Vulnerability Details : CVE-2018-16841
Samba from version 4.3.0 and before versions 4.7.12, 4.8.7 and 4.9.3 are vulnerable to a denial of service. When configured to accept smart-card authentication, Samba's KDC will call talloc_free() twice on the same memory if the principal in a validly signed certificate does not match the principal in the AS-REQ. This is only possible after authentication with a trusted certificate. talloc is robust against further corruption from a double-free with talloc_free() and directly calls abort(), terminating the KDC process.
Vulnerability category: Memory CorruptionDenial of service
Products affected by CVE-2018-16841
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:a:samba:samba:*:*:*:*:*:*:*:*
- cpe:2.3:a:samba:samba:*:*:*:*:*:*:*:*
- cpe:2.3:a:samba:samba:*:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:*
Threat overview for CVE-2018-16841
Top countries where our scanners detected CVE-2018-16841
Top open port discovered on systems with this issue
445
IPs affected by CVE-2018-16841 219,739
Threat actors abusing to this issue?
Yes
Find out if you* are
affected by CVE-2018-16841!
*Directly or indirectly through your vendors, service providers and 3rd parties.
Powered by
attack surface intelligence
from SecurityScorecard.
Exploit prediction scoring system (EPSS) score for CVE-2018-16841
6.79%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 90 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2018-16841
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
4.0
|
MEDIUM | AV:N/AC:L/Au:S/C:N/I:N/A:P |
8.0
|
2.9
|
NIST | |
|
5.7
|
MEDIUM | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H |
2.1
|
3.6
|
Red Hat, Inc. | |
|
6.5
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
2.8
|
3.6
|
NIST |
CWE ids for CVE-2018-16841
-
The product calls free() twice on the same memory address.Assigned by: nvd@nist.gov (Primary)
-
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.Assigned by: secalert@redhat.com (Secondary)
References for CVE-2018-16841
-
https://www.samba.org/samba/security/CVE-2018-16841.html
Samba - Security Announcement ArchivePatch;Vendor Advisory
-
https://www.debian.org/security/2018/dsa-4345
Debian -- Security Information -- DSA-4345-1 sambaThird Party Advisory
-
https://usn.ubuntu.com/3827-1/
USN-3827-1: Samba vulnerabilities | Ubuntu security noticesThird Party Advisory
-
https://security.gentoo.org/glsa/202003-52
Samba: Multiple vulnerabilities (GLSA 202003-52) — Gentoo securityThird Party Advisory
-
http://www.securityfocus.com/bid/106023
Samba CVE-2018-16841 Remote Denial of Service VulnerabilityVDB Entry;Third Party Advisory
-
https://usn.ubuntu.com/3827-2/
USN-3827-2: Samba vulnerabilities | Ubuntu security noticesThird Party Advisory
-
https://security.netapp.com/advisory/ntap-20181127-0001/
November 2018 Samba Vulnerabilities in NetApp StorageGRID Products | NetApp Product SecurityThird Party Advisory
-
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16841
1642545 – (CVE-2018-16841) CVE-2018-16841 samba: Double-free in Samba AD DC KDC with PKINITIssue Tracking;Third Party Advisory
Jump to