Synopsis
The remote Samba server is affected by a multiple security issues.
Description
According to its banner, the version of Samba is 4.x earlier than 4.1.22. It is therefore affected by the following vulnerabilities :
- A flaw exists in the 'ldb_wildcard_compare()' function in 'lib/ldb/common/ldb_match.c' that is triggered when handling LDAP requests. This may allow a remote attacker to exhaust available CPU resources. (CVE-2015-3223)
- A flaw exists in the 'check_reduced_name_with_privilege()' and 'check_reduced_name()' functions in 'smbd/vfs.c' that allows traversing outside of a restricted path. The issue is due to users being permitted to follow symlinks pointing to resources in another directory that shares a common path prefix. This may allow a remote attacker to access files outside the exported share path. According to the vendor, exploitation requires that a Samba share "is configured with a path that shares a common path prefix with another directory on the file system". (CVE-2015-5252)
- A flaw exists that is triggered when handling encrypted client sessions due to missing signing. This may allow a Man-in-the-Middle (MitM) attacker to downgrade the security of the connection, making it easier to break the encryption and monitor or manipulate communication. (CVE-2015-5296)
- A flaw exists in the 'shadow_copy2_get_shadow_copy_data()' function in 'modules/vfs_shadow_copy2.c' due to missing access control checks when accessing snapshots. This may allow an authenticated, remote attacker to gain knowledge of potentially sensitive information. (CVE-2015-5299)
- An unspecified flaw exists that is triggered when handling LDAP requests. This may allow a remote attacker to disclose uninitialized memory contents. (CVE-2015-5330)
- A flaw exists in 'libcli/ldap/ldap_message.c' that is triggered when handling LDAP requests. This may allow a remote attacker to exhaust available memory resources and potentially cause the process to be terminated. (CVE-2015-7540)
- A flaw exists in the 'samldb_check_user_account_control_acl()' function in 'dsdb/samdb/ldb_modules/samldb.c' that is triggered when operating as an Active Directory domain controller. This may allow a remote attacker to bypass a certain Microsoft patch for Windows AD DCs in the same domain and crash them. (CVE-2015-8467)
Solution
Upgrade Samba to version 4.1.22 or later.
Plugin Details
Nessus ID: 87768, 89144, 89376
Risk Information
Vector: CVSS2#AV:N/AC:M/Au:S/C:P/I:P/A:P
Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C
Vulnerability Information
CPE: cpe:/a:samba:samba
Patch Publication Date: 8/12/2004
Vulnerability Publication Date: 8/12/2004
Reference Information
CVE: CVE-2015-3223, CVE-2015-5252, CVE-2015-5296, CVE-2015-5299, CVE-2015-5330, CVE-2015-7540, CVE-2015-8467
BID: 79729, 79731, 79732, 79733, 79734, 79735, 79736