CVE-2021-44142 – Samba fruit_pwrite Heap-based Buffer Overflow Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2021-44142
The Samba vfs_fruit module uses extended file attributes (EA, xattr) to provide "...enhanced compatibility with Apple SMB clients and interoperability with a Netatalk 3 AFP fileserver." Samba versions prior to 4.13.17, 4.14.12 and 4.15.5 with vfs_fruit configured allow out-of-bounds heap read and write via specially crafted extended file attributes. A remote attacker with write access to extended file attributes can execute arbitrary code with the privileges of smbd, typically root. El módulo vfs_fruit de Samba usa atributos de archivo extendidos (EA, xattr) para proporcionar "...compatibilidad mejorada con los clientes SMB de Apple e interoperabilidad con un servidor de archivos AFP de Netatalk 3". Samba versiones anteriores a 4.13.17, 4.14.12 y 4.15.5 con vfs_fruit configurado permiten una lectura y escritura fuera de límites de la pila por medio de atributos de archivo extendidos especialmente diseñados. • https://github.com/horizon3ai/CVE-2021-44142 https://github.com/gudyrmik/CVE-2021-44142 https://github.com/hrsman/Samba-CVE-2021-44142 https://bugzilla.samba.org/show_bug.cgi?id=14914 https://kb.cert.org/vuls/id/119678 https://security.gentoo.org/glsa/202309-06 https://www.samba.org/samba/security/CVE-2021-44142.html https://www.zerodayinitiative.com/blog/2022/2/1/cve-2021-44142-details-on-a-samba-code-execution-bug-demonstrated-at-pwn2own-austin https://access.redhat • CWE-125: Out-of-bounds Read CWE-787: Out-of-bounds Write •
CVE-2021-4034 – Red Hat Polkit Out-of-Bounds Read and Write Vulnerability
https://notcve.org/view.php?id=CVE-2021-4034
A local privilege escalation vulnerability was found on polkit's pkexec utility. The pkexec application is a setuid tool designed to allow unprivileged users to run commands as privileged users according predefined policies. The current version of pkexec doesn't handle the calling parameters count correctly and ends trying to execute environment variables as commands. An attacker can leverage this by crafting environment variables in such a way it'll induce pkexec to execute arbitrary code. When successfully executed the attack can cause a local privilege escalation given unprivileged users administrative rights on the target machine. • https://github.com/dzonerzy/poc-cve-2021-4034 https://github.com/arthepsy/CVE-2021-4034 https://github.com/berdav/CVE-2021-4034 https://www.exploit-db.com/exploits/50689 https://github.com/PwnFunction/CVE-2021-4034 https://github.com/joeammond/CVE-2021-4034 https://github.com/nikaiw/CVE-2021-4034 https://github.com/ryaagard/CVE-2021-4034 https://github.com/Rvn0xsy/CVE-2021-4034 https://github.com/Ayrx/CVE-2021-4034 https://github.com/zhzyker/CVE-2021-4034& • CWE-20: Improper Input Validation CWE-125: Out-of-bounds Read CWE-787: Out-of-bounds Write •
CVE-2021-4104 – Deserialization of untrusted data in JMSAppender in Apache Log4j 1.2
https://notcve.org/view.php?id=CVE-2021-4104
JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions. • http://www.openwall.com/lists/oss-security/2022/01/18/3 https://access.redhat.com/security/cve/CVE-2021-4104 https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126 https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0033 https://security.gentoo.org/glsa/202209-02 https://security.gentoo.org/glsa/202310-16 https://security.gentoo.org/glsa/202312-02 https://security.gentoo.org/glsa/202312-04 https://security.netapp.com/advisory/ntap-20211223-0007 https • CWE-20: Improper Input Validation CWE-502: Deserialization of Untrusted Data •
CVE-2016-2124 – samba: SMB1 client connections can be downgraded to plaintext authentication
https://notcve.org/view.php?id=CVE-2016-2124
A flaw was found in the way samba implemented SMB1 authentication. An attacker could use this flaw to retrieve the plaintext password sent over the wire even if Kerberos authentication was required. Se ha encontrado un fallo en la forma en que Samba implementa la autenticación SMB1. Un atacante podría usar este fallo para recuperar la contraseña en texto plano enviada a través del cable, incluso si es requerida la autenticación Kerberos • https://bugzilla.redhat.com/show_bug.cgi?id=2019660 https://lists.debian.org/debian-lts-announce/2023/09/msg00013.html https://security.gentoo.org/glsa/202309-06 https://www.samba.org/samba/security/CVE-2016-2124.html https://access.redhat.com/security/cve/CVE-2016-2124 • CWE-287: Improper Authentication •
CVE-2020-25717 – samba: Active Directory (AD) domain user could become root on domain members
https://notcve.org/view.php?id=CVE-2020-25717
A flaw was found in the way Samba maps domain users to local users. An authenticated attacker could use this flaw to cause possible privilege escalation. Se encontró un fallo en la forma en que Samba mapea usuarios del dominio a usuarios locales. Un atacante autenticado podría usar este fallo para causar una posible escalada de privilegios • https://bugzilla.redhat.com/show_bug.cgi?id=2019672 https://security.gentoo.org/glsa/202309-06 https://www.samba.org/samba/security/CVE-2020-25717.html https://access.redhat.com/security/cve/CVE-2020-25717 • CWE-20: Improper Input Validation •