The (1) CreateAccount, (2) OpenAccount, (3) AddAccountRights, and (4) RemoveAccountRights LSA RPC procedures in smbd in Samba 3.4.x before 3.4.17, 3.5.x before 3.5.15, and 3.6.x before 3.6.5 do not properly restrict modifications to the privileges database, which allows remote authenticated users to obtain the "take ownership" privilege via an LSA connection.

The remote NewStart CGSL host, running version MAIN 6.02, has samba packages installed that are affected by multiple vulnerabilities:

  - Multiple heap-based buffer overflows in the NDR parsing in smbd in Samba 3.0.0 through 3.0.25rc3 allow     remote attackers to execute arbitrary code via crafted MS-RPC requests involving (1) DFSEnum     (netdfs_io_dfs_EnumInfo_d), (2) RFNPCNEX (smb_io_notify_option_type_data), (3) LsarAddPrivilegesToAccount     (lsa_io_privilege_set), (4) NetSetFileSecurity (sec_io_acl), or (5) LsarLookupSids/LsarLookupSids2     (lsa_io_trans_names). (CVE-2007-2446)

  - The MS-RPC functionality in smbd in Samba 3.0.0 through 3.0.25rc3 allows remote attackers to execute     arbitrary commands via shell metacharacters involving the (1) SamrChangePassword function, when the     username map script smb.conf option is enabled, and allows remote authenticated users to execute     commands via shell metacharacters involving other MS-RPC functions in the (2) remote printer and (3) file     share management. (CVE-2007-2447)

  - Heap-based buffer overflow in the receive_smb_raw function in util/sock.c in Samba 3.0.0 through 3.0.29     allows remote attackers to execute arbitrary code via a crafted SMB response. (CVE-2008-1105)

  - Samba 3.4 before 3.4.2, 3.3 before 3.3.8, 3.2 before 3.2.15, and 3.0.12 through 3.0.36, as used in the SMB     subsystem in Apple Mac OS X 10.5.8 when Windows File Sharing is enabled, Fedora 11, and other operating     systems, does not properly handle errors in resolving pathnames, which allows remote authenticated users     to bypass intended sharing restrictions, and read, create, or modify files, in certain circumstances     involving user accounts that lack home directories. (CVE-2009-2813)

  - smbd in Samba 3.0 before 3.0.37, 3.2 before 3.2.15, 3.3 before 3.3.8, and 3.4 before 3.4.2 allows remote     authenticated users to cause a denial of service (infinite loop) via an unanticipated oplock break     notification reply packet. (CVE-2009-2906)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its banner, the version of Samba is 3.4.x earlier than 3.4.17, 3.5.x earlier than 3.5.15, or 3.6.x earlier than 3.6.5.  It is therefore affected by a flaw in the application security checks for the 'CreateAccount', 'OpenAccount', 'AddAccountRights', and 'RemoveAccountRights' remote procedure calls in the local security authority.  This may allow a remote attacker to manipulate the ownership of arbitrary files and directories.

The remote Solaris system is missing necessary patches to address security updates :

  - The (1) CreateAccount, (2) OpenAccount, (3)     AddAccountRights, and (4) RemoveAccountRights LSA RPC     procedures in smbd in Samba 3.4.x before 3.4.17, 3.5.x     before 3.5.15, and 3.6.x before 3.6.5 do not properly     restrict modifications to the privileges database, which     allows remote authenticated users to obtain the 'take     ownership' privilege via an LSA connection.
    (CVE-2012-2111)

- docs-xml: fix default name resolve order; (bso#7564).

  - s3-aio-fork: Fix a segfault in vfs_aio_fork; (bso#8836).

  - docs: remove whitespace in example samba.ldif;
    (bso#8789).

  - s3-smbd: move print_backend_init() behind     init_system_info(); (bso#8845).

  - s3-docs: Prepend '/' to filename argument; (bso#8826).

  - Restrict self granting privileges where security=ads for     Samba post-3.3.16; CVE-2012-2111; (bnc#757576).

The remote Oracle Linux 5 / 6 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2012-0533 advisory.

    - Security Release, fixes CVE-2012-2111

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Updated samba3x and samba packages that fix one security issue are now available for Red Hat Enterprise Linux 5 and 6 respectively.

