Test ID: 1.3.6.1.4.1.25623.1.0.150741
Category: Denial of Service
Title: Samba 3.3.10, 3.4.3, 3.5.0 and later Improper Input Validation Vulnerability (CVE-2012-6150)
Summary: Login of authenticated users is not restricted by the pam_winbind require_membership_of parameter if it only specifies invalid group names.
Description:

Summary:
Login of authenticated users is not restricted by the pam_winbind
require_membership_of parameter if it only specifies invalid group names.

Vulnerability Insight:
Winbind allows for the further restriction of authenticated PAM logins using
the require_membership_of parameter. System administrators may specify a list
of SIDs or groups of which an authenticated user must be a member. If an
authenticated user does not belong to any of the entries, then login should
fail. Invalid group name entries are ignored.

Samba versions 3.3.10, 3.4.3, 3.5.0 and later incorrectly allow login from
authenticated users if the require_membership_of parameter specifies only
invalid group names.

This is a vulnerability with low impact. All require_membership_of group
names must be invalid for this bug to be encountered.

Affected Software/OS:
Samba versions 3.3.10, 3.4.3, 3.5.0 and later.

Solution:
Update to version 3.6.22, 4.0.13, and 4.1.3 or later.

CVSS Score:
3.6

CVSS Vector:
AV:N/AC:H/Au:S/C:P/I:P/A:N

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2012-6150
FEDORA-2014-7672
http://lists.fedoraproject.org/pipermail/package-announce/2014-June/134717.html
FEDORA-2014-9132
http://lists.fedoraproject.org/pipermail/package-announce/2014-August/136864.html
GLSA-201502-15
http://security.gentoo.org/glsa/glsa-201502-15.xml
HPSBUX03087
http://marc.info/?l=bugtraq&m=141660010015249&w=2
MDVSA-2013:299
http://www.mandriva.com/security/advisories?name=MDVSA-2013:299
RHSA-2014:0330
http://rhn.redhat.com/errata/RHSA-2014-0330.html
SSRT101413
SUSE-SU-2014:0024
http://lists.opensuse.org/opensuse-security-announce/2014-01/msg00002.html
USN-2054-1
http://www.ubuntu.com/usn/USN-2054-1
[oss-security] 20131202 Re: CVE request: samba pam_winbind authentication fails open
http://openwall.com/lists/oss-security/2013/12/03/5
[samba-technical] 20120612 winbind pam security problem
https://lists.samba.org/archive/samba-technical/2012-June/084593.html
[samba-technical] 20131128 fail authentication if user isn't member of *any* require_membership_of specified groups
https://lists.samba.org/archive/samba-technical/2013-November/096411.html
https://bugzilla.redhat.com/show_bug.cgi?id=1036897
https://bugzilla.samba.org/show_bug.cgi?id=10300
openSUSE-SU-2013:1921
http://lists.opensuse.org/opensuse-updates/2013-12/msg00088.html
openSUSE-SU-2014:0405
http://lists.opensuse.org/opensuse-updates/2014-03/msg00063.html
openSUSE-SU-2016:1106
http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00047.html
openSUSE-SU-2016:1107
http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00048.html
Copyright: Copyright (C) 2021 Greenbone Networks GmbH

© 1998-2025 E-Soft Inc. All rights reserved.