SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Device (Storage)  >   QNAP Storage Devices Vendors:   QNAP Systems
(QNAP Systems Issues Fix for QNAP Storage Devices) Samba Multiple Flaws Let Remote Users Hijack Connections, Obtain Potentially Sensitive Information, and Deny Service
SecurityTracker Alert ID:  1035630
SecurityTracker URL:  http://securitytracker.com/id/1035630
CVE Reference:   CVE-2015-5370, CVE-2016-2110, CVE-2016-2111, CVE-2016-2112, CVE-2016-2114, CVE-2016-2115, CVE-2016-2118   (Links to External Site)
Date:  Apr 20 2016
Impact:   Denial of service via network, Disclosure of system information, Disclosure of user information, Modification of user information, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): QTS 4.2.0 and prior
Description:   Multiple vulnerabilities were reported in Samba. A remote user can cause denial of service conditions on the target system. A remote user can hijack connection. A remote user can obtain potentially sensitive information on the target system. QNAP Storage Devices are affected.

A remote authenticated user can exploit a missing error check in dcesrv_auth_bind_ack() in the DCE/RPC protocol implementation to cause excessive CPU consumption on the target system or cause the target service to crash or execute arbitrary code [CVE-2015-5370]. Versions 3.6.0 to 4.4.0 are affected.

The NTLMSSP implementation is not protected against downgrading. A remote user that can conduct a man-in-the-middle attack can hijack the target connection [CVE-2016-2110].

The NTLMSSP implementation is not protected against downgrading. A remote user that can conduct a man-in-the-middle attack can spoof a system name to a Domain Controller and obtain session-related information about the spoofed system [CVE-2016-2111].

The LDAP implementation does not enforce integrity protection for LDAP connections. A remote user that can conduct a man-in-the-middle attack can downgrade the target LDAP connection to use no integrity protection and gain access to the connection [CVE-2016-2112].

A remote user that can conduct a man-in-the-middle attack can gain access to LDAP connection [CVE-2016-2113]. Versions 4.0.0 to 4.4.0 are affected.

The system does not enforce the mandatory server signing configuration setting. As a result, a remote user can conduct a man-in-the-middle attack to hijack SMB1 connections [CVE-2016-2114]. Versions 4.0.0 to 4.4.0 are affected.

The IPC implementation does not enforce integrity protection by default. A remote user that can conduct a man-in-the-middle attacker can view and modify data sent via the IPC connection [CVE-2016-2115].

A remote user that can conduct a man-in-the-middle attack against DCE/RPE connections can impersonate the target user against the Security Account Manager Remote Protocol (MS-SAMR) and the Local Security Authority (Domain Policy) Remote Protocol (MS-LSAD) implementations to obtain read/write access to the target Security Account Manager database [CVE-2016-2118]. This can be exploited to obtain passwords in the database. Versions 3.6.0 to 4.4.0 are affected.

[Editor's note: Microsoft Windows is also affected by this vulnerability, as described in CVE-2016-0128 (Alert ID 1035534). This vulnerability is known as "Badlock".]

Jouni Knuutinen of Synopsys reported the dcesrv_auth_bind_ack() vulnerability. Stefan Metzmacher of SerNet (https://samba.plus) reported the other vulnerabilities.

Impact:   A remote user can cause denial of service conditions.

A remote user can obtain potentially sensitive information on the target system.

A remote user can hijack connections.

Solution:   QNAP Systems has issued a fix for CVE-2015-5370, CVE-2016-2110, CVE-2016-2111, CVE-2016-2112, CVE-2016-2114, CVE-2016-2115, and CVE-2016-2118 for QNAP Storage Devices (Update to QTS 4.2.0 and then apply Qfix (BadlockFix_4.2.0.1)).

The QNAP Systems advisory is available at:

https://www.qnap.com/i/en/support/con_show.php?cid=89

Vendor URL:  www.qnap.com/i/en/support/con_show.php?cid=89 (Links to External Site)
Cause:   Access control error, Authentication error

Message History:   This archive entry is a follow-up to the message listed below.
Apr 13 2016 Samba Multiple Flaws Let Remote Users Hijack Connections, Obtain Potentially Sensitive Information, and Deny Service



 Source Message Contents



[Original Message Not Available for Viewing]


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC