Search results for "Samba" (sorted by most viewed)

174 matches found

Samba • added 2013/03/19 12:00 a.m. • 69 views

World-writeable files may be created in additional shares on a

Description: Administrators of the Samba 4.0 Active Directory Domain Controller might unexpectedly find files created world-writeable if additional CIFS file shares are created on the AD DC. By default the AD DC is not vulnerable to this issue, as a specific inheritable ACL is set on the files in...

CVSS 6 • AI score 7.1 • EPSS 0.02155 • Exploits 0

Samba • added 2020/10/29 12:00 a.m. • 68 views

Missing handle permissions check in SMB1/2/3

Description: The SMB1/2/3 protocols have a concept of "ChangeNotify", where a client can request file name notification on a directory handle when a condition such as "new file creation" or "file size change" or "file timestamp update" occurs. A missing permissions check on a directory handle...

CVSS 4.3 • AI score 5.9 • EPSS 0.01521 • Exploits 0

Samba • added 2004/09/30 12:00 a.m. • 68 views

Potential Arbitrary File Access

Summary: A remote attacker may be able to gain access to files which exist outside of the share's defined path. Such files must still be readable by the account used for the connection. Patch Availability: The patch for Samba 3.0.2a and earlier releases 3.0.x samba-3.0.2a-reducename.patch can be...

CVSS 7.5 • AI score 0.1 • EPSS 0.04887 • Exploits 1

Samba • added 2023/10/10 12:00 a.m. • 66 views

Samba AD DC password exposure to privileged

Description: In normal operation, passwords and most secrets are never disclosed over LDAP in Active Directory. However, due to a design flaw in Samba's implementation of the DirSync control, Active Directory accounts authorized to do some replication, but not to replicate sensitive attributes, ca...

CVSS 7.5 • AI score 6.9 • EPSS 0.01151 • Exploits 0

Samba • added 2022/12/15 12:00 a.m. • 66 views

rc4-hmac Kerberos session keys issued

Description: Kerberos, the trusted third party authentication system at the heart of Active Directory, issues a session key known to the target server and the client, encrypted to both services in a TGS-REP. The key algorithm chosen for here is then used for the subsequent signed or encrypted...

CVSS 8.1 • AI score 8.7 • EPSS 0.02772 • Exploits 0

Samba • added 2021/11/09 12:00 a.m. • 65 views

Subsequent DCE/RPC fragment injection vulnerability

Description: Samba implements DCE/RPC, and in most cases it is provided over and protected by the underlying SMB transport, with protections like 'SMB signing'. However there are other cases where large DCE/RPC request payloads are exchanged and fragmented into several pieces. If this happens over...

CVSS 7.5 • AI score 0.2 • EPSS 0.01953 • Exploits 0

Samba • added 2020/01/21 12:00 a.m. • 65 views

Replication of ACLs set to inherit down a

Description: A newly delegated right, but more importantly the removal of a delegated right, would not be inherited on any DC other than the one where the change was made. For example: - if a user or group was previously delegated the right to create or modify a subtree say to allow desktop suppor...

CVSS 5.5 • AI score 6.2 • EPSS 0.01521 • Exploits 0

Samba • added 2022/01/31 12:00 a.m. • 62 views

Out-of-bounds heap read/write vulnerability

Description: All versions of Samba prior to 4.13.17 are vulnerable to an out-of-bounds heap read write vulnerability that allows remote attackers to execute arbitrary code as root on affected Samba installations that use the VFS module vfs_fruit. The specific flaw exists within the parsing of EA...

CVSS 9 • AI score 0.5 • EPSS 0.74042 • Exploits 1

Samba • added 2022/10/25 12:00 a.m. • 60 views

Buffer overflow in Heimdal unwrap_des3()

Description: The DES for Samba 4.11 and earlier and Triple-DES decryption routines in the Heimdal GSSAPI library allow a length-limited write buffer overflow on malloc allocated memory when presented with a maliciously small packet. Examples of where Samba can use GSSAPI include the client and...

CVSS 6.5 • EPSS 0.0369 • Exploits 0

Samba • added 2022/07/27 12:00 a.m. • 60 views

Samba AD users can crash the server process with an

Description: Due to incorrect values used as the limit for a loop and as the 'count' parameter to memcpy, the server, receiving a specially crafted message, leaves an array of structures partially uninitialised, or accesses an arbitrary element beyond the end of an array. Outcomes achievable by an...