The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

Samba is an open source implementation of the Server Message Block (SMB) or Common Internet File System (CIFS) protocol, which allows PC-compatible machines to share files, printers, and other information.

A flaw was found in the way Samba handled certain Local Security Authority (LSA) Remote Procedure Calls (RPC). An authenticated user could use this flaw to issue an RPC call that would modify the privileges database on the Samba server, allowing them to steal the ownership of files and directories that are being shared by the Samba server, and create, delete, and modify user accounts, as well as other Samba server administration tasks. (CVE-2012-2111)

Red Hat would like to thank the Samba project for reporting this issue. Upstream acknowledges Ivano Cristofolini as the original reporter.

Users of Samba are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue. After installing this update, the smb service will be restarted automatically.

Samba is an open source implementation of the Server Message Block (SMB) or Common Internet File System (CIFS) protocol, which allows PC-compatible machines to share files, printers, and other information.

A flaw was found in the way Samba handled certain Local Security Authority (LSA) Remote Procedure Calls (RPC). An authenticated user could use this flaw to issue an RPC call that would modify the privileges database on the Samba server, allowing them to steal the ownership of files and directories that are being shared by the Samba server, and create, delete, and modify user accounts, as well as other Samba server administration tasks. (CVE-2012-2111)

Users of Samba are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue. After installing this update, the smb service will be restarted automatically.

The remote host is affected by the vulnerability described in GLSA-201206-22 (Samba: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Samba. Please review       the CVE identifiers referenced below for details.
  Impact :

    A remote attacker could possibly execute arbitrary code with root       privileges, cause a Denial of Service condition, take ownership of shared       files, or bypass file permissions. Furthermore, a local attacker may be       able to cause a Denial of Service condition or obtain sensitive       information in a Samba credentials file.
  Workaround :

    There is no known workaround at this time.

Bump Epoch to match Samba3 Epoch number for updates.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Security Release, fixes CVE-2012-2111 Fix dependency on (private) libkrb5 symbol. This fixes smbd and nmbd startup issues.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Security Release, fixes CVE-2012-2111

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Security Release, fixes CVE-2012-2111 This fixes smbd and nmbd startup issues.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Ivano Cristofolini discovered that insufficient security checks in Samba's handling of LSA RPC calls could lead to privilege escalation by gaining the 'take ownership' privilege.

According to its banner, the version of Samba 3.x running on the remote host is earlier than 3.4.17 / 3.5.15 / 3.6.5, and as such, is potentially affected by a security bypass vulnerability. 

Authenticated users are able to modify ownership of files and directories that the user does not own.  Improper security checking related to the Local Security Authority (LSA) remote procedure calls (RPC) 'CreateAccount', 'OpenAccount', 'AddAccountRights' and 'RemoveAccountRights' can allow users these improper permissions. 

Note that Nessus has not actually tried to exploit this issue or otherwise determine if the patch or workaround has been applied.

Ivano Cristofolini discovered that Samba incorrectly handled some Local Security Authority (LSA) remote procedure calls (RPC). A remote, authenticated attacker could exploit this to grant administrative privileges to arbitrary users. The administrative privileges could be used to bypass permission checks performed by the Samba server.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update of Samba fixes one security issue and several bugs.

The security fix is :

  - Ensure that users cannot hand out their own privileges     to everyone, only administrators are allowed to do that.
    (CVE-2012-2111) The non-security bug fixes merged from     upstream Samba are :

  - Fix default name resolve order. (docs-xml, bso#7564).

  - Fix a segfault in vfs_aio_fork. (s3-aio-fork, bso#8836).

  - Remove whitespace in example samba.ldif. (docs,     bso#8789)

  - Move print_backend_init() behind init_system_info().
    (s3-smbd, bso#8845)

  - Prepend '/' to filename argument. (s3-docs, bso#8826)

This update of Samba includes the following fixes for two security issues :

  - Ensure that users cannot hand out their own privileges     to everyone, only administrators are allowed to do that.
    (CVE-2012-2111)

  - mount.cifs no longer allows unprivileged users to mount     onto dirs that are not accessible to them.
    (CVE-2012-1586)

A vulnerability has been found and corrected in samba :

Security checks were incorrectly applied to the Local Security Authority (LSA) remote proceedure calls (RPC) CreateAccount, OpenAccount, AddAccountRights and RemoveAccountRights allowing any authenticated user to modify the privileges database (CVE-2012-2111).

The updated packages have been patched to correct this issue.

The Samba project reports :

Samba versions 3.4.x to 3.6.4 inclusive are affected by a vulnerability that allows arbitrary users to modify privileges on a file server.

Security checks were incorrectly applied to the Local Security Authority (LSA) remote proceedure calls (RPC) CreateAccount, OpenAccount, AddAccountRights and RemoveAccountRights allowing any authenticated user to modify the privileges database.

This is a serious error, as it means that authenticated users can connect to the LSA and grant themselves the 'take ownership' privilege. This privilege is used by the smbd file server to grant the ability to change ownership of a file or directory which means users could take ownership of files or directories they do not own.

ID	Name	Product	Family	Severity
206855	NewStart CGSL MAIN 6.02 : samba Multiple Vulnerabilities (NS-SA-2024-0054)	Nessus	NewStart CGSL Local Security Checks	critical
9344	Samba 3.x < 3.4.17 / 3.5.x < 3.5.15 / 3.6.x < 3.6.5 Remote Security Bypass	Nessus Network Monitor	Samba	medium
80761	Oracle Solaris Third-Party Patch Update : samba (cve_2012_2111_access_controls)	Nessus	Solaris Local Security Checks	medium
74613	openSUSE Security Update : samba (openSUSE-SU-2012:0583-1)	Nessus	SuSE Local Security Checks	medium
68521	Oracle Linux 5 / 6 : samba / and / samba3x (ELSA-2012-0533)	Nessus	Oracle Linux Local Security Checks	high
67088	CentOS 5 / 6 : samba / samba3x (CESA-2012:0533)	Nessus	CentOS Local Security Checks	medium
61308	Scientific Linux Security Update : samba and samba3x on SL5.x, SL6.x i386/x86_64 (20120430)	Nessus	Scientific Linux Local Security Checks	medium
59675	GLSA-201206-22 : Samba: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	critical
59024	Fedora 17 : evolution-mapi-3.4.1-3.fc17 / openchange-1.0-6.fc17 / samba4-4.0.0-47alpha18.fc17 (2012-7317)	Nessus	Fedora Local Security Checks	medium
58983	Fedora 16 : samba-3.6.5-85.fc16 (2012-7006)	Nessus	Fedora Local Security Checks	medium
58982	Fedora 15 : samba-3.5.15-74.fc15.1 (2012-6999)	Nessus	Fedora Local Security Checks	medium
58971	Fedora 17 : samba-3.6.5-85.fc17.1 (2012-6981)	Nessus	Fedora Local Security Checks	medium
58969	Debian DSA-2463-1 : samba - missing permission checks	Nessus	Debian Local Security Checks	medium
58949	Samba 3.x < 3.4.17 / 3.5.15 / 3.6.5 Security Bypass	Nessus	Misc.	medium
58948	Ubuntu 10.04 LTS / 11.04 / 11.10 / 12.04 LTS : samba vulnerability (USN-1434-1)	Nessus	Ubuntu Local Security Checks	medium
58943	SuSE 11.2 Security Update : Samba (SAT Patch Number 6211)	Nessus	SuSE Local Security Checks	medium
58941	SuSE 11.1 Security Update : Samba (SAT Patch Number 6210)	Nessus	SuSE Local Security Checks	medium
58940	RHEL 5 / 6 : samba and samba3x (RHSA-2012:0533)	Nessus	Red Hat Local Security Checks	medium
58939	Mandriva Linux Security Advisory : samba (MDVSA-2012:067)	Nessus	Mandriva Local Security Checks	medium
58937	FreeBSD : samba -- incorrect permission checks vulnerability (0fa15e08-92ec-11e1-a94a-00215c6a37bb)	Nessus	FreeBSD Local Security Checks	medium

Detections

Analytics

CVE-2012-2111

high

Tenable Plugins

critical

medium

medium

medium

high

medium

medium

critical

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium