PT-2016-3329 · Samba Team+4 · Samba+3

Huzaifa S. Sidhpurwala · Published 2016-12-19 · Updated 2024-06-15 · CVE-2016-2123

CVSS v3.1: 8.1 High

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Samba versions 4.0.0 through 4.5.2

Description

A flaw in the Samba routine ndr_pull_dnsp_name contains an integer wrap problem, leading to an attacker-controlled memory overwrite. This routine parses data from the Samba Active Directory ldb database. Any user who can write to the dnsRecord attribute over LDAP can trigger this memory corruption. By default, all authenticated LDAP users can write to the dnsRecord attribute on new DNS objects, making this a remote privilege escalation issue.

Recommendations

For Samba versions 4.0.0 through 4.5.2, consider restricting access to the dnsRecord attribute over LDAP to prevent exploitation until a patch is available. As a temporary workaround, limit the privileges of authenticated LDAP users to minimize the risk of remote privilege escalation.

Exploit

Fix

Heap Based Buffer Overflow

Buffer Overflow

Weakness Enumeration

Related Identifiers

ALT-PU-2016-2465
ALT-PU-2016-2466
ALT-PU-2018-2488
ALT-PU-2018-2489
BDU:2021-01289
CVE-2016-2123
DSA-3740-1
ECHO-66D0-8AED-029E
OPENSUSE-SU-2024:11365-1
SUSE-SU-2016:3271-1
SUSE-SU-2016:3272-1
SUSE-SU-2016:3299-1
SUSE-SU-2016_3271-1
SUSE-SU-2016_3272-1
SUSE-SU-2016_3299-1
USN-3158-1
ZDI-17-053

Affected Products

Alt Linux
Samba
Suse
Ubuntu