CVE-2016-2123
Publication date 19 December 2016
Last updated 24 July 2024
Ubuntu priority
CVSS 3 Severity Score
A flaw was found in Samba versions 4.0.0 to 4.5.2. The Samba routine ndr_pull_dnsp_name contains an integer wrap problem, leading to an attacker-controlled memory overwrite. ndr_pull_dnsp_name parses data from the Samba Active Directory ldb database. Any user who can write to the dnsRecord attribute over LDAP can trigger this memory corruption. By default, all authenticated LDAP users can write to the dnsRecord attribute on new DNS objects. This makes the defect a remote privilege escalation.
From the Ubuntu Security Team
Frederic Besler and others discovered that the routine ndr_pull_dnsp_name in Samba contained an integer overflow. An authenticated attacker could use this to gain administrative privileges.
Status
Package | Ubuntu Release | Status |
---|---|---|
samba | 16.04 LTS xenial | Fixed 2:4.3.11+dfsg-0ubuntu0.16.04.3 |
samba | 14.04 LTS trusty | Fixed 2:4.3.11+dfsg-0ubuntu0.14.04.4 |
samba4 | 16.04 LTS xenial | Not in release |
samba4 | 14.04 LTS trusty | Not in release |
Severity score breakdown
Parameter | Value |
---|---|
Base score | 8.8 · High |
Attack vector | Network |
Attack complexity | Low |
Privileges required | Low |
User interaction | None |
Scope | Unchanged |
Confidentiality | High |
Integrity impact | High |
Availability impact | High |
Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
References
Related Ubuntu Security Notices (USN)
- USN-3158-1: Samba vulnerabilities (19 December 2016)