Executive Summary

Information

Name: CVE-2013-4496
Vendor: Cve
First vendor Publication: 2014-03-14
Last vendor Modification: 2017-01-06

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Cvss Base Score: 5
Cvss Impact Score: 2.9
Cvss Exploit Score: 10
Attack Range: Network
Attack Complexity: Low
Authentication: None Required

Detail

Samba 3.x before 3.6.23, 4.0.x before 4.0.16, and 4.1.x before 4.1.6 does not enforce the password-guessing protection mechanism for all interfaces, which makes it easier for remote attackers to obtain access via brute-force ChangePasswordUser2 (1) SAMR or (2) RAP attempts.

Original Source

Url : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4496

CWE : Common Weakness Enumeration

%     Id       Name
100 % CWE-255  Credentials Management

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:24260
 
Oval ID: oval:org.mitre.oval:def:24260
Title: RHSA-2014:0330: samba and samba3x security update (Moderate)
Description: Samba 3.x before 3.6.23, 4.0.x before 4.0.16, and 4.1.x before 4.1.6 does not enforce the password-guessing protection mechanism for all interfaces, which makes it easier for remote attackers to obtain access via brute-force ChangePasswordUser2 (1) SAMR or (2) RAP attempts.
Family: unix Class: patch
Reference(s): RHSA-2014:0330-01
CESA-2014:0330
CVE-2012-6150
CVE-2013-4496
Version: 7
Platform(s): Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 6
CentOS Linux 5
CentOS Linux 6
Product(s): samba3x
samba
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:24242
 
Oval ID: oval:org.mitre.oval:def:24242
Title: USN-2156-1 -- samba vulnerability
Description: Samba did not properly enforce the password guessing protection mechanism.
Family: unix Class: patch
Reference(s): USN-2156-1
CVE-2013-4496
Version: 5
Platform(s): Ubuntu 13.10
Ubuntu 12.10
Ubuntu 12.04
Ubuntu 10.04
Product(s): samba
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:24559
 
Oval ID: oval:org.mitre.oval:def:24559
Title: ELSA-2014:0330: samba and samba3x security update (Moderate)
Description: Samba is an open-source implementation of the Server Message Block (SMB) or Common Internet File System (CIFS) protocol, which allows PC-compatible machines to share files, printers, and other information. It was found that certain Samba configurations did not enforce the password lockout mechanism. A remote attacker could use this flaw to perform password guessing attacks on Samba user accounts. Note: this flaw only affected Samba when deployed as a Primary Domain Controller. (CVE-2013-4496) A flaw was found in the way the pam_winbind module handled configurations that specified a non-existent group as required. An authenticated user could possibly use this flaw to gain access to a service using pam_winbind in its PAM configuration when group restriction was intended for access to the service. (CVE-2012-6150) Red Hat would like to thank the Samba project for reporting CVE-2013-4496 and Sam Richardson for reporting CVE-2012-6150. Upstream acknowledges Andrew Bartlett as the original reporter of CVE-2013-4496. All users of Samba are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, the smb service will be restarted automatically.
Family: unix Class: patch
Reference(s): ELSA-2014:0330-01
CVE-2012-6150
CVE-2013-4496
Version: 6
Platform(s): Oracle Linux 5
Oracle Linux 6
Product(s): samba3x
samba
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:24494
 
Oval ID: oval:org.mitre.oval:def:24494
Title: DEPRECATED: ELSA-2014:0330: samba and samba3x security update (Moderate)
Description: Samba is an open-source implementation of the Server Message Block (SMB) or Common Internet File System (CIFS) protocol, which allows PC-compatible machines to share files, printers, and other information. It was found that certain Samba configurations did not enforce the password lockout mechanism. A remote attacker could use this flaw to perform password guessing attacks on Samba user accounts. Note: this flaw only affected Samba when deployed as a Primary Domain Controller. (CVE-2013-4496) A flaw was found in the way the pam_winbind module handled configurations that specified a non-existent group as required. An authenticated user could possibly use this flaw to gain access to a service using pam_winbind in its PAM configuration when group restriction was intended for access to the service. (CVE-2012-6150) Red Hat would like to thank the Samba project for reporting CVE-2013-4496 and Sam Richardson for reporting CVE-2012-6150. Upstream acknowledges Andrew Bartlett as the original reporter of CVE-2013-4496. All users of Samba are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, the smb service will be restarted automatically.
Family: unix Class: patch
Reference(s): ELSA-2014:0330-01
CVE-2012-6150
CVE-2013-4496
Version: 7
Platform(s): Oracle Linux 5
Oracle Linux 6
Product(s): samba3x
samba
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:25152
 
