(Oracle Issues Fix for Oracle Linux) Samba Multiple Flaws Let Remote Users Hijack Connections, Obtain Potentially Sensitive Information, and Deny Service
SecurityTracker Alert ID: 1035558
SecurityTracker URL: http://securitytracker.com/id/1035558
CVE-2015-5370, CVE-2016-2110, CVE-2016-2111, CVE-2016-2112, CVE-2016-2115, CVE-2016-2118
Date: Apr 13 2016
Denial of service via network, Disclosure of system information, Disclosure of user information, Modification of user information, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 3.0.0 to 4.4.0
Multiple vulnerabilities were reported in Samba. A remote user can cause denial of service conditions on the target system. A remote user can hijack connections. A remote user can obtain potentially sensitive information on the target system.
A remote authenticated user can exploit a missing error check in dcesrv_auth_bind_ack() in the DCE/RPC protocol implementation to cause excessive CPU consumption on the target system or cause the target service to crash or execute arbitrary code [CVE-2015-5370]. Versions 3.6.0 to 4.4.0 are affected.
The NTLMSSP implementation is not protected against downgrading. A remote user that can conduct a man-in-the-middle attack can hijack the target connection [CVE-2016-2110].
The NTLMSSP implementation is not protected against downgrading. A remote user that can conduct a man-in-the-middle attack can spoof a system name to a Domain Controller and obtain session-related information about the spoofed system [CVE-2016-2111].
The LDAP implementation does not enforce integrity protection for LDAP connections. A remote user that can conduct a man-in-the-middle attack can downgrade the target LDAP connection to use no integrity protection and gain access to the connection [CVE-2016-2112].
A remote user that can conduct a man-in-the-middle attack can gain access to the LDAP connection [CVE-2016-2113]. Versions 4.0.0 to 4.4.0 are affected.
The system does not enforce the mandatory server signing configuration setting. As a result, a remote user can conduct a man-in-the-middle attack to hijack SMB1 connections [CVE-2016-2114]. Versions 4.0.0 to 4.4.0 are affected.
The IPC implementation does not enforce integrity protection by default. A remote user that can conduct a man-in-the-middle attack can view and modify data sent via the IPC connection [CVE-2016-2115].
A remote user that can conduct a man-in-the-middle attack against DCE/RPC connections can impersonate the target user against the Security Account Manager Remote Protocol (MS-SAMR) and the Local Security Authority (Domain Policy) Remote Protocol (MS-LSAD) implementations to obtain read/write access to the target Security Account Manager database [CVE-2016-2118]. This can be exploited to obtain passwords in the database. Versions 3.6.0 to 4.4.0 are affected.
[Editor's note: Microsoft Windows is also affected by this vulnerability, as described in CVE-2016-0128 (Alert ID 1035534). This vulnerability is known as "Badlock".]
Jouni Knuutinen of Synopsys reported the dcesrv_auth_bind_ack() vulnerability. Stefan Metzmacher of SerNet (https://samba.plus) reported the other vulnerabilities.
A remote user can cause denial of service conditions.
A remote user can obtain potentially sensitive information on the target system.
A remote user can hijack connections.
Oracle has issued a fix for CVE-2015-5370, CVE-2016-2110, CVE-2016-2111, CVE-2016-2112, CVE-2016-2115, and CVE-2016-2118 for samba3x.
The Oracle Linux advisory is available at:
Vendor URL: linux.oracle.com/errata/ELSA-2016-0613.html
Access control error, Authentication error
Underlying OS: Linux (Oracle)
Underlying OS Comments: 5
This archive entry is a follow-up to the message listed below.
Source Message Contents
Subject: [El-errata] ELSA-2016-0613 Critical: Oracle Linux 5 samba3x security update
Oracle Linux Security Advisory ELSA-2016-0613
The following updated rpms for Oracle Linux 5 have been uploaded to the
Unbreakable Linux Network:
Description of changes:
- Remove use-after-free talloc_tos() inlined function problem (John
Haxby) [orabug 19973497]
- related: #1322685 - Update CVE patchset
- related: #1322685 - Update CVE patchset
- resolves: #1322685 - Fix CVE-2015-5370
- resolves: #1322685 - Fix CVE-2016-2110
- resolves: #1322685 - Fix CVE-2016-2111
- resolves: #1322685 - Fix CVE-2016-2112
- resolves: #1322685 - Fix CVE-2016-2115
- resolves: #1322685 - Fix CVE-2016-2118 (Known as Badlock)