Multiple vulnerabilities in Samba

Published: 2017-09-20

Risk	Low
Patch available	YES
Number of vulnerabilities	3
CVE-ID	CVE-2017-12150 CVE-2017-12151 CVE-2017-12163
CWE-ID	CWE-310 CWE-401
Exploitation vector	Local network
Public exploit	N/A
Vulnerable software	Samba Server applications / Directory software, identity management
Vendor	Samba

Security Bulletin

This security bulletin contains information about 3 vulnerabilities.

1) Man-in-the-Middle attack

EUVDB-ID: #VU8516

Risk: Low

CVSSv4.0: 1.3 [CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-12150

CWE-ID: CWE-310 - Cryptographic Issues

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform MitM attack.

The vulnerability exists due to several Samba tools do not require signing for SMB connections. The affected tools are:
- 'smb2mount -e', 'smbcacls -e' and 'smbcquotas -e',;
- the python binding exported as 'samba.samba3.libsmb_samba_internal' doesn't make use of the "client signing" smb.conf option;
- libgpo as well as 'net ads gpo' doesn't require SMB signing when fetching group policies
- commandline tools like 'smbclient', 'smbcacls' and 'smbcquotas' allow a fallback to an anonymous connection when using the '--use-ccache' option and this happens even if SMB signing is required.

Successful exploitation of the vulnerability may allow an attacker to perform MitM attack and gain access to potentially sensitive information or elevate privileges on the server.

Mitigation

Install patch from vendor's website:
https://www.samba.org/samba/ftp/patches/security/samba-4.4.15-security-2017-09-20.patch
https://www.samba.org/samba/ftp/patches/security/samba-4.5.13-security-2017-09-20.patch
https://www.samba.org/samba/ftp/patches/security/samba-4.6.7-security-2017-09-20.patch

Additionally 4.6.8, 4.5.14 and 4.4.16 have been issued as security releases to correct the defect.

Vulnerable software versions

Samba: 3.0.25c - 4.6.7

CPE2.3

External links

https://www.samba.org/samba/security/CVE-2017-12150.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Man-in-the-Middle attack

EUVDB-ID: #VU8517

Risk: Low

CVSSv4.0: 1.3 [CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-12151

CWE-ID: CWE-310 - Cryptographic Issues

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a MitM attack.

The vulnerability exists due to absence of encryption across DFS redirects. A remote attacker can read and alter documents, transferred via a client connection.

Mitigation

Update to version 4.6.8, 4.5.14 and 4.4.16or apply patches:
https://www.samba.org/samba/ftp/patches/security/samba-4.4.15-security-2017-09-20.patch
https://www.samba.org/samba/ftp/patches/security/samba-4.5.13-security-2017-09-20.patch
https://www.samba.org/samba/ftp/patches/security/samba-4.6.7-security-2017-09-20.patch

Vulnerable software versions

Samba: 4.1.0 - 4.6.7

CPE2.3

External links

https://www.samba.org/samba/security/CVE-2017-12151.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Memory leak

EUVDB-ID: #VU8518

Risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-12163

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to memory information leak over SMB1. A client with write access to a share can cause server memory contents to be written into a file or printer. Some SMB1 write requests were not correctly range checked to ensure the client had sent enough data to fulfill the write, allowing server memory contents to be written into the file (or printer) instead of client supplied data. The client cannot control the area of the server memory that is written to the file (or printer).

Mitigation

Update to version 4.6.8, 4.5.14 and 4.4.16 or apply patches:
https://www.samba.org/samba/ftp/patches/security/samba-4.4.15-security-2017-09-20.patch
https://www.samba.org/samba/ftp/patches/security/samba-4.5.13-security-2017-09-20.patch
https://www.samba.org/samba/ftp/patches/security/samba-4.6.7-security-2017-09-20.patch

Vulnerable software versions

Samba: 1.9.17 - 4.6.7

CPE2.3

External links

https://www.samba.org/samba/security/CVE-2017-12163.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the local network (LAN).

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.