CVE-2016-2123
Published: 19 December 2016
A flaw was found in samba versions 4.0.0 to 4.5.2. The Samba routine ndr_pull_dnsp_name contains an integer wrap problem, leading to an attacker-controlled memory overwrite. ndr_pull_dnsp_name parses data from the Samba Active Directory ldb database. Any user who can write to the dnsRecord attribute over LDAP can trigger this memory corruption. By default, all authenticated LDAP users can write to the dnsRecord attribute on new DNS objects. This makes the defect a remote privilege escalation.
From the Ubuntu Security Team
Frederic Besler and others discovered that the routine ndr_pull_dnsp_nam in Samba contained an integer overflow. An authenticated attacker could use this to gain administrative privileges.
Notes
| Author | Note |
|---|---|
| mdeslaur | 4.0.0+ only |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
samba Launchpad, Ubuntu, Debian |
precise |
Not vulnerable
|
| trusty |
Released
(2:4.3.11+dfsg-0ubuntu0.14.04.4)
|
|
| upstream |
Needs triage
|
|
| xenial |
Released
(2:4.3.11+dfsg-0ubuntu0.16.04.3)
|
|
| yakkety |
Released
(2:4.4.5+dfsg-2ubuntu5.2)
|
|
| zesty |
Released
(2:4.4.5+dfsg-2ubuntu7)
|
|
|
samba4 Launchpad, Ubuntu, Debian |
precise |
Ignored
(end of life)
|
| trusty |
Does not exist
|
|
| upstream |
Needs triage
|
|
| xenial |
Does not exist
|
|
| yakkety |
Does not exist
|
|
| zesty |
Does not exist
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 8.8 |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | Low |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |