CVE-2014-8143

Current Description

Samba 4.0.x before 4.0.24, 4.1.x before 4.1.16, and 4.2.x before 4.2rc4, when an Active Directory Domain Controller (AD DC) is configured, allows remote authenticated users to set the LDB userAccountControl UF_SERVER_TRUST_ACCOUNT bit, and consequently gain privileges, by leveraging delegation of authority for user-account or computer-account creation.

Basic Data

Published: January 17, 2015
Last Modified: September 08, 2017
Assigner: cve@mitre.org
Data Type: CVE
Data Format: MITRE
Data Version: 4.0
Problem Type: CWE-264
CVE Data Version: 4.0

Base Metric V2

CVSS 2 - Version: 2.0
CVSS 2 - Vector String: AV:N/AC:M/Au:S/C:C/I:C/A:C
CVSS 2 - Access Vector: NETWORK
CVSS 2 - Access Complexity: MEDIUM
CVSS 2 - Authentication: SINGLE
CVSS 2 - Confidentiality Impact: COMPLETE
CVSS 2 - Availability Impact: COMPLETE
CVSS 2 - Base Score: 8.5
Severity: HIGH
Exploitability Score: 6.8
Impact Score: 10.0
Obtain All Privilege: false
Obtain User Privilege: false
Obtain Other Privilege: false

Base Metric V3

No data provided.

Configurations

  • OR - Configuration 1
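    | Cpe Version | Part | Vendor | Product | Version | Update | Edition | Language | SW Edition | Target SW | Target HW | Other | Version Start Including | Version End Including | Version Start Excluding | Version End Excluding |
    | 2.3 | Application | Samba | Samba | 4.0.0 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Samba | Samba | 4.0.1 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Samba | Samba | 4.0.2 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Samba | Samba | 4.0.3 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Samba | Samba | 4.0.4 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Samba | Samba | 4.0.5 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Samba | Samba | 4.0.6 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Samba | Samba | 4.0.7 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Samba | Samba | 4.0.8 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Samba | Samba | 4.0.9 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Samba | Samba | 4.0.10 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Samba | Samba | 4.0.11 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Samba | Samba | 4.0.12 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Samba | Samba | 4.0.13 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Samba | Samba | 4.0.14 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Samba | Samba | 4.0.15 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Samba | Samba | 4.0.16 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Samba | Samba | 4.0.17 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Samba | Samba | 4.0.18 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Samba | Samba | 4.0.19 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Samba | Samba | 4.0.20 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Samba | Samba | 4.0.21 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Samba | Samba | 4.0.22 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Samba | Samba | 4.0.23 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Samba | Samba | 4.1.0 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Samba | Samba | 4.1.1 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Samba | Samba | 4.1.2 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Samba | Samba | 4.1.3 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Samba | Samba | 4.1.4 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Samba | Samba | 4.1.5 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Samba | Samba | 4.1.6 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Samba | Samba | 4.1.7 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Samba | Samba | 4.1.8 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Samba | Samba | 4.1.9 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Samba | Samba | 4.1.10 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Samba | Samba | 4.1.11 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Samba | Samba | 4.1.12 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Samba | Samba | 4.1.13 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Samba | Samba | 4.1.14 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Samba | Samba | 4.1.15 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Samba | Samba | 4.2.0 | rc1 | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Samba | Samba | 4.2.0 | rc2 | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Samba | Samba | 4.2.0 | rc3 | * | * | * | * | * | * | | | | |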

Vulnerable Software List

| Vendor | Product | Versions |
| Samba | Samba | 4.0.0, 4.0.1, 4.0.10, 4.0.11, 4.0.12, 4.0.13, 4.0.14, 4.0.15, 4.0.16, 4.0.17, 4.0.18, 4.0.19, 4.0.2, 4.0.20, 4.0.21, 4.0.22, 4.0.23, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.1.0, 4.1.1, 4.1.10, 4.1.11, 4.1.12, 4.1.13, 4.1.14, 4.1.15, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.7, 4.1.8, 4.1.9, 4.2.0 |

References

| Name | Source | URL | Tags |
| openSUSE-SU-2015:0375 | SUSE | http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00031.html | |
| openSUSE-SU-2016:1064 | SUSE | http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00042.html | |
| 62594 | SECUNIA | http://secunia.com/advisories/62594 | |
| 72278 | BID | http://www.securityfocus.com/bid/72278 | |
| 1031615 | SECTRACK | http://www.securitytracker.com/id/1031615 | |
| SSA:2015-020-01 | SLACKWARE | http://www.slackware.com/security/viewer.php?l=slackware-security&y=2015&m=slackware-security.416326 | |
| USN-2481-1 | UBUNTU | http://www.ubuntu.com/usn/USN-2481-1 | |
| https://download.samba.org/pub/samba/patches/security/samba-4.0.23-CVE-2014-8143.patch | CONFIRM | https://download.samba.org/pub/samba/patches/security/samba-4.0.23-CVE-2014-8143.patch | PATCH |
| https://download.samba.org/pub/samba/patches/security/samba-4.1.15-CVE-2014-8143.patch | CONFIRM | https://download.samba.org/pub/samba/patches/security/samba-4.1.15-CVE-2014-8143.patch | PATCH |
| samba-cve20148143-priv-esc(100596) | XF | https://exchange.xforce.ibmcloud.com/vulnerabilities/100596 | |
| https://www.samba.org/samba/security/CVE-2014-8143 | CONFIRM | https://www.samba.org/samba/security/CVE-2014-8143 | PATCH Vendor Advisory |