SB2018031543 - Improper input validation in samba (Alpine package)

Description

This security bulletin contains information about 1 vulnerability.

1) Improper input validation (CVE-ID: CVE-2018-1050)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation when processing RPC requests to the spoolss service. A remote attacker can send a specially crafted RPC request to the affected service and trigger denial of service conditions.

Successful exploitation of the vulnerability requires that the RPC spoolss service services is configured as external daemon.

Remediation

Install update from vendor's website.

References

• https://git.alpinelinux.org/aports/commit/?id=d773d4c9846c9af6fff4cf55c1942ce486760f82
• https://git.alpinelinux.org/aports/commit/?id=16426b237661b92cf7fe99957baa2311bf66963e
• https://git.alpinelinux.org/aports/commit/?id=879a3f1333aee0db3a97bc72522daf6f446c9684
• https://git.alpinelinux.org/aports/commit/?id=ccb66a4b1c5776ef7ba3d2b064f4290512ba3c84
• https://git.alpinelinux.org/aports/commit/?id=6245a2ceb9dc360ca5f8beb4419ea14952923a37