174 matches found
World-writeable files may be created in additional shares on a
Description Administrators of the Samba 4.0 Active Directory Domain Controller might unexpectedly find files created world-writeable if additional CIFS file shares are created on the AD DC. By default the AD DC is not vulnerable to this issue, as a specific inheritable ACL is set on the files in...
Missing handle permissions check in SMB1/2/3
Description The SMB1/2/3 protocols have a concept of "ChangeNotify", where a client can request file name notification on a directory handle when a condition such as "new file creation" or "file size change" or "file timestamp update" occurs. A missing permissions check on a directory handle...
Potential Arbitrary File Access
Summary: A remote attacker may be able to gain access to files which exist outside of the share's defined path. Such files must still be readable by the account used for the connection. Patch Availability The patch for Samba 3.0.2a and earlier releases 3.0.x samba-3.0.2a-reducename.patch can be...
Samba AD DC password exposure to privileged
Description In normal operation, passwords and most secrets are never disclosed over LDAP in Active Directory. However, due to a design flaw in Samba's implementation of the DirSync control, Active Directory accounts authorized to do some replication, but not to replicate sensitive attributes, ca...
rc4-hmac Kerberos session keys issued
Description Kerberos, the trusted third party authentication system at the heart of Active Directory, issues a session key known to the target server and the client, encrypted to both services in a TGS-REP. The key algorithm chosen here is then used for the subsequent signed or encrypted...
Subsequent DCE/RPC fragment injection vulnerability
Description Samba implements DCE/RPC, and in most cases it is provided over and protected by the underlying SMB transport, with protections like 'SMB signing'. However there are other cases where large DCE/RPC request payloads are exchanged and fragmented into several pieces. If this happens over...
Replication of ACLs set to inherit down a
Description A newly delegated right, but more importantly the removal of a delegated right, would not be inherited on any DC other than the one where the change was made. For example: - if a user or group was previously delegated the right to create or modify a subtree say to allow desktop suppor...
Out-of-bounds heap read/write vulnerability
Description All versions of Samba prior to 4.13.17 are vulnerable to an out-of-bounds heap read/write vulnerability that allows remote attackers to execute arbitrary code as root on affected Samba installations that use the VFS module vfs_fruit. The specific flaw exists within the parsing of EA...
Buffer overflow in Heimdal unwrap_des3()
Description The DES (for Samba 4.11 and earlier) and Triple-DES decryption routines in the Heimdal GSSAPI library allow a length-limited write buffer overflow on malloc allocated memory when presented with a maliciously small packet. Examples of where Samba can use GSSAPI include the client and...
Samba AD users can crash the server process with an
Description Due to incorrect values used as the limit for a loop and as the 'count' parameter to memcpy, the server, receiving a specially crafted message, leaves an array of structures partially uninitialised, or accesses an arbitrary element beyond the end of an array. Outcomes achievable by an...
SAMR and LSA man in the middle attacks possible
Description The Security Account Manager Remote Protocol (MS-SAMR) and the Local Security Authority Domain Policy Remote Protocol (MS-LSAD) are both vulnerable to man in the middle attacks. Both are application level protocols based on the generic DCE 1.1 Remote Procedure Call (DCERPC) protocol. These...
Wrong permissions of group_mapping.ldb
Description The file group_mapping.ldb is created with the permissions 0666. That means everyone is able to edit this file and gain additional access rights while connecting remotely to the Samba server. By manipulating the SID mappings contained in this file, it is also possible to establish a...
Incorrect permission checks when granting/removing
Description Samba versions 3.4.x to 3.6.4 inclusive are affected by a vulnerability that allows arbitrary users to modify privileges on a file server. Security checks were incorrectly applied to the Local Security Authority (LSA) remote procedure calls (RPC) CreateAccount, OpenAccount,...
Empty UDP packet DoS in Samba AD DC nbtd
Description The NetBIOS over TCP/IP name resolution protocol is implemented as a UDP datagram on port 137. The AD DC client and server-side processing code for NBT name resolution will enter a tight loop if a UDP packet with 0 data length is received. The client for this case is only found in the...
Cross-Site Request Forgery in SWAT
Description All current released versions of Samba are vulnerable to a cross-site request forgery in the Samba Web Administration Tool SWAT. By guessing a user's password and then tricking a user who is authenticated with SWAT into clicking a manipulated URL on a different web page, it is possibl...
Potential Buffer Overrun in smbd
Description A buffer overrun has been located in the code used to support the 'mangling method = hash' smb.conf option. Please be aware that the default setting for this parameter is 'mangling method = hash2' and therefore not vulnerable. Affected Samba 3 installations can avoid this possible...
Samba AD users can forge password change requests for
Description Tickets received by the kpasswd service were decrypted without specifying that only that service's own keys should be tried. By setting the ticket's server name to a principal associated with their own account, or by exploiting a fallback where known keys would be tried until a suitab...
LDAP Use-after-free in Samba AD DC Global Catalog with
Description Samba 4.5 and later implements VLV - Virtual List View, and Samba 4.10 and later reimplemented the paged_results control using similar code. This code is more memory-efficient, storing only a pointer to the object, not the returned object. However this means parts of the original reque...
NULL pointer de-reference and use-after-free
Description Samba has, since Samba 4.5, supported the VLV Active Directory LDAP feature, to allow clients to obtain 'virtual list views' of search results against a Samba AD DC using an LDAP control. The combination of this control, and the ASQ control combines to allow an authenticated user to...
Uninitialized read of a data value
Description The smbd daemon in Samba 3.0.31 - 3.3.5 contains an uninitialized read of a data value that can potentially affect access control. If a user is trying to modify an access control list ACL and is denied permission, this deny may be overridden if the parameter "dos filemode" is set to...
Memory exhaustion DoS against smbd
Description The smbd daemon maintains internal data structures used to track active connections to file and printer shares. In certain circumstances an attacker may be able to continually increase the memory usage of an smbd process by issuing a large number of share connection requests. This defect...
Samba AD DC Busy RPC multiple listener DoS
Description Samba as an Active Directory DC operates RPC services from two distinct parts of the codebase. Those services focused on the AD DC are started in the main "samba" process, while services focused on the fileserver and NT4-like DC are started from the new samba-dcerpcd, which is launche...
Server memory information leak via SMB1.
Description Please note that only versions of Samba prior to 4.11.0 are vulnerable to this bug by default. Samba versions 4.11.0 and above disable SMB1 by default, and will only be vulnerable if the administrator has deliberately enabled SMB1 in the smb.conf file. All versions of Samba with SMB1...
Kerberos acceptors need easy access to stable
Description In order to avoid issues like CVE-2020-25717 AD Kerberos accepting services need access to unique, and ideally long-term stable identifiers of a user to perform authorization. The AD PAC provides this, but the most useful information is kept in a buffer which is NDR encoded, which mea...
Negative idmap cache entries can cause incorrect
Description The Samba smbd file server must map Windows group identities SIDs into unix group ids gids. The code that performs this had a flaw that could allow it to read data beyond the end of the array in the case where a negative cache entry had been added to the mapping cache. This could caus...
Misconfigured /etc/passwd file may share folders unexpectedly
Description If a user in /etc/passwd is misconfigured to have an empty home directory (::) and the automated [homes] share is enabled, or an explicit share is created with that username, then any client connecting to that share name will be able to access the whole filesystem from root (/) on downwards...
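The condition described above is easy to audit before exposing a file server. The following is an added example (not Samba's own code or tooling): it parses passwd-format text and flags accounts whose home directory field is empty, and, as an assumption going slightly beyond the advisory, also accounts whose home directory is literally "/", since a [homes] share for such a user exports the same root path. It also checks an smb.conf text for a [homes] section so the two conditions can be correlated. The passwd and smb.conf samples at the bottom are constructed for the demonstration.

```python
"""Audit passwd entries that would turn a [homes] share into a root export.

Added example, not part of Samba. Assumptions: passwd text in the standard
seven-field format; smb.conf section headers of the form [name] on their own
line; a home directory of "/" is treated like an empty one (our assumption).
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    user: str
    home: str
    reason: str


_SECTION_RE = re.compile(r"^\s*\[\s*([^\]]+?)\s*\]\s*$")


def audit_passwd(text: str) -> list[Finding]:
    """Return one Finding per risky or malformed passwd entry, in file order."""
    findings: list[Finding] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(Finding(fields[0], "", f"line {lineno}: malformed entry ({len(fields)} fields)"))
            continue
        user, _pw, _uid, _gid, _gecos, home, _shell = fields
        if home == "":
            findings.append(Finding(user, home, f"line {lineno}: empty home directory, a [homes] share would export /"))
        elif home == "/":
            # assumption: root as home is just as dangerous as an empty field
            findings.append(Finding(user, home, f"line {lineno}: home directory is /, a [homes] share would export /"))
    return findings


def homes_share_enabled(smb_conf: str) -> bool:
    """True if smb.conf declares a [homes] section (section names are case-insensitive)."""
    for raw in smb_conf.splitlines():
        m = _SECTION_RE.match(raw)
        if m and m.group(1).lower() == "homes":
            return True
    return False


def exposed_users(passwd_text: str, smb_conf: str) -> list[str]:
    """Users for which the advisory's condition is fully met: risky home AND [homes] enabled."""
    if not homes_share_enabled(smb_conf):
        return []
    return [f.user for f in audit_passwd(passwd_text) if f.home in ("", "/")]


# Constructed sample input (not from any real system).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
backup:x:1002:1002:Backup account::/usr/sbin/nologin
svc:x:1003:1003:Service:/:/bin/sh
"""

SAMPLE_SMB_CONF = """\
[global]
   workgroup = EXAMPLE
   server min protocol = SMB2

[homes]
   browseable = no
   read only = no
"""

if __name__ == "__main__":
    for f in audit_passwd(SAMPLE_PASSWD):
        print(f"{f.user}: {f.reason}")
    print("exposed:", exposed_users(SAMPLE_PASSWD, SAMPLE_SMB_CONF))
```

Run it against a real host with the contents of /etc/passwd and the output of `testparm -s` (which expands includes and defaults) rather than the raw smb.conf.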
Multiple Heap Overflows Allow Remote
Description Various bugs in Samba's NDR parsing can allow a user to send specially crafted MS-RPC requests that will overwrite the heap space with user defined data. Patch Availability A patch against Samba 3.0.24 has been posted at http://www.samba.org/samba/security/ Workaround There is no...
Samba AD DC admin tool samba-tool sends passwords in cleartext
Description Active Directory allows passwords to be set and changed over LDAP. Microsoft's implementation imposes a restriction that this may only happen over an encrypted connection, however Samba does not have this restriction currently. Samba's samba-tool client tool likewise has no restrictio...
Buffer Overrun Vulnerability
Description All current released versions of Samba are vulnerable to a buffer overrun vulnerability. The sid_parse function and related dom_sid_parse function in the source4 code do not correctly check their input lengths when reading a binary representation of a Windows SID (Security ID). This allows...
Samba Spotlight mdssvc RPC Request Infinite
Description When parsing Spotlight mdssvc RPC packets sent by the client, the core unmarshalling function sl_unpack_loop did not validate a field in the network packet that contains the count of elements in an array-like structure. By passing 0 as the count value, the attacked function will run in ...
Symlink race error can allow directory creation
Description All versions of Samba prior to 4.13.16 are vulnerable to a malicious client using an SMB1 or NFS symlink race to allow a directory to be created in an area of the server file system not exported under the share definition. Note that SMB1 has to be enabled, or the share also available...
Samba AD DC did not do sufficient access and
Description Samba as an Active Directory Domain Controller has to take care to protect a number of sensitive attributes, and to follow a security model from Active Directory that relies totally on the intersection of NT security descriptors and the underlying X.500 Directory Access Protocol as th...
Denial of service - memory corruption
Description All current released versions of Samba are vulnerable to a denial of service caused by memory corruption. Range checks on file descriptors being used in the FDSET macro were not present allowing stack corruption. This can cause the Samba code to crash or to loop attempting to select o...
Samba AD DC check password script does not receive
Description Since Samba Version 4.5.0 a Samba AD DC can use a custom command to verify the password complexity. The command can be specified with the "check password script" smb.conf parameter. This command is called when Samba handles a user password change or a new user password is set. The...
Memory leak/Denial of service.
Description Samba versions 3.6.0 to 3.6.2 inclusive are vulnerable to a memory leak that can cause a server denial of service. The Samba smbd daemon that listens for incoming connections leaks a small amount of memory on every connection attempt. Although this is a small leak, it happens on every...
Allowing all file system access even when
Description This flaw caused all smbd processes to inherit CAP_DAC_OVERRIDE capabilities, allowing all file system access to be allowed even when permissions should have denied access. Please note this security problem does not affect any platform that does not support capabilities and platforms...
Kerberos constrained delegation ticket
Description Kerberos constrained delegation, known also as S4U2Proxy, requires that the intermediate service present to the KDC a valid Kerberos ticket including the PAC obtained by the user as evidence that they had authenticated, so that a new ticket can be issued for the target server. The...
Crash after failed character conversion at
Description If samba is set with "log level = 3" or above then the string obtained from the client, after a failed character conversion, is printed. Such strings can be provided during the NTLMSSP authentication exchange. In the Samba AD DC in particular, this may cause a long-lived process such ...
Cross-Site Request Forgery in SWAT
Description All current released versions of Samba are vulnerable to a cross-site request forgery in the Samba Web Administration Tool SWAT. By tricking a user who is authenticated with SWAT into clicking a manipulated URL on a different web page, it is possible to manipulate SWAT. In order to be...
Buffer overrun in NSS host lookup Winbind
Description NOTE: This security advisory only affects Sun Solaris systems running Samba's winbindd daemon and configured to make use of the nss_winbind.so.1 library for gethostbyname and getipnodebyname name resolution queries. For example, /etc/nsswitch.conf ... ipnodes: files winbind hosts: file...
Spotlight server-side Share Path Disclosure
Description As part of the Spotlight protocol, the initial request returns a path associated with the sharename targeted by the RPC request. Samba returns the real server-side share path at this point, as well as returning the absolute server-side path of results in search queries by clients. Kno...
Potential leak of arbitrary memory contents
Description Samba 3.0.29 and beyond contain a change to deal with gcc 4 optimizations. Part of the change modified range checking for client-generated offsets of secondary trans, trans2 and nttrans requests. These requests are used to transfer arbitrary amounts of memory from clients to servers a...
Potential Remote Denial of Service
Summary: A remote attacker could cause an smbd process to consume abnormal amounts of system resources due to an input validation error when matching filenames containing wildcard characters. Patch Availability A patch for Samba 3.0.7 samba-3.0.7-CAN-2004-0930.patch is available from...
SMB clients can truncate files with
Description The SMB protocol allows opening files where the client requests read-only access, but then implicitly truncating the opened file if the client specifies a separate OVERWRITE create disposition. This operation requires write access to the file, and in the default Samba configuration th...
Possible remote code execution
Description Remote exploitation of an integer overflow vulnerability in the smbd daemon included in Samba 2.0.x, Samba 2.2.x, and Samba 3.0.x prior to and including 3.0.9 could allow an attacker to cause controllable heap corruption, leading to execution of arbitrary commands with root privileges...
smbd allows client access to unix domain sockets
Description The SMB 1/2/3 protocols allow clients to connect to named pipes via the IPC$ (Inter-Process Communication) share for the process of inter-process communication between SMB clients and servers. Since Samba 4.16.0, Samba internally connects client pipe names to unix domain sockets within ...
Save registry file outside share as unprivileged user
Description Samba contains an RPC endpoint emulating the Windows registry service API. One of the requests, "winregSaveKey", is susceptible to a path/symlink traversal vulnerability. Unprivileged users can use it to create a new registry hive file anywhere they have unix permissions to create a n...
Stack buffer overflow in nmbd's logon
Description Samba developers have discovered what is believed to be a non-exploitable buffer overrun in nmbd during the processing of GETDC logon server requests. This code is only used when the Samba server is configured as a Primary or Backup Domain Controller. Patch Availability A patch addressin...
SMB2 packet signing not enforced
Description SMB2 packet signing is not enforced if an admin configured "server signing = required" or for SMB2 connections to Domain Controllers where SMB2 packet signing is mandatory. SMB2 packet signing is a mechanism that ensures the integrity and authenticity of data exchanged between a clien...
Parsing and packing of NBT and DNS packets
Description The NetBIOS over TCP/IP name resolution protocol is framed using the same format as DNS, and Samba's packing code for both uses DNS name compression. An attacker can choose a name which, when the name is included in the reply, causes the DNS name compression algorithm to walk a very...
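The hazard in the entry above is the compression-pointer walk itself: a name in a DNS or NBT message may end in a two-byte pointer to an earlier offset, and a parser that follows pointers without bounds can be driven round a loop or through a very long chain. The following is an added example, not Samba's own code, of a decompressor that enforces the RFC 1035 rules a hardened parser needs: pointers must point strictly backwards (which rules out loops and forward references), the number of pointer hops is capped, and label and total name lengths are bounded. The message bytes and the hop cap of 16 are our own constructed choices; NBT first-level name encoding is not applied, only the shared label/pointer framing.

```python
"""Bounded DNS/NBT name decompression (RFC 1035 section 4.1.4).

Added example, not Samba code. Shows how a parser stays safe against a
name whose compression pointers loop or chain excessively. The sample
messages at the bottom are constructed by hand.
"""

MAX_HOPS = 16        # assumption: our cap on compression pointers followed per name
MAX_NAME_LEN = 255   # RFC 1035 limit on the wire-format name
MAX_LABEL_LEN = 63   # RFC 1035 limit on one label


class MalformedName(ValueError):
    """Raised for any name the parser refuses to follow."""


def read_name(msg: bytes, offset: int) -> tuple[str, int]:
    """Decode the name starting at msg[offset].

    Returns (dotted_name, offset_just_after_the_name_in_the_caller's_stream).
    The second value is where the caller continues parsing; it is computed
    from the first pointer encountered, not from wherever the pointer led.
    """
    labels: list[str] = []
    pos = offset
    end: int | None = None
    hops = 0
    total = 0
    while True:
        if pos >= len(msg):
            raise MalformedName("name runs past end of message")
        length = msg[pos]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if pos + 1 >= len(msg):
                raise MalformedName("truncated compression pointer")
            target = ((length & 0x3F) << 8) | msg[pos + 1]
            if end is None:
                end = pos + 2
            # A pointer must reference an earlier offset. This single check
            # makes a loop (self-pointer or cycle) impossible, because pos
            # decreases strictly on every hop.
            if target >= pos:
                raise MalformedName(f"pointer at {pos} does not point backwards (to {target})")
            hops += 1
            if hops > MAX_HOPS:                        # belt and braces on very long chains
                raise MalformedName("too many compression pointers")
            pos = target
            continue
        if length & 0xC0:                               # 0b01/0b10 label types are reserved
            raise MalformedName(f"reserved label type 0x{length:02x} at {pos}")
        if length == 0:                                 # root label terminates the name
            if end is None:
                end = pos + 1
            break
        if length > MAX_LABEL_LEN:
            raise MalformedName(f"label of {length} bytes exceeds {MAX_LABEL_LEN}")
        total += length + 1
        if total > MAX_NAME_LEN:
            raise MalformedName("name exceeds 255 bytes")
        label = msg[pos + 1:pos + 1 + length]
        if len(label) != length:
            raise MalformedName("truncated label")
        labels.append(label.decode("ascii", "backslashreplace"))
        pos += 1 + length
    return ".".join(labels), end


def is_well_formed(msg: bytes, offset: int) -> bool:
    """Convenience predicate: True if read_name accepts the name at offset."""
    try:
        read_name(msg, offset)
        return True
    except MalformedName:
        return False


# Constructed samples: a 12-byte zeroed header, then names at offset 12.
HEADER = bytes(12)
# offset 12: "example.com" uncompressed; offset 25: "www" + pointer back to 12.
SAMPLE = HEADER + b"\x07example\x03com\x00" + b"\x03www\xc0\x0c"
# offset 12: a pointer to itself.
SELF_LOOP = HEADER + b"\xc0\x0c"
# offset 12: pointer forward to 14, which points back to 12 (a two-node cycle).
CYCLE = HEADER + b"\xc0\x0e" + b"\xc0\x0c"

if __name__ == "__main__":
    print(read_name(SAMPLE, 12))      # ('example.com', 25)
    print(read_name(SAMPLE, 25))      # ('www.example.com', 31)
    for name, m in (("self-loop", SELF_LOOP), ("cycle", CYCLE)):
        print(name, "accepted" if is_well_formed(m, 12) else "rejected")
```

The backwards-only rule is the important one: with it, the loop-guard on hop count is only a secondary limit on chain length, and a pathological message of a few kilobytes of pointer hops is rejected after at most MAX_HOPS steps rather than walked in full.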