#VU32623 Cryptographic issues in Samba - CVE-2013-4476
Published: November 13, 2013 / Updated: July 28, 2020
Vulnerability identifier: #VU32623
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2013-4476
CWE-ID: CWE-310
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vulnerable software:
Samba
Samba
Software vendor:
Samba
Samba
Description
The vulnerability allows a local non-authenticated attacker to gain access to sensitive information.
Samba 4.0.x before 4.0.11 and 4.1.x before 4.1.1, when LDAP or HTTP is provided over SSL, uses world-readable permissions for a private key, which allows local users to obtain sensitive information by reading the key file, as demonstrated by access to the local filesystem on an AD domain controller.
Remediation
Install update from vendor's website.
External links
- http://lists.opensuse.org/opensuse-updates/2013-11/msg00083.html
- http://lists.opensuse.org/opensuse-updates/2013-12/msg00088.html
- http://security.gentoo.org/glsa/glsa-201502-15.xml
- http://www.samba.org/samba/history/samba-4.0.11.html
- http://www.samba.org/samba/history/samba-4.1.1.html
- http://www.samba.org/samba/security/CVE-2013-4476