Samba up to 3.6.23/4.0.17/4.1.7 vfs Shadow Copy SRV_SNAPSHOT_ARRAY initialization
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 5.1 | $0-$5k | 0.00 |
A vulnerability was found in Samba up to 3.6.23/4.0.17/4.1.7 (File Transfer Software) and classified as problematic. Affected by this issue is an unknown code of the component vfs Shadow Copy Handler. The manipulation of the argument SRV_SNAPSHOT_ARRAY with an unknown input leads to a initialization vulnerability. Using CWE to declare the problem leads to CWE-665. The product does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used. Impacted is confidentiality. CVE summarizes:
Samba 3.6.6 through 3.6.23, 4.0.x before 4.0.18, and 4.1.x before 4.1.8, when a certain vfs shadow copy configuration is enabled, does not properly initialize the SRV_SNAPSHOT_ARRAY response field, which allows remote authenticated users to obtain potentially sensitive information from process memory via a (1) FSCTL_GET_SHADOW_COPY_DATA or (2) FSCTL_SRV_ENUMERATE_SNAPSHOTS request.
The weakness was presented 05/27/2014 by Christof Schmitt with Samba as CVE-2014-0178.html as confirmed advisory (Website). The advisory is shared for download at samba.org. The public release was coordinated in cooperation with the vendor. This vulnerability is handled as CVE-2014-0178 since 12/03/2013. The attack may be launched remotely. No form of authentication is required for exploitation. There are known technical details, but no exploit is available. The advisory points out:
In preparing a response to an authenticated FSCTL_GET_SHADOW_COPY_DATA or FSCTL_SRV_ENUMERATE_SNAPSHOTS client request, affected versions of Samba do not initialize 8 bytes of the 16 byte SRV_SNAPSHOT_ARRAY response field. The uninitialized buffer is sent back to the client. A non-default VFS module providing the get_shadow_copy_data_fn() hook must be explicitly enabled for Samba to process the aforementioned client requests. Therefore, only configurations with "shadow_copy" or "shadow_copy2" specified for the "vfs objects" parameter are vulnerable.
The vulnerability scanner Nessus provides a plugin with the ID 74290 (Samba 3.5.x / 3.6.x < 3.6.25 / 4.1.x < 4.1.8 Multiple Vulnerabilities), which helps to determine the existence of the flaw in a target environment. It is assigned to the family Misc.. The commercial vulnerability scanner Qualys is able to test this issue with plugin 185124 (HPE HP-UX CIFS-Server Multiple Vulnerabilities (HPSBUX03574)).
Upgrading to version 4.0.18 or 4.1.8 eliminates this vulnerability. The upgrade is hosted for download at samba.org. A possible mitigation has been published immediately after the disclosure of the vulnerability.
The vulnerability is also documented in the databases at X-Force (93455) and Tenable (74290). See 7563, 11176, 12681 and 43529 for similar entries.
Product
Type
Name
Version
- 3.6.0
- 3.6.1
- 3.6.2
- 3.6.3
- 3.6.4
- 3.6.5
- 3.6.6
- 3.6.7
- 3.6.8
- 3.6.9
- 3.6.10
- 3.6.11
- 3.6.12
- 3.6.13
- 3.6.14
- 3.6.15
- 3.6.16
- 3.6.17
- 3.6.18
- 3.6.19
- 3.6.20
- 3.6.21
- 3.6.22
- 3.6.23
- 4.0.0
- 4.0.1
- 4.0.2
- 4.0.3
- 4.0.4
- 4.0.5
- 4.0.6
- 4.0.7
- 4.0.8
- 4.0.9
- 4.0.10
- 4.0.11
- 4.0.12
- 4.0.13
- 4.0.14
- 4.0.15
- 4.0.16
- 4.0.17
- 4.1.0
- 4.1.1
- 4.1.2
- 4.1.3
- 4.1.4
- 4.1.5
- 4.1.6
- 4.1.7
License
CPE 2.3
CPE 2.2
CVSSv4
VulDB CVSS-B Score: 🔍VulDB CVSS-BT Score: 🔍
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 5.3VulDB Meta Temp Score: 5.1
VulDB Base Score: 5.3
VulDB Temp Score: 5.1
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| unlock | unlock | unlock | unlock | unlock | unlock |
| unlock | unlock | unlock | unlock | unlock | unlock |
| unlock | unlock | unlock | unlock | unlock | unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Class: InitializationCWE: CWE-665
CAPEC: 🔍
ATT&CK: 🔍
Local: No
Remote: Yes
Availability: 🔍
Status: Not defined
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | unlock | unlock | unlock | unlock |
|---|---|---|---|---|
| Today | unlock | unlock | unlock | unlock |
Nessus ID: 74290
Nessus Name: Samba 3.5.x / 3.6.x < 3.6.25 / 4.1.x < 4.1.8 Multiple Vulnerabilities
Nessus File: 🔍
Nessus Risk: 🔍
Nessus Family: 🔍
OpenVAS ID: 702966
OpenVAS Name: Debian Security Advisory DSA 2966-1 (samba - security update)
OpenVAS File: 🔍
OpenVAS Family: 🔍
Qualys ID: 🔍
Qualys Name: 🔍
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
Reaction Time: 🔍
0-Day Time: 🔍
Exposure Time: 🔍
Upgrade: Samba 4.0.18/4.1.8
Timeline
12/03/2013 🔍05/27/2014 🔍
05/27/2014 🔍
05/28/2014 🔍
05/28/2014 🔍
05/28/2014 🔍
05/28/2014 🔍
05/29/2014 🔍
06/03/2014 🔍
06/16/2014 🔍
07/02/2014 🔍
06/20/2021 🔍
Sources
Product: samba.orgAdvisory: CVE-2014-0178.html
Researcher: Christof Schmitt
Organization: Samba
Status: Confirmed
Confirmation: 🔍
Coordinated: 🔍
CVE: CVE-2014-0178 (🔍)
OVAL: 🔍
IAVM: 🔍
X-Force: 93455 - Samba shadow copy information disclosure, Medium Risk
SecurityTracker: 1030308 - Samba Discloses Portions of System Memory to Remote Authenticated Users
Vulnerability Center: 45008 - Samba 3.6.6 through 3.6.23, 4.0.x before 4.0.18, and 4.1.x before 4.1.8 Remote Information Disclosure, Low
SecurityFocus: 67686 - Samba Uninitialized Memory Information Disclosure Vulnerability
Secunia: 59378 - SUSE update for samba, Less Critical
See also: 🔍
Entry
Created: 05/28/2014 14:28Updated: 06/20/2021 12:57
Changes: 05/28/2014 14:28 (82), 05/31/2017 08:46 (16), 06/20/2021 12:57 (3)
Complete: 🔍
No comments yet. Languages: en.
Please log in to comment.