Arjit Gupta
2017-May-26 06:06 UTC
[Samba] Severity of unpublished CVE-2017-2619 and CVE-2017-7494
Hi Team,

Please let me know the severity of CVE-2017-2619 and CVE-2017-7494.

Arjit Kumar
Andrew Bartlett
2017-May-26 06:59 UTC
[Samba] Severity of unpublished CVE-2017-2619 and CVE-2017-7494
On Fri, 2017-05-26 at 11:36 +0530, Arjit Gupta via samba wrote:
> Hi Team,
>
> Please let me know the severity of CVE-2017-2619 and CVE-2017-7494.

They are not unpublished:

https://www.samba.org/samba/security/CVE-2017-2619.html
https://www.samba.org/samba/security/CVE-2017-7494.html

For this second bug, I did some work on CVSS scores:

I've had a go at a CVSSv3 score for the normal case here (password required to write to shares):

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C (8.2)

https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C

for the AD DC, assuming only sysvol/netlogon shares (which should be admin-only) but that administrator isn't root:

AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C (6.7)

https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C

Naturally if the users who can write to your Samba shares also hold the root password then this isn't really an issue, unless you assume some attack to drop a specific .so on a share.

That would be:

AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C (7.0)

https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C

Finally, if you allow guest upload of files, then be worried:

AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C (9.1)

https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C

Feedback welcome. I'm just hoping this helps folks who need to classify this.

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
Arjit Gupta
2017-May-26 08:17 UTC
[Samba] Severity of unpublished CVE-2017-2619 and CVE-2017-7494
Thanks for the analysis of the second bug. Please also share the CVSSv3 score for the first bug.

Arjit Kumar