The owner_set function in smbcacls.c in smbcacls in Samba 4.0.x before 4.0.16 and 4.1.x before 4.1.6 removes an ACL during use of a --chown or --chgrp option, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging an unintended administrative change.

The remote NewStart CGSL host, running version MAIN 6.02, has samba packages installed that are affected by multiple vulnerabilities:

  - Multiple heap-based buffer overflows in the NDR parsing in smbd in Samba 3.0.0 through 3.0.25rc3 allow     remote attackers to execute arbitrary code via crafted MS-RPC requests involving (1) DFSEnum     (netdfs_io_dfs_EnumInfo_d), (2) RFNPCNEX (smb_io_notify_option_type_data), (3) LsarAddPrivilegesToAccount     (lsa_io_privilege_set), (4) NetSetFileSecurity (sec_io_acl), or (5) LsarLookupSids/LsarLookupSids2     (lsa_io_trans_names). (CVE-2007-2446)

  - The MS-RPC functionality in smbd in Samba 3.0.0 through 3.0.25rc3 allows remote attackers to execute     arbitrary commands via shell metacharacters involving the (1) SamrChangePassword function, when the     username map script smb.conf option is enabled, and allows remote authenticated users to execute     commands via shell metacharacters involving other MS-RPC functions in the (2) remote printer and (3) file     share management. (CVE-2007-2447)

  - Heap-based buffer overflow in the receive_smb_raw function in util/sock.c in Samba 3.0.0 through 3.0.29     allows remote attackers to execute arbitrary code via a crafted SMB response. (CVE-2008-1105)

  - Samba 3.4 before 3.4.2, 3.3 before 3.3.8, 3.2 before 3.2.15, and 3.0.12 through 3.0.36, as used in the SMB     subsystem in Apple Mac OS X 10.5.8 when Windows File Sharing is enabled, Fedora 11, and other operating     systems, does not properly handle errors in resolving pathnames, which allows remote authenticated users     to bypass intended sharing restrictions, and read, create, or modify files, in certain circumstances     involving user accounts that lack home directories. (CVE-2009-2813)

  - smbd in Samba 3.0 before 3.0.37, 3.2 before 3.2.15, 3.3 before 3.3.8, and 3.4 before 3.4.2 allows remote     authenticated users to cause a denial of service (infinite loop) via an unanticipated oplock break     notification reply packet. (CVE-2009-2906)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Update to Samba 4.0.21. CVE-2014-3560.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Update to Samba 4.1.9. Update to Samba 4.1.8 (CVE-2014-0178 samba:
Uninitialized memory exposure)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Samba was updated to 4.1.6, fixing bugs and security issues :

  - Password lockout not enforced for SAMR password changes,     this allowed brute forcing of passwords; CVE-2013-4496;
    (bnc#849224).

  - smbcacls can remove a file or directory ACL by mistake;
    CVE-2013-6442; (bnc#855866).

Also the following bugs were fixed :

  - Call update-apparmor-samba-profile via ExecStartPre too;
    (bnc#867665).

  - Retry named pipe open requests on     STATUS_PIPE_NOT_AVAILABLE; (bso#10484); (bnc#865095).

  - Propagate snapshot enumeration permissions errors to SMB     clients; (bnc#865641).

  - Properly handle empty 'requires_membership_of' entries     in /etc/security/pam_winbind.conf; (bnc#865771).

  - Fix problem with server taking too long to respond to a     MSG_PRINTER_DRVUPGRADE message; (bso#9942);
    (bnc#863748).

  - Fix memory leak in printer_list_get_printer();
    (bso#9993); (bnc#865561).

  - Fix stream_depot VFS module on Btrfs; (bso#10467);
    (bnc#865397).

  - Use libarchive to provide improved smbclient tarmode     functionality; (bso#9667); (bnc#861135).

  - Depend on %version-%release with all manual Provides and     Requires; (bnc#844307).

  - Update to 4.1.5.

  + Fix 100% CPU utilization in winbindd when trying to free     memory in winbindd_reinit_after_fork; (bso#10358);
    (bnc#786677).

  + smbd: Fix memory overwrites; (bso#10415).

  + s3-winbind: Improve performance of     wb_fill_pwent_sid2uid_done(); (bso#2191).

  + ntlm_auth sometimes returns the wrong username to     mod_ntlm_auth_winbind; (bso#10087).

  + s3: smbpasswd: Fix crashes on invalid input;
    (bso#10320).

  + s3: vfs_dirsort module: Allow dirsort to work when     multiple simultaneous directories are open; (bso#10406).

  + Add support for Heimdal's unified krb5 and hdb plugin     system, cope with first element in hdb_method having a     different name in different heimdal versions and fix     INTERNAL ERROR: Signal 11 in the kdc pid; (bso#10418).

  + vfs_btrfs: Fix incorrect zero length server-side copy     request handling; (bso#10424).

  + s3: modules: streaminfo: As we have no VFS function     SMB_VFS_LLISTXATTR we can't cope with a symlink when     lp_posix_pathnames() is true; (bso#10429).

  + smbd: Fix an ancient oplock bug; (bso#10436).

  + Fix crash bug in smb2_notify code; (bso#10442).

  - Remove superfluous obsoletes *-64bit in the ifarch ppc64     case; (bnc#437293).

  - Migrate @GMT token parsing functionality into     vfs_snapper; (bnc#863079).

  + Improve vfs_snapper documentation.

  - Fix Winbind 100% CPU utilization caused by domain list     corruption; (bso#10358); (bnc#786677).

  - Fix memory overwrite in FSCTL_VALIDATE_NEGOTIATE_INFO     handler; (bso#10415); (bnc#862370).

  - Streamline the vendor suffix handling and add support     for SLE 12.

  - Fix zero length server-side copy request handling;
    (bso#10424); (bnc#862558).

  - Set the PID directory to /run/samba on post-12.2     systems.

  - Make use of the tmpfilesdir macro while calling     systemd-tmpfiles.

  - Make winbindd print the interface version when it gets     an INTERFACE_VERSION request; (bnc#726937).

  - Fix vfs_btrfs build on older platforms with duplicate     WRITE_FLUSH definitions; (bnc#860832).

  - Check for NULL gensec_security in     gensec_security_by_auth_type(); (bnc#860809).

  - Ensure ndr table initialization; (bnc#860648).

  - Add File Server Remote VSS Protocol (FSRVP) server for     SMB share shadow-copies; (fate#313346).

  - s3-dir: Fix the DOS clients against 64-bit smbd's;
    (bso#2662).

  - shadow_copy2: module 'Previous Version' not working in     Windows 7; (bso#10259).

  - s3-passdb: Fix string duplication to pointers;
    (bso#10367).

  - vfs/glusterfs: in case atime is not passed, set it to     the current atime; (bso#10384)

  - s3: winbindd: Move calling setup_domain_child() into     add_trusted_domain(); (bso#10358); (bnc#786677).

  - Default sysconfig daemon options to -D; (bso#10388);
    (bnc#857454).

  - Add /var/cache/samba to the client file list;
    (bnc#846586).

  - Really add the WINBINDDOPTIONS sysconfig variable on     install; (bnc#857454).

  - Correct sysconfig variable names by adding the missing D     char; (bnc#857454).

  - Update to 4.1.4.

  + Fix segfault in smbd; (bso#10284).

  + Fix SMB2 server panic when a smb2 brlock times out;
    (bso#10311).

  - Call stop_on_removal from preun and restart_on_update     and insserv_cleanup from postun on pre-12.3 systems     only; (bnc#857454).

  - BuildRequire gamin-devel instead of unmaintained     fam-devel package on post-12.1 systems.

  - smbd: allow updates on directory write times on open     handles; (bso#9870).

  - lib/util: use proper include for struct stat;
    (bso#10276).

  - s3:winbindd fix use of uninitialized variables;
    (bso#10280).

  - s3-winbindd: Fix DEBUG statement in     winbind_msg_offline(); (bso#10285).

  - s3-lib: Fix %G substitution for domain users in smbd;
    (bso#10286).

  - smbd: Always use UCF_PREP_CREATEFILE for     filename_convert calls to resolve a path for open;
    (bso#10297).

  - smb2_server processing overhead; (bso#10298).

  - ldb: bad if test in ldb_comparison_fold(); (bso#10305).

  - Fix AIO with SMB2 and locks; (bso#10310).

  - smbd: Fix a panic when a smb2 brlock times out;
    (bso#10311).

  - vfs_glusterfs: Enable per client log file; (bso#10337).

  - Add /etc/sysconfig/samba to the main and winbind     package; (bnc#857454).

  - Create /var/run/samba with systemd-tmpfiles on post-12.2     systems; (bnc#856759).

  - Fix broken rc(nmb,smb,winbind) sym links which should     point to the service binary on post-12.2 systems;
    (bnc#856759).

  - Add Snapper VFS module for snapshot manipulation;
    (fate#313347).

  + dbus-1-devel required at build time.

  - Add File Server Remote VSS Protocol (FSRVP) client for     SMB share shadow-copies; (fate#313345).

  - Do not BuildRequire perl ExtUtils::MakeMaker and     Parse::Yapp as they're part of the minimum build     environment.

  - Allow smbcacls to take a '--propagate-inheritance' flag     to indicate that the add, delete, modify and set     operations now support automatic propagation of     inheritable ACE(s); (FATE#316474).

Versions of Samba older than 3.6.23 / 4.0.16 / 4.1.6 are unpatched for the following vulnerabilities:

  - An information disclosure due to an error in the Security Account Manager Remote (SAMR) implementation, which fails to properly validate the lockout state for user accounts after a certain number of bad password attempts. (CVE-2013-4496)

  - An error in the 'smbcacls' command causes the removal of access control lists (ACLs) when used with a '--chown' or '--chgrp' option, which could be leveraged by a remote attacker after an unintended administrative change to bypass intended restrictions. (CVE-2013-6442)

Updated samba4 packages that fix three security issues are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Samba is an open source implementation of the Server Message Block (SMB) or Common Internet File System (CIFS) protocol, which allows PC-compatible machines to share files, printers, and other information.

It was found that certain Samba configurations did not enforce the password lockout mechanism. A remote attacker could use this flaw to perform password guessing attacks on Samba user accounts. Note: this flaw only affected Samba when deployed as a Primary Domain Controller.
(CVE-2013-4496)

A flaw was found in Samba's 'smbcacls' command, which is used to set or get ACLs on SMB file shares. Certain command line options of this command would incorrectly remove an ACL previously applied on a file or a directory, leaving the file or directory without the intended ACL. (CVE-2013-6442)

A flaw was found in the way the pam_winbind module handled configurations that specified a non-existent group as required. An authenticated user could possibly use this flaw to gain access to a service using pam_winbind in its PAM configuration when group restriction was intended for access to the service. (CVE-2012-6150)

Red Hat would like to thank the Samba project for reporting CVE-2013-4496 and CVE-2013-6442, and Sam Richardson for reporting CVE-2012-6150. Upstream acknowledges Andrew Bartlett as the original reporter of CVE-2013-4496, and Noel Power as the original reporter of CVE-2013-6442.

All users of Samba are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, the smb service will be restarted automatically.

It was found that certain Samba configurations did not enforce the password lockout mechanism. A remote attacker could use this flaw to perform password guessing attacks on Samba user accounts. Note: this flaw only affected Samba when deployed as a Primary Domain Controller.
(CVE-2013-4496)

A flaw was found in Samba's 'smbcacls' command, which is used to set or get ACLs on SMB file shares. Certain command line options of this command would incorrectly remove an ACL previously applied on a file or a directory, leaving the file or directory without the intended ACL. (CVE-2013-6442)

A flaw was found in the way the pam_winbind module handled configurations that specified a non-existent group as required. An authenticated user could possibly use this flaw to gain access to a service using pam_winbind in its PAM configuration when group restriction was intended for access to the service. (CVE-2012-6150)

After installing this update, the smb service will be restarted automatically.

The remote Oracle Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2014-0383 advisory.

    - resolves: #1073913 - Fix CVE-2012-6150.
    - resolves: #1073913 - Fix CVE-2013-4496.

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Fix CVE-2013-4496 and CVE-2013-6442.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to its banner, the version of Samba running on the remote host is 3.4.x or later but prior to 3.6.23 or 4.0.x or later but prior to 4.0.16 or 4.1.6.  It is, therefore, potentially affected by multiple vulnerabilities :

  - A flaw exists in the Security Account Manager Remote     protocol implementation where it fails to validate the     user lockout state, affecting Samba versions 3.4.x and     later. This could allow a remote attacker to attempt a     brute-force attack to determine a user's password     without being locked out. (CVE-2013-4496)

  - A flaw exists in the 'owner_set' function of the     smbcacls command when changing the owner or group owner     of the object using '-C' / '--chown' or '-G' / '--chgrp'     flags, causing the existing ACL to be removed. This     affects Samba versions 4.0.x and later and could allow     an attacker unrestricted access to the modified object.
    (CVE-2013-6442)

Note that Nessus has relied only on the self-reported version number and has not actually tried to exploit these issues or determine if the associated patches have been applied.

New samba packages are available for Slackware 14.0, 14.1, and
-current to fix security issues.

Samba project reports :

In Samba's SAMR server we neglect to ensure that attempted password changes will update the bad password count, nor set the lockout flags.
This would allow a user unlimited attempts against the password by simply calling ChangePasswordUser2 repeatedly.

This is available without any other authentication.

smbcacls can remove a file or directory ACL by mistake.

ID	Name	Product	Family	Severity
206855	NewStart CGSL MAIN 6.02 : samba Multiple Vulnerabilities (NS-SA-2024-0054)	Nessus	NewStart CGSL Local Security Checks	critical
77268	Fedora 19 : samba-4.0.21-1.fc19 (2014-9132)	Nessus	Fedora Local Security Checks	high
76223	Fedora 20 : samba-4.1.9-3.fc20 (2014-7672)	Nessus	Fedora Local Security Checks	high
75301	openSUSE Security Update : samba (openSUSE-SU-2014:0404-1)	Nessus	SuSE Local Security Checks	medium
8276	Samba < 3.6.23 / 4.0.16 / 4.1.6 Multiple Vulnerabilities	Nessus Network Monitor	Samba	medium
73464	CentOS 6 : samba4 (CESA-2014:0383)	Nessus	CentOS Local Security Checks	medium
73453	Scientific Linux Security Update : samba4 on SL6.x i386/x86_64 (20140409)	Nessus	Scientific Linux Local Security Checks	medium
73452	RHEL 6 : samba4 (RHSA-2014:0383)	Nessus	Red Hat Local Security Checks	medium
73450	Oracle Linux 6 : samba4 (ELSA-2014-0383)	Nessus	Oracle Linux Local Security Checks	critical
73240	Fedora 19 : samba-4.0.16-1.fc19 (2014-3815)	Nessus	Fedora Local Security Checks	medium
73080	Samba 3.4.x < 3.6.23 / 4.0.x < 4.0.16 / 4.1.x < 4.1.6 Multiple Vulnerabilities	Nessus	Misc.	medium
73046	Fedora 20 : samba-4.1.6-1.fc20 (2014-3796)	Nessus	Fedora Local Security Checks	medium
73028	Slackware 14.0 / 14.1 / current : samba (SSA:2014-072-01)	Nessus	Slackware Local Security Checks	medium
72954	FreeBSD : samba -- multiple vulnerabilities (03e48bf5-a96d-11e3-a556-3c970e169bc2)	Nessus	FreeBSD Local Security Checks	medium

Detections

Analytics

CVE-2013-6442

high

Tenable Plugins

critical

high

high

medium

medium

medium

medium

medium

critical

medium

medium

medium

medium

medium