AI score 8.5 • EPSS 0.00904 • Exploits 0

Samba • added 2016/04/12 12:00 a.m. • 60 views

SAMR and LSA man in the middle attacks possible

Description: The Security Account Manager Remote Protocol MS-SAMR and the Local Security Authority Domain Policy Remote Protocol MS-LSAD are both vulnerable to man in the middle attacks. Both are application level protocols based on the generic DCE 1.1 Remote Procedure Call DCERPC protocol. These...

CVSS 7.5 • AI score 0.1 • EPSS 0.3693 • Exploits 0

Samba • added 2008/08/27 12:00 a.m. • 60 views

Wrong permissions of group_mapping.ldb

Description: The file group_mapping.ldb is created with the permissions 0666. That means everyone is able to edit this file and gain additional access rights while connecting remotely to the Samba server. By manipulating the SID mappings contained in this file, it is also possible to establish a...

CVSS 2.1 • AI score 6.1 • EPSS 0.00533 • Exploits 1

Samba • added 2012/04/30 12:00 a.m. • 59 views

Incorrect permission checks when granting/removing

Description: Samba versions 3.4.x to 3.6.4 inclusive are affected by a vulnerability that allows arbitrary users to modify privileges on a file server. Security checks were incorrectly applied to the Local Security Authority LSA remote procedure calls RPC CreateAccount, OpenAccount,...

CVSS 6.5 • AI score 1.7 • EPSS 0.04803 • Exploits 0

Samba • added 2020/07/02 12:00 a.m. • 57 views

Empty UDP packet DoS in Samba AD DC nbtd

Description: The NetBIOS over TCP/IP name resolution protocol is implemented as a UDP datagram on port 137. The AD DC client and server-side processing code for NBT name resolution will enter a tight loop if a UDP packet with 0 data length is received. The client for this case is only found in the...

CVSS 7.5 • AI score 8.1 • EPSS 0.03539 • Exploits 0

Samba • added 2013/01/30 12:00 a.m. • 56 views

Cross-Site Request Forgery in SWAT

Description: All current released versions of Samba are vulnerable to a cross-site request forgery in the Samba Web Administration Tool SWAT. By guessing a user's password and then tricking a user who is authenticated with SWAT into clicking a manipulated URL on a different web page, it is possibl...

CVSS 5.1 • AI score 6.6 • EPSS 0.01906 • Exploits 0

Samba • added 2004/07/22 12:00 a.m. • 56 views

Potential Buffer Overrun in smbd

Description: A buffer overrun has been located in the code used to support the 'mangling method = hash' smb.conf option. Please be aware that the default setting for this parameter is 'mangling method = hash2' and therefore not vulnerable. Affected Samba 3 installations can avoid this possible...

CVSS 5 • AI score 6.3 • EPSS 0.03666 • Exploits 0

Samba • added 2022/07/27 12:00 a.m. • 55 views

Samba AD users can forge password change requests for

Description: Tickets received by the kpasswd service were decrypted without specifying that only that service's own keys should be tried. By setting the ticket's server name to a principal associated with their own account, or by exploiting a fallback where known keys would be tried until a suitab...

EPSS 0.00956 • Exploits 0

Samba • added 2020/07/02 12:00 a.m. • 53 views

LDAP Use-after-free in Samba AD DC Global Catalog with

Description: Samba 4.5 and later implements VLV - Virtual List View, and Samba 4.10 and later reimplemented the paged_results control using similar code. This code is more memory-efficient, storing only a pointer to the object, not the returned object. However this means parts of the original reque...

CVSS 6.5 • AI score 7 • EPSS 0.02659 • Exploits 0

Samba • added 2020/07/02 12:00 a.m. • 52 views

NULL pointer de-reference and use-after-free

Description: Samba has, since Samba 4.5, supported the VLV Active Directory LDAP feature, to allow clients to obtain 'virtual list views' of search results against a Samba AD DC using an LDAP control. The combination of this control, and the ASQ control combines to allow an authenticated user to...

CVSS 6.5 • AI score 6.8 • EPSS 0.0244 • Exploits 0

Samba • added 2009/06/23 12:00 a.m. • 52 views

Uninitialized read of a data value

Description: The smbd daemon in Samba 3.0.31 - 3.3.5 contains an uninitialized read of a data value that can potentially affect access control. If a user is trying to modify an access control list ACL and is denied permission, this deny may be overridden if the parameter "dos filemode" is set to...

CVSS 5.8 • AI score 7.2 • EPSS 0.04606 • Exploits 2

Samba • added 2006/07/10 12:00 a.m. • 52 views

Memory exhaustion DoS against smbd

Description: The smbd daemon maintains internal data structures used to track active connections to file and printer shares. In certain circumstances an attacker may be able to continually increase the memory usage of an smbd process by issuing a large number of share connection requests. This defect...

CVSS 5 • AI score 0.4 • EPSS 0.05503 • Exploits 1

Samba • added 2023/10/10 12:00 a.m. • 50 views

Samba AD DC Busy RPC multiple listener DoS

Description: Samba as an Active Directory DC operates RPC services from two distinct parts of the codebase. Those services focused on the AD DC are started in the main "samba" process, while services focused on the fileserver and NT4-like DC are started from the new samba-dcerpcd, which is launche...

CVSS 6.5 • AI score 6.9 • EPSS 0.01102 • Exploits 0

Samba • added 2022/07/27 12:00 a.m. • 50 views

Server memory information leak via SMB1.

Description: Please note that only versions of Samba prior to 4.11.0 are vulnerable to this bug by default. Samba versions 4.11.0 and above disable SMB1 by default, and will only be vulnerable if the administrator has deliberately enabled SMB1 in the smb.conf file. All versions of Samba with SMB1...

AI score 0.3 • EPSS 0.00999 • Exploits 0

Samba • added 2021/11/09 12:00 a.m. • 50 views

Kerberos acceptors need easy access to stable

Description: In order to avoid issues like CVE-2020-25717 AD Kerberos accepting services need access to unique, and ideally long-term stable identifiers of a user to perform authorization. The AD PAC provides this, but the most useful information is kept in a buffer which is NDR encoded, which mea...

CVSS 8.8 • EPSS 0.01984 • Exploits 0

Samba • added 2021/04/29 12:00 a.m. • 50 views

Negative idmap cache entries can cause incorrect

Description: The Samba smbd file server must map Windows group identities SIDs into unix group ids gids. The code that performs this had a flaw that could allow it to read data beyond the end of the array in the case where a negative cache entry had been added to the mapping cache. This could caus...

CVSS 6.8 • AI score 6.7 • EPSS 0.01616 • Exploits 0

Samba • added 2009/10/01 12:00 a.m. • 50 views

Misconfigured /etc/passwd file may share folders unexpectedly

Description: If a user in /etc/passwd is misconfigured to have an empty home directory :: and the automated homes share is enabled, or an explicit share is created with that username, then any client connecting to that share name will be able to access the whole filesystem from root / on downwards...

CVSS 6 • AI score 7.5 • EPSS 0.02725 • Exploits 2

Samba • added 2007/05/14 12:00 a.m. • 50 views

Multiple Heap Overflows Allow Remote

Description: Various bugs in Samba's NDR parsing can allow a user to send specially crafted MS-RPC requests that will overwrite the heap space with user defined data. Patch Availability: A patch against Samba 3.0.24 has been posted at http://www.samba.org/samba/security/ Workaround: There is no...

CVSS 10 • AI score 8.2 • EPSS 0.77806 • Exploits 23

Samba • added 2023/03/29 12:00 a.m. • 49 views

Samba AD DC admin tool samba-tool sends passwords in cleartext

Description: Active Directory allows passwords to be set and changed over LDAP. Microsoft's implementation imposes a restriction that this may only happen over an encrypted connection, however Samba does not have this restriction currently. Samba's samba-tool client tool likewise has no restrictio...

CVSS 5.9 • AI score 6 • EPSS 0.00484 • Exploits 0

Samba • added 2010/09/14 12:00 a.m. • 49 views

Buffer Overrun Vulnerability

Description: All current released versions of Samba are vulnerable to a buffer overrun vulnerability. The sid_parse function and related dom_sid_parse function in the source4 code do not correctly check their input lengths when reading a binary representation of a Windows SID Security ID. This allows...

CVSS 7.5 • AI score 0.5 • EPSS 0.10546 • Exploits 0

Samba • added 2023/07/19 12:00 a.m. • 48 views

Samba Spotlight mdssvc RPC Request Infinite

Description: When parsing Spotlight mdssvc RPC packets sent by the client, the core unmarshalling function sl_unpack_loop did not validate a field in the network packet that contains the count of elements in an array-like structure. By passing 0 as the count value, the attacked function will run in ...

