Search results for Samba, sorted by most viewed

174 matches found

Samba
added 2013/08/05 12:00 a.m., 450 views

Denial of service - CPU loop and memory allocation.

Description: All current released versions of Samba are vulnerable to a denial of service on an authenticated or guest connection. A malformed packet can cause the smbd server to loop the CPU performing memory allocations and preventing any further service. A connection to a file share, or a local...

CVSS 5, AI score 7.5, EPSS 0.69008
Exploits: 7
Samba
added 2016/04/12 12:00 a.m., 409 views

SAMR and LSA man in the middle attacks possible

The Security Account Manager Remote Protocol (MS-SAMR) and the Local Security Authority Domain Policy Remote Protocol (MS-LSAD) are both vulnerable to man in the middle attacks. Both are application level protocols based on the generic DCE 1.1 Remote Procedure Call (DCERPC) protocol. These protocols ar...

CVSS 6.8, AI score 2.3, EPSS 0.37181
Exploits: 0
Samba
added 2019/06/19 12:00 a.m., 164 views

Samba AD DC LDAP server crash (paged searches)

Description: A user with read access to the LDAP server can crash the LDAP server process. Depending on the Samba version and the choice of process model, this may crash only the user's own connection. Specifically, while in Samba 4.10 the default is for one process per connected client,...

CVSS 6.5, AI score 6.7, EPSS 0.02845
Exploits: 0
Samba
added 2004/11/15 12:00 a.m., 156 views

Possible Buffer Overrun in smbd

Summary: A possible buffer overrun in smbd could lead to code execution by a remote user. Patch Availability: A patch for Samba 3.0.7 (samba-3.0.7-CAN-2004-0882.patch) is available from http://www.samba.org/samba/ftp/patches/security/. The patch has been signed with the "Samba Distribution Verificati...

CVSS 10, AI score 0.3, EPSS 0.1373
Exploits: 0
Samba
added 2007/05/14 12:00 a.m., 151 views

Remote Command Injection Vulnerability

Description: This bug was originally reported against the anonymous calls to the SamrChangePassword MS-RPC function in combination with the "username map script" smb.conf option, which is not enabled by default. After further investigation by Samba developers, it was determined that the problem was...

CVSS 6, AI score 8.1, EPSS 0.49759
Exploits: 15
Samba
added 2009/10/01 12:00 a.m., 149 views

Remote DoS against smbd on authenticated

Description: Smbd is susceptible to a remote DoS attack by an authenticated remote client. If the client sends a reply to an oplock break notification that Samba does not expect, it can cause smbd to spin the CPU repeatedly trying to process the unexpected packet and being unable to finish the...

CVSS 4, EPSS 0.04207
Exploits: 1
Samba
added 2007/02/05 12:00 a.m., 142 views

Format string bug in afsacl.so VFS plugin.

Description: NOTE: This security advisory only impacts Samba servers that share AFS file systems to CIFS clients and which have been explicitly instructed in smb.conf to load the afsacl.so VFS module. The source defect results in the name of a file stored on disk being used as the format string in...

CVSS 7.5, AI score 5.3, EPSS 0.06412
Exploits: 1
Samba
added 2022/01/31 12:00 a.m., 139 views

Information leak via symlinks of existence of

Description: All versions of Samba prior to 4.15.5 are vulnerable to a malicious client using a server symlink to determine if a file or directory exists in an area of the server file system not exported under the share definition. SMB1 with unix extensions has to be enabled in order for this atta...

CVSS 4.3, AI score 6.7, EPSS 0.01097
Exploits: 0
Samba
added 2019/06/19 12:00 a.m., 138 views

Samba AD DC Denial of Service in DNS management server (dnsserver)

Description: The poorly named dnsserver RPC pipe provides administrative facilities to modify DNS records and zones. An authenticated user can crash the RPC server process via a NULL pointer de-reference. There is no further vulnerability associated with this issue, merely a denial of service. Pat...

CVSS 6.5, AI score 6, EPSS 0.02179
Exploits: 0
Samba
added 2018/11/27 12:00 a.m., 138 views

Bad password count in AD DC not always effective

Description: By default, Samba will remember bad passwords for 30 min, e.g.: $ samba-tool domain passwordsettings show ... Reset account lockout after (mins): 30. This is also known as the 'bad password observation window' and is configured in the lockOutObservationWindow attribute on the domain DN or i...