Oval ID: oval:org.mitre.oval:def:25152
Title: SUSE-SU-2014:0497-1 -- Security update for Samba
Description: The Samba fileserver suite was updated to fix bugs and security issues.
Family: unix Class: patch
Reference(s): SUSE-SU-2014:0497-1
CVE-2013-4496
Version: 3
Platform(s): SUSE Linux Enterprise Server 11
SUSE Linux Enterprise Desktop 11
Product(s): Samba
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:25353
 
Oval ID: oval:org.mitre.oval:def:25353
Title: SUSE-SU-2014:0901-1 -- Security update for Samba
Description: Samba was updated to fix three security issues and several non-security issues.
Family: unix Class: patch
Reference(s): SUSE-SU-2014:0901-1
CVE-2014-3493
CVE-2014-0244
CVE-2014-0178
CVE-2013-4496
Version: 3
Platform(s): SUSE Linux Enterprise Server 11
Product(s): Samba
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:26958
 
Oval ID: oval:org.mitre.oval:def:26958
Title: DEPRECATED: ELSA-2014-0330 -- samba and samba3x security update (moderate)
Description: [3.6.9-168] - resolves: #1073905 - Fix CVE-2012-6150. - resolves: #1073905 - Fix CVE-2013-4496.
Family: unix Class: patch
Reference(s): ELSA-2014-0330
CVE-2012-6150
CVE-2013-4496
Version: 4
Platform(s): Oracle Linux 5
Oracle Linux 6
Product(s): samba3x
samba
Definition Synopsis:

CPE : Common Platform Enumeration

Type         Count
Application  195

Nessus® Vulnerability Scanner

Date        Description
2016-04-21  Name : The remote openSUSE host is missing a security update.
File : openSUSE-2016-490.nasl - Type : ACT_GATHER_INFO
2015-05-20  Name : The remote SUSE host is missing one or more security updates.
File : suse_SU-2014-0723-1.nasl - Type : ACT_GATHER_INFO
2015-03-30  Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2015-082.nasl - Type : ACT_GATHER_INFO
2015-02-26  Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-201502-15.nasl - Type : ACT_GATHER_INFO
2015-01-19  Name : The remote Solaris system is missing a security patch for third-party software.
File : solaris11_samba_20140522.nasl - Type : ACT_GATHER_INFO
2014-08-20  Name : The remote Fedora host is missing a security update.
File : fedora_2014-9132.nasl - Type : ACT_GATHER_INFO
2014-06-26  Name : The remote Fedora host is missing a security update.
File : fedora_2014-7672.nasl - Type : ACT_GATHER_INFO
2014-06-13  Name : The remote openSUSE host is missing a security update.
File : openSUSE-2014-228.nasl - Type : ACT_GATHER_INFO
2014-06-13  Name : The remote openSUSE host is missing a security update.
File : openSUSE-2014-229.nasl - Type : ACT_GATHER_INFO
2014-04-11  Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2014-0383.nasl - Type : ACT_GATHER_INFO
2014-04-10  Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2014-0383.nasl - Type : ACT_GATHER_INFO
2014-04-10  Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2014-0383.nasl - Type : ACT_GATHER_INFO
2014-04-10  Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20140409_samba4_on_SL6_x.nasl - Type : ACT_GATHER_INFO
2014-04-08  Name : The remote SuSE 11 host is missing one or more security updates.
File : suse_11_cifs-mount-140312.nasl - Type : ACT_GATHER_INFO
2014-03-28  Name : The remote Fedora host is missing a security update.
File : fedora_2014-3815.nasl - Type : ACT_GATHER_INFO
2014-03-27  Name : The remote Ubuntu host is missing a security-related patch.
File : ubuntu_USN-2156-1.nasl - Type : ACT_GATHER_INFO
2014-03-26  Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2014-0330.nasl - Type : ACT_GATHER_INFO
2014-03-26  Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2014-0330.nasl - Type : ACT_GATHER_INFO
2014-03-26  Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2014-0330.nasl - Type : ACT_GATHER_INFO
2014-03-26  Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20140325_samba_and_samba3x_on_SL5_x.nasl - Type : ACT_GATHER_INFO
2014-03-18  Name : The remote Samba server is affected by multiple vulnerabilities.
File : samba_4_1_6.nasl - Type : ACT_GATHER_INFO
2014-03-17  Name : The remote Slackware host is missing a security update.
File : Slackware_SSA_2014-072-01.nasl - Type : ACT_GATHER_INFO
2014-03-17  Name : The remote Fedora host is missing a security update.
File : fedora_2014-3796.nasl - Type : ACT_GATHER_INFO
2014-03-12  Name : The remote FreeBSD host is missing one or more security-related updates.
File : freebsd_pkg_03e48bf5a96d11e3a5563c970e169bc2.nasl - Type : ACT_GATHER_INFO

