CVE-2016-2126 – samba: Flaws in Kerberos PAC validation can trigger privilege elevation
https://notcve.org/view.php?id=CVE-2016-2126
Samba version 4.0.0 up to 4.5.2 is vulnerable to privilege elevation due to incorrect handling of the PAC (Privilege Attribute Certificate) checksum. A remote, authenticated, attacker can cause the winbindd process to crash using a legitimate Kerberos ticket. A local service with access to the winbindd privileged pipe can cause winbindd to cache elevated access permissions. Samba versiones 4.0.0 hasta 4.5.2, es vulnerable a la elevación de privilegios debido al manejo incorrecto de la suma de comprobación PAC (Certificado de Atributo de Privilegio). Un atacante autenticado y remoto puede hacer que el proceso winbindd se bloquee usando un ticket de Kerberos legítimo. • http://rhn.redhat.com/errata/RHSA-2017-0494.html http://rhn.redhat.com/errata/RHSA-2017-0495.html http://rhn.redhat.com/errata/RHSA-2017-0662.html http://rhn.redhat.com/errata/RHSA-2017-0744.html http://www.securityfocus.com/bid/94994 http://www.securitytracker.com/id/1037495 https://access.redhat.com/errata/RHSA-2017:1265 https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA43730 https://www.samba.org/samba/security/CVE-2016-2126.html https://access.redhat • CWE-264: Permissions, Privileges, and Access Controls •
CVE-2016-2123 – Samba NDR Parsing ndr_pull_dnsp_name Heap-based Buffer Overflow Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2016-2123
A flaw was found in samba versions 4.0.0 to 4.5.2. The Samba routine ndr_pull_dnsp_name contains an integer wrap problem, leading to an attacker-controlled memory overwrite. ndr_pull_dnsp_name parses data from the Samba Active Directory ldb database. Any user who can write to the dnsRecord attribute over LDAP can trigger this memory corruption. By default, all authenticated LDAP users can write to the dnsRecord attribute on new DNS objects. This makes the defect a remote privilege escalation. • http://www.securityfocus.com/bid/94970 http://www.securitytracker.com/id/1037493 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-2123 https://www.samba.org/samba/security/CVE-2016-2123.html • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-122: Heap-based Buffer Overflow •
CVE-2016-2119 – samba: Client side SMB2/3 required signing can be downgraded
https://notcve.org/view.php?id=CVE-2016-2119
libcli/smb/smbXcli_base.c in Samba 4.x before 4.2.14, 4.3.x before 4.3.11, and 4.4.x before 4.4.5 allows man-in-the-middle attackers to bypass a client-signing protection mechanism, and consequently spoof SMB2 and SMB3 servers, via the (1) SMB2_SESSION_FLAG_IS_GUEST or (2) SMB2_SESSION_FLAG_IS_NULL flag. ibcli/smb/smbXcli_base.c en Samba 4.x en versiones anteriores a 4.2.14, 4.3.x en versiones anteriores a 4.3.11 y 4.4.x en versiones anteriores a 4.4.5 permite a atacantes man-in-the-middle eludir el mecanismo de protección de firmado de cliente y consecuentemente suplantar los servidores SMB2 y SMB3, a través de los indicadores (1) SMB2_SESSION_FLAG_IS_GUEST o (2) SMB2_SESSION_FLAG_IS_NULL. A flaw was found in the way Samba initiated signed DCE/RPC connections. A man-in-the-middle attacker could use this flaw to downgrade the connection to not use signing and therefore impersonate the server. • http://lists.opensuse.org/opensuse-updates/2016-07/msg00060.html http://rhn.redhat.com/errata/RHSA-2016-1486.html http://rhn.redhat.com/errata/RHSA-2016-1487.html http://rhn.redhat.com/errata/RHSA-2016-1494.html http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.html http://www.securityfocus.com/bid/91700 http://www.securitytracker.com/id/1036244 https://security.gentoo.org/glsa/201805-07 https://www.samba.org/samba/security/CVE-2016-2119.html https • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2016-2114 – samba: Samba based active directory domain controller does not enforce smb signing
https://notcve.org/view.php?id=CVE-2016-2114
The SMB1 protocol implementation in Samba 4.x before 4.2.11, 4.3.x before 4.3.8, and 4.4.x before 4.4.2 does not recognize the "server signing = mandatory" setting, which allows man-in-the-middle attackers to spoof SMB servers by modifying the client-server data stream. La implementación del protocolo SMB1 en Samba 4.x en versiones anteriores a 4.2.11, 4.3.x en versiones anteriores a 4.3.8 y 4.4.x en versiones anteriores a 4.4.2 no reconoce el ajuste "server signing = mandatory", lo que permite a atacantes man-in-the-middle suplantar servidores SMB modificando el flujo de datos cliente-servidor. It was discovered that Samba did not enforce Server Message Block (SMB) signing for clients using the SMB1 protocol. A man-in-the-middle attacker could use this flaw to modify traffic between a client and a server. • http://badlock.org http://lists.fedoraproject.org/pipermail/package-announce/2016-April/182185.html http://lists.fedoraproject.org/pipermail/package-announce/2016-April/182272.html http://lists.fedoraproject.org/pipermail/package-announce/2016-April/182288.html http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00047.html http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00048.html http://rhn.redhat.com/errata/RHSA-2016-0612.html http://rhn.redhat.com/errata/RHSA-2016-06 • CWE-254: 7PK - Security Features CWE-300: Channel Accessible by Non-Endpoint •
CVE-2016-2113 – samba: Server certificates not validated at client side
https://notcve.org/view.php?id=CVE-2016-2113
Samba 4.x before 4.2.11, 4.3.x before 4.3.8, and 4.4.x before 4.4.2 does not verify X.509 certificates from TLS servers, which allows man-in-the-middle attackers to spoof LDAPS and HTTPS servers and obtain sensitive information via a crafted certificate. Samba 4.x en versiones anteriores a 4.2.11, 4.3.x en versiones anteriores a 4.3.8 y 4.4.x en versiones anteriores a 4.4.2 no verifica certificados X.509 de servidores TLS, lo que permite a atacantes man-in-the-middle suplantar servidores LDAPS y HTTPS y obtener información sensible a través de un certificado manipulado. It was found that Samba did not validate SSL/TLS certificates in certain connections. A man-in-the-middle attacker could use this flaw to spoof a Samba server using a specially crafted SSL/TLS certificate. • http://badlock.org http://lists.fedoraproject.org/pipermail/package-announce/2016-April/182185.html http://lists.fedoraproject.org/pipermail/package-announce/2016-April/182272.html http://lists.fedoraproject.org/pipermail/package-announce/2016-April/182288.html http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00020.html http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00021.html http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00022.html http://lists.opensuse.or • CWE-295: Improper Certificate Validation CWE-310: Cryptographic Issues •