DSA-3740-1 samba -- sambaID: oval:org.secpod.oval:def:602704 | Date: (C)2016-12-20 (M)2024-02-15 |
Class: PATCH | Family: unix |
Several vulnerabilities have been discovered in Samba, a SMB/CIFS file, print, and login server for Unix. The Common Vulnerabilities and Exposures project identifies the following issues: CVE-2016-2119 Stefan Metzmacher discovered that client-side SMB2/3 required signing can be downgraded, allowing a man-in-the-middle attacker to impersonate a server being connected to by Samba, and return malicious results. CVE-2016-2123 Trend Micro"s Zero Day Initiative and Frederic Besler discovered that the routine ndr_pull_dnsp_name, used to parse data from the Samba Active Directory ldb database, contains an integer overflow flaw, leading to an attacker-controlled memory overwrite. An authenticated user can take advantage of this flaw for remote privilege escalation. CVE-2016-2125 Simo Sorce of Red Hat discovered that the Samba client code always requests a forwardable ticket when using Kerberos authentication. A target server, which must be in the current or trusted domain/realm, is given a valid general purpose Kerberos quot;Ticket Granting Ticketquot; , which can be used to fully impersonate the authenticated user or service. CVE-2016-2126 Volker Lendecke discovered several flaws in the Kerberos PAC validation. A remote, authenticated, attacker can cause the winbindd process to crash using a legitimate Kerberos ticket due to incorrect handling of the PAC checksum. A local service with access to the winbindd privileged pipe can cause winbindd to cache elevated access permissions.