SB2013111302 - Cryptographic issues in Samba
Published: November 13, 2013 Updated: July 28, 2020
Security Bulletin ID
SB2013111302
Severity
Low
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Local access
Highest impact
Information disclosure
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Cryptographic issues (CVE-ID: CVE-2013-4476)
The vulnerability allows a local non-authenticated attacker to gain access to sensitive information.
Samba 4.0.x before 4.0.11 and 4.1.x before 4.1.1, when LDAP or HTTP is provided over SSL, uses world-readable permissions for a private key, which allows local users to obtain sensitive information by reading the key file, as demonstrated by access to the local filesystem on an AD domain controller.
Remediation
Install update from vendor's website.
References
- http://lists.opensuse.org/opensuse-updates/2013-11/msg00083.html
- http://lists.opensuse.org/opensuse-updates/2013-12/msg00088.html
- http://security.gentoo.org/glsa/glsa-201502-15.xml
- http://www.samba.org/samba/history/samba-4.0.11.html
- http://www.samba.org/samba/history/samba-4.1.1.html
- http://www.samba.org/samba/security/CVE-2013-4476