CVE-2012-2111

high

Description

The (1) CreateAccount, (2) OpenAccount, (3) AddAccountRights, and (4) RemoveAccountRights LSA RPC procedures in smbd in Samba 3.4.x before 3.4.17, 3.5.x before 3.5.15, and 3.6.x before 3.6.5 do not properly restrict modifications to the privileges database, which allows remote authenticated users to obtain the "take ownership" privilege via an LSA connection.

References

http://www.ubuntu.com/usn/USN-1434-1

http://www.securitytracker.com/id?1026988

http://www.samba.org/samba/security/CVE-2012-2111

http://www.mandriva.com/security/advisories?name=MDVSA-2012:067

http://www.debian.org/security/2012/dsa-2463

http://www.collax.com/produkte/AllinOne-server-for-small-businesses#id2565578

http://secunia.com/advisories/49030

http://secunia.com/advisories/49017

http://secunia.com/advisories/48999

http://secunia.com/advisories/48996

http://secunia.com/advisories/48984

http://secunia.com/advisories/48976

http://rhn.redhat.com/errata/RHSA-2012-0533.html

http://osvdb.org/81648

http://marc.info/?l=bugtraq&m=134323086902585&w=2

http://lists.opensuse.org/opensuse-security-announce/2012-05/msg00003.html

http://lists.opensuse.org/opensuse-security-announce/2012-05/msg00001.html

http://lists.opensuse.org/opensuse-security-announce/2012-04/msg00023.html

http://lists.fedoraproject.org/pipermail/package-announce/2012-May/079677.html

http://lists.fedoraproject.org/pipermail/package-announce/2012-May/079670.html

http://lists.fedoraproject.org/pipermail/package-announce/2012-May/079662.html

Details

Source: Mitre, NVD

Published: 2012-04-30

Updated: 2018-01-05

Risk Information

CVSS v2

Base Score: 6.5

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P

Severity: Medium

CVSS v3

Base Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Severity: High