CVE-2017-14746
published 2017-11-27

CVE-2017-14746: Use-after-free vulnerability in Samba 4.x before 4.7.3 allows remote attackers to execute arbitrary code via a crafted SMB1 request.

Priority: P2 (62)
Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 9.88% (95.0th percentile)

Affected

23 ranges

Vendor     | Product                       | Version range                             | Fixed in
canonical  | ubuntu_linux                  |                                           |
canonical  | ubuntu_linux                  |                                           |
canonical  | ubuntu_linux                  |                                           |
canonical  | ubuntu_linux                  |                                           |
debian     | debian_linux                  |                                           |
debian     | debian_linux                  |                                           |
debian     | samba                         | < samba 2:4.7.1+dfsg-2 (bookworm)         | samba 2:4.7.1+dfsg-2 (bookworm)
redhat     | enterprise_linux_desktop      |                                           |
redhat     | enterprise_linux_desktop      |                                           |
redhat     | enterprise_linux_server       |                                           |
redhat     | enterprise_linux_server       |                                           |
redhat     | enterprise_linux_workstation  |                                           |
redhat     | enterprise_linux_workstation  |                                           |
samba      | samba                         | >= 0 < 2:4.7.1+dfsg-2                     | 2:4.7.1+dfsg-2
samba      | samba                         | >= 0 < 2:4.7.1+dfsg-2                     | 2:4.7.1+dfsg-2
samba      | samba                         | >= 0 < 2:4.7.1+dfsg-2                     | 2:4.7.1+dfsg-2
samba      | samba                         | >= 0 < 2:4.7.1+dfsg-2                     | 2:4.7.1+dfsg-2
samba      | samba                         | >= 0 < 2:4.3.11+dfsg-0ubuntu0.14.04.13    | 2:4.3.11+dfsg-0ubuntu0.14.04.13
samba      | samba                         | >= 0 < 2:4.3.11+dfsg-0ubuntu0.16.04.12    | 2:4.3.11+dfsg-0ubuntu0.16.04.12
samba      | samba                         | >= 4.0.0 < 4.5.0                          | 4.5.0
samba      | samba                         | >= 4.5.0 < 4.5.15                         | 4.5.15
samba      | samba                         | >= 4.6.0 < 4.6.11                         | 4.6.11
samba      | samba                         | >= 4.7.0 < 4.7.3                          | 4.7.3

Detection & IOCs (extracted from sources)

  • Detect crafted SMB1 requests targeting the use-after-free vulnerability; blocking or alerting on SMB1 protocol usage is the primary detection/mitigation vector
  • Monitor for SMB1 (SMB_COM_WRITE and related commands) traffic to Samba servers; the attack vector is an unauthenticated malicious SMB1 request used to control heap memory via a deallocated heap pointer
  • The exploit chain combines CVE-2017-14746 (use-after-free via SMB1) with CVE-2017-12163 (heap memory leak via SMB_COM_WRITE with oversized numtowrite field); detect SMB_COM_WRITE requests where the declared write length exceeds the actual data carried in the request
  • Mitigation: disable SMB1 by setting 'server min protocol = SMB2' in the [global] section of smb.conf and restarting smbd; note this may break older clients
  • Affected versions: Samba 4.x before 4.7.3; Red Hat Enterprise Linux 5 and 6 packages listed as Not Affected
  • Exploitation research targeted samba_4.6.7+dfsg-1ubuntu2_amd64 on Ubuntu 17.10; Ubuntu compile-time hardening flags (-DFORTIFY_SOURCE=2, -z norelro, -PIE) were noted as obstacles to reliable exploitation
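The SMB_COM_WRITE length check from the detection notes above, written out as an added example (not code from the page's sources or from Samba): it parses one SMB1 PDU, and for SMB_COM_WRITE compares the declared CountOfBytesToWrite and DataLength against the bytes the request actually carries. The field layout follows the SMB1 SMB_COM_WRITE request format; the sample requests are constructed inline, not captured traffic.

```python
import struct

SMB1_MAGIC = b"\xffSMB"
SMB_COM_WRITE = 0x0B     # SMB1 command byte for SMB_COM_WRITE
SMB1_HEADER_LEN = 32     # fixed SMB1 header; WordCount follows at offset 32


def build_write_request(count_to_write: int, data: bytes) -> bytes:
    """Construct a minimal SMB1 SMB_COM_WRITE request (sample input only)."""
    header = SMB1_MAGIC + bytes([SMB_COM_WRITE]) + b"\x00" * 27  # status..MID zeroed
    # WordCount=5: FID, CountOfBytesToWrite, WriteOffsetInBytes, EstimateOfRemaining
    params = struct.pack("<HHIH", 0x1234, count_to_write, 0, 0)
    data_block = b"\x01" + struct.pack("<H", len(data)) + data  # BufferFormat, DataLength, Data
    return header + bytes([5]) + params + struct.pack("<H", len(data_block)) + data_block


def check_smb1_write(pdu: bytes) -> dict:
    """Inspect one SMB1 PDU (NetBIOS session header already stripped).

    For SMB_COM_WRITE, flag requests whose declared write length or DataLength
    exceeds the data actually carried: the oversized-numtowrite pattern noted above."""
    if len(pdu) <= SMB1_HEADER_LEN or pdu[:4] != SMB1_MAGIC:
        return {"suspicious": False, "reason": "not an SMB1 PDU"}
    if pdu[4] != SMB_COM_WRITE:
        return {"suspicious": False, "reason": "not SMB_COM_WRITE"}
    word_count = pdu[SMB1_HEADER_LEN]
    params = pdu[SMB1_HEADER_LEN + 1:SMB1_HEADER_LEN + 1 + 2 * word_count]
    if word_count != 5 or len(params) != 10:
        return {"suspicious": True, "reason": "malformed parameter block"}
    _fid, count_to_write, _offset, _remaining = struct.unpack("<HHIH", params)
    bc_off = SMB1_HEADER_LEN + 1 + 2 * word_count
    if len(pdu) < bc_off + 2:
        return {"suspicious": True, "reason": "truncated ByteCount"}
    byte_count = struct.unpack_from("<H", pdu, bc_off)[0]
    data_block = pdu[bc_off + 2:]
    if byte_count != len(data_block) or len(data_block) < 3 or data_block[0] != 0x01:
        return {"suspicious": True, "reason": "ByteCount/data block inconsistent"}
    data_length = struct.unpack_from("<H", data_block, 1)[0]
    carried = len(data_block) - 3  # bytes after BufferFormat + DataLength
    if count_to_write > carried or data_length > carried:
        return {"suspicious": True,
                "reason": f"declared {count_to_write}/{data_length} bytes, carried {carried}"}
    return {"suspicious": False, "reason": "lengths consistent"}


if __name__ == "__main__":
    for label, count in (("benign", 4), ("oversized", 0xFFFF)):
        print(label, check_smb1_write(build_write_request(count, b"ABCD")))
```

In a real deployment the same check would run over PDUs reassembled from TCP port 445/139 streams, after stripping the 4-byte NetBIOS session header.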

CVSS provenance

Source         | Version | Score | Severity | Vector
nvd            | v3.1    | 9.8   | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd            | v2.0    | 7.5   | HIGH     | AV:N/AC:L/Au:N/C:P/I:P/A:P
osv            |         | 9.8   | CRITICAL |
vendor_debian  |         | 9.8   | CRITICAL |
vendor_redhat  |         | 9.8   | CRITICAL |
vendor_ubuntu  |         | 9.8   | CRITICAL |