A remote attacker could create accounts, read part of the credentials file, execute arbitrary
commands, cause a denial of service, write to arbitrary files, gain elevated privileges, or disable logging
of failed login attempts in a brute-force password attack.
Server Message Block (SMB)
is a network protocol native to Windows systems which allows sharing
of files and printers across a network. Samba
is a software package which implements the SMB
protocol on a variety of platforms, providing compatibility
with Windows systems.
Every computer which uses the SMB protocol
is assigned a NetBIOS name. This name is used to identify
the computer on the network for the purposes of resolving
Samba servers typically run two daemons: smbd,
which provides SMB services, and nmbd, which
provides name service which allows the server to appear in
the Windows Network Neighborhood.
Samba DCE-RPC Packets Handling Buffer Overflow Vulnerability
Samba versions prior to 3.6.22, 4.0.13, and 4.1.3 are prone to a vulnerability,
which can be exploited by malicious people to compromise a vulnerable system.
The vulnerability is caused by incorrect checking of the DCE-RPC
fragment length in the client code. It can be exploited to cause
a buffer overflow by providing a specially crafted fragment length field.
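The kind of check this issue concerns, as an added example (not Samba's code): validating the length fields of the 16-byte DCE-RPC common header against the bytes actually received before anything is copied. The function and constant names, the sample packet and the 4280-byte maximum fragment size are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define DCERPC_HDR_LEN   16u  /* size of the common header */
#define DCERPC_DREP_OFF   4u  /* packed_drep[4] */
#define DCERPC_FRAG_OFF   8u  /* uint16 frag_length */
#define DCERPC_AUTH_OFF  10u  /* uint16 auth_length */
#define DCERPC_DREP_LE 0x10u  /* drep[0] bit: integers are little-endian */
enum frag_status { FRAG_OK = 0, FRAG_SHORT_HDR, FRAG_TOO_SMALL,
                   FRAG_TOO_BIG, FRAG_INCOMPLETE, FRAG_BAD_AUTH };

/* Constructed sample: a 24-byte request fragment, little-endian drep. */
static const uint8_t sample_frag[24] = {
    5, 0, 0, 3,  0x10, 0, 0, 0,  24, 0,  0, 0,  1, 0, 0, 0,
    0, 0, 0, 0, 0, 0, 0, 0 };

static uint16_t rd16(const uint8_t *p, int le)
{
    return le ? (uint16_t)(p[0] | p[1] << 8) : (uint16_t)(p[0] << 8 | p[1]);
}

/* buf/avail: bytes read from the transport; max_frag: receive buffer size.
 * On FRAG_OK, *frag_len is safe to use as a copy length from buf. */
enum frag_status dcerpc_check_fragment(const uint8_t *buf, size_t avail,
                                       uint16_t max_frag, uint16_t *frag_len)
{
    if (avail < DCERPC_HDR_LEN)
        return FRAG_SHORT_HDR;        /* cannot even read the length fields */
    int le = (buf[DCERPC_DREP_OFF] & DCERPC_DREP_LE) != 0;
    uint16_t flen = rd16(buf + DCERPC_FRAG_OFF, le);
    uint16_t alen = rd16(buf + DCERPC_AUTH_OFF, le);
    if (flen < DCERPC_HDR_LEN)
        return FRAG_TOO_SMALL;        /* flen - header would underflow */
    if (flen > max_frag)
        return FRAG_TOO_BIG;          /* larger than the receive buffer */
    if (flen > avail)
        return FRAG_INCOMPLETE;       /* claims more than was received */
    if (alen > flen - DCERPC_HDR_LEN)
        return FRAG_BAD_AUTH;         /* auth trailer exceeds the body */
    *frag_len = flen;
    return FRAG_OK;
}

int main(void)
{
    uint16_t n = 0;
    return dcerpc_check_fragment(sample_frag, sizeof sample_frag, 4280, &n);
}
```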
Samba Insecure File Permissions and Security Bypass Vulnerabilities
Samba versions prior to 3.6.20, 4.0.11, and 4.1.1 do not check the underlying
file or directory access control list when opening an alternate data stream.
This vulnerability can be exploited to disclose information such as contents
of inaccessible alternate streams. In addition, Samba versions prior to 4.0.11
and 4.1.1 create private keys that are used for the SSL/TLS encryption for
ldaps with insecure world-readable permissions. This vulnerability can be
exploited by local users to obtain sensitive information by reading the key file.
By default no version of Samba supports alternate data streams
on files or directories.
By default, the http(s) service is not started; it is started only if the
"server services" option contains "web".
The ldap(s) service is only started if Samba is configured as an
active directory domain controller.
Packet Handling Denial of Service Vulnerability
Samba before 3.5.22, 3.6.17, and 4.0.8 is prone to a vulnerability,
which can be exploited to cause a DoS (Denial of Service).
The vulnerability is caused by an unspecified error when handling malformed packets
and can be exploited to exhaust memory resources by sending a specially crafted packet.
LSA RPC "take ownership" Privilege Security Bypass Vulnerability
Samba versions 3.4.x before 3.4.17, 3.5.x before 3.5.15, and 3.6.x before 3.6.5 are prone to a vulnerability,
which can be exploited by malicious users to bypass certain security restrictions.
The security issue is caused by improper application of security checks in the CreateAccount, OpenAccount, AddAccountRights, and RemoveAccountRights remote procedure calls (RPC) within the Local Security Authority (LSA).
This can be exploited to gain "take ownership" privileges
and e.g. change the ownership of arbitrary files and directories on the smbd file server.
Unauthenticated remote code execution vulnerability
A vulnerability in Samba could allow remote, anonymous attackers to execute arbitrary code with root privileges.
The problem occurs in generated code which controls marshalling and unmarshalling of RPC calls over the network, due to the use of a client-supplied
length value when allocating the memory for an array.
Samba 3.6.3, 3.5.13, and 3.4.15 and earlier are affected by this vulnerability.
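How an unmarshalling routine can treat a client-supplied array length safely, as an added example (not Samba's generated code): the count is bounded by the bytes actually present before any memory is allocated. The wire format here (a 32-bit count followed by 32-bit elements) is a simplified assumption rather than NDR, and the names and sample messages are constructed for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
struct u32_array { uint32_t count; uint32_t *elems; };

/* Constructed samples: a valid two-element message, and one that claims
 * 0xFFFFFFFF elements but carries only one. */
static const uint8_t good_msg[12] = { 2,0,0,0, 0x44,0x33,0x22,0x11, 1,0,0,0 };
static const uint8_t lying_msg[8] = { 0xff,0xff,0xff,0xff, 1,0,0,0 };

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Unmarshal [uint32 count][count x uint32], little-endian.
 * Returns 0 and fills *out on success, -1 on malformed input. */
int pull_u32_array(const uint8_t *buf, size_t len, struct u32_array *out)
{
    out->count = 0;
    out->elems = NULL;
    if (len < 4)
        return -1;
    uint32_t count = rd32le(buf);          /* client-supplied, untrusted */
    size_t remaining = len - 4;
    /* Bound the count by the bytes actually present. This also keeps
     * count * sizeof(uint32_t) from wrapping before the allocation. */
    if (count > remaining / sizeof(uint32_t))
        return -1;
    if (count == 0)
        return 0;
    uint32_t *e = calloc(count, sizeof *e);
    if (e == NULL)
        return -1;
    /* The same checked value drives the allocation and the copy loop. */
    for (uint32_t i = 0; i < count; i++)
        e[i] = rd32le(buf + 4 + (size_t)i * sizeof(uint32_t));
    out->count = count;
    out->elems = e;
    return 0;
}

int main(void)
{
    struct u32_array a, b;
    int ok = pull_u32_array(good_msg, sizeof good_msg, &a) == 0;
    int rejected = pull_u32_array(lying_msg, sizeof lying_msg, &b) == -1;
    free(a.elems);
    return !(ok && rejected);
}
```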
3.x Multiple Unspecified Remote Vulnerabilities
Samba 3.x is prone to multiple unspecified remote vulnerabilities, including:
An error in 'smbd' that can be exploited to cause a heap-based overflow.
An error when Samba is compiled with '--enable-developer' can lead to a heap-based overflow.
Multiple unspecified stack overflows.
An unspecified heap-based buffer overflow.
Attackers can exploit these issues to execute code within the context of the affected server.
Failed exploit attempts will result in a denial-of-service condition.
A list of all reported vulnerabilities affecting Samba is
The Samba DCE-RPC packets handling buffer overflow vulnerability was reported in
Secunia Advisory SA55966 (http://secunia.com/advisories/55966/) and
Samba Security CVE-2013-4496 (http://www.samba.org/samba/security/CVE-2013-4496).
The Samba insecure file permissions and security bypass vulnerabilities were reported in
Secunia Advisory SA55638 (http://secunia.com/advisories/55638/).
The Packet Handling Denial of Service vulnerability was reported in
Secunia Advisory SA54347 (http://secunia.com/advisories/54347/).
The LSA RPC "take ownership" Privilege Security Bypass vulnerability was reported in
Secunia Advisory SA48976 (http://secunia.com/advisories/48976/).
The unauthenticated remote code execution vulnerability was reported in a
Samba announcement (https://www.samba.org/samba/security/CVE-2012-1182).
The 3.x Multiple Unspecified Remote vulnerabilities were reported in
Bugtraq ID 36250 (http://www.securityfocus.com/bid/36250/).
Low Attack Complexity, Complete Confidentiality Impact, Complete Integrity Impact, Complete Availability Impact