Description
All samba versions 4.9.x before 4.9.18, 4.10.x before 4.10.12 and 4.11.x before 4.11.5 have an issue where if it is set with "log level = 3" (or above) then the string obtained from the client, after a failed character conversion, is printed. Such strings can be provided during the NTLMSSP authentication exchange. In the Samba AD DC in particular, this may cause a long-lived process (such as the RPC server) to terminate. (In the file server case, the most likely target, smbd, operates as process-per-client and so a crash there is harmless).
A flaw was found in Samba. When log levels are set at 3 or higher, the string obtained from the client, after a failed character conversion, is printed, which could cause long-lived processes to terminate. The highest threat from this vulnerability is to system availability.
Mitigation
Do not set a log level of 3 or above in production.
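To check whether a given smb.conf meets the affected condition (a log level of 3 or above anywhere in the setting, including per-class overrides such as `log level = 1 auth:5`), here is an added example in Python; it is not part of this advisory or of Samba. It assumes the configuration text is supplied by the caller (for instance the output of `testparm -s`), that only the [global] section matters because log level is a global parameter, and that an optional `@path` per-class destination suffix can be ignored for this purpose.

```python
import re

# Samba accepts "log level = <global> [<class>:<level> ...]" (synonym: debuglevel);
# any component at 3 or higher enables the verbose output this advisory is about.
AFFECTED_THRESHOLD = 3
# Assumption: an optional "@path" per-class destination suffix can be ignored here.
_TOKEN = re.compile(r"^(?:(\w+):)?(\d+)(?:@\S+)?$")

def parse_log_level(value):
    """Return (global_level, {debug_class: level}) for one 'log level' value."""
    global_level, per_class = 0, {}
    for pos, token in enumerate(value.split()):
        m = _TOKEN.match(token)
        if not m:
            raise ValueError(f"unrecognised log level token: {token!r}")
        cls, level = m.group(1), int(m.group(2))
        if cls is None:
            if pos != 0:
                raise ValueError("bare level must be the first token")
            global_level = level
        else:
            per_class[cls] = level
    return global_level, per_class

def max_log_level(conf_text):
    """Highest level configured in [global]; 0 (Samba's default) if none is set."""
    section, highest = None, 0
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank lines and whole-line comments
            continue
        if line[0] == "[" and line[-1] == "]":
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        # parameter names match ignoring case and whitespace, as Samba does
        key = "".join(key.lower().split())
        if sep and section == "global" and key in ("loglevel", "debuglevel"):
            glob, per = parse_log_level(value.strip())
            highest = max(highest, glob, *per.values())
    return highest

def is_exposed(conf_text):
    return max_log_level(conf_text) >= AFFECTED_THRESHOLD

# Constructed sample: the global level is low, but a per-class override pushes auth to 5.
SAMPLE_CONF = """\
[global]
   log level = 1 auth:5
"""
```

`include =` directives are not followed, so run it over `testparm -s` output rather than a raw file when the configuration is split across several files.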
Affected packages
| Platform | Package | Status | Advisory | Released |
|---|---|---|---|---|
| Red Hat Enterprise Linux 5 | samba | Not affected | | |
| Red Hat Enterprise Linux 6 | samba | Not affected | | |
| Red Hat Enterprise Linux 6 | samba4 | Not affected | | |
| Red Hat Enterprise Linux 7 | samba | Fixed | RHSA-2020:3981 | 29.09.2020 |
| Red Hat Enterprise Linux 8 | openchange | Fixed | RHSA-2020:1878 | 28.04.2020 |
| Red Hat Enterprise Linux 8 | samba | Fixed | RHSA-2020:1878 | 28.04.2020 |
| Red Hat Gluster Storage 3.5 for RHEL 7 | libtalloc | Fixed | RHSA-2020:0943 | 23.03.2020 |
| Red Hat Gluster Storage 3.5 for RHEL 7 | libtdb | Fixed | RHSA-2020:0943 | 23.03.2020 |
Additional information
Status:
CVSS3: 6.5 Medium