out-of-bounds read in internal DNS server
Samba • added 2016/03/08 • 505 views

Description: All versions of Samba from 4.0.0 to 4.4.0rc3 inclusive, when deployed as an AD DC and configured to run the internal DNS server, are vulnerable to an out-of-bounds read issue during DNS TXT record handling caused by users with permission to modify DNS records. A malicious client can uploa...

CVSS 5.9 • AI score 0.5 • EPSS 0.02762 • Exploits: 0
ACLs are not checked on opening an alternate
Samba • added 2013/11/11 • 484 views

Description: Samba versions 3.2.0 and above (all versions of 3.2.x, 3.3.x, 3.4.x, 3.5.x, 3.6.x, 4.0.x and 4.1.x) do not check the underlying file or directory ACL when opening an alternate data stream. According to the SMB1 and SMB2+ protocols the ACL on an underlying file or directory should contro...

CVSS 4 • AI score 7.9 • EPSS 0.09017 • Exploits: 0
DCE-RPC fragment length field is incorrectly checked.
Samba • added 2013/12/09 • 471 views

Description: Samba versions 3.4.0 and above (3.4.0 - 3.4.17, 3.5.0 - 3.5.22, 3.6.0 - 3.6.21, 4.0.0 - 4.0.12, up to and including 4.1.2) are vulnerable to buffer overrun exploits in the client processing of DCE-RPC packets. This is due to incorrect checking of the DCE-RPC fragment length in the...

CVSS 8.3 • AI score 0.4 • EPSS 0.02748 • Exploits: 0
Total number of security vulnerabilities: 174