#VU6632 Integer underflow in Samba - CVE-2016-2123

Cybersecurity Help s.r.o.

Published: 2017-05-23

Vulnerability identifier: #VU6632

Vulnerability risk: Medium

CVSSv4.0: 7.6 [CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/U:Green]

CVE-ID: CVE-2016-2123

CWE-ID: CWE-191

Exploitation vector: Local network

Exploit availability: No

Vulnerable software:
Samba
Server applications / Directory software, identity management

Vendor: Samba

Description
The vulnerability allows a remote authenticated user to compromise vulnerable server.

The vulnerability exists due to integer underflow within ndr_pull_dnsp_name routine when processing dnsRecord attribute in LDAP requests. A remote authenticated attacker can send a specially crafted LDAP request to the affected server, trigger heap-based buffer overflow and execute arbitrary code on the target sever.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable server.

Mitigation
The vulnerability is patched in versions: 4.5.3, 4.4.8 and 4.3.13.

Vulnerable software versions

Samba: 4.0.0 - 4.0.26, 4.1.0 - 4.1.22, 4.2.0 - 4.2.14, 4.3.0 - 4.3.12, 4.4.0 rc4 - 4.4.11, 4.5.0 - 4.5.2

External links
https://www.samba.org/samba/security/CVE-2016-2123.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Integer underflow in samba (Alpine package)

Slackware Linux update for samba

Arch Linux update for samba

Multiple vulnerabilities in Samba

Ubuntu update for Samba