Denial of Service Vulnerability in Samba AD DC and File Server
CVE-2019-14907

6.5MEDIUM

Key Information:

Vendor: Red Hat
Status: Samba
Vendor: CVE Published:; 21 January 2020

Summary

In certain versions of Samba, if the log level is set to 3 or higher, an issue arises that allows a failure in character conversion to lead to unintended string outputs. This can occur during NTLMSSP authentication exchanges, resulting in the potential termination of long-lived processes such as the RPC server within the Samba Active Directory Domain Controller. Although this may mainly affect an isolated smbd service in a file server context, the implication is that it can disrupt ongoing operations, and therefore, timely patching is advised.

Affected Version(s)

samba All versions 4.11.x before 4.11.5

samba All versions 4.10.x before 4.10.12

samba All versions 4.9.x before 4.9.18

References

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14907

https://www.samba.org/samba/security/CVE-2019-14907.html

https://security.netapp.com/advisory/ntap-20200122-0001/

EPSS Score

5% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Jan 21, 2020
Vulnerability Reserved
Aug 10, 2019