Samba 4.0.0 <= 4.0.10 and 4.1.0 Cryptographic Issues Vulnerability (CVE-2013-4476)
Summary
In setups that provide ldap(s) and/or https services, the private key for SSL/TLS encryption might be world-readable. This typically happens in Active Directory domain controller setups.
Insight
obtain the private key that is used for the SSL/TLS encryption of ldaps (including STARTTLS on ldap) and https network traffic. The attacker is then able to decrypt encrypted network traffic, which may contain confidential information such as passwords. Note that the http(s) service is not started by default; it is started only if the 'server services' option contains 'web'. The ldap(s) service is started only if Samba is configured as an Active Directory domain controller.
Affected Software
Samba versions 4.0.0 through 4.0.10 and 4.1.0.
Detection Method
Checks if a vulnerable version is present on the target host.
Solution
Update to version 4.0.11, 4.1.1 or later.