CVE-2014-8143

NameCVE-2014-8143
DescriptionSamba 4.0.x before 4.0.24, 4.1.x before 4.1.16, and 4.2.x before 4.2rc4, when an Active Directory Domain Controller (AD DC) is configured, allows remote authenticated users to set the LDB userAccountControl UF_SERVER_TRUST_ACCOUNT bit, and consequently gain privileges, by leveraging delegation of authority for user-account or computer-account creation.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)
Debian Bugs776993

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
samba (PTS)buster, buster (security)2:4.9.5+dfsg-5+deb10u3fixed
bullseye2:4.13.13+dfsg-1~deb11u4fixed
bullseye (security)2:4.13.13+dfsg-1~deb11u5fixed
bookworm, sid2:4.16.4+dfsg-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
sambasourcesqueeze(not affected)
sambasourcewheezy(not affected)
sambasource(unstable)2:4.1.17+dfsg-1776993
samba4source(unstable)4.0.0~beta2+dfsg1-3.2+deb7u2

Notes

[wheezy] - samba <not-affected> (Only affects 4.0 and later)
[squeeze] - samba <not-affected> (Only affects 4.0 and later)
AD-related packages removed from src:samba4 in 4.0.0~beta2+dfsg1-3.2+deb7u2
https://www.samba.org/samba/security/CVE-2014-8143

Search for package or bug name: Reporting problems