{"containers": {"cna": {"affected": [{"product": "samba", "vendor": "[UNKNOWN]", "versions": [{"status": "affected", "version": "4.5.3"}, {"status": "affected", "version": "4.4.8"}, {"status": "affected", "version": "4.3.13"}]}], "datePublic": "2016-12-19T00:00:00", "descriptions": [{"lang": "en", "value": "It was found that Samba before versions 4.5.3, 4.4.8, 4.3.13 always requested forwardable tickets when using Kerberos authentication. A service to which Samba authenticated using Kerberos could subsequently use the ticket to impersonate Samba to other services or domain users."}], "metrics": [{"cvssV3_0": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-287", "description": "CWE-287", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2018-11-01T09:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"name": "RHSA-2017:0495", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2017-0495.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-2125"}, {"name": "RHSA-2017:0494", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2017-0494.html"}, {"name": "1037494", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1037494"}, {"name": "RHSA-2017:1265", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2017:1265"}, {"name": "94988", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/94988"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.samba.org/samba/security/CVE-2016-2125.html"}, {"name": "RHSA-2017:0744", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2017-0744.html"}, {"name": "RHSA-2017:0662", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2017-0662.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2016-2125", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "samba", "version": {"version_data": [{"version_value": "4.5.3"}, {"version_value": "4.4.8"}, {"version_value": "4.3.13"}]}}]}, "vendor_name": "[UNKNOWN]"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "It was found that Samba before versions 4.5.3, 4.4.8, 4.3.13 always requested forwardable tickets when using Kerberos authentication. A service to which Samba authenticated using Kerberos could subsequently use the ticket to impersonate Samba to other services or domain users."}]}, "impact": {"cvss": [[{"vectorString": "6.4/CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.0"}], [{"vectorString": "4.3/AV:A/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0"}]]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-287"}]}]}, "references": {"reference_data": [{"name": "RHSA-2017:0495", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2017-0495.html"}, {"name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-2125", "refsource": "CONFIRM", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-2125"}, {"name": "RHSA-2017:0494", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2017-0494.html"}, {"name": "1037494", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1037494"}, {"name": "RHSA-2017:1265", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2017:1265"}, {"name": "94988", "refsource": "BID", "url": "http://www.securityfocus.com/bid/94988"}, {"name": "https://www.samba.org/samba/security/CVE-2016-2125.html", "refsource": "CONFIRM", "url": "https://www.samba.org/samba/security/CVE-2016-2125.html"}, {"name": "RHSA-2017:0744", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2017-0744.html"}, {"name": "RHSA-2017:0662", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2017-0662.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T23:17:50.585Z"}, "title": "CVE Program Container", "references": [{"name": "RHSA-2017:0495", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2017-0495.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-2125"}, {"name": "RHSA-2017:0494", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2017-0494.html"}, {"name": "1037494", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://www.securitytracker.com/id/1037494"}, {"name": "RHSA-2017:1265", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2017:1265"}, {"name": "94988", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/94988"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.samba.org/samba/security/CVE-2016-2125.html"}, {"name": "RHSA-2017:0744", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2017-0744.html"}, {"name": "RHSA-2017:0662", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2017-0662.html"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2016-2125", "datePublished": "2018-10-31T20:00:00", "dateReserved": "2016-01-29T00:00:00", "dateUpdated": "2024-08-05T23:17:50.585Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:samba:samba:*:*:*:*:*:*:*:*", "matchCriteriaId": "4A8F34E8-7040-4DB7-9979-DD2D20C8D03C", "versionEndExcluding": "4.3.13", "versionStartIncluding": "3.0.25", "vulnerable": true}, {"criteria": "cpe:2.3:a:samba:samba:*:*:*:*:*:*:*:*", "matchCriteriaId": "9A963A86-CAF4-4882-B9DC-E9C7CDA2764C", "versionEndExcluding": "4.4.8", "versionStartIncluding": "4.4.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:samba:samba:*:*:*:*:*:*:*:*", "matchCriteriaId": "6044E13A-532E-403E-AA23-4A77771D2094", "versionEndExcluding": "4.5.3", "versionStartIncluding": "4.5.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:gluster_storage:3.0:*:*:*:*:*:*:*", "matchCriteriaId": "F1986832-44C9-491E-A75D-AAD8FAE683E6", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*", "matchCriteriaId": "EE249E1B-A1FD-4E08-AA71-A0E1F10FFE97", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "33C068A4-3780-4EAB-A937-6082DF847564", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*", "matchCriteriaId": "9BBCD86A-E6C7-4444-9D74-F861084090F0", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "51EF4996-72F4-4FA4-814F-F5991E7A8318", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_aus:7.4:*:*:*:*:*:*:*", "matchCriteriaId": "D99A687E-EAE6-417E-A88E-D0082BC194CD", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:*:*:*:*:*:*:*", "matchCriteriaId": "B353CE99-D57C-465B-AAB0-73EF581127D1", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_eus:7.3:*:*:*:*:*:*:*", "matchCriteriaId": "A8442C20-41F9-47FD-9A12-E724D3A31FD7", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_eus:7.4:*:*:*:*:*:*:*", "matchCriteriaId": "9EC0D196-F7B8-4BDD-9050-779F7A7FBEE4", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_eus:7.5:*:*:*:*:*:*:*", "matchCriteriaId": "A4E9DD8A-A68B-4A69-8B01-BFF92A2020A8", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_eus:7.6:*:*:*:*:*:*:*", "matchCriteriaId": "BF77CDCF-B9C9-427D-B2BF-36650FB2148C", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_tus:7.3:*:*:*:*:*:*:*", "matchCriteriaId": "24C0F4E1-C52C-41E0-9F14-F83ADD5CC7ED", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6:*:*:*:*:*:*:*", "matchCriteriaId": "B76AA310-FEC7-497F-AF04-C3EC1E76C4CC", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*", "matchCriteriaId": "E5ED5807-55B7-47C5-97A6-03233F4FBC3A", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "825ECE2D-E232-46E0-A047-074B34DB1E97", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "It was found that Samba before versions 4.5.3, 4.4.8, 4.3.13 always requested forwardable tickets when using Kerberos authentication. A service to which Samba authenticated using Kerberos could subsequently use the ticket to impersonate Samba to other services or domain users."}, {"lang": "es", "value": "Se ha descubierto que Samba, en versiones anteriores a la 4.5.3, 4.4.8 y 4.3.13, siempre solicitaba tickets que pod\u00edan reenviarse al emplear la autenticaci\u00f3n de Kerberos. Un servicio al que Samba se ha autenticado con Kerberos podr\u00eda emplear el ticket para suplantar Samba con otros usuarios de servicios o dominios."}], "id": "CVE-2016-2125", "lastModified": "2023-11-07T02:30:56.917", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 3.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:A/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 6.5, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.0"}, "exploitabilityScore": 1.2, "impactScore": 5.2, "source": "secalert@redhat.com", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-10-31T20:29:00.247", "references": [{"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2017-0494.html"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2017-0495.html"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2017-0662.html"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2017-0744.html"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/94988"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securitytracker.com/id/1037494"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2017:1265"}, {"source": "secalert@redhat.com", "tags": ["Mitigation", "Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-2125"}, {"source": "secalert@redhat.com", "tags": ["Mitigation", "Patch", "Vendor Advisory"], "url": "https://www.samba.org/samba/security/CVE-2016-2125.html"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-287"}], "source": "secalert@redhat.com", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2017:0662", "cpe": "cpe:/o:redhat:enterprise_linux:6", "package": "samba-0:3.6.23-41.el6", "product_name": "Red Hat Enterprise Linux 