samba - May 2017 - Severity of unpublished CVE-2017-2619 and CVE-2017-7494

Thanks for the analysis of second bug.
Please also share CVSSv3 score for first bug.

Arjit Kumar


On Fri, May 26, 2017 at 12:29 PM, Andrew Bartlett <abartlet at samba.org>
wrote:
> On Fri, 2017-05-26 at 11:36 +0530, Arjit Gupta via samba wrote:
> > Hi Team,
> >
> > Please let me know the severity of CVE-2017-2619 and  CVE-2017-7494.
>
> They are not unpublished:
>
> https://www.samba.org/samba/security/CVE-2017-2619.html
>
> https://www.samba.org/samba/security/CVE-2017-7494.html
>
> For this second bug, I did some work on CVSS scores:
>
> I've had a go at a CVSSv3 score for the normal case here (password
> required to
> write to shares):
>
> AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C (8.2)
>
> https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/P
> R:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
>
> for the AD DC, assuming only sysvol/netlogon shares (which should be
> admin-only) but that administrator isn't root:
>
> AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C (6.7)
>
> https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/P
> R:H/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
>
> Naturally if the users who can write to your Samba shares also hold the
> root
> password then this isn't really an issue, unless you assume some attack
> to drop
> a specific .so on a share.
>
> That would be:
>
> AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C (7.0)
>
> https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/P
> R:N/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
>
> Finally, if you allow guest upload of files, then be worried:
>
> AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C (9.1)
>
> https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/P
> R:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
>
>
> Feedback welcome.  I'm just hoping this helps folks who need to
> classify this.
>
> --
> Andrew Bartlett                       http://samba.org/~abartlet/
> Authentication Developer, Samba Team  http://samba.org
> Samba Developer, Catalyst IT          http://catalyst.net.nz/
> services/samba
>
>

On Fri, 2017-05-26 at 13:47 +0530, Arjit Gupta wrote:
> 
> Thanks for the analysis of second bug.
> Please also share CVSSv3 score for first bug.
My assessment is:

https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/P
R:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C

2.8

Andrew Bartlett
-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

Hi Andrew,

In above mail you have replied CVSS scores:v3 score of CVE-2017-2619 as 2.8
but on the link
<https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/P
R:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C> mentioned it is showing 8.2.

What is the correct vulnerability score of CVE.

Arjit Kumar


On Fri, May 26, 2017 at 1:54 PM, Andrew Bartlett <abartlet at samba.org>
wrote:
> On Fri, 2017-05-26 at 13:47 +0530, Arjit Gupta wrote:
> >
> > Thanks for the analysis of second bug.
> > Please also share CVSSv3 score for first bug.
>
> My assessment is:
>
> https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/P
> R:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
>
> 2.8
>
> Andrew Bartlett
> --
> Andrew Bartlett                       http://samba.org/~abartlet/
> Authentication Developer, Samba Team  http://samba.org
> Samba Developer, Catalyst IT          http://catalyst.net.nz/
> services/samba
>
>