CVE-2015-5296

Name of the Vulnerable Software and Affected Versions Samba versions 3.x and 4.x before 4.1.22 Samba versions 4.2.x before 4.2.7 Samba versions 4.3.x before 4.3.3

Description The issue is related to a lack of input validation in the Samba package, specifically in components clidfs.c, libsmb server.c, and smbXcli base.c. This allows a remote attacker to impact data integrity. The vulnerability is also related to Samba supporting connections that are encrypted but unsigned, which enables man-in-the-middle attackers to conduct encrypted-to-unencrypted downgrade attacks by modifying the client-server data stream.

Recommendations For Samba versions 3.x and 4.x before 4.1.22, update to version 4.1.22 or later to resolve the issue. For Samba versions 4.2.x before 4.2.7, update to version 4.2.7 or later to resolve the issue. For Samba versions 4.3.x before 4.3.3, update to version 4.3.3 or later to resolve the issue. As a temporary workaround, consider disabling the use of encrypted but unsigned connections to minimize the risk of exploitation.