Sources (Detail)

Source    Url
BID http://www.securityfocus.com/bid/66336
CONFIRM http://advisories.mageia.org/MGASA-2014-0138.html
http://www.samba.org/samba/history/samba-3.6.23.html
http://www.samba.org/samba/history/samba-4.0.16.html
http://www.samba.org/samba/history/samba-4.1.6.html
http://www.samba.org/samba/security/CVE-2013-4496
https://bugzilla.samba.org/show_bug.cgi?id=10245
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_n...
FEDORA http://lists.fedoraproject.org/pipermail/package-announce/2014-August/136864....
http://lists.fedoraproject.org/pipermail/package-announce/2014-June/134717.html
GENTOO http://security.gentoo.org/glsa/glsa-201502-15.xml
MANDRIVA http://www.mandriva.com/security/advisories?name=MDVSA-2015:082
REDHAT http://rhn.redhat.com/errata/RHSA-2014-0330.html
SUSE http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00047.html
http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00048.html
http://lists.opensuse.org/opensuse-updates/2014-03/msg00062.html
http://lists.opensuse.org/opensuse-updates/2014-03/msg00063.html
UBUNTU http://www.ubuntu.com/usn/USN-2156-1

Alert History

Date                 Information
2017-01-11 13:25:28
  • Multiple Updates
2017-01-07 09:25:13
  • Multiple Updates
2016-12-03 09:23:54
  • Multiple Updates
2016-08-23 09:24:48
  • Multiple Updates
2016-08-20 09:22:28
  • Multiple Updates
2016-06-15 09:25:32
  • Multiple Updates
2016-04-26 13:27:45
  • Multiple Updates
2016-04-04 17:23:42
  • Multiple Updates
2015-05-21 13:30:50
  • Multiple Updates
2015-04-02 09:25:36
  • Multiple Updates
2015-03-31 13:28:01
  • Multiple Updates
2015-03-03 09:23:05
  • Multiple Updates
2015-02-27 13:24:22
  • Multiple Updates
2015-01-21 13:26:23
  • Multiple Updates
2014-07-17 09:21:41
  • Multiple Updates
2014-06-14 13:36:09
  • Multiple Updates
2014-04-12 13:22:55
  • Multiple Updates
2014-04-11 13:22:01
  • Multiple Updates
2014-04-09 13:22:19
  • Multiple Updates
2014-04-01 14:40:04
  • Multiple Updates
2014-03-29 13:23:47
  • Multiple Updates
2014-03-28 17:20:03
  • Multiple Updates
2014-03-28 13:22:10
  • Multiple Updates
2014-03-27 13:21:34
  • Multiple Updates
2014-03-26 13:22:45
  • Multiple Updates
2014-03-19 13:21:28
  • Multiple Updates
2014-03-18 13:22:47
  • First insertion