VID 23327
Severity 40
Port 139
Protocol TCP
Class Samba
Detailed Description The version of Samba running on the remote host is 4.13.x prior to 4.13.14, 4.14.x prior to 4.14.10, or 4.15.x prior to 4.15.2. It is, therefore, potentially affected by multiple vulnerabilities as referenced in the vendor advisory.

- An attacker can downgrade a negotiated SMB1 client connection and its
capabilities. Kerberos authentication is only possible with the
SMB2/3 protocol or SMB1 using the NT1 dialect and the extended
security (spnego) capability. Without mandatory SMB signing the
protocol can be downgraded to an older insecure dialect like CORE,
COREPLUS/CORE+, LANMAN1 or LANMAN2. Even if SMB signing is required
it's still possible to downgrade to the NT1 dialect if extended
security (spnego) is not negotiated.
The attacker is able to get the plaintext password sent over the
wire even if Kerberos authentication was required. (CVE-2016-2124)

- Samba as an Active Directory Domain Controller is able to support an
RODC, which is meant to have minimal privileges in a domain.
However, in accepting a ticket from a Samba or Windows RODC, Samba
was not confirming that the RODC is authorized to print such a ticket,
via the msDS-NeverRevealGroup and msDS-RevealOnDemandGroup (typically
"Allowed RODC Replication Group" and "Denied RODC Replication
Group").
This would allow an RODC to print administrator tickets. (CVE-2020-25718)

- In DCE/RPC it is possible to share the handles (cookies for resource
state) between multiple connections via a mechanism called
'association groups'. These handles can reference connections to our
sam.ldb database. However while the database was correctly shared, the
user credentials state was only pointed at, and when one connection
within that association group ended, the database would be left
pointing at an invalid 'struct session_info'.
The most likely outcome here is a crash, but it is possible that the
use-after-free could instead allow different user state to be pointed
at and this might allow more privileged access. (CVE-2021-3738)

* References:
https://www.samba.org/samba/history/security.html
https://www.samba.org/samba/security/CVE-2016-2124.html
https://www.samba.org/samba/security/CVE-2020-25717.html
https://www.samba.org/samba/security/CVE-2020-25718.html
https://www.samba.org/samba/security/CVE-2020-25719.html
https://www.samba.org/samba/security/CVE-2020-25721.html
https://www.samba.org/samba/security/CVE-2020-25722.html
https://www.samba.org/samba/security/CVE-2021-3738.html
https://www.samba.org/samba/security/CVE-2021-23192.html

* Platforms Affected:
Samba Project, Samba versions 4.14.x prior to 4.14.10
Linux Any version
Unix Any version
Recommendation Upgrade to the latest version of Samba 4.14.10 or later, available from the Samba Web site at https://www.samba.org/samba/download/
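Added example (not part of the original entry or of Samba's own tooling): a version check against the three affected ranges given in the Detailed Description. The function names and sample strings are assumptions made for illustration; the result reflects the upstream version number only, so a distribution package with backported fixes still needs to be confirmed against the vendor's changelog.

```python
import re

# Fixed patch level per affected branch, from the Detailed Description:
# 4.13.x < 4.13.14, 4.14.x < 4.14.10, 4.15.x < 4.15.2.
FIXED = {(4, 13): 14, (4, 14): 10, (4, 15): 2}

# First x.y.z triple that is not part of a longer dotted number.
_VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)(?!\d)")


def parse_samba_version(banner):
    """Extract (major, minor, patch) from text such as 'Version 4.13.13-Debian'."""
    m = _VERSION_RE.search(banner)
    if m is None:
        raise ValueError(f"no x.y.z version found in {banner!r}")
    return tuple(int(part) for part in m.groups())


def assess(banner):
    """Return (status, detail) for one reported version string.

    status is 'affected', 'fixed', or 'not-covered'. 'not-covered' means the
    branch is outside the three ranges this entry lists; the entry makes no
    statement about such branches.
    """
    major, minor, patch = parse_samba_version(banner)
    fixed_patch = FIXED.get((major, minor))
    if fixed_patch is None:
        return "not-covered", f"{major}.{minor}.x is not a branch listed in this entry"
    target = f"{major}.{minor}.{fixed_patch}"
    if patch < fixed_patch:
        return "affected", f"upgrade to {target} or later"
    return "fixed", f"at or above {target}"


if __name__ == "__main__":
    # Constructed sample inputs in the shape of `smbd --version` output and
    # package names; they do not come from a real host.
    samples = [
        "Version 4.13.13-Debian",
        "samba-4.14.10-1.el8",
        "2:4.15.1+dfsg-1",
        "Version 4.12.15",
    ]
    for s in samples:
        status, detail = assess(s)
        print(f"{s:28} {status:12} {detail}")
```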
Related URL CVE-2016-2124,CVE-2020-25717,CVE-2020-25718,CVE-2020-25719,CVE-2020-25721,CVE-2020-25722,CVE-2021-23192,CVE-2021-3738 (CVE)