Samba 4.0.x before 4.0.1, in certain Active Directory domain-controller configurations, does not properly interpret Access Control Entries that are based on an objectClass, which allows remote authenticated users to bypass intended restrictions on modifying LDAP directory objects by leveraging (1) objectClass access by a user, (2) objectClass access by a group, or (3) write access to an attribute.

The remote NewStart CGSL host, running version MAIN 6.02, has samba packages installed that are affected by multiple vulnerabilities:

  - Multiple heap-based buffer overflows in the NDR parsing in smbd in Samba 3.0.0 through 3.0.25rc3 allow     remote attackers to execute arbitrary code via crafted MS-RPC requests involving (1) DFSEnum     (netdfs_io_dfs_EnumInfo_d), (2) RFNPCNEX (smb_io_notify_option_type_data), (3) LsarAddPrivilegesToAccount     (lsa_io_privilege_set), (4) NetSetFileSecurity (sec_io_acl), or (5) LsarLookupSids/LsarLookupSids2     (lsa_io_trans_names). (CVE-2007-2446)

  - The MS-RPC functionality in smbd in Samba 3.0.0 through 3.0.25rc3 allows remote attackers to execute     arbitrary commands via shell metacharacters involving the (1) SamrChangePassword function, when the     username map script smb.conf option is enabled, and allows remote authenticated users to execute     commands via shell metacharacters involving other MS-RPC functions in the (2) remote printer and (3) file     share management. (CVE-2007-2447)

  - Heap-based buffer overflow in the receive_smb_raw function in util/sock.c in Samba 3.0.0 through 3.0.29     allows remote attackers to execute arbitrary code via a crafted SMB response. (CVE-2008-1105)

  - Samba 3.4 before 3.4.2, 3.3 before 3.3.8, 3.2 before 3.2.15, and 3.0.12 through 3.0.36, as used in the SMB     subsystem in Apple Mac OS X 10.5.8 when Windows File Sharing is enabled, Fedora 11, and other operating     systems, does not properly handle errors in resolving pathnames, which allows remote authenticated users     to bypass intended sharing restrictions, and read, create, or modify files, in certain circumstances     involving user accounts that lack home directories. (CVE-2009-2813)

  - smbd in Samba 3.0 before 3.0.37, 3.2 before 3.2.15, 3.3 before 3.3.8, and 3.4 before 3.4.2 allows remote     authenticated users to cause a denial of service (infinite loop) via an unanticipated oplock break     notification reply packet. (CVE-2009-2906)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its banner, the version of Samba is 4.x earlier than 4.0.1.  It is therefore affected by a flaw when acting as an AD (Active Directory) DC (Domain Controller).  The vulnerability is triggered when a user or group is granted any access to a LDAP directory object based on objectClass or granted write access to any attribute on the object.  This results in an authenticated user automatically being granted write access to the object or all attributes.

Security update for CVE-2013-0172.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to its banner, the version of Samba 4.x running on the remote host is earlier than 4.0.1, and is, therefore, potentially affected by a security bypass vulnerability. 

When acting as an Active Directory (AD) Domain Controller (DC), the application can improperly grant write access to an LDAP directory object or its attributes improperly.  This error can be triggered when a user or group is granted any access to an LDAP directory object based on objectClass or is granted write access to any attribute on the object. 

Note that, by default, the application does not make 'authenticated users' a part of the 'pre-windows 2000 compatible access' group, which is the group that typically receives the problematic per-objectClass permission. 

Further note that Nessus has not actually tried to exploit this issue or otherwise determine if the patch or workaround has been applied.

ID	Name	Product	Family	Severity
206855	NewStart CGSL MAIN 6.02 : samba Multiple Vulnerabilities (NS-SA-2024-0054)	Nessus	NewStart CGSL Local Security Checks	critical
9345	Samba 4.x < 4.0.1 Remote Security Bypass	Nessus Network Monitor	Samba	medium
64460	Fedora 16 : samba4-4.0.0-39.alpha16.fc16 (2013-0935)	Nessus	Fedora Local Security Checks	low
64087	Fedora 17 : samba4-4.0.0-59alpha18.fc17 (2013-0859)	Nessus	Fedora Local Security Checks	low
63561	Samba 4.x < 4.0.1 AD DC LDAP Directory Objects Security Bypass	Nessus	Misc.	low

Detections

Analytics

CVE-2013-0172

medium

Tenable Plugins

critical

medium

low

low

low