CVE-2016-2113 — Improper Certificate Validation in Samba

CWE-310 CWE-295 — Improper Certificate Validation17 documents7 sources

Severity

7.4HIGHNVD

OSV5.9

EPSS

6.3%

top 9.03%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Samba Debian Samba Canonical Ubuntu Linux

Timeline

PublishedApr 25

Latest updateMay 17

Description

Samba 4.x before 4.2.11, 4.3.x before 4.3.8, and 4.4.x before 4.4.2 does not verify X.509 certificates from TLS servers, which allows man-in-the-middle attackers to spoof LDAPS and HTTPS servers and obtain sensitive information via a crafted certificate.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:NExploitability: 2.2 | Impact: 5.2

Affected Packages4 packages

▶debiandebian/samba< samba 2:4.3.7+dfsg-1 (bookworm)

▶Debiansamba/samba< 2:4.3.7+dfsg-1+3

▶Ubuntusamba/samba< 2:4.3.9+dfsg-0ubuntu0.14.04.1+4

▶NVDsamba/samba69 versions+68

Also affects: Ubuntu Linux 14.04, 15.10, 16.04

Patches

Patch: www.samba.org ↗Patch: www.samba.org ↗

🔴Vulnerability Details

GHSA

GHSA-j9wg-qqgj-ph9r: Samba 4↗2022-05-17

▶

OSV

samba regression↗2016-05-25

▶

OSV

samba regressions↗2016-05-04

▶

OSV

libsoup2.4 update↗2016-05-04

▶

OSV

CVE-2016-2113: Samba 4↗2016-04-25

▶

📋Vendor Advisories

Ubuntu

Samba regression↗2016-05-25

▶

Ubuntu

Samba regressions↗2016-05-18

▶

Ubuntu

libsoup update↗2016-05-04

▶

Ubuntu

Samba regressions↗2016-05-04

▶

Ubuntu

Samba vulnerabilities↗2016-04-18

▶

💬Community

Bugzilla

CVE-2015-5370 CVE-2016-2110 CVE-2016-2111 CVE-2016-2112 CVE-2016-2113 CVE-2016-2114 CVE-2016-2115 CVE-2016-2118 samba: various flaws [fedora-all]↗2016-04-12

▶

Bugzilla

CVE-2016-2113 samba: Server certificates not validated at client side↗2016-02-25

▶

Bugzilla

CVE-2016-2110 samba: Man-in-the-middle attacks possible with NTLMSSP authentication↗2016-02-25

▶