
Sid 1-45071


SERVER-SAMBA Samba write and unlock command memory leak attempt


This event is generated when an SMB1 write-and-unlock request declares more data than it actually carries, an attempt to make a Samba server copy its own memory into a file on a writable share.


Impact

Attempted User Privilege Gain

Detailed information

The vulnerability stems from a missing range check in the SMB1 write-and-unlock handler: the server does not verify that the amount of data a client declares it is sending was actually received. A client can therefore declare a larger write than the bytes it transmitted, and the server copies the difference from whatever follows the received data in its own memory into the file being written, where the client can read it back. The client cannot choose which region of memory is leaked. Although the write-and-unlock command belongs to the deprecated SMB1 protocol, the handler remains in the server code, so any authenticated client that can negotiate SMB1 and write to a share can trigger the leak.
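The following is an added example constructed by the editor; it is neither the Snort rule nor Samba's code. It builds SMB1 WriteAndUnlock requests following the MS-CIFS layout (header, five parameter words, then a data block of BufferFormat byte, DataLength and data), applies the check the rule description names (declared CountOfBytesToWrite versus bytes actually present), and models the unchecked copy beside the range-checked one. The sample packets, the field values (fid, tid, uid) and the STALE bytes standing in for the server's stale memory are constructed, not captured.

```python
"""SMB1 WriteAndUnlock length check: detection logic plus a model of the
unchecked copy.  Added example constructed by the editor; it is not Snort's
rule and not Samba's code.  Layout follows MS-CIFS SMB_COM_WRITE_AND_UNLOCK."""
import struct

SMB_COM_WRITE_AND_UNLOCK = 0x14
SMB_FLAGS_REPLY = 0x80
SMB1_HEADER_LEN = 32           # b"\xffSMB", Command, Status, Flags, Flags2 ... MID
DATA_BLOCK_FORMAT = 0x01       # BufferFormat byte that starts the data block
DATA_BLOCK_HDR = 3             # BufferFormat (1) + DataLength (2)


def build_write_and_unlock(fid, offset, data, declared_count=None):
    """Construct a request.  declared_count sets CountOfBytesToWrite
    independently of the bytes actually carried, which is the CVE-2017-12163
    condition; by default it matches len(data)."""
    count = len(data) if declared_count is None else declared_count
    hdr = b"\xffSMB" + bytes([SMB_COM_WRITE_AND_UNLOCK]) + b"\x00" * 4   # Command, NT status
    hdr += b"\x18" + struct.pack("<H", 0x0001)                            # Flags (request), Flags2
    hdr += b"\x00" * 12                                                   # PIDHigh, SecurityFeatures, Reserved
    hdr += struct.pack("<HHHH", 1, 1234, 100, 1)                          # TID, PIDLow, UID, MID (constructed)
    words = struct.pack("<HHIH", fid, count, offset, 0)                   # FID, Count, Offset, Remaining
    body = bytes([DATA_BLOCK_FORMAT]) + struct.pack("<H", len(data)) + data
    return hdr + bytes([len(words) // 2]) + words + struct.pack("<H", len(body)) + body


def parse_smb1(pdu):
    """Split an SMB1 PDU into the fields the check needs."""
    if len(pdu) < SMB1_HEADER_LEN + 1 or pdu[:4] != b"\xffSMB":
        raise ValueError("not an SMB1 PDU")
    wct = pdu[SMB1_HEADER_LEN]
    words_start = SMB1_HEADER_LEN + 1
    words_end = words_start + 2 * wct
    if len(pdu) < words_end + 2:
        raise ValueError("truncated parameter block")
    return {
        "command": pdu[4],
        "is_reply": bool(pdu[9] & SMB_FLAGS_REPLY),
        "wct": wct,
        "words": pdu[words_start:words_end],
        "bcc": struct.unpack_from("<H", pdu, words_end)[0],
        "bytes_start": words_end + 2,
        "bytes": pdu[words_end + 2:],
    }


def check_write_and_unlock(pdu):
    """Detection logic.  Returns None for anything that is not a WriteAndUnlock
    request, otherwise (alert, reason).  Alerts when the declared write length
    exceeds the data bytes that are actually on the wire."""
    msg = parse_smb1(pdu)
    if msg["command"] != SMB_COM_WRITE_AND_UNLOCK or msg["is_reply"]:
        return None
    if msg["wct"] != 5:
        return True, "WordCount %d, expected 5" % msg["wct"]
    _fid, count, _offset, _remaining = struct.unpack("<HHIH", msg["words"])
    body = msg["bytes"]
    if len(body) < DATA_BLOCK_HDR or body[0] != DATA_BLOCK_FORMAT:
        return True, "missing or malformed data block"
    data_length = struct.unpack_from("<H", body, 1)[0]
    present = len(body) - DATA_BLOCK_HDR            # data bytes that actually arrived
    if count > present or data_length > present or msg["bcc"] > len(body):
        return True, "declared count=%d datalen=%d bcc=%d but only %d data bytes on the wire" % (
            count, data_length, msg["bcc"], present)
    return False, "count %d matches %d bytes present" % (count, present)


def vulnerable_copy(recv_buf, pdu_len):
    """Model of the unchecked handler: copies CountOfBytesToWrite bytes from the
    data block, trusting the client.  recv_buf models the server's receive
    buffer; bytes past pdu_len are stale memory the copy must never reach."""
    msg = parse_smb1(recv_buf[:pdu_len])
    count = struct.unpack("<HHIH", msg["words"])[1]
    start = msg["bytes_start"] + DATA_BLOCK_HDR
    return bytes(recv_buf[start:start + count])


def fixed_copy(recv_buf, pdu_len):
    """Same copy with the range check the fix adds: count is bounded by the
    bytes that actually arrived, otherwise the request is rejected."""
    msg = parse_smb1(recv_buf[:pdu_len])
    count = struct.unpack("<HHIH", msg["words"])[1]
    present = len(msg["bytes"]) - DATA_BLOCK_HDR
    if count > present:
        raise ValueError("count %d exceeds %d received bytes, reject request" % (count, present))
    start = msg["bytes_start"] + DATA_BLOCK_HDR
    return bytes(recv_buf[start:start + count])


# Constructed samples.  STALE stands in for whatever the server's buffer held before.
STALE = b"<stale heap: earlier session data>"
BENIGN = build_write_and_unlock(fid=0x4001, offset=0, data=b"hello samba")
MALICIOUS = build_write_and_unlock(fid=0x4001, offset=0, data=b"hi", declared_count=2 + len(STALE))

if __name__ == "__main__":
    for name, pdu in (("benign", BENIGN), ("malicious", MALICIOUS)):
        print(name, check_write_and_unlock(pdu))
    print("vulnerable handler writes:", vulnerable_copy(MALICIOUS + STALE, len(MALICIOUS)))
```

The malicious request carries two data bytes but declares 36; the unchecked copy returns those two bytes followed by the stale contents of the buffer, which is what ends up in the file on the share. The same count-versus-present comparison is the condition a detector can evaluate on the wire, since it needs nothing beyond the request itself.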

Affected systems

  • All Samba versions

Ease of attack


False positives


False negatives


Corrective action

Because the vulnerable command exists only in SMB1, the attack can be blocked by configuring the server to negotiate SMB2 or later. Add:

server min protocol = SMB2_02

to the [global] section of smb.conf and restart smbd. Note that this also locks out any client that can only speak SMB1, so check client compatibility first.

The missing range check is fixed in Samba 4.6.8, 4.5.14 and 4.4.16; upgrade to one of these releases, or a later release on the same branch.
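The following is an added example constructed by the editor, not Samba's own configuration parser. It reads an smb.conf and reports whether a client could still negotiate an SMB1 dialect, handling the smb.conf rules that matter here: the [global] section, case-insensitive parameter names with internal whitespace collapsed, full-line '#' and ';' comments, the deprecated synonym 'min protocol', and the SMB2/SMB3 aliases. The protocol ladder and the assumption that the default minimum was LANMAN1 before Samba 4.11 and SMB2_02 from 4.11 on are taken from the smb.conf manual and release notes; the two sample configurations are constructed.

```python
"""Does this smb.conf still let clients negotiate SMB1?  Added example
constructed by the editor, not Samba's own parser."""

# Samba's protocol ladder in negotiation order (preview variants omitted).
# Everything up to and including NT1 is an SMB1 dialect.
PROTOCOL_ORDER = ["CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1",
                  "SMB2_02", "SMB2_10", "SMB3_00", "SMB3_02", "SMB3_11"]
ALIASES = {"SMB2": "SMB2_10", "SMB3": "SMB3_11"}   # smb.conf(5): SMB2 selects SMB2_10, SMB3 selects SMB3_11
HIGHEST_SMB1 = "NT1"


def parse_smb_conf(text):
    """Return {section: {parameter: value}}.  Section and parameter names are
    lower-cased with internal whitespace collapsed, as Samba treats them.
    Only whole-line comments are stripped; Samba does not honour trailing ones."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" not in line or current is None:
            continue
        key, value = line.split("=", 1)
        sections[current][" ".join(key.split()).lower()] = value.strip()
    return sections


def effective_min_protocol(conf, samba_version):
    """Value of 'server min protocol' after defaults and aliases.  Assumption:
    the default was LANMAN1 (SMB1 accepted) until Samba 4.11 changed it to SMB2_02."""
    g = conf.get("global", {})
    raw = g.get("server min protocol", g.get("min protocol"))   # 'min protocol' is the old synonym
    if raw is None:
        return "SMB2_02" if samba_version >= (4, 11) else "LANMAN1"
    name = raw.strip().upper()
    return ALIASES.get(name, name)


def smb1_negotiable(text, samba_version=(4, 6, 8)):
    """True if a client may still negotiate an SMB1 dialect (and so reach the
    write-and-unlock handler) under this configuration on the given Samba version."""
    name = effective_min_protocol(parse_smb_conf(text), samba_version)
    if name not in PROTOCOL_ORDER:
        raise ValueError("unrecognised protocol name %r" % name)
    return PROTOCOL_ORDER.index(name) <= PROTOCOL_ORDER.index(HIGHEST_SMB1)


# Constructed sample configurations: the weak one relies on the pre-4.11 default.
WEAK = """\
[global]
   workgroup = WORKGROUP
   ; no minimum set: Samba 4.6.x defaults to LANMAN1, so SMB1 is accepted
[data]
   path = /srv/data
   writable = yes
"""

FIXED = """\
[global]
   workgroup = WORKGROUP
   # the setting the corrective action adds
   server min protocol = SMB2_02
[data]
   path = /srv/data
   writable = yes
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK), ("fixed", FIXED)):
        print(label, "SMB1 negotiable:", smb1_negotiable(text))
```

On a live host, `testparm -s --parameter-name="server min protocol"` prints the value smbd will actually use, and from another machine `smbclient -L //server -m NT1 -N` should fail to negotiate once SMB1 is disabled.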


Contributors

  • Cisco's Talos Intelligence Group

Additional References

  • CVE-2017-12163