Man in the middle attacks possible with NTLMSSP
Description There are several man in the middle attacks possible with NTLMSSP authentication. E.g. NTLMSSP_NEGOTIATE_SIGN and NTLMSSP_NEGOTIATE_SEAL can be cleared by a man in the middle. This was by protocol design in earlier Windows versions. Windows Server 2003 RTM and Vista RTM introduced a way t...
The LDAP client and server don't enforce integrity protection
Description Samba uses various LDAP client libraries, a builtin one and/or the system ldap libraries typically openldap. As active directory domain controller Samba also provides an LDAP server. Samba takes care of doing SASL GSS-SPNEGO authentication with Kerberos or NTLMSSP for LDAP connections...
SMB client connections for IPC traffic are not integrity protected
Description Samba has an option called "client signing", this is turned off by default for performance reasons on file transfers. This option is also used when using DCERPC with ncacn_np. In order to get integrity protection for ipc related communication by default the "client ipc signing" option ...
"server signing = mandatory" not enforced
Description Due to a regression introduced in Samba 4.0.0, an explicit "server signing = mandatory" in the global section of the smb.conf was not enforced for clients using the SMB1 protocol. As a result it does not enforce smb signing and allows man in the middle attacks. This problem applies to...
Missing TLS certificate validation allows man in the middle attacks
Description Samba has support for TLS/SSL for some protocols: ldap and http, but currently certificates are not validated at all. While we have a "tls cafile" option, the configured certificate is not used to validate the server certificate. This applies to ldaps:// connections triggered by tools...
SAMR and LSA man in the middle attacks possible
Description The Security Account Manager Remote Protocol MS-SAMR and the Local Security Authority Domain Policy Remote Protocol MS-LSAD are both vulnerable to man in the middle attacks. Both are application level protocols based on the generic DCE 1.1 Remote Procedure Call DCERPC protocol. These...
Out-of-bounds read in internal DNS server
Description All versions of Samba from 4.0.0 to 4.4.0rc3 inclusive, when deployed as an AD DC and configured to run the internal DNS server, are vulnerable to an out-of-bounds read issue during DNS TXT record handling caused by users with permission to modify DNS records. A malicious client can uploa...
Incorrect ACL get/set allowed on symlink path.
Description All versions of Samba from 3.2.0 to 4.4.0rc3 inclusive are vulnerable to a malicious client overwriting the ownership of ACLs using symlinks. An authenticated malicious client can use SMB1 UNIX extensions to create a symlink to a file or directory, and then use non-UNIX SMB1 calls to...
Remote DoS in Samba (AD) LDAP server.
Description All versions of Samba from 4.0.0 to 4.1.21 inclusive are vulnerable to an anonymous memory exhaustion attack in the samba daemon LDAP server. A malicious client can send packets that cause the LDAP server provided by the AD DC in the samba daemon process to consume unlimited memory an...
Samba client requesting encryption vulnerable
Description Versions of Samba from 3.2.0 to 4.3.2 inclusive do not ensure that signing is negotiated when creating an encrypted client connection to a server. Without this a man-in-the-middle attack could downgrade the connection and connect using the supplied credentials as an unsigned,...
Denial of service in Samba Active Directory
Description All versions of Samba from 4.0.0 to 4.3.2 inclusive, and all ldb versions up to 1.1.23 inclusive, are vulnerable to a denial of service attack in the samba daemon LDAP server. A malicious client can send packets that cause the LDAP server in the samba daemon process to become...
Denial of service attack against Windows
Description Samba, operating as an AD DC, is sometimes operated in a domain with a mix of Samba and Windows Active Directory Domain Controllers. All versions of Samba from 4.0.0 to 4.3.2 inclusive, when deployed as an AD DC in the same domain with Windows DCs, could be used to override the...
Missing access control check in shadow copy
Description All versions of Samba from 3.2.0 to 4.3.2 inclusive are vulnerable to a missing access control check in the vfs_shadow_copy2 module. When looking for the shadow copy directory under the share path the current accessing user should have DIRECTORY_LIST access rights in order to view the...
Insufficient symlink verification in smbd.
Description All versions of Samba from 3.0.0 to 4.3.2 inclusive are vulnerable to a bug in symlink verification, which under certain circumstances could allow client access to files outside the exported share path. If a Samba share is configured with a path that shares a common path prefix with...
Remote memory read in Samba LDAP server.
Description All versions of Samba from 4.0.0 to 4.3.2 inclusive, and all ldb versions up to 1.1.23 inclusive, are vulnerable to a remote memory read attack in the samba daemon LDAP server. A malicious client can send packets that cause the LDAP server in the samba daemon process to return heap...
Unexpected code execution in smbd.
Description All versions of Samba from 3.5.0 to 4.2.0rc4 are vulnerable to an unexpected code execution vulnerability in the smbd file server daemon. A malicious client could send packets that may set up the stack in such a way that the freeing of memory in a subsequent anonymous netlogon packet...
CVE-2014-8143: Elevation of privilege to Active Directory Domain Controller
Description Samba's AD DC allows the administrator to delegate creation of user or computer accounts to specific users or groups. However, all released versions of Samba's AD DC did not implement the additional required check on the UF_SERVER_TRUST_ACCOUNT bit in the userAccountControl attributes. A...
Remote code execution in nmbd
Description All current versions of Samba 4.x.x are vulnerable to a remote code execution vulnerability in the nmbd NetBIOS name services daemon. A malicious browser can send packets that may overwrite the heap of the target nmbd (NetBIOS name services daemon). It may be possible to use this to...
Denial of service - Server crash/memory corruption
Description All current released versions of Samba are vulnerable to a denial of service on the smbd file server daemon. Valid unicode path names stored on disk can cause smbd to crash if an authenticated client attempts to read them using a non-unicode request. The crash is caused by memory bein...
Denial of service - CPU loop
Description All current released versions of Samba are vulnerable to a denial of service on the nmbd NetBIOS name services daemon. A malformed packet can cause the nmbd server to loop the CPU and prevent any further NetBIOS name service. This flaw is not exploitable beyond causing the code to loo...
Potential DOS in Samba internal DNS server
Description Samba versions 4.0.0 and above have a flaw in DNS protocol handling in the internal DNS server. The server will not check the "reply" flag in the DNS packet header when processing a request. That makes it vulnerable to reply to a spoofed reply packet with another reply. Two affected...
Uninitialized memory exposure.
Description In preparing a response to an authenticated FSCTL_GET_SHADOW_COPY_DATA or FSCTL_SRV_ENUMERATE_SNAPSHOTS client request, affected versions of Samba do not initialize 8 bytes of the 16 byte SRV_SNAPSHOT_ARRAY response field. The uninitialized buffer is sent back to the client. A non-default VFS...
smbcacls will remove the ACL on a file
Description Samba versions 4.0.0 and above have a flaw in the smbcacls command. If smbcacls is used with the "-C|--chown name" or "-G|--chgrp name" command options it will remove the existing ACL on the object being modified, leaving the file or directory unprotected. Patch Availability Patches...
CVE-2013-4496: Password lockout not enforced for SAMR password changes
Description Samba versions 3.4.0 and above allow the administrator to implement locking out Samba accounts after a number of bad password attempts. However, all released versions of Samba did not implement this check for password changes, such as are available over multiple SAMR and RAP interface...
pam_winbind login without require_membership_of restrictions
Description Winbind allows for the further restriction of authenticated PAM logins using the require_membership_of parameter. System administrators may specify a list of SIDs or groups of which an authenticated user must be a member. If an authenticated user does not belong to any of the entrie...
DCE-RPC fragment length field is incorrectly checked.
Description Samba versions 3.4.0 and above (versions 3.4.0 - 3.4.17, 3.5.0 - 3.5.22, 3.6.0 - 3.6.21, 4.0.0 - 4.0.12 and including 4.1.2) are vulnerable to buffer overrun exploits in the client processing of DCE-RPC packets. This is due to incorrect checking of the DCE-RPC fragment length in the...
Private key in key.pem world readable
Description Due to incorrect directory and file permissions a local attacker might obtain the private key that is used for the SSL/TLS encryption for ldaps including STARTTLS on ldap and https network traffic. The attacker is then able to decrypt encrypted network traffic which may contain...
ACLs are not checked on opening an alternate
Description Samba versions 3.2.0 and above (all versions of 3.2.x, 3.3.x, 3.4.x, 3.5.x, 3.6.x, 4.0.x and 4.1.x) do not check the underlying file or directory ACL when opening an alternate data stream. According to the SMB1 and SMB2+ protocols the ACL on an underlying file or directory should contro...
Denial of service - CPU loop and memory allocation.
Description All current released versions of Samba are vulnerable to a denial of service on an authenticated or guest connection. A malformed packet can cause the smbd server to loop the CPU performing memory allocations and preventing any further service. A connection to a file share, or a local...
A writable configured share might get read only
Description Due to an assignment-vs-equality bug a share reference might get overwritten. This can lead to 'read only = no' from another share leaking into a 'read only = yes' share for subsequent connections. This is a re-evaluation of an already fixed bug. Workaround Update to 3.6.6 and higher...
World-writeable files may be created in additional shares on a
Description Administrators of the Samba 4.0 Active Directory Domain Controller might unexpectedly find files created world-writeable if additional CIFS file shares are created on the AD DC. By default the AD DC is not vulnerable to this issue, as a specific inheritable ACL is set on the files in...
Cross-Site Request Forgery in SWAT
Description All current released versions of Samba are vulnerable to a cross-site request forgery in the Samba Web Administration Tool SWAT. By guessing a user's password and then tricking a user who is authenticated with SWAT into clicking a manipulated URL on a different web page, it is possibl...
Clickjacking in SWAT
Description All current released versions of Samba are vulnerable to clickjacking in the Samba Web Administration Tool SWAT. When the SWAT pages are integrated into a malicious web page via a frame or iframe and then overlaid by other content, an attacker could trick an administrator to potential...
A Samba AD DC may provide authenticated users with
Description In AD, Access Control Entries can be assigned based on the objectClass of the object. If a user or a group the user is a member of has any access based on the objectClass, then that user has write access to that object. Additionally, if a user has write access to any attribute on the...
Incorrect permission checks when granting/removing
Description Samba versions 3.4.x to 3.6.4 inclusive are affected by a vulnerability that allows arbitrary users to modify privileges on a file server. Security checks were incorrectly applied to the Local Security Authority (LSA) remote procedure calls (RPC) CreateAccount, OpenAccount,...
"root" credential remote code execution.
Description Samba versions 3.6.3 and all versions previous to this are affected by a vulnerability that allows remote code execution as the "root" user from an anonymous connection. The code generator for Samba's remote procedure call (RPC) code contained an error which caused it to generate code...
Remote code execution vulnerability in smbd
Description Samba versions up to 3.4.0 do not ensure that AndX offsets of the smb daemon smbd are increasing strictly monotonically. Therefore a remote code execution vulnerability exists in the smbd service. A remote attacker could use the vulnerability to launch an exploit over a network...
Memory leak/Denial of service.
Description Samba versions 3.6.0 to 3.6.2 inclusive are vulnerable to a memory leak that can cause a server denial of service. The Samba smbd daemon that listens for incoming connections leaks a small amount of memory on every connection attempt. Although this is a small leak, it happens on every...
Cross-Site Request Forgery in SWAT
Description All current released versions of Samba are vulnerable to a cross-site request forgery in the Samba Web Administration Tool SWAT. By tricking a user who is authenticated with SWAT into clicking a manipulated URL on a different web page, it is possible to manipulate SWAT. In order to be...
Cross-Site Scripting vulnerability in SWAT
Description All current released versions of Samba are vulnerable to a cross-site scripting issue in the Samba Web Administration Tool SWAT. On the "Change Password" field, it is possible to insert arbitrary content into the "user" field. This issue is only exploitable if CVE-2011-2522 has not be...
Denial of service - memory corruption
Description All current released versions of Samba are vulnerable to a denial of service caused by memory corruption. Range checks on file descriptors being used in the FD_SET macro were not present allowing stack corruption. This can cause the Samba code to crash or to loop attempting to select o...
Buffer Overrun Vulnerability
Description All current released versions of Samba are vulnerable to a buffer overrun vulnerability. The sid_parse function and related dom_sid_parse function in the source4 code do not correctly check their input lengths when reading a binary representation of a Windows SID (Security ID). This allows...
Memory Corruption Vulnerability
Description Samba versions 3.3.12 and all versions previous to this are affected by a memory corruption vulnerability. Samba versions 3.4.0 and all releases since this version are NOT affected by this problem. In particular, the current stable Samba version 3.5.3 is NOT affected by this problem...
Allowing all file system access even when
Description This flaw caused all smbd processes to inherit CAP_DAC_OVERRIDE capabilities, allowing all file system access to be allowed even when permissions should have denied access. Please note this security problem does not affect any platform that does not support capabilities and platforms...
Change parameter "wide links" to default to "no";
Description The problem comes from a combination of two features in Samba, each of which on their own are useful to Administrators, but in combination allow users to access any file on the system that their logged in username has permissions to read (this is not a privilege escalation problem). By...
Misconfigured /etc/passwd file may share folders unexpectedly
Description If a user in /etc/passwd is misconfigured to have an empty home directory (::) and the automated homes share is enabled, or an explicit share is created with that username, then any client connecting to that share name will be able to access the whole filesystem from root (/) on downwards...
Information disclosure by setuid mount.cifs
Description The mount.cifs program allows a user to pass in the name of a credentials file or a file containing a password via several different means. When installed as a setuid program, it does not check to see whether the user would have had access to this file prior to gaining root privileges...
Remote DoS against smbd on authenticated
Description Smbd is susceptible to a remote DoS attack by an authenticated remote client. If the client sends a reply to an oplock break notification that Samba does not expect it can cause smbd to spin the CPU repeatedly trying to process the unexpected packet and being unable to finish the...
Uninitialized read of a data value
Description The smbd daemon in Samba 3.0.31 - 3.3.5 contains an uninitialized read of a data value that can potentially affect access control. If a user is trying to modify an access control list (ACL) and is denied permission, this deny may be overridden if the parameter "dos filemode" is set to...
Format string vulnerability in smbclient
Description The smbclient utility in Samba 3.2.0 - 3.2.12 contains a format string vulnerability where commands dealing with file names treat user input as format strings to asprintf. An example is: smb: \ put aa%3Fbb putting file aa%3Fbb as \aa0,000000bb 0,0 kb/s average 0,0 kb/s As is obvious,...