ALAS-2023-2367 --- samba
ID: oval:org.secpod.oval:def:1701954 | Date: (C)2023-12-15 (M)2024-04-29 |
Class: PATCH | Family: unix |
When doing NTLM authentication, the client sends replies to cryptographic challenges back to the server. These replies have variable length. Winbind did not properly bounds-check the LAN Manager response length, which, despite the LAN Manager version no longer being used, is still part of the protocol. If the system is running Samba's ntlm_auth as authentication backend for services like Squid, the vulnerability is remotely exploitable. If not so configured, or to exploit this vulnerability locally, the user must have access to the privileged winbindd UNIX domain socket. This access is normally only given to special system services like Squid or FreeRADIUS that use this feature.

An SMB client can truncate files to 0 bytes by opening files with OVERWRITE disposition when using the acl_xattr Samba VFS module with the smb.conf setting "acl_xattr:ignore system acls = yes".
Product: samba | libsmbclient | libwbclient | ctdb