A flaw was found in samba versions 4.0.0 to 4.5.2. The Samba routine ndr_pull_dnsp_name contains an integer wrap problem, leading to an attacker-controlled memory overwrite. ndr_pull_dnsp_name parses data from the Samba Active Directory ldb database. Any user who can write to the dnsRecord attribute over LDAP can trigger this memory corruption. By default, all authenticated LDAP users can write to the dnsRecord attribute on new DNS objects. This makes the defect a remote privilege escalation.

The remote NewStart CGSL host, running version MAIN 6.02, has samba packages installed that are affected by multiple vulnerabilities:

  - Multiple heap-based buffer overflows in the NDR parsing in smbd in Samba 3.0.0 through 3.0.25rc3 allow     remote attackers to execute arbitrary code via crafted MS-RPC requests involving (1) DFSEnum     (netdfs_io_dfs_EnumInfo_d), (2) RFNPCNEX (smb_io_notify_option_type_data), (3) LsarAddPrivilegesToAccount     (lsa_io_privilege_set), (4) NetSetFileSecurity (sec_io_acl), or (5) LsarLookupSids/LsarLookupSids2     (lsa_io_trans_names). (CVE-2007-2446)

  - The MS-RPC functionality in smbd in Samba 3.0.0 through 3.0.25rc3 allows remote attackers to execute     arbitrary commands via shell metacharacters involving the (1) SamrChangePassword function, when the     username map script smb.conf option is enabled, and allows remote authenticated users to execute     commands via shell metacharacters involving other MS-RPC functions in the (2) remote printer and (3) file     share management. (CVE-2007-2447)

  - Heap-based buffer overflow in the receive_smb_raw function in util/sock.c in Samba 3.0.0 through 3.0.29     allows remote attackers to execute arbitrary code via a crafted SMB response. (CVE-2008-1105)

  - Samba 3.4 before 3.4.2, 3.3 before 3.3.8, 3.2 before 3.2.15, and 3.0.12 through 3.0.36, as used in the SMB     subsystem in Apple Mac OS X 10.5.8 when Windows File Sharing is enabled, Fedora 11, and other operating     systems, does not properly handle errors in resolving pathnames, which allows remote authenticated users     to bypass intended sharing restrictions, and read, create, or modify files, in certain circumstances     involving user accounts that lack home directories. (CVE-2009-2813)

  - smbd in Samba 3.0 before 3.0.37, 3.2 before 3.2.15, 3.3 before 3.3.8, and 3.4 before 3.4.2 allows remote     authenticated users to cause a denial of service (infinite loop) via an unanticipated oplock break     notification reply packet. (CVE-2009-2906)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Versions of Samba 4.3.x prior to 4.3.13, 4.4.x prior to 4.4.8, and 4.5.x prior to 4.5.3 are unpatched, and therefore affected by the following vulnerabilities :

 - An overflow condition exists in the 'ndr_pull_dnsp_name()' function in 'librpc/ndr/ndr_dnsp.c' that is triggered when handling 'dnsRecord' attributes of DNS objects.  With a specially crafted request, an authenticated, remote attacker can cause a heap-based buffer overflow, resulting in a denial of service or potentially allowing the execution of arbitrary code. 
 - A flaw exists related to the client code always requesting a forwardable Kerberos ticket when performing Kerberos authentication.  This may allow a service accepting the 'AP-REQ' from the client to perform the same actions as the client within the Kerberos TGT.
 - A flaw exists in the 'check_pac_checksum()' function in 'auth/kerberos/kerberos_pac.c' that is triggered when handling Kerberos PAC (Privilege Attribute Certificate) validation.  This may allow an authenticated, remote attacker to corrupt memory and crash the winbindd process. 

This update for samba fixes the following issues :

Security issues fixed :

  - CVE-2016-2125: Don't send delegated credentials to all     servers. (bsc#1014441).

  - CVE-2016-2126: Denial of service due to a client     triggered crash in the winbindd parent process.
    (bsc#1014442).

  - CVE-2016-2123: Heap-based Buffer Overflow Remote Code     Execution Vulnerability. (bsc#1014437). This component     is not built into our packages, so we are not affected.

Non security issues fixed :

  - s3/client: obey 'disable netbios' smb.conf param, don't     connect via NBT port; (bsc#1009085)

This update was imported from the SUSE:SLE-12-SP2:Update update project.

This update for samba fixes the following issues :

Security issues fixed :

  - CVE-2016-2125: Don't send delegated credentials to all     servers. (bsc#1014441).

  - CVE-2016-2126: Denial of service due to a client     triggered crash in the winbindd parent process.
    (bsc#1014442).

  - CVE-2016-2123: Heap-based Buffer Overflow Remote Code     Execution Vulnerability. (bsc#1014437). The component     affected is not built in our packages.

Non security issues fixed :

  - s3/client: obey 'disable netbios' smb.conf param, don't     connect via NBT port; (bsc#1009085)

  - Add doc changes for net ads --no-dns-updates switch;
    (bsc#991564)

  - Include vfstest in samba-test; (bsc#1001203).

  - s3/winbindd: using default domain with user@domain.com     format fails (bsc#997833).

  - Fix illegal memory access after memory has been deleted     (bsc#975299).

  - Fix bug in tevent poll backend causing winbind to loop     tightly (bsc#994500).

  - Various fixes for spnego/ntlm (bsc#986675). This update     was imported from the SUSE:SLE-12-SP1:Update update     project.

This update for samba fixes the following issues: Security issues fixed :

  - CVE-2016-2125: Don't send delegated credentials to all     servers. (bsc#1014441).

  - CVE-2016-2126: Denial of service due to a client     triggered crash in the winbindd parent process.
    (bsc#1014442).

  - CVE-2016-2123: Heap-based Buffer Overflow Remote Code     Execution Vulnerability. (bsc#1014437). This issue does     not affect our packages, as the component is not built.
    Non security issues fixed :

  - s3/client: obey 'disable netbios' smb.conf param, don't     connect via NBT port (bsc#1009085)

  - Add doc changes for net ads --no-dns-updates switch     (bsc#991564)

  - Include vfstest in samba-test (bsc#1001203).

  - s3/winbindd: using default domain with user@domain.com     format fails (bsc#997833).

  - Fix illegal memory access after memory has been deleted     (bsc#975299).

  - Fix bug in tevent poll backend causing winbind to loop     tightly (bsc#994500).

  - Various fixes for spnego/ntlm (bsc#986675).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

New samba packages are available for Slackware 14.2 and -current to fix security issues.

Samba team reports :

[CVE-2016-2123] Authenticated users can supply malicious dnsRecord attributes on DNS objects and trigger a controlled memory corruption.

[CVE-2016-2125] Samba client code always requests a forwardable ticket when using Kerberos authentication. This means the target server, which must be in the current or trusted domain/realm, is given a valid general purpose Kerberos 'Ticket Granting Ticket' (TGT), which can be used to fully impersonate the authenticated user or service.

[CVE-2016-2126] A remote, authenticated, attacker can cause the winbindd process to crash using a legitimate Kerberos ticket due to incorrect handling of the PAC checksum. A local service with access to the winbindd privileged pipe can cause winbindd to cache elevated access permissions.

This update for samba fixes the following issues: Security issues fixed :

  - CVE-2016-2125: Don't send delegated credentials to all     servers. (bsc#1014441).

  - CVE-2016-2126: Denial of service due to a client     triggered crash in the winbindd parent process.
    (bsc#1014442).

  - CVE-2016-2123: Heap-based Buffer Overflow Remote Code     Execution Vulnerability. (bsc#1014437). The component     affected is not built in our packages. Non security     issues fixed :

  - s3/client: obey 'disable netbios' smb.conf param, don't     connect via NBT port; (bsc#1009085)

  - Add doc changes for net ads --no-dns-updates switch;
    (bsc#991564)

  - Include vfstest in samba-test; (bsc#1001203).

  - s3/winbindd: using default domain with user@domain.com     format fails (bsc#997833).

  - Fix illegal memory access after memory has been deleted     (bsc#975299).

  - Fix bug in tevent poll backend causing winbind to loop     tightly (bsc#994500).

  - Various fixes for spnego/ntlm (bsc#986675).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for samba fixes the following issues: Security issues fixed :

  - CVE-2016-2125: Don't send delegated credentials to all     servers. (bsc#1014441).

  - CVE-2016-2126: Denial of service due to a client     triggered crash in the winbindd parent process.
    (bsc#1014442).

  - CVE-2016-2123: Heap-based Buffer Overflow Remote Code     Execution Vulnerability. (bsc#1014437). This component     is not built into our packages, so we are not affected.
    Non security issues fixed :

  - s3/client: obey 'disable netbios' smb.conf param, don't     connect via NBT port; (bsc#1009085)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The version of Samba running on the remote host is 4.3.x prior to 4.3.13, 4.4.x prior to 4.4.8, or 4.5.x prior to 4.5.3. It is, therefore, affected by multiple vulnerabilities :

  - An overflow condition exists in the ndr_pull_dnsp_name()     function in ndr_dnsp.c that is triggered when handling     'dnsRecord' attributes of DNS objects. An authenticated,     remote attacker can exploit this, via a specially     crafted request, to cause a heap-based buffer overflow,     resulting in a denial of service condition or the     execution of arbitrary code. (CVE-2016-2123)

  - A flaw exists in the client code when performing     Kerberos authentication due to always requesting a     forwardable Kerberos ticket. An adjacent attacker can     exploit this to cause a service accepting the AP-REQ     from the client to perform the same actions as the     client within the Kerberos TGT, allowing the attacker to     impersonate an authenticated user or service.
    (CVE-2016-2125)

  - A denial of service vulnerability exists in the     check_pac_checksum() function in kerberos_pac.c due to     improper handling of the arcfour-hmac-md5 PAC     (Privilege Attribute Certificate) checksum. An     authenticated, remote attacker can exploit this to     corrupt memory, resulting in a crash of the winbindd     process. (CVE-2016-2126)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Ubuntu 14.04 LTS / 16.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-3158-1 advisory.

    Frederic Besler and others discovered that the ndr_pull_dnsp_nam function in Samba contained an integer     overflow. An authenticated attacker could use this to gain administrative privileges. This issue only     affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, and Ubuntu 16.10. (CVE-2016-2123)

    Simo Sorce discovered that that Samba clients always requested a forwardable ticket when using Kerberos     authentication. An attacker could use this to impersonate an authenticated user or service.
    (CVE-2016-2125)

    Volker Lendecke discovered that Kerberos PAC validation implementation in Samba contained multiple     vulnerabilities. An authenticated attacker could use this to cause a denial of service or gain     administrative privileges. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, and Ubuntu 16.10.
    (CVE-2016-2126)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Several vulnerabilities have been discovered in Samba, a SMB/CIFS file, print, and login server for Unix. The Common Vulnerabilities and Exposures project identifies the following issues :

  - CVE-2016-2119     Stefan Metzmacher discovered that client-side SMB2/3     required signing can be downgraded, allowing a     man-in-the-middle attacker to impersonate a server being     connected to by Samba, and return malicious results.

  - CVE-2016-2123     Trend Micro's Zero Day Initiative and Frederic Besler     discovered that the routine ndr_pull_dnsp_name, used to     parse data from the Samba Active Directory ldb database,     contains an integer overflow flaw, leading to an     attacker-controlled memory overwrite. An authenticated     user can take advantage of this flaw for remote     privilege escalation.

  - CVE-2016-2125     Simo Sorce of Red Hat discovered that the Samba client     code always requests a forwardable ticket when using     Kerberos authentication. A target server, which must be     in the current or trusted domain/realm, is given a valid     general purpose Kerberos 'Ticket Granting Ticket' (TGT),     which can be used to fully impersonate the authenticated     user or service.

  - CVE-2016-2126     Volker Lendecke discovered several flaws in the Kerberos     PAC validation. A remote, authenticated, attacker can     cause the winbindd process to crash using a legitimate     Kerberos ticket due to incorrect handling of the PAC     checksum. A local service with access to the winbindd     privileged pipe can cause winbindd to cache elevated     access permissions.

ID	Name	Product	Family	Severity
206855	NewStart CGSL MAIN 6.02 : samba Multiple Vulnerabilities (NS-SA-2024-0054)	Nessus	NewStart CGSL Local Security Checks	critical
9857	Samba 4.3.x < 4.3.13 / 4.4.x < 4.4.8 / 4.5.x < 4.5.3 Multiple Vulnerabilities	Nessus Network Monitor	Samba	high
96294	openSUSE Security Update : samba (openSUSE-2017-12)	Nessus	SuSE Local Security Checks	high
96293	openSUSE Security Update : samba (openSUSE-2017-11)	Nessus	SuSE Local Security Checks	high
96261	SUSE SLES12 Security Update : samba (SUSE-SU-2016:3299-1)	Nessus	SuSE Local Security Checks	high
96166	Slackware 14.2 / current : samba (SSA:2016-363-02)	Nessus	Slackware Local Security Checks	high
96164	FreeBSD : samba -- multiple vulnerabilities (e4bc323f-cc73-11e6-b704-000c292e4fd8)	Nessus	FreeBSD Local Security Checks	high
96149	SUSE SLED12 / SLES12 Security Update : samba (SUSE-SU-2016:3272-1)	Nessus	SuSE Local Security Checks	high
96148	SUSE SLED12 / SLES12 Security Update : samba (SUSE-SU-2016:3271-1)	Nessus	SuSE Local Security Checks	high
96142	Samba 4.3.x < 4.3.13 / 4.4.x < 4.4.8 / 4.5.x < 4.5.3 Multiple Vulnerabilities	Nessus	Misc.	high
95949	Ubuntu 14.04 LTS / 16.04 LTS : Samba vulnerabilities (USN-3158-1)	Nessus	Ubuntu Local Security Checks	high
95936	Debian DSA-3740-1 : samba - security update	Nessus	Debian Local Security Checks	high

Detections

Analytics

CVE-2016-2123

high

Tenable Plugins

critical

high

high

high

high

high

high

high

high

high

high

high