6", "release_date": "2017-03-21T00:00:00Z"}, {"advisory": "RHSA-2017:0744", "cpe": "cpe:/o:redhat:enterprise_linux:6", "package": "samba4-0:4.2.10-9.el6", "product_name": "Red Hat Enterprise Linux 6", "release_date": "2017-03-21T00:00:00Z"}, {"advisory": "RHSA-2017:1265", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "samba-0:4.4.4-13.el7_3", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2017-05-22T00:00:00Z"}, {"advisory": "RHSA-2017:0494", "cpe": "cpe:/a:redhat:storage:3.2:samba:el6", "package": "samba-0:4.4.6-4.el6rhs", "product_name": "Red Hat Gluster Storage 3.2 for RHEL 6", "release_date": "2017-03-23T00:00:00Z"}, {"advisory": "RHSA-2017:0495", "cpe": "cpe:/a:redhat:storage:3.2:samba:el7", "package": "samba-0:4.4.6-4.el7rhgs", "product_name": "Red Hat Gluster Storage 3.2 for RHEL 7", "release_date": "2017-03-23T00:00:00Z"}], "bugzilla": {"description": "samba: Unconditional privilege delegation to Kerberos servers in trusted realms", "id": "1403114", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1403114"}, "csaw": false, "cvss": {"cvss_base_score": "4.3", "cvss_scoring_vector": "AV:A/AC:M/Au:N/C:P/I:P/A:N", "status": "verified"}, "cvss3": {"cvss3_base_score": "6.4", "cvss3_scoring_vector": "CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N", "status": "verified"}, "cwe": "CWE-287", "details": ["It was found that Samba before versions 4.5.3, 4.4.8, 4.3.13 always requested forwardable tickets when using Kerberos authentication. A service to which Samba authenticated using Kerberos could subsequently use the ticket to impersonate Samba to other services or domain users.", "It was found that Samba always requested forwardable tickets when using Kerberos authentication. A service to which Samba authenticated using Kerberos could subsequently use the ticket to impersonate Samba to other services or domain users."], "mitigation": {"lang": "en:us", "value": "The following mitigation is suggested by upstream.\nThe samba-tool command and the AD DC mode honours the undocumented \"gensec_gssapi:delegation=no\" option in the [global] section of the smb.conf file.\nControlling Kerberos forwarding\n===============================\nIn the Active Directory world it's possible for administrators to\nlimit the delegation. User and computer objects can both act as\nKerberos users and also as Kerberos services. Both types of objects have an\nattribute called 'userAccountControl' which is a bitmask that controls the\nbehavior of the account. The following three values have impact on possible\ndelegation:\n0x00100000: UF_NOT_DELEGATED:\nThe UF_NOT_DELEGATED can be used to disable the ability to get forwardable TGT\nfor the account. It means the KDC will respond with an error if the client asks\nfor the forwardable ticket. The client typically gives up and removes the\nGSS_C_DELEG_FLAG flag and continues without passing delegated credentials.\nAdministrators can use this to disable possible delegation for the most\nprivileged accounts (e.g. administrator accounts).\n0x00080000: UF_TRUSTED_FOR_DELEGATION\nIf the UF_TRUSTED_FOR_DELEGATION is set on an account a KDC will include the\nOK_AS_DELEGATE flag in a granted service ticket. If the client application\nuses just GSS_C_DELEG_POLICY_FLAG (instead of GSS_C_DELEG_FLAG) gssapi/Kerberos\nlibraries typically only include delegated credentials when the service ticket\nincludes the OK_AS_DELEGATE flag. Administrators can use this to control which\nservices will get delegated credentials, for example if the service runs in a\ntrusted environment and actually requires the presence of delegated\ncredentials.\n0x01000000: UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION\nThe UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION is not really relevant for this\nCVE and just listed here for completeness. This flag is relevant for the\nS4U2Proxy feature, where a service can ask the KDC for a proxied service\nticket which can impersonate users to other services."}, "name": "CVE-2016-2125", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Will not fix", "package_name": "samba", "product_name": "Red Hat Enterprise Linux 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Will not fix", "package_name": "samba3x", "product_name": "Red Hat Enterprise Linux 5"}, {"cpe": "cpe:/a:redhat:storage:3.1", "fix_state": "Affected", "package_name": "samba", "product_name": "Red Hat Gluster Storage 3.1"}], "public_date": "2016-12-19T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2016-2125\nhttps://nvd.nist.gov/vuln/detail/CVE-2016-2125\nhttps://www.samba.org/samba/security/CVE-2016-2125.html"], "threat_severity": "Moderate", "upstream_fix": "samba 4.5.3, samba 4.4.8, samba 4.3.13"}