A remote attacker could create accounts, read part of the credentials file, execute arbitrary
commands, cause a denial of service, write to arbitrary files, gain elevated privileges, or disable logging
of failed login attempts in a brute-force password attack.
Server Message Block (SMB) is a network protocol native to Windows systems which allows sharing
of files and printers across a network. Samba is a software package which implements the SMB
protocol on a variety of platforms, providing compatibility with Windows systems.
Every computer which uses the SMB protocol is assigned a NetBIOS name. This name is used to identify
the computer on the network for the purposes of resolving
Samba servers typically run two daemons: smbd, which provides the SMB file and print services, and nmbd, which
provides the NetBIOS name service that allows the server to appear in the Windows Network Neighborhood.
Unauthenticated remote code execution vulnerability
A vulnerability in Samba could allow remote, anonymous attackers to execute arbitrary code with root privileges.
The problem lies in the generated code that marshals and unmarshals RPC calls over the network: a client-supplied
length value is used when allocating the memory for an array.
Samba 3.6.3, 3.5.13, and 3.4.15 and earlier are affected by this vulnerability.
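As an added illustration of the bug class described above (not Samba's generated marshalling code), the following C function unmarshals a simplified NDR-style conformant array and rejects input whose client-supplied counts disagree with each other or exceed the bytes actually received; the wire layout and the sample inputs are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
/* Simplified NDR-style conformant array (constructed layout, not Samba's generated
 * code): u32 max_count, u32 actual_count, then actual_count little-endian u32 elements. */
static uint32_t get_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
/* Returns the element count (array in *out, caller frees) or -1 if malformed.
 * Both counts are client-supplied, so neither is trusted until checked against
 * the other and against the number of bytes actually received. */
int unmarshal_u32_array(const uint8_t *buf, size_t len, uint32_t **out)
{
    *out = NULL;
    if (len < 8)
        return -1;
    uint32_t max_count = get_le32(buf);
    uint32_t actual = get_le32(buf + 4);
    /* Allocating with one client count and copying with another is the bug
     * pattern described above: require the two to agree. */
    if (actual != max_count)
        return -1;
    /* The declared elements must really be present, which also bounds the
     * allocation by the size of the received buffer. */
    if ((size_t)actual > (len - 8) / sizeof(uint32_t))
        return -1;
    if (actual == 0)
        return 0;
    uint32_t *arr = malloc((size_t)actual * sizeof *arr);
    if (arr == NULL)
        return -1;
    for (uint32_t i = 0; i < actual; i++)
        arr[i] = get_le32(buf + 8 + (size_t)i * 4);
    *out = arr;
    return (int)actual;
}
/* Constructed sample inputs: a well-formed 3-element array, one whose counts
 * disagree, and one declaring far more elements than the bytes it carries. */
static const uint8_t sample_ok[] = {3,0,0,0, 3,0,0,0, 1,0,0,0, 2,0,0,0, 3,0,0,0};
static const uint8_t sample_mismatch[] = {3,0,0,0, 2,0,0,0, 1,0,0,0, 2,0,0,0, 3,0,0,0};
static const uint8_t sample_oversize[] = {0xff,0xff,0xff,0x7f, 0xff,0xff,0xff,0x7f, 1,0,0,0};
/* Parse and report only the count, releasing any array that was allocated. */
int parse_count(const uint8_t *buf, size_t len)
{
    uint32_t *arr;
    int n = unmarshal_u32_array(buf, len, &arr);
    free(arr);
    return n;
}
```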
Any Batched Request Handling Buffer Overflow Vulnerability
Samba before 3.4.0 is prone to a vulnerability
which can be exploited by malicious people to compromise a vulnerable system.
The vulnerability is caused by an error in process.c when handling Any Batched (AndX) request packets and can be exploited to cause a heap-based buffer overflow.
SWAT Cross-Site Scripting and Request Forgery Vulnerabilities
Samba before 3.5.10 is prone to two vulnerabilities,
which can be exploited by malicious people to conduct cross-site scripting and request forgery attacks.
Successful exploitation of the vulnerabilities requires that SWAT is enabled (it is not enabled by default).
"FD_SET" Memory Corruption Vulnerability
Samba before 3.5.7 is prone to a memory-corruption vulnerability.
An attacker can exploit this issue to crash the application or cause the application to enter an infinite loop.
sid_parse buffer overflow
A buffer overflow vulnerability in the sid_parse
function allows a client to execute arbitrary commands by
sending a long, specially crafted Windows SID represented
in binary. Samba versions prior to 3.5.5 are affected by
SMB1 Packets Chaining Memory Corruption
A memory corruption vulnerability has been reported in Samba before 3.3.13.
The vulnerability is due to improper validation when chaining SMB1 packets.
Remote attackers could exploit this vulnerability by sending a crafted SMB message to a target SMB server.
Successful exploitation would allow arbitrary code injection and execution, which could give the attacker complete control of the target host.
Code injection that does not result in execution could crash the target system,
resulting in a denial-of-service condition.
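To illustrate the validation that both this SMB1 chaining flaw and the Any Batched (AndX) request flaw above turn on, this added C example (not Samba's process.c) walks a simplified SMB1 AndX chain and rejects links that do not fit the packet, point backwards or into the current block, or exceed a chain-length limit; the header size, block layout, chain limit and sample packets are constructed assumptions for the example.

```c
#include <stddef.h>
#include <stdint.h>
#define SMB1_HDR_LEN 32       /* fixed SMB1 header before the first command block */
#define ANDX_NO_COMMAND 0xFF  /* AndXCommand value marking the end of the chain */
#define MAX_ANDX_CHAIN 8      /* assumed limit for this example */
/* Simplified AndX block (offsets from block start), constructed for illustration:
 * [0] WordCount, [1] AndXCommand, [2] AndXReserved, [3..4] AndXOffset (LE, from
 * the start of the SMB header), then the remaining words and a 2-byte ByteCount. */

/* Walk the chain; return the number of command blocks, or -1 if any link is unsafe:
 * a block that does not fit in the packet, an offset pointing backwards or into the
 * current block (a loop or overlap), or a chain longer than MAX_ANDX_CHAIN. */
int validate_andx_chain(const uint8_t *pkt, size_t len)
{
    size_t pos = SMB1_HDR_LEN;
    int count = 0;
    for (;;) {
        if (pos + 5 > len)            /* WordCount plus the two AndX words must fit */
            return -1;
        uint8_t wct = pkt[pos];
        uint8_t cmd = pkt[pos + 1];
        size_t next = (size_t)pkt[pos + 3] | (size_t)pkt[pos + 4] << 8;
        size_t end = pos + 1 + 2 * (size_t)wct + 2;  /* words plus ByteCount */
        if (wct < 2 || end > len)     /* AndX blocks carry at least two words */
            return -1;
        if (++count > MAX_ANDX_CHAIN)
            return -1;
        if (cmd == ANDX_NO_COMMAND)
            return count;
        if (next < end)               /* next block must start after this one */
            return -1;
        pos = next;
    }
}

/* Constructed packets: 32 zero header bytes, then WordCount-2 blocks of 7 bytes. */
#define HDR 0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0
static const uint8_t chain_ok[]    = { HDR, 2,0x2E,0,39,0,0,0, 2,0xFF,0,0,0,0,0 };
static const uint8_t chain_loop[]  = { HDR, 2,0x2E,0,32,0,0,0, 2,0xFF,0,0,0,0,0 };
static const uint8_t chain_past[]  = { HDR, 2,0x2E,0,45,0,0,0, 2,0xFF,0,0,0,0,0 };
static const uint8_t chain_short[] = { HDR, 2,0x2E,0,39,0,0,0 };  /* link runs off the end */
```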
Vulnerabilities fixed in 3.4.8 and 3.5.2
Samba before 3.4.8 and 3.5.2 is prone to multiple remote denial-of-service vulnerabilities.
An attacker can exploit these issues to crash the application, denying service to legitimate users.
client/mount.cifs.c Local Denial of Service Vulnerability
Samba 3.4.5 and prior are prone to a local denial-of-service vulnerability.
A local attacker can exploit this issue to corrupt system files, resulting in a denial-of-service condition.
Symlink Directory Traversal Vulnerability
Samba is prone to a directory-traversal vulnerability because the application fails to sufficiently sanitize user-supplied input.
Exploits would allow an attacker to access files outside of the Samba user's root directory
to obtain sensitive information and perform other attacks.
To exploit this issue, attackers require authenticated access to a writable share.
This issue may be exploited through a writable share accessible by guest accounts.
mount.cifs Utility Local Privilege Escalation Vulnerability
Samba is prone to a local privilege-escalation vulnerability in the 'mount.cifs' utility.
Local attackers can exploit this issue to gain elevated privileges on affected computers.
Samba 3.4.5, 3.3.8, 3.2.15, 3.0.37, and prior are vulnerable.
3.x Multiple Unspecified Remote Vulnerabilities
Samba 3.x is prone to multiple unspecified remote vulnerabilities, including:
An error in 'smbd' that can be exploited to cause a heap-based overflow.
An error when Samba is compiled with '--enable-developer' can lead to a heap-based overflow.
Multiple unspecified stack overflows.
An unspecified heap-based buffer overflow.
Attackers can exploit these issues to execute code within the context of the affected server.
Failed exploit attempts will result in a denial-of-service condition.
A list of all reported vulnerabilities affecting Samba is
The unauthenticated remote code execution vulnerability was reported in a Samba announcement (https://www.samba.org/samba/security/CVE-2012-1182).
The Any Batched Request Handling Buffer Overflow vulnerability was reported in Secunia Advisory SA48152 (http://secunia.com/advisories/48152/).
The SWAT Cross-Site Scripting and Request Forgery vulnerabilities were reported in Secunia Advisory SA45393 (http://secunia.com/advisories/45393/).
The "FD_SET" Memory Corruption vulnerability was reported in Secunia Advisory SA43512 (http://secunia.com/advisories/43512/).
The sid_parse buffer overflow was reported in the Samba 3.5.5 release notes (http://us1.samba.org/samba/history/samba-3.5.5.html).
The SMB1 Packets Chaining Memory Corruption vulnerability was reported in Bugtraq ID 40884 (http://www.securityfocus.com/bid/40884/).
The vulnerabilities fixed in 3.4.8 and 3.5.2 were reported in Bugtraq ID 40097 (http://www.securityfocus.com/bid/40097/).
The client/mount.cifs.c Local Denial of Service vulnerability was reported in Bugtraq ID 38326 (http://www.securityfocus.com/bid/38326/).
The Symlink Directory Traversal vulnerability was reported in Bugtraq ID 38111 (http://www.securityfocus.com/bid/38111/).
The mount.cifs Utility Local Privilege Escalation vulnerability was reported in Bugtraq ID 37992 (http://www.securityfocus.com/bid/37992/).
The 3.x Multiple Unspecified Remote vulnerabilities were reported in Bugtraq ID 36250 (http://www.securityfocus.com/bid/36250/).
Low Attack Complexity, Complete Confidentiality Impact, Complete Integrity Impact, Complete Availability Impact