CVE-2023-3347
EUVD-2023-4401520.07.2023, 15:15
A vulnerability was found in Samba's SMB2 packet signing mechanism. The SMB2 packet signing is not enforced if an admin configured "server signing = required" or for SMB2 connections to Domain Controllers where SMB2 packet signing is mandatory. This flaw allows an attacker to perform attacks, such as a man-in-the-middle attack, by intercepting the network traffic and modifying the SMB2 messages between client and server, affecting the integrity of the data.Enginsight
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| samba | samba | 4.17.0 ≤ 𝑥 < 4.17.10 |
| samba | samba | 4.18.0 ≤ 𝑥 < 4.18.5 |
| redhat | storage | 3.0 |
| redhat | enterprise_linux | 8.0 |
| redhat | enterprise_linux | 9.0 |
𝑥
= Vulnerable software versions
Debian Releases
Ubuntu Releases
Common Weakness Enumeration
- CWE-347 - Improper Verification of Cryptographic SignatureThe software does not verify, or incorrectly verifies, the cryptographic signature for data.
- CWE-924 - Improper Enforcement of Message Integrity During Transmission in a Communication ChannelThe software establishes a communication channel with an endpoint and receives a message from that endpoint, but it does not sufficiently ensure that the message was not modified during transmission.
References