CVE-2012-6150

 

Published at: - 03-12-2013 08:55

Last modified: - 01-09-2022 06:34

Total changes: - 2

Description

The winbind_name_list_to_sid_string_list function in nsswitch/pam_winbind.c in Samba through 4.1.2 handles invalid require_membership_of group names by accepting authentication by any user, which allows remote authenticated users to bypass intended access restrictions in opportunistic circumstances by leveraging an administrator's pam_winbind configuration-file mistake.

Common Vulnerability Scoring System (CVSS)

AV:N/AC:H/Au:S/C:P/I:P/A:N

 

Verification logic

 

Reference

• https://bugzilla.samba.org/show_bug.cgi?id=10300
• [oss-security] 20131202 Re: CVE request: samba pam_winbind authentication fails open-Mailing List, Third Party Advisory
• https://bugzilla.redhat.com/show_bug.cgi?id=1036897
• [samba-technical] 20120612 winbind pam security problem-Exploit, Vendor Advisory
• [samba-technical] 20131128 fail authentication if user isn't member of *any* require_membership_of specified groups-Exploit, Vendor Advisory
• openSUSE-SU-2013:1921-Mailing List, Third Party Advisory
• USN-2054-1-Third Party Advisory
• SUSE-SU-2014:0024-Mailing List, Third Party Advisory
• openSUSE-SU-2014:0405-Mailing List, Third Party Advisory
• RHSA-2014:0330-Third Party Advisory
• MDVSA-2013:299-Third Party Advisory
• GLSA-201502-15-Third Party Advisory
• SSRT101413-Mailing List, Third Party Advisory
• openSUSE-SU-2016:1106-Mailing List, Third Party Advisory
• openSUSE-SU-2016:1107-Mailing List, Third Party Advisory
• FEDORA-2014-7672-Mailing List, Third Party Advisory
• FEDORA-2014-9132-Mailing List, Third Party Advisory

 

Keywords

NVD

 

CVE-2012-6150

 

CVE

 

Common vulnerabilities & exposures

 

CVSS

 

Common vulnerability scoring system

 

Security

 

Vulnerabilities

 

Exposures