CVE-2026-4408
Public on 2026-05-26
Modified on 2026-05-26
Description
Samba file servers and classic (non-AD) domain controllers offer the
SamValidatePasswordChange and SamValidatePasswordReset RPC services on the
SAMR DCE/RPC service when running over NCACN_IP_TCP. Both services pass a
username and password to the "check password script" that can be configured
in smb.conf.
If the "check password script" is configured with the %u
substitution character, the client-controlled username is passed to
the "check password script" without escaping shell meta-characters,
leading to a remote command execution vulnerability.
This is a non-standard configuration in several ways:
It affects Samba file servers and classic (non-AD) domain controllers
that have the "check password script" configured with the %u
substitution character. Active Directory Domain Controllers are not
affected, because they do not expand the username via the %u
substitution character.
The problem is much less dangerous if %u has single quotes directly
around it, e.g. '%u': the username can then no longer break out of the
argument, but it is still passed to the script as a command-line
argument, so a username beginning with "-" can still inject
command-line options.
Standard Samba file servers and classic domain controllers are also
only affected if the samba-dcerpcd service is started as a system
service, which can only happen if "rpc start on demand helpers" is set
to the non-default setting "no". In the default configuration for
DCE/RPC, smbd starts samba-dcerpcd on demand in a way that makes the
vulnerable code inaccessible.
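An added example, not taken from the advisory or from Samba's own code: a POSIX shell audit that applies the conditions above to an smb.conf, plus a mirror of the unescaped %u substitution so the two failure modes (shell metacharacters versus option injection) are visible as the string that would reach the shell. The sample configurations and the script path /usr/local/sbin/pwcheck are constructed; the audit assumes the file is in the flat form that "testparm -s" prints (no "include =" lines or registry settings are followed), and the spellings it treats as the AD DC server role are an assumption.

```shell
#!/bin/sh
# Added example for this advisory; not Samba code and not from the advisory.
# Offline audit: classify an smb.conf against the conditions stated above.
# Assumption: [global] parameters sit on their own lines in the given file
# (as "testparm -s" prints them); "include =" and registry config are ignored.
set -eu

# Print the [global] value of a parameter. Samba ignores case and whitespace in
# parameter names, so $2 is given with no spaces, e.g. "checkpasswordscript".
get_global() {          # $1 = smb.conf path, $2 = normalized parameter name
    awk -v want="$2" '
        /^[ \t]*[;#]/ { next }                                 # comment line
        /^[ \t]*\[/   { insec = tolower($0); gsub(/[ \t]/, "", insec); next }
        insec == "[global]" && index($0, "=") {
            k = $0; sub(/=.*/, "", k); gsub(/[ \t]/, "", k)
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
            if (tolower(k) == want) print v
        }' "$1" | tail -n 1                                    # last one wins
}

# Mirror of the substitution the advisory describes: the first %u is replaced by
# the client-supplied username with no escaping. Only builds the string; never runs it.
render_unescaped() {    # $1 = script template, $2 = username from the client
    t=$1
    case "$t" in
        *%u*) prefix=${t%%%u*}; suffix=${t#*%u}; printf '%s%s%s\n' "$prefix" "$2" "$suffix" ;;
        *)    printf '%s\n' "$t" ;;
    esac
}

# Classification printed on stdout:
#   not-affected    AD DC, no %u in the script, or helpers started on demand (default)
#   exposed         %u unquoted: shell metacharacters in the username reach /bin/sh
#   exposed-quoted  '%u': no shell breakout, but a "-..." username injects options
classify_conf() {       # $1 = smb.conf path
    role=$(get_global "$1" serverrole | tr 'A-Z' 'a-z')
    script=$(get_global "$1" checkpasswordscript)
    helpers=$(get_global "$1" rpcstartondemandhelpers | tr 'A-Z' 'a-z')

    # AD DC spellings treated as equivalent here are an assumption of this example.
    case "$role" in "active directory domain controller"|"domain controller"|dc)
        echo not-affected; return ;; esac
    case "$script"  in *%u*) ;; *) echo not-affected; return ;; esac
    case "$helpers" in no|false|0) ;; *) echo not-affected; return ;; esac   # default is yes
    case "$script"  in *"'%u'"*) echo exposed-quoted ;; *) echo exposed ;; esac
}

# Constructed sample configurations (not from any real host).
TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
cat > "$TMP/exposed.conf" <<'EOF'
[global]
   server role = standalone server
   rpc start on demand helpers = no
   check password script = /usr/local/sbin/pwcheck %u
EOF
cat > "$TMP/quoted.conf" <<'EOF'
[global]
   server role = classic primary domain controller
   rpc start on demand helpers = No
   Check Password Script = /usr/local/sbin/pwcheck '%u'
EOF
cat > "$TMP/default.conf" <<'EOF'
[global]
   ; "rpc start on demand helpers" left at its default (yes): smbd starts
   ; samba-dcerpcd itself and the SAMR path in question is not reachable
   check password script = /usr/local/sbin/pwcheck %u
EOF
cat > "$TMP/addc.conf" <<'EOF'
[global]
   server role = active directory domain controller
   rpc start on demand helpers = no
   check password script = /usr/local/sbin/pwcheck %u
EOF
# Same host as exposed.conf, reconfigured so no client-controlled text reaches
# the shell: the script no longer takes the username on its command line.
cat > "$TMP/fixed.conf" <<'EOF'
[global]
   server role = standalone server
   check password script = /usr/local/sbin/pwcheck
EOF

for f in exposed quoted default addc fixed; do
    printf '%-8s %s\n' "$f" "$(classify_conf "$TMP/$f.conf")"
done
printf 'shell would see: %s\n' "$(render_unescaped '/usr/local/sbin/pwcheck %u' 'bob; id')"
```

On a real host, feed the audit the effective configuration rather than the raw file, e.g. `testparm -s /etc/samba/smb.conf > /tmp/effective.conf`, so that defaults, case and whitespace are already normalized; an "exposed" or "exposed-quoted" result means the samba-dcerpcd SAMR path described above is reachable with a username under client control.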
Affected Packages
| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| Amazon Linux 2 - Core | samba | | | Pending Fix |
| Amazon Linux 2023 | samba | | | Pending Fix |
CVSS Scores
| Source | Score Type | Score | Vector |
|---|---|---|---|
| Amazon Linux | CVSSv3 | 8.1 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |