SB2013111403 - Cryptographic issues in samba (Alpine package)
Published: November 14, 2013
Security Bulletin ID
SB2013111403
Severity
Low
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Local access
Highest impact
Information disclosure
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Cryptographic issues (CVE-ID: CVE-2013-4476)
The vulnerability allows a local non-authenticated attacker to gain access to sensitive information.
Samba 4.0.x before 4.0.11 and 4.1.x before 4.1.1, when LDAP or HTTP is provided over SSL, uses world-readable permissions for a private key, which allows local users to obtain sensitive information by reading the key file, as demonstrated by access to the local filesystem on an AD domain controller.
Remediation
Install update from vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=145836360ec3811eac5629311303d891a9088ce4
- https://git.alpinelinux.org/aports/commit/?id=facd113ce1db85be7279f8170bbc8f8857372575
- https://git.alpinelinux.org/aports/commit/?id=ce1d3eb25cf80502fc9c9b6604f7efb372ff2ac8
- https://git.alpinelinux.org/aports/commit/?id=d8fa59f0ddf835f8d9c7c0b2b45a1a626c8898c6