Gentoo update for Samba



Published: 2024-02-19
Risk High
Patch available YES
Number of vulnerabilities 11
CVE-ID CVE-2018-14628
CVE-2022-2127
CVE-2023-3347
CVE-2023-3961
CVE-2023-4091
CVE-2023-4154
CVE-2023-34966
CVE-2023-34967
CVE-2023-34968
CVE-2023-42669
CVE-2023-42670
CWE-ID CWE-284
CWE-125
CWE-254
CWE-285
CWE-264
CWE-200
CWE-835
CWE-843
CWE-399
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe 		Gentoo Linux
Operating systems & Components / Operating system

net-fs/samba
Operating systems & Components / Operating system package or component

Vendor Gentoo

Security Bulletin

This security bulletin contains information about 11 vulnerabilities.

1) Improper access control

EUVDB-ID: #VU83535

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-14628

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a remote user to gain access to sensitive information.

The vulnerability exists due to improper access restrictions when Samba is an Active Directory Domain Controller. When a domain was provisioned with an unpatched Samba version, the ntSecurityDescriptor is simply inherited from Domain/Partition-HEAD-Object instead of being very strict (as on a Windows provisioned domain). This means also non privileged users can use the LDAP_SERVER_SHOW_DELETED_OID control in order to view, the names and preserved attributes of deleted objects.

Mitigation

Update the affected packages.
net-fs/samba to version: 4.18.9

Vulnerable software versions

Gentoo Linux: All versions

net-fs/samba: before 4.18.9

External links

http://security.gentoo.org/glsa/202402-28


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Out-of-bounds read

EUVDB-ID: #VU78577

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-2127

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information or perform denial of service (DoS) attack.

The vulnerability exists due to a boundary condition in winbindd_pam_auth_crap.c in winbind AUTH_CRAP when performing NTLM authentication. A remote attacker can trigger an out-of-bounds read error and gain access to sensitive information or crash the server.

Mitigation

Update the affected packages.
net-fs/samba to version: 4.18.9

Vulnerable software versions

Gentoo Linux: All versions

net-fs/samba: before 4.18.9

External links

http://security.gentoo.org/glsa/202402-28


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Security features bypass

EUVDB-ID: #VU78573

Risk: Medium

CVSSv3.1: 5.9 [CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-3347

CWE-ID: CWE-254 - Security Features

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to SMB2 packet signing feature is not enforced if the server is configured with the "server signing = required" option or for SMB2 connections to Domain Controllers where SMB2 packet signing is mandatory. A remote attacker can intercept and manipulate data.

Mitigation

Update the affected packages.
net-fs/samba to version: 4.18.9

Vulnerable software versions

Gentoo Linux: All versions

net-fs/samba: before 4.18.9

External links

http://security.gentoo.org/glsa/202402-28


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Improper Authorization

EUVDB-ID: #VU81875

Risk: High

CVSSv3.1: 7.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-3961

CWE-ID: CWE-285 - Improper Authorization

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to improper input validation when handling client pipe names. A remote attacker can provide a specially crafted pipe name containing directory traversal characters and force Samba to connect to Unix domain sockets outside of the private directory meant to restrict the services a client could connect to.The connection to Unix domain sockets is performed as root, which means that if client sends a pipe name that resolved to an external service using an existing Unix domain socket, the client is able to connect to it without any filesystem restrictions.

Mitigation

Update the affected packages.
net-fs/samba to version: 4.18.9

Vulnerable software versions

Gentoo Linux: All versions

net-fs/samba: before 4.18.9

External links

http://security.gentoo.org/glsa/202402-28


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU81872

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-4091

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote user to truncate read-only files.

The vulnerability exists due to an error in the way SMB protocol implementation in Samba handles file operations. A remote user can request read-only access to files and then truncate them to 0 bytes by opening files with OVERWRITE disposition when using the acl_xattr Samba VFS module with the smb.conf setting "acl_xattr:ignore system acls = yes".

Mitigation

Update the affected packages.
net-fs/samba to version: 4.18.9

Vulnerable software versions

Gentoo Linux: All versions

net-fs/samba: before 4.18.9

External links

http://security.gentoo.org/glsa/202402-28


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Information disclosure

EUVDB-ID: #VU81874

Risk: Medium

CVSSv3.1: 5.9 [CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-4154

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote user to gain access to potentially sensitive information.

The vulnerability exists due to a design error in Samba's implementation of the DirSync control, which can allow replication of critical domain passwords and secrets by Active Directory accounts authorized to do some replication, but not to replicate sensitive attributes. A remote user can obtain sensitive information from the AD DC and compromise the Active Directory.

Mitigation

Update the affected packages.
net-fs/samba to version: 4.18.9

Vulnerable software versions

Gentoo Linux: All versions

net-fs/samba: before 4.18.9

External links

http://security.gentoo.org/glsa/202402-28


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Infinite loop

EUVDB-ID: #VU78574

Risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-34966

CWE-ID: CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to infinite loop when parsing Spotlight mdssvc RPC packets. A remote attacker can consume all available system resources and cause denial of service conditions on servers where Spotlight is explicitly enabled globally or on individual shares with "spotlight = yes".

Mitigation

Update the affected packages.
net-fs/samba to version: 4.18.9

Vulnerable software versions

Gentoo Linux: All versions

net-fs/samba: before 4.18.9

External links

http://security.gentoo.org/glsa/202402-28


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Type Confusion

EUVDB-ID: #VU78575

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-34967

CWE-ID: CWE-843 - Type confusion

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a type confusion error when parsing Spotlight mdssvc RPC packets. A remote attacker can send specially crafted data to the server, trigger a type confusion error and crash the server.

Mitigation

Update the affected packages.
net-fs/samba to version: 4.18.9

Vulnerable software versions

Gentoo Linux: All versions

net-fs/samba: before 4.18.9

External links

http://security.gentoo.org/glsa/202402-28


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Information disclosure

EUVDB-ID: #VU78576

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-34968

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application. A remote attacker can send a specially crafted RPC request to the server and obtain real server-side share path.

Mitigation

Update the affected packages.
net-fs/samba to version: 4.18.9

Vulnerable software versions

Gentoo Linux: All versions

net-fs/samba: before 4.18.9

External links

http://security.gentoo.org/glsa/202402-28


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Resource management error

EUVDB-ID: #VU81871

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-42669

CWE-ID: CWE-399 - Resource Management Errors

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to inclusion of the "rpcecho" server into production build, which can call sleep() on AD DC. A remote user can request the server block using the "rpcecho" server and perform a denial of service (DoS) attack.

Mitigation

Update the affected packages.
net-fs/samba to version: 4.18.9

Vulnerable software versions

Gentoo Linux: All versions

net-fs/samba: before 4.18.9

External links

http://security.gentoo.org/glsa/202402-28


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

11) Resource management error

EUVDB-ID: #VU81867

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-42670

CWE-ID: CWE-399 - Resource Management Errors

Exploit availability: No

Description

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper management of internal resources within the application when Samba RPC server is under load, which can lead to incorrect start of servers not built for the AD DC. A remote user can cause a high load to Samba RPC server and perform a denial of service (DoS) attack.

Mitigation

Update the affected packages.
net-fs/samba to version: 4.18.9

Vulnerable software versions

Gentoo Linux: All versions

net-fs/samba: before 4.18.9

External links

http://security.gentoo.org/glsa/202402-28


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###