The remote Oracle Linux 6 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2013-1805 advisory.

    - resolves: #1018039 - Fix CVE-2013-4408.

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 5 / 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2013-1806 advisory.

    - resolves: #1018037 - Fix CVE-2013-4408.

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

This update fixes the following security issues with samba :

  - DCERPC frag_len not checked. (CVE-2013-4408).
    (bnc#844720)

  - winbind pam security problem. (CVE-2012-6150).
    (bnc#853347)

  - No access check verification on stream files     (CVE-2013-4475). And fixes the following non-security     issues :. (bnc#848101)

  - libsmbclient0 package description contains comments.
    (bnc#853021)

  - rpcclient adddriver and setdrive do not set all needed     registry entries. (bnc#817880)

  - Client trying to delete print job fails: Samba returns:
    WERR_INVALID_PRINTER_NAME. (bnc#838472)

  - various upstream fixes. (bnc#854520 and bnc#849226)

This is a LTSS roll-up update for the Samba Server suite fixing multiple security issues and bugs.

Security issues fixed :

  - CVE-2013-4496: Password lockout was not enforced for     SAMR password changes, leading to brute force     possibility.

  - CVE-2013-4408: DCE-RPC fragment length field is     incorrectly checked.

  - CVE-2013-4124: Samba was affected by a denial of service     attack on authenticated or guest connections.

  - CVE-2013-0214: The SWAT webadministration was affected     by a cross site scripting attack (XSS).

  - CVE-2013-0213: The SWAT webadministration could possibly     be used in clickjacking attacks.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote NewStart CGSL host, running version MAIN 6.02, has samba packages installed that are affected by multiple vulnerabilities:

  - Multiple heap-based buffer overflows in the NDR parsing in smbd in Samba 3.0.0 through 3.0.25rc3 allow     remote attackers to execute arbitrary code via crafted MS-RPC requests involving (1) DFSEnum     (netdfs_io_dfs_EnumInfo_d), (2) RFNPCNEX (smb_io_notify_option_type_data), (3) LsarAddPrivilegesToAccount     (lsa_io_privilege_set), (4) NetSetFileSecurity (sec_io_acl), or (5) LsarLookupSids/LsarLookupSids2     (lsa_io_trans_names). (CVE-2007-2446)

  - The MS-RPC functionality in smbd in Samba 3.0.0 through 3.0.25rc3 allows remote attackers to execute     arbitrary commands via shell metacharacters involving the (1) SamrChangePassword function, when the     username map script smb.conf option is enabled, and allows remote authenticated users to execute     commands via shell metacharacters involving other MS-RPC functions in the (2) remote printer and (3) file     share management. (CVE-2007-2447)

  - Heap-based buffer overflow in the receive_smb_raw function in util/sock.c in Samba 3.0.0 through 3.0.29     allows remote attackers to execute arbitrary code via a crafted SMB response. (CVE-2008-1105)

  - Samba 3.4 before 3.4.2, 3.3 before 3.3.8, 3.2 before 3.2.15, and 3.0.12 through 3.0.36, as used in the SMB     subsystem in Apple Mac OS X 10.5.8 when Windows File Sharing is enabled, Fedora 11, and other operating     systems, does not properly handle errors in resolving pathnames, which allows remote authenticated users     to bypass intended sharing restrictions, and read, create, or modify files, in certain circumstances     involving user accounts that lack home directories. (CVE-2009-2813)

  - smbd in Samba 3.0 before 3.0.37, 3.2 before 3.2.15, 3.3 before 3.3.8, and 3.4 before 3.4.2 allows remote     authenticated users to cause a denial of service (infinite loop) via an unanticipated oplock break     notification reply packet. (CVE-2009-2906)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Updated samba4 packages that fix one security issue are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

Samba is an open source implementation of the Server Message Block (SMB) or Common Internet File System (CIFS) protocol, which allows PC-compatible machines to share files, printers, and other information.

A heap-based buffer overflow flaw was found in the DCE-RPC client code in Samba. A specially crafted DCE-RPC packet could cause various Samba programs to crash or, possibly, execute arbitrary code when parsed. A malicious or compromised Active Directory Domain Controller could use this flaw to compromise the winbindd daemon running with root privileges. (CVE-2013-4408)

Red Hat would like to thank the Samba project for reporting this issue. Upstream acknowledges Stefan Metzmacher and Michael Adam of SerNet as the original reporters of this issue.

All users of Samba are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing this update, the smb service will be restarted automatically.

New samba packages are available for Slackware 14.1, and -current to fix a security issue.

- Update to 4.1.3.

  + DCE-RPC fragment length field is incorrectly checked;
    CVE-2013-4408; (bnc#844720).

  + pam_winbind login without require_membership_of     restrictions; CVE-2012-6150; (bnc#853347).

  - Make use of the full gpg pub key file name including the     key ID.

  - Add transparent file compression support; (fate#316266).

  + Implement FSCTL_GET_COMPRESSION and     FSCTL_SET_COMPRESSION handlers.

  + Add FILE_ATTRIBUTE_COMPRESSED and FILE_NO_COMPRESSION     support.

  + Extend vfs_btrfs VFS module to utilize get/set     compression hooks.

  - Add support for FSCTL_SRV_COPYCHUNK_WRITE;
    (fate#314770).

  - Remove bogus libsmbclient0 package description and     cleanup the libsmbclient line from baselibs.conf;
    (bnc#853021).

  - BuildRequire systemd on post-12.2 systems.

  - Update to 4.1.2.

  + s4-dns: dlz_bind9: Create dns-HOSTNAME account disabled;
    (bso#9091).

  + dfs_server: Use dsdb_search_one to catch 0 results as     well as NO_SUCH_OBJECT errors; (bso#10052).

  + Missing talloc_free can leak stackframe in error path;
    (bso#10187).

  + Fix memset used with constant zero length parameter;
    (bso#10190).

  + s4:dsdb/rootdse: report 'dnsHostName' instead of     'dNSHostName'; (bso#10193).

  + Make offline logon cache updating for cross child domain     group membership; (bso#10194).

  + nsswitch: Fix short writes in winbind_write_sock;
    (bso#10195).

  + RW Deny for a specific user is not overriding RW Allow     for a group; (bso#10196).

  + vfs_glusterfs: Fix excessive debug output from     vfs_gluster_open(); (bso#10224).

  + vfs_glusterfs: Implement proper mashalling/unmarshalling     of ACLs; (bso#10224).

  + VFS plugin was sending the actual size of the volume     instead of the total number of block units because of     which windows was getting the wrong &#9; volume     capacity; (bso#10224).

  + libcli/smb: Fix smb2cli_ioctl*() against Windows 2008;
    (bso#10232).

  + xattr: Fix listing EAs on *BSD for non-root users;
    (bso#10247).

  + Fix the build of vfs_glusterfs; (bso#10253).

  + s3-winbindd: Fix cache_traverse_validate_fn failure for     NDR cache entries; (bso#10264).

  + util: Remove 32bit macros breaking strict aliasing;
    (bso#10269).

  - Let gpg verify execution condition not fail on non SUSE     systems.

  - Add systemd support for post-12.2 systems.

  - Update to 4.1.1.

  + ACLs are not checked on opening an alternate data stream     on a file or directory; CVE-2013-4475; (bso#10229);
    (bnc#848101).

  + Private key in key.pem world readable; CVE-2013-4476;
    (bnc#848103).

Samba was updated to fix security issues and bugs :

Security issues fixed :

  - Password lockout was not enforced for SAMR password     changes, this allowed brute-force attacks on passwords.
    CVE-2013-4496; (bnc#849224).

  - The DCE-RPC fragment length field is incorrectly     checked, which could expose samba clients to buffer     overflow exploits caused by malicious servers;
    CVE-2013-4408; (bnc#844720).

  - The pam_winbind login without require_membership_of     restrictions could allow fallbacks to local users even     if they were not intended to be allowed; CVE-2012-6150;
    (bnc#853347).

Also non security bugs were fixed :

  - Fix problem with server taking too long to respond to a     MSG_PRINTER_DRVUPGRADE message; (bso#9942);
    (bnc#863748).

  - Fix memory leak in printer_list_get_printer();
    (bso#9993); (bnc#865561).

  - Depend on %version-%release with all manual Provides and     Requires; (bnc#844307).

  - Remove superfluous obsoletes *-64bit in the ifarch ppc64     case; (bnc#437293).

  - Fix Winbind 100% CPU utilization caused by domain list     corruption; (bso#10358); (bnc#786677).

  - Samba is chatty about being unable to open a printer;
    (bso#10118).

  - nsswitch: Fix short writes in winbind_write_sock;
    (bso#10195).

  - xattr: fix listing EAs on *BSD for non-root users;
    (bso#10247).

  - spoolss: accept XPS_PASS datatype used by Windows 8;
    (bso#10267).

  - The preceding bugs are tracked by (bnc#854520) too.

  - Make use of the full gpg pub key file name including the     key ID.

  - Remove bogus libsmbclient0 package description and     cleanup the libsmbclient line from baselibs.conf;
    (bnc#853021).

  - Allow smbcacls to take a '--propagate-inheritance' flag     to indicate that the add, delete, modify and set     operations now support automatic propagation of     inheritable ACE(s); (FATE#316474).

  - Attempt to use samlogon validation level 6; (bso#7945);
    (bnc#741623).