CVSS 7.5 • AI score 6.5 • EPSS 0.62015 • Exploits 0

Samba • added 2022/01/10 12:00 a.m. • 48 views

Symlink race error can allow directory creation

Description: All versions of Samba prior to 4.13.16 are vulnerable to a malicious client using an SMB1 or NFS symlink race to allow a directory to be created in an area of the server file system not exported under the share definition. Note that SMB1 has to be enabled, or the share also available...

CVSS 2.5 • AI score 6 • EPSS 0.00376 • Exploits 1

Samba • added 2021/11/09 12:00 a.m. • 48 views

Samba AD DC did not do sufficient access and

Description: Samba as an Active Directory Domain Controller has to take care to protect a number of sensitive attributes, and to follow a security model from Active Directory that relies totally on the intersection of NT security descriptors and the underlying X.500 Directory Access Protocol as th...

CVSS 8.8 • AI score 8.7 • EPSS 0.01581 • Exploits 0

Samba • added 2011/02/18 12:00 a.m. • 48 views

Denial of service - memory corruption

Description: All current released versions of Samba are vulnerable to a denial of service caused by memory corruption. Range checks on file descriptors being used in the FD_SET macro were not present allowing stack corruption. This can cause the Samba code to crash or to loop attempting to select o...

CVSS 5 • AI score 0.1 • EPSS 0.04648 • Exploits 0

Samba • added 2019/10/29 12:00 a.m. • 46 views

Samba AD DC check password script does not receive

Description: Since Samba Version 4.5.0 a Samba AD DC can use a custom command to verify the password complexity. The command can be specified with the "check password script" smb.conf parameter. This command is called when Samba handles a user password change or a new user password is set. The...

CVSS 5.4 • AI score 5.8 • EPSS 0.02084 • Exploits 0

Samba • added 2012/01/29 12:00 a.m. • 46 views

Memory leak/Denial of service.

Description: Samba versions 3.6.0 to 3.6.2 inclusive are vulnerable to a memory leak that can cause a server denial of service. The Samba smbd daemon that listens for incoming connections leaks a small amount of memory on every connection attempt. Although this is a small leak, it happens on every...

CVSS 5 • AI score 6 • EPSS 0.03532 • Exploits 0

Samba • added 2010/03/08 12:00 a.m. • 46 views

Allowing all file system access even when

Description: This flaw caused all smbd processes to inherit CAP_DAC_OVERRIDE capabilities, allowing all file system access to be allowed even when permissions should have denied access. Please note this security problem does not affect any platform that does not support capabilities and platforms...

CVSS 8.5 • AI score 7.9 • EPSS 0.03845 • Exploits 1

Samba • added 2022/12/15 12:00 a.m. • 45 views

Kerberos constrained delegation ticket

Description: Kerberos constrained delegation, known also as S4U2Proxy, requires that the intermediate service present to the KDC a valid Kerberos ticket including the PAC obtained by the user as evidence that they had authenticated, so that a new ticket can be issued for the target server. The...

CVSS 7.2 • AI score 0.1 • EPSS 0.04488 • Exploits 0

Samba • added 2020/01/21 12:00 a.m. • 45 views

Crash after failed character conversion at

Description: If samba is set with "log level = 3" or above then the string obtained from the client, after a failed character conversion, is printed. Such strings can be provided during the NTLMSSP authentication exchange. In the Samba AD DC in particular, this may cause a long-lived process such ...

CVSS 6.5 • AI score 6.7 • EPSS 0.03151 • Exploits 0

Samba • added 2011/07/26 12:00 a.m. • 45 views

Cross-Site Request Forgery in SWAT

Description: All current released versions of Samba are vulnerable to a cross-site request forgery in the Samba Web Administration Tool SWAT. By tricking a user who is authenticated with SWAT into clicking a manipulated URL on a different web page, it is possible to manipulate SWAT. In order to be...

CVSS 6.8 • AI score 7.2 • EPSS 0.10046 • Exploits 6

Samba • added 2007/02/05 12:00 a.m. • 45 views

Buffer overrun in NSS host lookup Winbind

Description: NOTE: This security advisory only affects Sun Solaris systems running Samba's winbindd daemon and configured to make use of the nss_winbind.so.1 library for gethostbyname and getipnodebyname name resolution queries. For example, /etc/nsswitch.conf ... ipnodes: files winbind hosts: file...

CVSS 4.6 • AI score 5.5 • EPSS 0.0072 • Exploits 1

Samba • added 2023/07/19 12:00 a.m. • 44 views

Spotlight server-side Share Path Disclosure

Description: As part of the Spotlight protocol, the initial request returns a path associated with the sharename targeted by the RPC request. Samba returns the real server-side share path at this point, as well as returning the absolute server-side path of results in search queries by clients. Kno...

CVSS 5.3 • AI score 6.6 • EPSS 0.01185 • Exploits 0

Samba • added 2008/11/27 12:00 a.m. • 44 views

Potential leak of arbitrary memory contents

Description: Samba 3.0.29 and beyond contain a change to deal with gcc 4 optimizations. Part of the change modified range checking for client-generated offsets of secondary trans, trans2 and nttrans requests. These requests are used to transfer arbitrary amounts of memory from clients to servers a...

CVSS 8.5 • AI score 1.3 • EPSS 0.04331 • Exploits 1

Samba • added 2004/11/08 12:00 a.m. • 44 views

Potential Remote Denial of Service

Summary: A remote attacker could cause an smbd process to consume abnormal amounts of system resources due to an input validation error when matching filenames containing wildcard characters. Patch Availability: A patch for Samba 3.0.7 samba-3.0.7-CAN-2004-0930.patch is available from...

CVSS 5 • AI score 0.9 • EPSS 0.04906 • Exploits 1

Samba • added 2023/10/10 12:00 a.m. • 43 views

SMB clients can truncate files with

Description: The SMB protocol allows opening files where the client requests read-only access, but then implicitly truncating the opened file if the client specifies a separate OVERWRITE create disposition. This operation requires write access to the file, and in the default Samba configuration th...

CVSS 6.5 • AI score 6.7 • EPSS 0.01174 • Exploits 0

Samba • added 2004/12/16 12:00 a.m. • 43 views

Possible remote code execution

Description: Remote exploitation of an integer overflow vulnerability in the smbd daemon included in Samba 2.0.x, Samba 2.2.x, and Samba 3.0.x prior to and including 3.0.9 could allow an attacker to cause controllable heap corruption, leading to execution of arbitrary commands with root privileges...

CVSS 10 • AI score 2.7 • EPSS 0.13196 • Exploits 0

Samba • added 2023/10/10 12:00 a.m. • 42 views

smbd allows client access to unix domain sockets

Description: The SMB 1/2/3 protocols allow clients to connect to named pipes via the IPC$ Inter-Process Communication share for the process of inter-process communication between SMB clients and servers. Since Samba 4.16.0, Samba internally connects client pipe names to unix domain sockets within ...

CVSS 9.8 • AI score 7 • EPSS 0.02409 • Exploits 1

Samba • added 2019/04/08 12:00 a.m. • 42 views

Save registry file outside share as unprivileged user

Description: Samba contains an RPC endpoint emulating the Windows registry service API. One of the requests, "winregSaveKey", is susceptible to a path/symlink traversal vulnerability. Unprivileged users can use it to create a new registry hive file anywhere they have unix permissions to create a n...

CVSS 5.5 • AI score 5.4 • EPSS 0.03392 • Exploits 0

Samba • added 2007/11/15 12:00 a.m. • 42 views

Stack buffer overflow in nmbd's logon

Description: Samba developers have discovered what is believed to be a non-exploitable buffer over in nmbd during the processing of GETDC logon server requests. This code is only used when the Samba server is configured as a Primary or Backup Domain Controller. Patch Availability: A patch addressin...

CVSS 9.3 • AI score 8.3 • EPSS 0.05888 • Exploits 1

Samba • added 2023/07/19 12:00 a.m. • 41 views

SMB2 packet signing not enforced

Description: SMB2 packet signing is not enforced if an admin configured "server signing = required" or for SMB2 connections to Domain Controllers where SMB2 packet signing is mandatory. SMB2 packet signing is a mechanism that ensures the integrity and authenticity of data exchanged between a clien...

CVSS 5.9 • AI score 6.4 • EPSS 0.0039 • Exploits 0

Samba • added 2020/07/02 12:00 a.m. • 41 views

Parsing and packing of NBT and DNS packets

Description: The NetBIOS over TCP/IP name resolution protocol is framed using the same format as DNS, and Samba's packing code for both uses DNS name compression. An attacker can choose a name which, when the name is included in the reply, causes the DNS name compression algorithm to walk a very...

CVSS 7.8 • AI score 7.6 • EPSS 0.03874 • Exploits 0

Total number of security vulnerabilities: 174