13485 – [CVE 21] samba 4.15.5 CVEs found

Bug 13485 - [CVE 21] samba 4.15.5 CVEs found

Summary: [CVE 21] samba 4.15.5 CVEs found

Status:	RESOLVED DUPLICATE of bug 13935

Alias:	None

Product:	ROSA Fresh
Classification:	ROSA-based products
Component:	System (kernel, glibc, systemd, bash, PAM...) (show other bugs)
Version:	All
Hardware:	All Linux

Importance:	Normal normal
Target Milestone:	---
Assignee:	ROSA Linux Bugs

URL:	CVE-2021-20251, CVE-2021-20254, CVE-2...
Whiteboard:

Depends on:
Blocks:

Reported:	2023-08-23 16:21 MSK by Yury
Modified:	2023-10-20 11:49 MSK (History)
CC List:	5 users (show)

See Also:
Platform:	2021.1
ROSA Vulnerability identifier:
RPM Package:
Upstream:

Flags:	y.tumanov: secteam_verified?

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Yury 2023-08-23 16:21:15 MSK

Please patch CVEs for package samba version 4.15.5
  
INFO (CVEs are): samba 4.15.5
 cves found
CVE-2021-20251
Desc: A flaw was found in samba. A race condition in the password lockout code may lead to the risk of brute force attacks being successful if special conditions are met.
Link: https://nvd.nist.gov/vuln/detail/CVE-2021-20251
Severity: MEDIUM
CVE-2021-20254
Desc: A flaw was found in samba. The Samba smbd file server must map Windows group identities (SIDs) into unix group ids (gids). The code that performs this had a flaw that could allow it to read data beyond the end of the array in the case where a negative cache entry had been added to the mapping cache. This could cause the calling code to return those values into the process token that stores the group membership for a user. The highest threat from this vulnerability is to data confidentiality and integrity.
Link: https://nvd.nist.gov/vuln/detail/CVE-2021-20254
Severity: MEDIUM
CVE-2021-20277
Desc: A flaw was found in Samba's libldb. Multiple, consecutive leading spaces in an LDAP attribute can lead to an out-of-bounds memory write, leading to a crash of the LDAP server process handling the request. The highest threat from this vulnerability is to system availability.
Link: https://nvd.nist.gov/vuln/detail/CVE-2021-20277
Severity: HIGH
CVE-2021-23192
Desc: A flaw was found in the way samba implemented DCE/RPC. If a client to a Samba server sent a very large DCE/RPC request, and chose to fragment it, an attacker could replace later fragments with their own data, bypassing the signature requirements.
Link: https://nvd.nist.gov/vuln/detail/CVE-2021-23192
Severity: HIGH
CVE-2022-44640
Desc: Heimdal before 7.7.1 allows remote attackers to execute arbitrary code because of an invalid free in the ASN.1 codec used by the Key Distribution Center (KDC).
Link: https://nvd.nist.gov/vuln/detail/CVE-2022-44640
Severity: CRITICAL
CVE-2023-0614
Desc: The fix in 4.6.16, 4.7.9, 4.8.4 and 4.9.7 for CVE-2018-10919 Confidential attribute disclosure vi LDAP filters was insufficient and an attacker may be able to obtain confidential BitLocker recovery keys from a Samba AD DC.
Link: https://nvd.nist.gov/vuln/detail/CVE-2023-0614
Severity: MEDIUM
CVE-2023-34966
Desc: An infinite loop vulnerability was found in Samba's mdssvc RPC service for Spotlight. When parsing Spotlight mdssvc RPC packets sent by the client, the core unmarshalling function sl_unpack_loop() did not validate a field in the network packet that contains the count of elements in an array-like structure. By passing 0 as the count value, the attacked function will run in an endless loop consuming 100% CPU. This flaw allows an attacker to issue a malformed RPC request, triggering an infinite loop, resulting in a denial of service condition.
Link: https://nvd.nist.gov/vuln/detail/CVE-2023-34966
Severity: HIGH
CVE-2023-34967
Desc: A Type Confusion vulnerability was found in Samba's mdssvc RPC service for Spotlight. When parsing Spotlight mdssvc RPC packets, one encoded data structure is a key-value style dictionary where the keys are character strings, and the values can be any of the supported types in the mdssvc protocol. Due to a lack of type checking in callers of the dalloc_value_for_key() function, which returns the object associated with a key, a caller may trigger a crash in talloc_get_size() when talloc detects that the passed-in pointer is not a valid talloc pointer. With an RPC worker process shared among multiple client connections, a malicious client or attacker can trigger a process crash in a shared RPC mdssvc worker process, affecting all other clients this worker serves.
Link: https://nvd.nist.gov/vuln/detail/CVE-2023-34967
Severity: MEDIUM
CVE-2023-34968
Desc: A path disclosure vulnerability was found in Samba. As part of the Spotlight protocol, Samba discloses the server-side absolute path of shares, files, and directories in the results for search queries. This flaw allows a malicious client or an attacker with a targeted RPC request to view the information that is part of the disclosed path.
Link: https://nvd.nist.gov/vuln/detail/CVE-2023-34968
Severity: MEDIUM

Comment 1 Vladimir Potapov 2023-10-20 11:49:44 MSK


*** This bug has been marked as a duplicate of bug 13935 ***