504766 : vulnerability in Samba 3.5.10

Risk 5 : Windows

A remote attacker could create accounts, read part of the credentials file, execute arbitrary commands, cause a denial of service, write to arbitrary files, gain elevated privileges, or evade account lockout during a brute-force password attack.

Server Message Block (SMB) is a network protocol native to Windows systems which allows sharing of files and printers across a network. Samba is a software package which implements the SMB protocol on a variety of platforms, providing compatibility with Windows systems. Every computer which uses the SMB protocol is assigned a NetBIOS name. This name is used to identify the computer on the network for the purpose of resolving SMB requests. Samba servers typically run two daemons: smbd, which provides the SMB file and print services, and nmbd, which provides the NetBIOS name service that allows the server to appear in the Windows Network Neighborhood.

Samba DCE-RPC Packets Handling Buffer Overflow Vulnerability 12/13/13 CVE 2013-4408 CVE 2013-4496
Samba versions prior to 3.6.22, 4.0.13, and 4.1.3 are prone to a vulnerability which can be exploited by malicious people to compromise a vulnerable system. The vulnerability (CVE-2013-4408) is caused by incorrect checking of the DCE-RPC fragment length in Samba's DCE-RPC client code, and can be exploited to cause a buffer overflow by supplying a specially crafted fragment length field. CVE-2013-4496 is a separate issue, fixed later in 3.6.23, 4.0.16, and 4.1.6: password changes made through the SAMR protocol did not count as failed logon attempts, so an attacker could brute-force passwords without triggering account lockout.

Samba Insecure File Permissions and Security Bypass Vulnerabilities 11/15/13 CVE 2013-4475 CVE 2013-4476
Samba versions prior to 3.6.20, 4.0.11, and 4.1.1 do not check the access control list of the underlying file or directory when opening an alternate data stream (CVE-2013-4475). This can be exploited to disclose information such as the contents of alternate streams on files the user is not permitted to read. In addition, Samba versions prior to 4.0.11 and 4.1.1 create the private keys used for SSL/TLS on the ldaps service with insecure, world-readable permissions (CVE-2013-4476). This can be exploited by local users to obtain sensitive information by reading the key file. Note: By default no version of Samba supports alternate data streams on files or directories; the stream issue only applies when a streams VFS module such as vfs_streams_xattr or vfs_streams_depot has been enabled. The http(s) service is only started if the "server services" option contains "web", and the ldap(s) service is only started if Samba is configured as an Active Directory domain controller.

Packet Handling Denial of Service Vulnerability 08/08/13 CVE 2013-4124
Samba before 3.5.22, 3.6.17, and 4.0.8 is prone to a vulnerability which can be exploited to cause a DoS (Denial of Service). The vulnerability is caused by an unspecified error when handling malformed packets and can be exploited to exhaust memory resources by sending a specially crafted packet.

LSA RPC "take ownership" Privilege Security Bypass Vulnerability 05/03/12 CVE 2012-2111
Samba versions 3.4.x before 3.4.17, 3.5.x before 3.5.15, and 3.6.x before 3.6.5 are prone to a vulnerability which can be exploited by malicious users to bypass certain security restrictions. The security issue is caused by improper application of security checks in the CreateAccount, OpenAccount, AddAccountRights, and RemoveAccountRights remote procedure calls (RPC) within the Local Security Authority (LSA). This can be exploited by an authenticated user to grant themselves the "take ownership" privilege and, for example, change the ownership of arbitrary files and directories on the smbd file server.

Unauthenticated remote code execution vulnerability 04/11/12 CVE 2012-1182
A vulnerability in Samba could allow remote, anonymous attackers to execute arbitrary code with root privileges. The problem occurs in the generated (PIDL) code which controls marshalling and unmarshalling of RPC calls over the network, due to the use of a client-supplied length value when allocating the memory for an array. Samba 3.6.3, 3.5.13, and 3.4.15 and earlier are affected by this vulnerability.

3.x Multiple Unspecified Remote Vulnerabilities 09/30/09
Samba 3.x is prone to multiple unspecified remote vulnerabilities, including: an error in 'smbd' that can be exploited to cause a heap-based overflow; an error when Samba is compiled with '--enable-developer' that can lead to a heap-based overflow; multiple unspecified stack overflows; and an unspecified heap-based buffer overflow. Attackers can exploit these issues to execute code within the context of the affected server. Failed exploit attempts will result in a denial-of-service condition.
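The entries above are only useful once they are matched against the version a host actually reports, and the matching is not a simple "less than" comparison: each CVE was fixed on several maintained branches at once, a branch newer than every listed fix already contains it, and an older branch that received no fix (3.5.x for the 2013 issues, for example) was end-of-life and stays vulnerable. The following Python is an added example written for this page, not SAINT's own check logic; it encodes the fix versions quoted above (CVE-2012-1182 is quoted as "3.6.3, 3.5.13, 3.4.15 and earlier", so the fix is the next point release of each branch) plus the CVE-2013-4496 range from the samba.org advisory referenced below, and the banners it triages are constructed, not captured from a real host.

```python
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Per CVE: (first affected release, or None for "all earlier releases") and the first
# fixed release on each maintained branch, as quoted in the advisory text on this page.
# CVE-2012-1182 is quoted as "3.6.3, 3.5.13, 3.4.15 and earlier", i.e. fixed in the
# following point release of each branch. CVE-2013-4496 (SAMR password-lockout bypass)
# is the separate issue behind the lockout item in the summary; its range comes from
# the samba.org advisory for that CVE rather than from the text above. The lower bound
# for CVE-2013-4476 follows from the ldaps service existing only on a 4.x AD DC.
AFFECTED: Dict[str, Tuple[Optional[Version], List[Version]]] = {
    "CVE-2013-4408": (None, [(3, 6, 22), (4, 0, 13), (4, 1, 3)]),
    "CVE-2013-4496": ((3, 4, 0), [(3, 6, 23), (4, 0, 16), (4, 1, 6)]),
    "CVE-2013-4475": (None, [(3, 6, 20), (4, 0, 11), (4, 1, 1)]),
    "CVE-2013-4476": ((4, 0, 0), [(4, 0, 11), (4, 1, 1)]),
    "CVE-2013-4124": (None, [(3, 5, 22), (3, 6, 17), (4, 0, 8)]),
    "CVE-2012-2111": ((3, 4, 0), [(3, 4, 17), (3, 5, 15), (3, 6, 5)]),
    "CVE-2012-1182": (None, [(3, 4, 16), (3, 5, 14), (3, 6, 4)]),
}


def parse_version(banner: str) -> Version:
    """Pull x.y.z out of an SMB banner or `smbd -V` line such as 'Samba 3.5.10'
    or 'Version 4.0.13-Debian'. Vendor suffixes are dropped, so a distribution
    backport that keeps the old version number will still be reported as affected."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError(f"no x.y.z version in {banner!r}")
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def is_affected(version: Version, cve: str) -> bool:
    """True if `version` predates the fix for its branch.
    A branch newer than every listed fix was released after the fix and is clean;
    an older branch with no listed fix was end-of-life when the fix shipped and is
    treated as never fixed, which is the conservative reading of the advisory."""
    lower, fixes = AFFECTED[cve]
    if lower is not None and version < lower:
        return False
    branch = version[:2]
    if branch > max(fix[:2] for fix in fixes):
        return False
    for fix in fixes:
        if fix[:2] == branch:
            return version < fix
    return True


def triage(banner: str) -> List[str]:
    """Return the CVEs from this page that apply to the version in `banner`."""
    version = parse_version(banner)
    return sorted(cve for cve in AFFECTED if is_affected(version, cve))


if __name__ == "__main__":
    # Constructed sample banners, not captured from a real host.
    for banner in ("Samba 3.5.10", "Samba 4.0.13-Debian", "Samba 4.1.5", "Samba 4.1.11"):
        hits = triage(banner)
        print(f"{banner:22s} -> {', '.join(hits) if hits else 'none of the listed CVEs'}")
```

Run it as-is and the subject of this check, Samba 3.5.10, matches every listed CVE except the ldaps key-permission issue, while 4.0.13 clears everything on this page except CVE-2013-4496, which is why the solution below recommends going higher than the versions named in the individual entries. Treat the result as a triage, not a verdict: a version string says nothing about vendor backports or about whether the affected component (streams VFS, AD DC) is actually enabled.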

A list of all reported vulnerabilities affecting Samba is available from http://samba.org/samba/history/security.html Samba.
The Samba DCE-RPC packets handling buffer overflow vulnerability was reported in http://secunia.com/advisories/55966/ Secunia Advisory SA55966 and http://www.samba.org/samba/security/CVE-2013-4496 Samba Security CVE-2013-4496.
The Samba insecure file permissions and security bypass vulnerabilities were reported in http://secunia.com/advisories/55638/ Secunia Advisory SA55638.
The Packet Handling Denial of Service vulnerability was reported in http://secunia.com/advisories/54347/ Secunia Advisory SA54347.
The LSA RPC "take ownership" Privilege Security Bypass vulnerability was reported in http://secunia.com/advisories/48976/ Secunia Advisory SA48976.
The unauthenticated remote code execution vulnerability was reported in a https://www.samba.org/samba/security/CVE-2012-1182 Samba announcement.
The 3.x Multiple Unspecified Remote vulnerabilities were reported in http://www.securityfocus.com/bid/36250/ Bugtraq ID 36250.

Solution:

http://www.samba.org/samba/download Upgrade to Samba 3.6.24, 4.0.21, 4.1.11 or higher. Alternatively, apply a fix from your operating system vendor.

References:
CVSS Information:
Low Attack Complexity, Complete Confidentiality Impact, Complete Integrity Impact, Complete Availability Impact
Credit:
SAINT Corporation : 2010-04-02