Vulnerabilities
Misconfiguration
Runtime Security
Compliance
CVE Vulnerabilities

CVE-2014-0178

Improper Initialization

Published: May 28, 2014 | Modified: Sep 01, 2022
CVSS 3.x
N/A
Source:
NVD
CVSS 2.x
3.5 LOW
AV:N/AC:M/Au:S/C:P/I:N/A:N
RedHat/V2
1.4 LOW
AV:A/AC:H/Au:S/C:P/I:N/A:N
RedHat/V3
Ubuntu
MEDIUM
Additional information
NVDhttps://nvd.nist.gov/vuln/detail/CVE-2014-0178
CWEhttps://cwe.mitre.org/data/definitions/665.html

Samba 3.6.6 through 3.6.23, 4.0.x before 4.0.18, and 4.1.x before 4.1.8, when a certain vfs shadow copy configuration is enabled, does not properly initialize the SRV_SNAPSHOT_ARRAY response field, which allows remote authenticated users to obtain potentially sensitive information from process memory via a (1) FSCTL_GET_SHADOW_COPY_DATA or (2) FSCTL_SRV_ENUMERATE_SNAPSHOTS request.

Weakness

The product does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used.

Affected Software

Name Vendor Start Version End Version
Samba Samba 3.6.6 (including) 3.6.25 (excluding)
Samba Samba 4.0.0 (including) 4.0.18 (excluding)
Samba Samba 4.1.0 (including) 4.1.8 (excluding)
Red Hat Enterprise Linux 6 RedHat samba4-0:4.0.0-63.el6_5.rc4 *
Red Hat Enterprise Linux 7 RedHat samba-0:4.1.1-35.el7_0 *
Samba Ubuntu saucy *
Samba Ubuntu trusty *
Samba Ubuntu upstream *
Samba4 Ubuntu lucid *
Samba4 Ubuntu precise *
Samba4 Ubuntu saucy *
Samba4 Ubuntu upstream *

Potential Mitigations

  • Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • For example, in Java, if the programmer does not explicitly initialize a variable, then the code could produce a compile-time error (if the variable is local) or automatically initialize the variable to the default value for the variable’s type. In Perl, if explicit initialization is not performed, then a default value of undef is assigned, which is interpreted as 0, false, or an equivalent value depending on the context in which the variable is accessed.

References

Aqua Security is the largest pure-play cloud native security company, providing customers the freedom to innovate and run their businesses with minimal friction. The Aqua Cloud Native Security Platform provides prevention, detection, and response automation across the entire application lifecycle to secure the build, secure cloud infrastructure and secure running workloads wherever they are deployed.
Copyright © 2024 Aqua Security Software Ltd.   Privacy Policy | Terms of Use