CVE-2016-2115 — Channel Accessible by Non-Endpoint in Samba

CWE-254 CWE-300 — Channel Accessible by Non-Endpoint18 documents7 sources

Severity

5.9MEDIUMNVD

EPSS

25.2%

top 3.80%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Samba Debian Samba Canonical Ubuntu Linux +2 more

Timeline

PublishedApr 25

Latest updateMay 17

Description

Samba 3.x and 4.x before 4.2.11, 4.3.x before 4.3.8, and 4.4.x before 4.4.2 does not require SMB signing within a DCERPC session over ncacn_np, which allows man-in-the-middle attackers to spoof SMB clients by modifying the client-server data stream.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 2.2 | Impact: 3.6

Affected Packages6 packages

▶debiandebian/samba< samba 2:4.3.7+dfsg-1 (bookworm)

▶Debiansamba/samba< 2:4.3.7+dfsg-1+3

▶Ubuntusamba/samba< 2:4.3.9+dfsg-0ubuntu0.14.04.1+4

▶NVDsamba/samba222 versions+221

▶NVDemc/isilon_onefs22 versions+21

Also affects: Ubuntu Linux 14.04, 15.10, 16.04

Patches

Patch: www.samba.org ↗Patch: www.samba.org ↗

🔴Vulnerability Details

GHSA

GHSA-5vv3-jf75-3fr5: Samba 3↗2022-05-17

▶

GHSA

GHSA-vw4c-6hqg-68fm: EMC Isilon OneFS 7↗2022-05-17

▶

OSV

samba regression↗2016-05-25

▶

OSV

samba regressions↗2016-05-04

▶

OSV

libsoup2.4 update↗2016-05-04

▶

📋Vendor Advisories

Ubuntu

Samba regression↗2016-05-25

▶

Ubuntu

Samba regressions↗2016-05-18

▶

Ubuntu

libsoup update↗2016-05-04

▶

Ubuntu

Samba regressions↗2016-05-04

▶

Ubuntu

Samba vulnerabilities↗2016-04-18

▶

💬Community

Bugzilla

CVE-2015-5370 CVE-2016-2110 CVE-2016-2111 CVE-2016-2112 CVE-2016-2113 CVE-2016-2114 CVE-2016-2115 CVE-2016-2118 samba: various flaws [fedora-all]↗2016-04-12

▶

Bugzilla

CVE-2016-2115 samba: Smb signing not required by default when smb client connection is used for ipc usage↗2016-02-25

▶