Vulnerability identifier: #VU6632

Vulnerability risk: Medium

CVSSv3.1: 7.8 [CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-2123

CWE-ID: CWE-191

Exploitation vector: Local network

Exploit availability: No

Vulnerable software:
Samba
Server applications / Directory software, identity management

Vendor: Samba

Description
The vulnerability allows a remote authenticated user to compromise vulnerable server.

The vulnerability exists due to integer underflow within ndr_pull_dnsp_name routine when processing dnsRecord attribute in LDAP requests. A remote authenticated attacker can send a specially crafted LDAP request to the affected server, trigger heap-based buffer overflow and execute arbitrary code on the target sever.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable server.

Mitigation
The vulnerability is patched in versions: 4.5.3, 4.4.8 and 4.3.13.

Vulnerable software versions

Samba: 4.0.0 - 4.0.26, 4.1.0 - 4.1.22, 4.2.0 - 4.2.14, 4.3.0 - 4.3.12, 4.4.0 - 4.4.11, 4.5.0 - 4.5.2

---

External links
http://www.samba.org/samba/security/CVE-2016-2123.html

---

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.