CVSS 7.4, AI score 6.4, EPSS 0.02301
Exploits: 0
Samba
added 2019/05/14 12:00 a.m., 130 views

Samba AD DC S4U2Self/S4U2Proxy unkeyed checksum

Description: S4U2Self is an extension to Kerberos used in Active Directory to allow a service to request a Kerberos ticket to itself from the Kerberos Key Distribution Center (KDC) for a non-Kerberos authenticated user (principal, in Kerberos parlance). This is useful to allow internal code paths to be...

CVSS 7.5, AI score 7.6, EPSS 0.02486
Exploits: 0
Samba
added 2013/01/15 12:00 a.m., 130 views

A Samba AD DC may provide authenticated users with

Description: In AD, Access Control Entries can be assigned based on the objectClass of the object. If a user, or a group the user is a member of, has any access based on the objectClass, then that user has write access to that object. Additionally, if a user has write access to any attribute on the...

CVSS 3.5, AI score 7.6, EPSS 0.02426
Exploits: 0
Samba
added 2018/11/27 12:00 a.m., 128 views

NULL pointer de-reference in Samba AD DC DNS servers

Description: During the processing of a DNS zone in the DNS management DCE/RPC server, the internal DNS server or the Samba DLZ plugin for BIND9, if the DSPROPERTY_ZONE_MASTER_SERVERS property or DSPROPERTY_ZONE_SCAVENGING_SERVERS property is set, the server will follow a NULL pointer and terminate...

CVSS 6.5, AI score 0.6, EPSS 0.02227
Exploits: 0
Samba
added 2018/11/27 12:00 a.m., 126 views

Unprivileged adding of CNAME record causing loop

Description: All versions of Samba from 4.0.0 onwards are vulnerable to infinite query recursion caused by CNAME loops. Any DNS record can be added via LDAP by an unprivileged user using the ldbadd tool, so this is a security issue. Patch Availability: Patches addressing both these issues have been...

CVSS 6.5, AI score 6.8, EPSS 0.05192
Exploits: 1
Samba
added 2004/02/09 12:00 a.m., 123 views

mksmbpasswd shell script may create accounts

Description: It has been confirmed that previous versions of Samba 3.0 are susceptible to a password initialization bug that could grant an attacker unauthorized access to a user account created by the mksmbpasswd.sh shell script. Samba administrators not wishing to upgrade to the current version...

CVSS 7.5, AI score 6.2, EPSS 0.03497
Exploits: 0
Samba
added 2022/12/15 12:00 a.m., 122 views

RC4/HMAC-MD5 NetLogon Secure Channel is weak and should be avoided

Description: This is Samba's response to Microsoft's CVE-2022-3802312. Following RFC8429, and as has been published for CVE-2022-3938, rc4-hmac (also known as arcfour-hmac-md5) cryptography in Kerberos is weak; it then follows that the RC4 mode in the NETLOGON Secure Channel DCE/RPC bulk encryption i...

CVSS 8.1, AI score 7.4, EPSS 0.02559
Exploits: 0
Samba
added 2018/11/27 12:00 a.m., 121 views

NULL pointer de-reference in Samba AD DC LDAP server

Description: During the processing of an LDAP search, before Samba's AD DC returns the LDAP entries to the client, the entries are cached in a single memory object with a maximum size of 256MB. When this size is reached, the Samba process providing the LDAP service will follow the NULL pointer,...

CVSS 6.5, EPSS 0.03251
Exploits: 0
Samba
added 2019/09/03 12:00 a.m., 118 views

Combination of parameters and permissions can allow user

Description: On a Samba SMB server, for all versions of Samba from 4.9.0, clients are able to escape outside the share root directory if certain configuration parameters are set in the smb.conf file. The problem is reproducible if the 'wide links' option is explicitly set to 'yes' and either 'unix...

CVSS 9.1, AI score 6.8, EPSS 0.03182
Exploits: 0
Samba
added 2004/07/22 12:00 a.m., 110 views

Potential Buffer Overrun in SWAT

Description: The internal routine used by the Samba Web Administration Tool (SWAT) v3.0.2 and later to decode the base64 data during HTTP basic authentication is subject to a buffer overrun caused by an invalid base64 character. It is recommended that all Samba v3.0.2 or later installations running...

CVSS 10, AI score 6.4, EPSS 0.29441
Exploits: 1
Samba
added 2010/02/02 12:00 a.m., 105 views

Change parameter "wide links" to default to "no";

Description: The problem comes from a combination of two features in Samba, each of which on their own are useful to Administrators, but in combination allow users to access any file on the system that their logged in username has permissions to read (this is not a privilege escalation problem). By...

CVSS 3.5, AI score 7.4, EPSS 0.3053
Exploits: 6
Samba
added 2012/02/23 12:00 a.m., 103 views

Remote code execution vulnerability in smbd

Description: Samba versions up to 3.4.0 do not ensure that AndX offsets of the smb daemon (smbd) are increasing strictly monotonically. Therefore a remote code execution vulnerability exists in the smbd service. A remote attacker could use the vulnerability to launch an exploit over a network...

CVSS 7.9, AI score 2, EPSS 0.06572
Exploits: 1
Samba
added 2018/11/27 12:00 a.m., 100 views

Double-free in Samba AD DC KDC with PKINIT

Description: When configured to accept smart-card authentication, Samba's KDC will call talloc_free twice on the same memory if the principal in a validly signed certificate does not match the principal in the AS-REQ. This is only possible after authentication with a trusted certificate. talloc is...

CVSS 6.5, AI score 6.5, EPSS 0.04586
Exploits: 0
Samba
added 2010/06/16 12:00 a.m., 97 views

Memory Corruption Vulnerability

Description: Samba versions 3.3.12 and all versions previous to this are affected by a memory corruption vulnerability. Samba versions 3.4.0 and all releases since this version are NOT affected by this problem. In particular, the current stable Samba version 3.5.3 is NOT affected by this problem...

CVSS 7.5, AI score 0.9, EPSS 0.78702
Exploits: 5
Samba
added 2021/11/09 12:00 a.m., 96 views

Use after free in Samba AD DC RPC server

Description: In DCE/RPC it is possible to share the handles (cookies for resource state) between multiple connections via a mechanism called 'association groups'. These handles can reference connections to our sam.ldb database. However, while the database was correctly shared, the user credentials...

CVSS 8.8, AI score 8.6, EPSS 0.01843
Exploits: 0
Samba
added 2007/09/11 12:00 a.m., 96 views

Incorrect primary group assignment for

Description: The idmap_ad.so library provides an nss_info extension to Winbind for retrieving a user's home directory path, login shell and primary group id from an Active Directory domain controller. This functionality is enabled by defining the "winbind nss info" smb.conf option to either "sfu" or...

CVSS 6.9, AI score 7.2, EPSS 0.00724
Exploits: 1
Samba
added 2022/07/27 12:00 a.m., 95 views

Samba AD users can induce a use-after-free in the

Description: Some database modules make a shallow copy of an LDAP add/delete message so they can make modifications to its elements without affecting the original message. Each element in a message points to an array of values, and these arrays are shared between the original message and the copy...

AI score 7.3, EPSS 0.01064
Exploits: 0
Samba
added 2019/04/08 12:00 a.m., 95 views

World writable files in Samba AD DC private/ dir

Description: During the creation of a new Samba AD DC, files are created in the private/ subdirectory of our install location. This directory is typically mode 0700, that is, owner (root) only access. However, in some upgraded installations it will have other permissions, such as 0755, because this...

CVSS 6.1, AI score 6.6, EPSS 0.00552
Exploits: 1
Samba
added 2011/07/26 12:00 a.m., 94 views

Cross-Site Scripting vulnerability in SWAT

Description: All current released versions of Samba are vulnerable to a cross-site scripting issue in the Samba Web Administration Tool (SWAT). On the "Change Password" field, it is possible to insert arbitrary content into the "user" field. This issue is only exploitable if CVE-2011-2522 has not be...

CVSS 6.8, AI score 7.4, EPSS 0.10046
Exploits: 6
Samba
added 2020/10/29 12:00 a.m., 90 views

Unprivileged user can crash winbind

Description: winbind in version 3.6 and later implements a request to translate multiple Windows SIDs into names in one request. This was done for performance reasons: Active Directory domain controllers can do multiple SID to name translations in one RPC call. It was an obvious extension to also...

CVSS 5.5, AI score 0.2, EPSS 0.00613
Exploits: 0
Samba
added 2021/03/24 12:00 a.m., 87 views

Heap corruption via crafted DN strings

Description: A DN may be represented in string form with arbitrary amounts of space around the component values. These spaces are supposed to be ignored, but invalid DN strings with spaces may instead cause a zero byte to be written into out-of-bounds memory. An LDAP bind request can send a strin...

CVSS 7.5, AI score 0.2, EPSS 0.03833
Exploits: 0
Samba
added 2020/04/28 12:00 a.m., 87 views

Use-after-free in Samba AD DC LDAP Server with ASQ

Description: Samba has, since Samba 4.0, supported the Paged Results LDAP feature, to allow clients to obtain pages of search results against a Samba AD DC using an LDAP control. Since Samba 4.7.11 and 4.8.6 a Denial of Service prevention has been in place in this module, to age out old client...

CVSS 5.3, AI score 7.1, EPSS 0.01968
Exploits: 0
Samba
added 2012/04/10 12:00 a.m., 87 views

"root" credential remote code execution.

Description: Samba versions 3.6.3 and all versions previous to this are affected by a vulnerability that allows remote code execution as the "root" user from an anonymous connection. The code generator for Samba's remote procedure call (RPC) code contained an error which caused it to generate code...

CVSS 10, AI score 1, EPSS 0.74034
Exploits: 9
Samba
added 2021/03/24 12:00 a.m., 86 views

Out of bounds read in AD DC LDAP server

Description: A string in an LDAP attribute that contains multiple consecutive leading spaces can lead to a memmove of out of bounds memory in ldb_handler_fold. ldb_handler_fold is used by case insensitive strings (that is, most string attributes) in Active Directory. As the search expression is...

CVSS 7.5, AI score 7.8, EPSS 0.04328
Exploits: 0
Samba
added 2020/04/28 12:00 a.m., 83 views

LDAP Denial of Service (stack overflow) in

Description: LDAP is encoded as ASN.1, and LDAP filters are defined recursively as Filter ::= CHOICE { and [0] SET OF Filter, or [1] SET OF Filter, not [2] Filter, ... }. This recursion is mirrored in Samba's recursive descent parser, which consumes around 600 bytes of stack per filter sent by the client. In Samb...

CVSS 7.5, AI score 7.6, EPSS 0.03455
Exploits: 0
Samba
added 2023/07/19 12:00 a.m., 82 views

Samba AD users can bypass certain restrictions

Description: The KDC and the kpasswd service share a single account and set of keys. In certain cases, this makes the two services susceptible to confusion. When a user's password has expired, that user is requested to change their password. Until doing so, the user is restricted to only acquiring...

CVSS 8.8, AI score 0.2, EPSS 0.00965
Exploits: 0
Samba
added 2023/07/19 12:00 a.m., 82 views

Samba Spotlight mdssvc RPC Request Type

Description: When parsing Spotlight mdssvc RPC packets, one encoded data structure is a key-value style dictionary where the keys are character strings and the values can be any of the supported types in the mdssvc protocol. Due to a lack of type checking in callers of the function...

CVSS 5.3, AI score 6.6, EPSS 0.62606
Exploits: 0
Samba
added 2013/01/30 12:00 a.m., 81 views

Clickjacking in SWAT

Description: All current released versions of Samba are vulnerable to clickjacking in the Samba Web Administration Tool (SWAT). When the SWAT pages are integrated into a malicious web page via a frame or iframe and then overlaid by other content, an attacker could trick an administrator to potential...

CVSS 5.1, AI score 6.5, EPSS 0.03248
Exploits: 0
Samba
added 2009/10/01 12:00 a.m., 81 views

Information disclosure by setuid mount.cifs

Description: The mount.cifs program allows a user to pass in the name of a credentials file or a file containing a password via several different means. When installed as a setuid program, it does not check to see whether the user would have had access to this file prior to gaining root privileges...

CVSS 1.9, AI score 0.5, EPSS 0.0052
Exploits: 1
Samba
added 2021/11/09 12:00 a.m., 80 views

A user in an AD Domain could become root on

Description: Windows Active Directory (AD) domains have by default a feature to allow users to create computer accounts, controlled by ms-DS-MachineAccountQuota. In addition, some presumably trusted users have the right to create new users or computers in both Samba and Windows Active Directory...

CVSS 8.5, AI score 8.6, EPSS 0.01612
Exploits: 0
Samba
added 2007/12/10 12:00 a.m., 80 views

Boundary failure in GETDC mailslot

Description: Secunia Research reported a vulnerability that allows for the execution of arbitrary code in nmbd. This defect can only be exploited when the "domain logons" parameter has been enabled in smb.conf. Patch Availability: A patch addressing this defect has been posted to...

