CVE-2015-5296 – samba: client requesting encryption vulnerable to downgrade attack
https://notcve.org/view.php?id=CVE-2015-5296
Samba 3.x and 4.x before 4.1.22, 4.2.x before 4.2.7, and 4.3.x before 4.3.3 supports connections that are encrypted but unsigned, which allows man-in-the-middle attackers to conduct encrypted-to-unencrypted downgrade attacks by modifying the client-server data stream, related to clidfs.c, libsmb_server.c, and smbXcli_base.c. Samba 3.x y 4.x en versiones anteriores a 4.1.22, 4.2.x en versiones anteriores a 4.2.7 y 4.3.x en versiones anteriores a 4.3.3 admite conexiones que están cifradas pero no firmadas, lo que permite a atacantes man-in-the-middle llevar a cabo un ataque de degradación de cifrado-a-descifrado modificando el flujo de datos cliente-servidor, relacionado con clidfs.c, libsmb_server.c y smbXcli_base.c. A man-in-the-middle vulnerability was found in the way "connection signing" was implemented by Samba. A remote attacker could use this flaw to downgrade an existing Samba client connection and force the use of plain text. • http://lists.fedoraproject.org/pipermail/package-announce/2015-December/174076.html http://lists.fedoraproject.org/pipermail/package-announce/2015-December/174391.html http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00019.html http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00020.html http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00032.html http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00033.html http://lists.opensuse.org/opensuse-security-announce& • CWE-20: Improper Input Validation CWE-345: Insufficient Verification of Data Authenticity •
CVE-2015-5299 – Samba: Missing access control check in shadow copy code
https://notcve.org/view.php?id=CVE-2015-5299
The shadow_copy2_get_shadow_copy_data function in modules/vfs_shadow_copy2.c in Samba 3.x and 4.x before 4.1.22, 4.2.x before 4.2.7, and 4.3.x before 4.3.3 does not verify that the DIRECTORY_LIST access right has been granted, which allows remote attackers to access snapshots by visiting a shadow copy directory. La función shadow_copy2_get_shadow_copy_data en modules/vfs_shadow_copy2.c en Samba 3.x y 4.x en versiones anteriores a 4.1.22, 4.2.x en versiones anteriores a 4.2.7 y 4.3.x en versiones anteriores a 4.3.3 no verifica que el privilegio de acceso al DIRECTORY_LIST ha sido concedido, lo que permite a atacantes remotos acceder a instantáneas visitando un directorio shadow copy. A missing access control flaw was found in Samba. A remote, authenticated attacker could use this flaw to view the current snapshot on a Samba share, despite not having DIRECTORY_LIST access rights. • http://lists.fedoraproject.org/pipermail/package-announce/2015-December/174076.html http://lists.fedoraproject.org/pipermail/package-announce/2015-December/174391.html http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00019.html http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00020.html http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00032.html http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00033.html http://lists.opensuse.org/opensuse-security-announce& • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-862: Missing Authorization •
CVE-2015-0240 – Samba < 3.6.2 (x86) - Denial of Service (PoC)
https://notcve.org/view.php?id=CVE-2015-0240
The Netlogon server implementation in smbd in Samba 3.5.x and 3.6.x before 3.6.25, 4.0.x before 4.0.25, 4.1.x before 4.1.17, and 4.2.x before 4.2.0rc5 performs a free operation on an uninitialized stack pointer, which allows remote attackers to execute arbitrary code via crafted Netlogon packets that use the ServerPasswordSet RPC API, as demonstrated by packets reaching the _netr_ServerPasswordSet function in rpc_server/netlogon/srv_netlog_nt.c. La implentación del servidor Netlogon en smbd en Samba 3.5.x y 3.6.x anterior a 3.6.25, 4.0.x anterior a 4.0.25, 4.1.x anterior a 4.1.17, y 4.2.x anterior a 4.2.0rc5 realiza una operación libre sobre un puntero de pila no inicializado, lo que permite a atacantes remotos ejecutar código arbitrario a través de paquetes Netlogon manipulados que utilizan la API RPC ServerPasswordSet, tal y como fue demostrado mediante paquetes alcanzando la función _netr_ServerPasswordSet en rpc_server/netlogon/srv_netlog_nt.c. An uninitialized pointer use flaw was found in the Samba daemon (smbd). A malicious Samba client could send specially crafted netlogon packets that, when processed by smbd, could potentially lead to arbitrary code execution with the privileges of the user running smbd (by default, the root user). • https://www.exploit-db.com/exploits/36741 http://advisories.mageia.org/MGASA-2015-0084.html http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00028.html http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00030.html http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00031.html http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00035.html http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00042.html http://lists.opensuse.org/opensuse- • CWE-17: DEPRECATED: Code CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVE-2014-8143
https://notcve.org/view.php?id=CVE-2014-8143
Samba 4.0.x before 4.0.24, 4.1.x before 4.1.16, and 4.2.x before 4.2rc4, when an Active Directory Domain Controller (AD DC) is configured, allows remote authenticated users to set the LDB userAccountControl UF_SERVER_TRUST_ACCOUNT bit, and consequently gain privileges, by leveraging delegation of authority for user-account or computer-account creation. Samba 4.0.x anterior a 4.0.24, 4.1.x anterior a 4.1.16, y 4.2.x anterior a 4.2rc4, cuando un Active Directory Domain Controller (AD DC) está configurado, permite a usuarios remotos autenticados configurar el bit de LDB userAccountControl UF_SERVER_TRUST_ACCOUNT, y como consecuencia ganar privilegios, mediante el aprovechamiento de la delegación de autoridad para la creación de cuentas de usuarios o cuentas de ordenadores. • http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00031.html http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00042.html http://secunia.com/advisories/62594 http://www.securityfocus.com/bid/72278 http://www.securitytracker.com/id/1031615 http://www.slackware.com/security/viewer.php?l=slackware-security&y=2015&m=slackware-security.416326 http://www.ubuntu.com/usn/USN-2481-1 https://download.samba.org/pub/samba/patches/security/samba-4.0.23-CVE-2014-8143.p • CWE-264: Permissions, Privileges, and Access Controls •
CVE-2014-3560 – samba: remote code execution in nmbd
https://notcve.org/view.php?id=CVE-2014-3560
NetBIOS name services daemon (nmbd) in Samba 4.0.x before 4.0.21 and 4.1.x before 4.1.11 allows remote attackers to execute arbitrary code via unspecified vectors that modify heap memory, involving a sizeof operation on an incorrect variable in the unstrcpy macro in string_wrappers.h. NetBIOS name services daemon (nmbd) en Samba 4.0.x anterior a 4.0.21 y 4.1.x anterior a 4.1.11 permite a atacantes remotos ejecutar código arbitrario a través de vectores no especificados que modifican la memoria dinámica, involucrando una operación sizeof sobre una variable incorrecta en la macro unstrcpy en string_wrappers.h. A heap-based buffer overflow flaw was found in Samba's NetBIOS message block daemon (nmbd). An attacker on the local network could use this flaw to send specially crafted packets that, when processed by nmbd, could possibly lead to arbitrary code execution with root privileges. • http://lists.fedoraproject.org/pipermail/package-announce/2014-August/136280.html http://lists.fedoraproject.org/pipermail/package-announce/2014-August/136864.html http://lists.opensuse.org/opensuse-updates/2014-08/msg00027.html http://secunia.com/advisories/59583 http://secunia.com/advisories/59610 http://secunia.com/advisories/59976 http://www.samba.org/samba/security/CVE-2014-3560 http://www.securityfocus.com/bid/69021 http://www.securitytracker.com/id/1030663 http://www.ubuntu.com • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •