CVE-2017-12150 – samba: Some code path don't enforce smb signing, when they should
https://notcve.org/view.php?id=CVE-2017-12150
It was found that samba before 4.4.16, 4.5.x before 4.5.14, and 4.6.x before 4.6.8 did not enforce "SMB signing" when certain configuration options were enabled. A remote attacker could launch a man-in-the-middle attack and retrieve information in plain-text. Se ha descubierto que Samba en versiones anteriores a la 4.4.16, versiones 4.5.x anteriores a la 4.5.14 y versiones 4.6.x anteriores a la 4.6.8 no cumple "SMB signing" cuando están habilitadas determinadas opciones de configuración. Un atacante remoto podría lanzar un ataque Man-in-the-Middle (MitM) y recuperar información en texto plano. It was found that samba did not enforce "SMB signing" when certain configuration options were enabled. • http://www.securityfocus.com/bid/100918 http://www.securitytracker.com/id/1039401 https://access.redhat.com/errata/RHSA-2017:2789 https://access.redhat.com/errata/RHSA-2017:2790 https://access.redhat.com/errata/RHSA-2017:2791 https://access.redhat.com/errata/RHSA-2017:2858 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-12150 https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbns03775en_us https://security.netapp.com/advisory/ntap-20170 • CWE-300: Channel Accessible by Non-Endpoint •
CVE-2017-12163 – Samba: Server memory information leak over SMB1
https://notcve.org/view.php?id=CVE-2017-12163
An information leak flaw was found in the way SMB1 protocol was implemented by Samba before 4.4.16, 4.5.x before 4.5.14, and 4.6.x before 4.6.8. A malicious client could use this flaw to dump server memory contents to a file on the samba share or to a shared printer, though the exact area of server memory cannot be controlled by the attacker. Se ha descubierto una vulnerabilidad de fuga de información en la manera en la que Samba, en versiones anteriores a la 4.4.16, versiones 4.5.x anteriores a la 4.5.14 y versiones 4.6.x anteriores a la 4.6.8, implementó el protocolo SMB1. Un cliente malicioso podría utilizar esta vulnerabilidad para volcar los contenidos de la memoria del servidor en un archivo en el almacenamiento de samba o en una impresora compartida, aunque el atacante no pueda controlar el área exacta de memoria del servidor. An information leak flaw was found in the way SMB1 protocol was implemented by Samba. • http://www.securityfocus.com/bid/100925 http://www.securitytracker.com/id/1039401 https://access.redhat.com/errata/RHSA-2017:2789 https://access.redhat.com/errata/RHSA-2017:2790 https://access.redhat.com/errata/RHSA-2017:2791 https://access.redhat.com/errata/RHSA-2017:2858 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-12163 https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbns03775en_us https://security.netapp.com/advisory/ntap-20170 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2017-11103
https://notcve.org/view.php?id=CVE-2017-11103
Heimdal before 7.4 allows remote attackers to impersonate services with Orpheus' Lyre attacks because it obtains service-principal names in a way that violates the Kerberos 5 protocol specification. In _krb5_extract_ticket() the KDC-REP service name must be obtained from the encrypted version stored in 'enc_part' instead of the unencrypted version stored in 'ticket'. Use of the unencrypted version provides an opportunity for successful server impersonation and other attacks. NOTE: this CVE is only for Heimdal and other products that embed Heimdal code; it does not apply to other instances in which this part of the Kerberos 5 protocol specification is violated. Heimdal en versiones anteriores a la 7.4 permite que atacantes remotos suplanten servicios con ataques Orpheus' Lyre ya que obtiene nombres de servicios principales, de manera que viola la especificación del protocolo Kerberos 5. • http://www.debian.org/security/2017/dsa-3912 http://www.h5l.org/advisories.html?show=2017-07-11 http://www.securityfocus.com/bid/99551 http://www.securitytracker.com/id/1038876 http://www.securitytracker.com/id/1039427 https://github.com/heimdal/heimdal/releases/tag/heimdal-7.4.0 https://support.apple.com/HT208112 https://support.apple.com/HT208144 https://support.apple.com/HT208221 https://www.freebsd.org/security/advisories/FreeBSD-SA-17:05.heimdal.asc https://ww • CWE-345: Insufficient Verification of Data Authenticity •
CVE-2017-9461 – samba: fd_open_atomic infinite loop due to wrong handling of dangling symlinks
https://notcve.org/view.php?id=CVE-2017-9461
smbd in Samba before 4.4.10 and 4.5.x before 4.5.6 has a denial of service vulnerability (fd_open_atomic infinite loop with high CPU usage and memory consumption) due to wrongly handling dangling symlinks. smbd en Samba versiones anteriores a 4.4.10 y 4.5.x versiones anteriores a 4.5.6, tienen una vulnerabilidad de denegación de servicio (fd_open_atomic infinite loop con un alto uso de CPU y consumo de memoria) debido a un manejo inadecuado de los enlaces simbólicos colgantes. A flaw was found in the way Samba handled dangling symlinks. An authenticated malicious Samba client could use this flaw to cause the smbd daemon to enter an infinite loop and use an excessive amount of CPU and memory. • http://www.securityfocus.com/bid/99455 https://access.redhat.com/errata/RHSA-2017:1950 https://access.redhat.com/errata/RHSA-2017:2338 https://access.redhat.com/errata/RHSA-2017:2778 https://bugs.debian.org/864291 https://bugzilla.samba.org/show_bug.cgi?id=12572 https://git.samba.org/?p=samba.git%3Ba=commit%3Bh=10c3e3923022485c720f322ca4f0aca5d7501310 https://lists.debian.org/debian-lts-announce/2019/04/msg00013.html https://access.redhat.com/security/cve/CVE-2017-9461 https: • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •
CVE-2017-7494 – Samba Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2017-7494
Samba since version 3.5.0 and before 4.6.4, 4.5.10 and 4.4.14 is vulnerable to remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it. Samba desde la versión 3.5.0 y anteriores a 4.6.4, versiones 4.5.10 y 4.4.14, son vulnerables a la ejecución de código remota, lo que permite que un cliente malicioso cargar una biblioteca compartida en un recurso compartido editable, y luego causar que el servidor lo cargue y ejecute. A remote code execution flaw was found in Samba. A malicious authenticated samba client, having write access to the samba share, could use this flaw to execute arbitrary code as root. Samba contains a remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share and then cause the server to load and execute it. • https://github.com/opsxcq/exploit-CVE-2017-7494 https://www.exploit-db.com/exploits/42060 https://www.exploit-db.com/exploits/42084 https://github.com/joxeankoret/CVE-2017-7494 https://github.com/homjxi0e/CVE-2017-7494 https://github.com/0xm4ud/noSAMBAnoCRY-CVE-2017-7494 https://github.com/incredible1yu/CVE-2017-7494 https://github.com/00mjk/exploit-CVE-2017-7494 https://github.com/Zer0d0y/Samba-CVE-2017-7494 https://github.com/adjaliya/-CVE-2017-7494-Samba-Exploit-PO • CWE-94: Improper Control of Generation of Code ('Code Injection') •