CVSS 9.3, AI score 8.6, EPSS 0.27482
Exploits: 1
Samba
added 2013/04/02 12:00 a.m., 79 views

A writable configured share might get read only

Description: Due to an assignment vs equality bug, a share reference might get overwritten. This can lead to 'read only = no' from another share leaking into a 'read only = yes' share for subsequent connections. This is a re-evaluation of an already fixed bug. Workaround: Update to 3.6.6 and higher...

CVSS 4, AI score 5.8, EPSS 0.02981
Exploits: 0
Samba
added 2009/01/05 12:00 a.m., 78 views

Potential access to "/" in setups with

Description: When connecting to a share called "" (empty string) using an older version of smbclient before 3.0.28, for example with 'smbclient //server/ -U user%pass', access to the root filesystem is granted with the privileges of the authenticated user. This only happens in setups with registry...

CVSS 6.3, EPSS 0.03534
Exploits: 1
Samba
added 2021/11/09 12:00 a.m., 74 views

SMB1 client connections can be downgraded to plaintext authentication

Description: An attacker can downgrade a negotiated SMB1 client connection and its capabilities. Kerberos authentication is only possible with the SMB2/3 protocol or SMB1 using the NT1 dialect and the extended security (SPNEGO) capability. Without mandatory SMB signing the protocol can be downgrad...

CVSS 5.9, AI score 1.3, EPSS 0.0176
Exploits: 0
Samba
added 2007/05/14 12:00 a.m., 74 views

Local SID/Name translation bug can result

Description: When translating SIDs to/from names using Samba's local list of user and group accounts, a logic error in the smbd daemon's internal security stack may result in a transition to the root user id rather than the non-root user. The user is then able to temporarily issue SMB/CIFS protocol...

CVSS 7.2, AI score 8.3, EPSS 0.00783
Exploits: 0
Samba
added 2020/01/21 12:00 a.m., 73 views

Use after free during DNS zone scavenging

Description: Samba 4.9 introduced an off-by-default feature to tombstone dynamically created DNS records that had reached their expiry time. This feature is controlled by the smb.conf option 'dns zone scavenging = yes'. There is a use-after-free issue in this code, essentially due to a call to reall...

CVSS 6.5, EPSS 0.03069
Exploits: 0
Samba
added 2008/05/29 12:00 a.m., 72 views

Boundary failure when parsing SMB responses

Description: Secunia Research reported a vulnerability that allows for the execution of arbitrary code in smbd. This defect is a result of an incorrect buffer size when parsing SMB replies in the routine receive_smb_raw. Patch Availability: A patch addressing this defect has been posted to...

CVSS 7.5, AI score 8.9, EPSS 0.69085
Exploits: 2
Samba
added 2022/12/15 12:00 a.m., 71 views

Samba AD DC using Heimdal can be forced to

Description: Kerberos, the trusted third party authentication system at the heart of Active Directory, issues a ticket using a key known to the target server but nobody else, returned to the client in a TGS-REP. This key needs to be of a type understood only by the KDC and target server. However,...

CVSS 9.8, AI score 9, EPSS 0.00454
Exploits: 0
Samba
added 2022/01/31 12:00 a.m., 70 views

Samba AD users with permission to write to

Description: The Samba AD DC includes checks when adding service principal names (SPNs) to an account to ensure that SPNs do not alias with those already in the database. Some of these checks are able to be bypassed if an account modification re-adds an SPN that was previously present on that...

CVSS 8.8, AI score 0.3, EPSS 0.01254
Exploits: 0
Samba
added 2020/10/29 12:00 a.m., 69 views

An authenticated user can crash the DCE/RPC DNS with

Description: Some DNS records, such as MX and NS records, usually contain data in the additional section. Samba's dnsserver RPC pipe (an administrative interface not used in the DNS server itself) made an error in handling the case where there are no records present: instead of noticing the...

CVSS 6.5, AI score 7.1, EPSS 0.0218
Exploits: 0
Samba
added 2017/07/12 12:00 a.m., 69 views

Orpheus' Lyre mutual authentication validation bypass

All versions of Samba from 4.0.0 include an embedded copy of Heimdal Kerberos. Heimdal has made a security release, which disclosed: "Fix CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation. This is a critical vulnerability. In _krb5_extract_ticket the KDC-REP service name must be obtained...

CVSS 6.8, AI score 1, EPSS 0.05118
Exploits: 0
Total number of security vulnerabilities: 174