PT-2015-3395 · Samba Team+6 · Ldb+6

Douglas Bagnall

·

Published

2015-12-16

·

Updated

2024-06-15

·

CVE-2015-5330

CVSS v3.1

7.5

High

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions Samba versions 4.1.x through 4.1.21 Samba versions 4.2.x through 4.2.6 Samba versions 4.3.x through 4.3.2 ldb versions prior to 1.1.24
Description The issue is related to the mishandling of string lengths in the ldb library, used in the AD LDAP server in Samba. This allows remote attackers to obtain sensitive information from daemon heap memory by sending crafted packets and then reading an error message or a database value. The vulnerability is associated with information disclosure.
Recommendations For Samba versions 4.1.x through 4.1.21, update to version 4.1.22 or later. For Samba versions 4.2.x through 4.2.6, update to version 4.2.7 or later. For Samba versions 4.3.x through 4.3.2, update to version 4.3.3 or later. For ldb versions prior to 1.1.24, update to version 1.1.24 or later.

Fix

Information Disclosure

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-200

Related Identifiers

ALT-PU-2015-2137
ALT-PU-2015-2138
ALT-PU-2015-2139
BDU:2021-01296
CESA-2016_0006
CESA-2016_0009
CESA-2016_0010
CVE-2015-5330
DSA-3433-1
ECHO-E1C3-C270-8490
MGASA-2016-0094
OPENSUSE-SU-2015_2354-1
OPENSUSE-SU-2015_2356-1
OPENSUSE-SU-2016_1064-1
OPENSUSE-SU-2016_1106-1
OPENSUSE-SU-2024:10069-1
OPENSUSE-SU-2024:10074-1
RHSA-2016:0006
RHSA-2016:0009
RHSA-2016:0010
RHSA-2016:0014
RHSA-2016:0015
RHSA-2016:0016
RHSA-2016_0006
RHSA-2016_0009
RHSA-2016_0010
SUSE-SU-2015:2304-1
SUSE-SU-2015:2305-1
SUSE-SU-2016:0032-1
SUSE-SU-2016:0164-1
USN-2855-1
USN-2855-2
USN-2856-1

Affected Products

Alt Linux
Centos
Red Hat
Samba
Suse
Ubuntu
Ldb