Multiple vulnerabilities in HPE HP-UX CIFS-Server (Samba)
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 10 |
| CVE-ID | CVE-2015-5252 CVE-2015-5296 CVE-2015-5299 CVE-2014-0178 CVE-2013-4496 CVE-2013-4475 CVE-2013-0213 CVE-2013-0214 CVE-2014-0244 CVE-2014-3493 |
| CWE-ID | CWE-264 CWE-20 CWE-200 CWE-255 CWE-352 CWE-119 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
HP-UX Common Internet File System (CIFS) Other software / Other software solutions |
| Vendor | HPE |
Security Bulletin
This security bulletin contains information about 10 vulnerabilities.
1) Permissions, Privileges, and Access Controls
EUVDB-ID: #VU32347
Risk: Medium
CVSSv3.1: 6.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2015-5252
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to read and manipulate data.
vfs.c in smbd in Samba 3.x and 4.x before 4.1.22, 4.2.x before 4.2.7, and 4.3.x before 4.3.3, when share names with certain substring relationships exist, allows remote attackers to bypass intended file-access restrictions via a symlink that points outside of a share.
MitigationInstall update from vendor's website.
Vulnerable software versionsHP-UX Common Internet File System (CIFS): before 03.02.04
External linkshttp://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=emr_na-c05115993
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Input validation error
EUVDB-ID: #VU32348
Risk: Medium
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2015-5296
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to read and manipulate data.
Samba 3.x and 4.x before 4.1.22, 4.2.x before 4.2.7, and 4.3.x before 4.3.3 supports connections that are encrypted but unsigned, which allows man-in-the-middle attackers to conduct encrypted-to-unencrypted downgrade attacks by modifying the client-server data stream, related to clidfs.c, libsmb_server.c, and smbXcli_base.c.
MitigationInstall update from vendor's website.
Vulnerable software versionsHP-UX Common Internet File System (CIFS): before 03.02.04
External linkshttp://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=emr_na-c05115993
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Information disclosure
EUVDB-ID: #VU32349
Risk: Medium
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2015-5299
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
The shadow_copy2_get_shadow_copy_data function in modules/vfs_shadow_copy2.c in Samba 3.x and 4.x before 4.1.22, 4.2.x before 4.2.7, and 4.3.x before 4.3.3 does not verify that the DIRECTORY_LIST access right has been granted, which allows remote attackers to access snapshots by visiting a shadow copy directory.
MitigationInstall update from vendor's website.
Vulnerable software versionsHP-UX Common Internet File System (CIFS): before 03.02.04
External linkshttp://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=emr_na-c05115993
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Input validation error
EUVDB-ID: #VU33840
Risk: Low
CVSSv3.1: 1.3 [CVSS:3.1/AV:N/AC:L/PR:/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2014-0178
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote #AU# to gain access to sensitive information.
Samba 3.6.6 through 3.6.23, 4.0.x before 4.0.18, and 4.1.x before 4.1.8, when a certain vfs shadow copy configuration is enabled, does not properly initialize the SRV_SNAPSHOT_ARRAY response field, which allows remote authenticated users to obtain potentially sensitive information from process memory via a (1) FSCTL_GET_SHADOW_COPY_DATA or (2) FSCTL_SRV_ENUMERATE_SNAPSHOTS request. Per: http://cwe.mitre.org/data/definitions/665.html "CWE-665: Improper Initialization"
MitigationInstall update from vendor's website.
Vulnerable software versionsHP-UX Common Internet File System (CIFS): before 03.02.04
External linkshttp://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=emr_na-c05115993
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Credentials management
EUVDB-ID: #VU32565
Risk: Medium
CVSSv3.1: 4.6 [CVSS:3.1/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2013-4496
CWE-ID:
CWE-255 - Credentials Management
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
Samba 3.x before 3.6.23, 4.0.x before 4.0.16, and 4.1.x before 4.1.6 does not enforce the password-guessing protection mechanism for all interfaces, which makes it easier for remote attackers to obtain access via brute-force ChangePasswordUser2 (1) SAMR or (2) RAP attempts.
MitigationInstall update from vendor's website.
Vulnerable software versionsHP-UX Common Internet File System (CIFS): before 03.02.04
External linkshttp://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=emr_na-c05115993
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Permissions, Privileges, and Access Controls
EUVDB-ID: #VU32622
Risk: Medium
CVSSv3.1: 4.2 [CVSS:3.1/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2013-4475
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to read and manipulate data.
Samba 3.2.x through 3.6.x before 3.6.20, 4.0.x before 4.0.11, and 4.1.x before 4.1.1, when vfs_streams_depot or vfs_streams_xattr is enabled, allows remote attackers to bypass intended file restrictions by leveraging ACL differences between a file and an associated alternate data stream (ADS).
MitigationInstall update from vendor's website.
Vulnerable software versionsHP-UX Common Internet File System (CIFS): before 03.02.04
External linkshttp://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=emr_na-c05115993
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Input validation error
EUVDB-ID: #VU32700
Risk: Medium
CVSSv3.1: 4.9 [CVSS:3.1/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2013-0213
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to read and manipulate data.
The Samba Web Administration Tool (SWAT) in Samba 3.x before 3.5.21, 3.6.x before 3.6.12, and 4.x before 4.0.2 allows remote attackers to conduct clickjacking attacks via a (1) FRAME or (2) IFRAME element. Per: http://capec.mitre.org/data/definitions/103.html "CAPEC-103: Clickjacking"
MitigationInstall update from vendor's website.
Vulnerable software versionsHP-UX Common Internet File System (CIFS): before 03.02.04
External linkshttp://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=emr_na-c05115993
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Cross-site request forgery
EUVDB-ID: #VU32701
Risk: Medium
CVSSv3.1: 4.9 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2013-0214
CWE-ID:
CWE-352 - Cross-Site Request Forgery (CSRF)
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.
MitigationInstall update from vendor's website.
Vulnerable software versionsHP-UX Common Internet File System (CIFS): before 03.02.04
External linkshttp://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=emr_na-c05115993
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Input validation error
EUVDB-ID: #VU32523
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2014-0244
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to perform service disruption.
The sys_recvfrom function in nmbd in Samba 3.6.x before 3.6.24, 4.0.x before 4.0.19, and 4.1.x before 4.1.9 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a malformed UDP packet.
MitigationInstall update from vendor's website.
Vulnerable software versionsHP-UX Common Internet File System (CIFS): before 03.02.04
External linkshttp://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=emr_na-c05115993
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
10) Buffer overflow
EUVDB-ID: #VU32524
Risk: Low
CVSSv3.1: 1.3 [CVSS:3.1/CVSS:3.1/AV:A/AC:L/PR:/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2014-3493
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote #AU# to perform service disruption.
The push_ascii function in smbd in Samba 3.6.x before 3.6.24, 4.0.x before 4.0.19, and 4.1.x before 4.1.9 allows remote authenticated users to cause a denial of service (memory corruption and daemon crash) via an attempt to read a Unicode pathname without specifying use of Unicode, leading to a character-set conversion failure that triggers an invalid pointer dereference.
MitigationInstall update from vendor's website.
Vulnerable software versionsHP-UX Common Internet File System (CIFS): before 03.02.04
External linkshttp://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=emr_na-c05115993
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote via the local network (LAN).
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
