#VU101 Security restrictions bypass


Published: 2016-07-08 | Updated: 2018-11-22

Vulnerability identifier: #VU101

Vulnerability risk: High

CVSSv3.1: 8.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-2119

CWE-ID: CWE-264

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Samba
Server applications / Directory software, identity management
Oracle Solaris
Operating systems & Components / Operating system
Oracle Linux
Operating systems & Components / Operating system

Vendor: Samba
Oracle

Description
The vulnerability allows a remote attacker to downgrade client signing security controls on the target system.

The vulnerability exists due to state error in Samba. A remote unauthenticated attacker can downgrade the required signing for an SMB2/3 client connection by injecting the SMB2_SESSION_FLAG_IS_GUEST or SMB2_SESSION_FLAG_IS_NULL flags.

Successful exploitation of this vulnerability may result in disclosure of system information.

Mitigation
The vendor has issued a fix (4.2.14, 4.3.11, 4.4.5).

Vulnerable software versions

Samba: 4.0.0, 4.4.4

Oracle Solaris: 11.3

Oracle Linux: 6 - 7

External links
http://www.samba.org/samba/security/CVE-2016-2119.html
http://www.oracle.com/technetwork/topics/security/bulletinoct2016-3090566.html
http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Gentoo update for Samba
Ubuntu update for Samba
Amazon Linux AMI update for samba
Red Hat update for samba
Red Hat update for samba
Security restrictions bypass in samba (Alpine package)
Slackware Linux update for samba