Rapid7 Vulnerability & Exploit Database

Ubuntu: USN-3158-1 (CVE-2016-2123): Samba vulnerabilities

Severity: 7
CVSS: (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Published: 12/19/2016
Created: 07/25/2018
Added: 12/20/2016
Modified: 03/21/2018

Description

Details for this vulnerability have not been published by NIST at this point. Descriptions from software vendor advisories for this issue are provided below.

From DSA-3740:

Several vulnerabilities have been discovered in Samba, an SMB/CIFS file, print, and login server for Unix. The Common Vulnerabilities and Exposures project identifies the following issues:

From USN-3158-1:

Frederic Besler and others discovered that the ndr_pull_dnsp_name function in Samba contained an integer overflow. An authenticated attacker could use this to gain administrative privileges. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, and Ubuntu 16.10. (CVE-2016-2123)

Simo Sorce discovered that Samba clients always requested a forwardable ticket when using Kerberos authentication. An attacker could use this to impersonate an authenticated user or service. (CVE-2016-2125)

Volker Lendecke discovered that the Kerberos PAC validation implementation in Samba contained multiple vulnerabilities. An authenticated attacker could use this to cause a denial of service or gain administrative privileges. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, and Ubuntu 16.10. (CVE-2016-2126)

From VID-E4BC323F-CC73-11E6-B704-000C292E4FD8:

Samba team reports:

[CVE-2016-2123] Authenticated users can supply malicious dnsRecord attributes on DNS objects and trigger a controlled memory corruption.

[CVE-2016-2125] Samba client code always requests a forwardable ticket when using Kerberos authentication. This means the target server, which must be in the current or trusted domain/realm, is given a valid general purpose Kerberos "Ticket Granting Ticket" (TGT), which can be used to fully impersonate the authenticated user or service.

[CVE-2016-2126] A remote, authenticated, attacker can cause the winbindd process to crash using a legitimate Kerberos ticket due to incorrect handling of the PAC checksum. A local service with access to the winbindd privileged pipe can cause winbindd to cache elevated access permissions.

From SUSE_CVE-2016-2123:

This CVE is addressed in the SUSE advisories SUSE-SU-2016:3271-1 and SUSE-SU-2016:3272-1.

Solution(s)

  • ubuntu-upgrade-libsmbclient
  • ubuntu-upgrade-samba
  • ubuntu-upgrade-winbind
