Description

Samba 4.x before 4.2.11, 4.3.x before 4.3.8, and 4.4.x before 4.4.2 does not verify X.509 certificates from TLS servers, which allows man-in-the-middle attackers to spoof LDAPS and HTTPS servers and obtain sensitive information via a crafted certificate.

References

• ALPINE-5495
• ALPINE-5496
• ALPINE-5497
• CVE-2016-2113
• DEBIAN-DSA-3548
• REDHAT-RHSA-2016:0612
• REDHAT-RHSA-2016:0614
• REDHAT-RHSA-2016:0618
• REDHAT-RHSA-2016:0620

Solution

Related Vulnerabilities

• Oracle Solaris 11: CVE-2016-2113: Vulnerability in Samba
• RHSA-2016:0618: samba security, bug fix, and enhancement update
• Amazon Linux AMI: Security patch for samba (ALAS-2016-686) (multiple CVEs)
• Vulnerabilities deemed not relevant on Red Hat Enterprise Linux 5
• Huawei EulerOS: CVE-2016-2113: samba security update
• Vulnerabilities deemed not relevant on Red Hat Enterprise Linux 4
• RHSA-2016:0612: samba and samba4 security, bug fix, and enhancement update
• RHSA-2016:0620: samba4 security, bug fix, and enhancement update
• Gentoo Linux: CVE-2016-2113: Samba: Multiple vulnerabilities
• FreeBSD: samba -- multiple vulnerabilities (Multiple CVEs)
• Vulnerabilities deemed not relevant on Red Hat Enterprise Linux 6
• Samba CVE-2016-2113: Missing TLS certificate validation allows man in the middle attacks