  - Recover from ncacn_ip_tcp ACCESS_DENIED/SEC_PKG_ERROR     lsa errors; (bso#7944); (bnc#755663).

  - Fix lsa_LookupSids3 and lsa_LookupNames4 arguments.

  - Use simplified smb signing infrastructure; (bnc#741623).

The remote Solaris system is missing necessary patches to address security updates :

  - The winbind_name_list_to_sid_string_list function in     nsswitch/pam_winbind.c in Samba through 4.1.2 handles     invalid require_membership_of group names by accepting     authentication by any user, which allows remote     authenticated users to bypass intended access     restrictions in opportunistic circumstances by     leveraging an administrator's pam_winbind     configuration-file mistake. (CVE-2012-6150)

  - Heap-based buffer overflow in the     dcerpc_read_ncacn_packet_done function in     librpc/rpc/dcerpc_util.c in winbindd in Samba 3.x before     3.6.22, 4.0.x before 4.0.13, and 4.1.x before 4.1.3     allows remote AD domain controllers to execute arbitrary     code via an invalid fragment length in a DCE-RPC packet.
    (CVE-2013-4408)

The remote host is affected by the vulnerability described in GLSA-201502-15 (Samba: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Samba. Please review       the CVE identifiers referenced below for details.
  Impact :

    A context-dependent attacker may be able to execute arbitrary code,       cause a Denial of Service condition, bypass intended file restrictions,       or obtain sensitive information.
  Workaround :

    There is no known workaround at this time.

It was discovered that Winbind incorrectly handled invalid group names with the require_membership_of parameter. If an administrator used an invalid group name by mistake, access was granted instead of having the login fail. (CVE-2012-6150)

Stefan Metzmacher and Michael Adam discovered that Samba incorrectly handled DCE-RPC fragment length fields. A remote attacker could use this issue to cause Samba to crash, resulting in a denial of service, or possibly execute arbitrary code as the root user. (CVE-2013-4408)

Hemanth Thummala discovered that Samba incorrectly handled file permissions when vfs_streams_depot or vfs_streams_xattr were enabled.
A remote attacker could use this issue to bypass intended restrictions. (CVE-2013-4475).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This updates Samba to version 4.0.13, which fixes two security bugs.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	名称	产品	系列	发布时间	最近更新时间	严重程度
71288	Oracle Linux 6 : samba4 (ELSA-2013-1805)	Nessus	Oracle Linux Local Security Checks	2013/12/10	2024/10/22	critical
71289	Oracle Linux 5 / 6 : samba / and / samba3x (ELSA-2013-1806)	Nessus	Oracle Linux Local Security Checks	2013/12/10	2024/10/22	critical
71833	SuSE 11.2 / 11.3 Security Update : Samba (SAT Patch Numbers 8655 / 8656)	Nessus	SuSE Local Security Checks	2014/1/7	2021/1/19	high
83623	SUSE SLES11 Security Update : Samba (SUSE-SU-2014:0723-1)	Nessus	SuSE Local Security Checks	2015/5/20	2021/1/19	high
206855	NewStart CGSL MAIN 6.02 : samba Multiple Vulnerabilities (NS-SA-2024-0054)	Nessus	NewStart CGSL Local Security Checks	2024/9/10	2024/9/17	critical
71292	RHEL 6 : samba4 (RHSA-2013:1805)	Nessus	Red Hat Local Security Checks	2013/12/10	2021/1/14	high
71932	Slackware 14.1 / current : samba (SSA:2014-013-04)	Nessus	Slackware Local Security Checks	2014/1/14	2021/1/14	high
75242	openSUSE Security Update : samba (openSUSE-SU-2013:1921-1)	Nessus	SuSE Local Security Checks	2014/6/13	2021/1/19	high
75302	openSUSE Security Update : samba (openSUSE-SU-2014:0405-1)	Nessus	SuSE Local Security Checks	2014/6/13	2021/1/19	high
80766	Oracle Solaris Third-Party Patch Update : samba (cve_2012_6150_input_validation)	Nessus	Solaris Local Security Checks	2015/1/19	2021/1/14	high
81536	GLSA-201502-15 : Samba: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	2015/2/26	2021/1/11	critical
71273	CentOS 6 : samba4 (CESA-2013:1805)	Nessus	CentOS Local Security Checks	2013/12/10	2021/1/4	high
71376	Ubuntu 10.04 LTS / 12.04 LTS / 12.10 / 13.04 / 13.10 : samba vulnerabilities (USN-2054-1)	Nessus	Ubuntu Local Security Checks	2013/12/12	2019/9/19	high
71447	Fedora 19 : samba-4.0.13-1.fc19 (2013-23085)	Nessus	Fedora Local Security Checks	2013/12/16	2021/1/11	high

检测

插件搜索

critical

critical

high

high

critical

high

high

high

high

high

critical

high

high

high