CVSS2: 3.5 Low
Vector: AV:N/AC:M/Au:S/C:P/I:N/A:N
  Attack Vector: NETWORK
  Attack Complexity: MEDIUM
  Authentication: SINGLE
  Confidentiality Impact: PARTIAL
  Integrity Impact: NONE
  Availability Impact: NONE
EPSS: 0.006 Low (Percentile: 78.2%)

In preparing a response to an authenticated FSCTL_GET_SHADOW_COPY_DATA
or FSCTL_SRV_ENUMERATE_SNAPSHOTS client request, affected versions of
Samba do not initialize 8 bytes of the 16-byte SRV_SNAPSHOT_ARRAY
response field. The uninitialized buffer is sent back to the client.

A non-default VFS module providing the get_shadow_copy_data_fn() hook
must be explicitly enabled for Samba to process the aforementioned
client requests. Therefore, only configurations with “shadow_copy” or
“shadow_copy2” specified for the “vfs objects” parameter are vulnerable.

Patches addressing this issue have been posted to:
http://www.samba.org/samba/security/

Samba versions 4.0.18 and 4.1.8 will be released with fixes for
this issue. Immediate security releases will not be issued, due to the
low severity of the vulnerability.

To avoid the vulnerability, affected versions can be configured without
“shadow_copy” or “shadow_copy2” specified for the “vfs objects”
parameter. This is the default configuration.

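To check whether a host meets the vulnerable-configuration condition above, the following added example (not part of the Samba advisory or the Samba code base) scans smb.conf text for sections that load either module. The function name and the sample configuration are constructed for illustration; "include" directives are not followed.

```python
import re

AFFECTED_MODULES = {"shadow_copy", "shadow_copy2"}  # modules named in the advisory

# Constructed sample smb.conf, not taken from a real system.
SAMPLE_CONF = """\
[global]
    workgroup = EXAMPLE
    ; vfs objects = shadow_copy2   (commented out, must be ignored)

[projects]
    path = /srv/projects
    VFS Objects = acl_xattr \\
        shadow_copy2

[scratch]
    path = /srv/scratch
    vfs objects = recycle
"""

def _norm(name):
    # smb.conf parameter names ignore case and embedded whitespace.
    return re.sub(r"\s+", "", name).lower()

def find_exposed_sections(conf_text):
    """Return {section: [affected modules]} for sections loading an affected module.

    A hit in [global] applies to every share that does not set its own value.
    """
    # Join lines ending in a backslash (smb.conf line continuation).
    text = re.sub(r"\\\r?\n", " ", conf_text)
    section, exposed = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        key, sep, value = line.partition("=")
        # "vfs object" is a documented synonym of "vfs objects".
        if sep and section and _norm(key) in ("vfsobjects", "vfsobject"):
            mods = {mod.lower() for mod in re.split(r"[\s,]+", value.strip())}
            hits = sorted(AFFECTED_MODULES & mods)
            exposed.pop(section, None)  # a later setting overrides an earlier one
            if hits:
                exposed[section] = hits
    return exposed
```

An empty result means no section in the scanned text enables "shadow_copy" or "shadow_copy2", which matches the default configuration the advisory describes.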
This vulnerability was found and fixed by Christof Schmitt of the Samba
team.