OVAL

ALAS2023-2023-032 --- samba

ID: oval:org.secpod.oval:def:19500187
Date: (C)2023-06-12   (M)2024-04-29
Class: PATCH
Family: unix




All versions of Samba prior to 4.13.16 are vulnerable to a malicious client using an SMB1 or NFS race to allow a directory to be created in an area of the server file system not exported under the share definition. Note that SMB1 has to be enabled, or the share must also be available via NFS, in order for this attack to succeed.

Samba AD users with permission to write to an account can impersonate arbitrary services.

In Samba, GnuTLS gnutls_rnd can fail and give predictable random values.

A flaw was found in Samba. Some SMB1 write requests were not correctly range-checked to ensure the client had sent enough data to fulfill the write, allowing server memory contents to be written into the file instead of client-supplied data. The client cannot control the area of the server memory written to the file.

Samba does not validate the Validated-DNS-Host-Name right for the dNSHostName attribute, which could permit unprivileged users to write it.

A flaw was found in the Samba AD LDAP server. The AD DC database audit logging module can access LDAP message values freed by a preceding database module, resulting in a use-after-free issue. This issue is only possible when modifying certain privileged attributes, such as userAccountControl.

A heap-based buffer overflow vulnerability was found in Samba within the GSSAPI unwrap_des and unwrap_des3 routines of Heimdal. The DES and Triple-DES decryption routines in the Heimdal GSSAPI library allow a length-limited write buffer overflow on malloc-allocated memory when presented with a maliciously small packet. This flaw allows a remote user to send specially crafted malicious data to the application, possibly resulting in a denial of service attack.

Samba 4.17 introduced following symlinks in user space with the intent to properly check symlink targets to stay within the share that was configured by the administrator. The check does not properly cover a corner case, so that a user can create a symbolic link that will make smbd escape the configured share path.

Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability. Windows Kerberos Elevation of Privilege Vulnerability. Netlogon RPC Elevation of Privilege Vulnerability.

Samba AD DC using Heimdal can be forced to issue rc4-hmac encrypted Kerberos tickets.

Platform:
Amazon Linux 2023
Product:
samba
libnetapi
libsmbclient
libwbclient
python3-samba
Reference:
ALAS2023-2023-032
CVE-2021-43566
CVE-2022-0336
CVE-2022-1615
CVE-2022-32742
CVE-2022-32743
CVE-2022-32746
CVE-2022-3437
CVE-2022-3592
CVE-2022-37966
CVE-2022-37967
CVE-2022-38023
CVE-2022-45141
CVE-2021-44141
CVE-2020-17049
CVE-2021-20316
CVE-2016-2124
CPE    4
cpe:/a:samba:samba
cpe:/a:python:python3-samba
cpe:/a:libwbclient:libwbclient
cpe:/a:libsmbclient:libsmbclient
...

© SecPod Technologies