Sid 1-45255

Message

SERVER-SAMBA Samba tree connect andx memory corruption attempt

Summary

This event is generated when an attempt to exploit CVE-2017-14746 is detected.

Impact

Attempted User Privilege Gain

CVE-2017-14746:

CVSS base score 9.8

CVSS impact score 5.9

CVSS exploitability score 3.9

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Detailed information

An attacker is attempting to exploit a network vulnerability in Samba < 4.7.2 that can lead to remote code execution. CVE-2017-14746: Use-after-free vulnerability in Samba 4.x before 4.7.3 allows remote attackers to execute arbitrary code via a crafted SMB1 request.

Affected systems

  • samba samba 4.0.0
  • samba samba 4.0.1
  • samba samba 4.0.2
  • samba samba 4.0.3
  • samba samba 4.0.4
  • samba samba 4.0.5
  • samba samba 4.0.6
  • samba samba 4.0.7
  • samba samba 4.0.8
  • samba samba 4.0.9
  • samba samba 4.0.10
  • samba samba 4.0.11
  • samba samba 4.0.12
  • samba samba 4.0.13
  • samba samba 4.0.14
  • samba samba 4.0.15
  • samba samba 4.0.16
  • samba samba 4.0.17
  • samba samba 4.0.18
  • samba samba 4.0.19
  • samba samba 4.0.20
  • samba samba 4.0.21
  • samba samba 4.0.22
  • samba samba 4.0.23
  • samba samba 4.0.24
  • samba samba 4.0.25
  • samba samba 4.0.26
  • samba samba 4.1.0
  • samba samba 4.1.1
  • samba samba 4.1.2
  • samba samba 4.1.3
  • samba samba 4.1.4
  • samba samba 4.1.5
  • samba samba 4.1.6
  • samba samba 4.1.7
  • samba samba 4.1.8
  • samba samba 4.1.9
  • samba samba 4.1.10
  • samba samba 4.1.11
  • samba samba 4.1.12
  • samba samba 4.1.13
  • samba samba 4.1.14
  • samba samba 4.1.15
  • samba samba 4.1.16
  • samba samba 4.1.17
  • samba samba 4.1.18
  • samba samba 4.1.19
  • samba samba 4.1.20
  • samba samba 4.1.21
  • samba samba 4.1.22
  • samba samba 4.1.23
  • samba samba 4.2.0
  • samba samba 4.2.1
  • samba samba 4.2.2
  • samba samba 4.2.3
  • samba samba 4.2.4
  • samba samba 4.2.5
  • samba samba 4.2.6
  • samba samba 4.2.7
  • samba samba 4.2.8
  • samba samba 4.2.9
  • samba samba 4.2.10
  • samba samba 4.2.11
  • samba samba 4.2.12
  • samba samba 4.2.13
  • samba samba 4.2.14
  • samba samba 4.3.0
  • samba samba 4.3.1
  • samba samba 4.3.2
  • samba samba 4.3.3
  • samba samba 4.3.4
  • samba samba 4.3.5
  • samba samba 4.3.6
  • samba samba 4.3.7
  • samba samba 4.3.8
  • samba samba 4.3.9
  • samba samba 4.3.10
  • samba samba 4.3.11
  • samba samba 4.4.0
  • samba samba 4.4.1
  • samba samba 4.4.2
  • samba samba 4.4.3
  • samba samba 4.4.4
  • samba samba 4.4.14
  • samba samba 4.4.15
  • canonical ubuntu_linux 14.04
  • canonical ubuntu_linux 16.04
  • canonical ubuntu_linux 17.04
  • canonical ubuntu_linux 17.10
  • debian debian_linux 8.0
  • debian debian_linux 9.0
  • redhat enterpriselinuxdesktop 6.0
  • redhat enterpriselinuxdesktop 7.0
  • redhat enterpriselinuxserver 6.0
  • redhat enterpriselinuxserver 7.0
  • redhat enterpriselinuxworkstation 6.0
  • redhat enterpriselinuxworkstation 7.0

Ease of attack

CVE-2017-14746:

Access Vector

Access Complexity

Authentication

False positives

False negatives

Corrective action

Update your Samba installation to the newest version, or change your Samba configuration to set the minimum protocol to SMB2.

Contributors

  • Cisco's Talos Intelligence Group

Additional References