504766 : vulnerability in Samba 3.0.37

Risk 5 : Windows

A remote attacker could create accounts, read part of the credentials file, execute arbitrary commands, cause a denial of service, write to arbitrary files, gain elevated privileges, or disable logging of failed login attempts in a brute-force password attack.

Server Message Block (SMB) is a network protocol native to Windows systems which allows sharing of files and printers across a network. Samba is a software package which implements the SMB protocol on a variety of platforms, providing compatibility with Windows systems. Every computer which uses the SMB protocol is assigned a NetBIOS name. This name is used to identify the computer on the network for the purposes of resolving SMB requests. Samba servers typically run two daemons: smbd, which provides SMB services, and nmbd, which provides the name service that allows the server to appear in the Windows Network Neighborhood.

Unauthenticated remote code execution vulnerability (04/11/12, CVE-2012-1182): A vulnerability in Samba could allow remote, anonymous attackers to execute arbitrary code with root privileges. The problem occurs in generated code which controls marshalling and unmarshalling of RPC calls over the network, due to the use of a client-supplied length value when allocating the memory for an array. Samba 3.6.3, 3.5.13, and 3.4.15 and earlier are affected by this vulnerability.

Any Batched Request Handling Buffer Overflow Vulnerability (02/29/12, CVE-2012-0870): Samba before 3.4.0 is prone to a vulnerability which can be exploited by malicious people to compromise a vulnerable system. The vulnerability is caused by an error in process.c when handling Any Batched (AndX) request packets and can be exploited to cause a heap-based buffer overflow.

SWAT Cross-Site Scripting and Request Forgery Vulnerabilities (08/03/11, CVE-2011-2522, CVE-2011-2694): Samba before 3.5.10 is prone to two vulnerabilities which can be exploited by malicious people to conduct cross-site scripting and request forgery attacks. Successful exploitation of the vulnerabilities requires that SWAT is enabled (not the default).

"FD_SET" Memory Corruption Vulnerability (03/14/11, CVE-2011-0719): Samba before 3.5.7 is prone to a memory-corruption vulnerability. An attacker can exploit this issue to crash the application or cause the application to enter an infinite loop.

sid_parse buffer overflow (09/14/10, CVE-2010-3069): A buffer overflow vulnerability in the sid_parse function allows a client to execute arbitrary commands by sending a long, specially crafted Windows SID represented in binary. Samba versions prior to 3.5.5 are affected by this vulnerability.

SMB1 Packets Chaining Memory Corruption (06/21/10, CVE-2010-2063): A memory corruption vulnerability has been reported in Samba before 3.3.13. The vulnerability is due to improper validation when chaining SMB1 packets. Remote attackers could exploit this vulnerability by sending a crafted SMB message to a target SMB server. Successful exploitation would allow arbitrary code injection and execution, which might allow the attacker to take complete control of the target host. Code injection that does not result in execution could crash the target system, resulting in a denial-of-service condition.

Vulnerabilities fixed in 3.4.8 and 3.5.2 (06/02/10, CVE-2010-1635, CVE-2010-1642): Samba before 3.4.8 and 3.5.2 is prone to multiple remote denial-of-service vulnerabilities. An attacker can exploit these issues to crash the application, denying service to legitimate users.

client/mount.cifs.c Local Denial of Service Vulnerability (03/26/10, CVE-2010-0547): Samba 3.4.5 and prior are prone to a local denial-of-service vulnerability. A local attacker can exploit this issue to corrupt system files, resulting in a denial-of-service condition.

Symlink Directory Traversal Vulnerability (03/12/10, CVE-2010-0926): Samba is prone to a directory-traversal vulnerability because the application fails to sufficiently sanitize user-supplied input. Exploits would allow an attacker to access files outside of the Samba user's root directory to obtain sensitive information and perform other attacks. To exploit this issue, attackers require authenticated access to a writable share. This issue may be exploited through a writable share accessible by guest accounts.

mount.cifs Utility Local Privilege Escalation Vulnerability (03/04/10, CVE-2010-0787): Samba is prone to a local privilege-escalation vulnerability in the 'mount.cifs' utility. Local attackers can exploit this issue to gain elevated privileges on affected computers. Samba 3.4.5, 3.3.8, 3.2.15, 3.0.37, and prior are vulnerable.

3.x Multiple Unspecified Remote Vulnerabilities (09/30/09): Samba 3.x is prone to multiple unspecified remote vulnerabilities, including: an error in 'smbd' that can be exploited to cause a heap-based overflow; an error when Samba is compiled with '--enable-developer' that can lead to a heap-based overflow; multiple unspecified stack overflows; and an unspecified heap-based buffer overflow. Attackers can exploit these issues to execute code within the context of the affected server. Failed exploit attempts will result in a denial-of-service condition.

A list of all reported vulnerabilities affecting Samba is available from Samba (http://samba.org/samba/history/security.html).
The unauthenticated remote code execution vulnerability was reported in a Samba announcement (https://www.samba.org/samba/security/CVE-2012-1182).
The Any Batched Request Handling Buffer Overflow vulnerability was reported in Secunia Advisory SA48152 (http://secunia.com/advisories/48152/).
The SWAT Cross-Site Scripting and Request Forgery vulnerabilities were reported in Secunia Advisory SA45393 (http://secunia.com/advisories/45393/).
The "FD_SET" Memory Corruption vulnerability was reported in Secunia Advisory SA43512 (http://secunia.com/advisories/43512/).
The sid_parse buffer overflow was reported in the Samba 3.5.5 release notes (http://us1.samba.org/samba/history/samba-3.5.5.html).
The SMB1 Packets Chaining Memory Corruption vulnerability was reported in Bugtraq ID 40884 (http://www.securityfocus.com/bid/40884/).
The vulnerabilities fixed in 3.4.8 and 3.5.2 were reported in Bugtraq ID 40097 (http://www.securityfocus.com/bid/40097/).
The client/mount.cifs.c Local Denial of Service vulnerability was reported in Bugtraq ID 38326 (http://www.securityfocus.com/bid/38326/).
The Symlink Directory Traversal vulnerability was reported in Bugtraq ID 38111 (http://www.securityfocus.com/bid/38111/).
The mount.cifs Utility Local Privilege Escalation vulnerability was reported in Bugtraq ID 37992 (http://www.securityfocus.com/bid/37992/).
The 3.x Multiple Unspecified Remote vulnerabilities were reported in Bugtraq ID 36250 (http://www.securityfocus.com/bid/36250/).

Solution:

Upgrade to Samba 3.6.22, 4.0.16, 4.1.6 or higher (http://www.samba.org/samba/download). Alternatively, apply a fix from your operating system vendor.
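As an added example (not part of this advisory), the following Python script classifies Samba version strings collected from an inventory (for example the output of `smbd -V`) against the fixed releases named in the solution above, branch by branch; the sample banners are constructed.

```python
"""Check collected Samba version banners against the fixed releases
named in this advisory (3.6.22, 4.0.16, 4.1.6). Added example, not
advisory or Samba project code."""
import re

# Fixed release per maintained branch, as listed in the solution section.
FIXED = {(3, 6): (3, 6, 22), (4, 0): (4, 0, 16), (4, 1): (4, 1, 6)}


def parse_version(text):
    """Return (major, minor, patch) from a banner such as 'Version 3.6.3'
    or 'Samba 4.1.6-Debian'; None when no dotted version is present."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(x) for x in m.groups()) if m else None


def is_fixed(version):
    """True when the version is at or above the fixed release of its branch.
    Branches older than 3.6 have no fixed release in this advisory, so they
    are reported as unfixed; branches newer than 4.1 postdate the fixes."""
    branch = version[:2]
    if branch in FIXED:
        return version >= FIXED[branch]
    return branch > (4, 1)


def assess(banner):
    """Map one banner to 'fixed', 'vulnerable' or 'unknown'."""
    version = parse_version(banner)
    if version is None:
        return "unknown"
    return "fixed" if is_fixed(version) else "vulnerable"


if __name__ == "__main__":
    # Constructed sample inventory: hostname and the banner collected from it.
    inventory = [
        ("fs01", "Version 3.0.37"),
        ("fs02", "Version 3.6.22"),
        ("fs03", "Version 4.0.15"),
        ("fs04", "Version 4.2.0"),
    ]
    for host, banner in inventory:
        print(host, assess(banner))
```

Vendor builds that backport the fix keep the old upstream version number, so a "vulnerable" result from this check should be confirmed against the operating system vendor's patch level before acting on it.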

References:
CVSS Information:
Low Attack Complexity, Complete Confidentiality Impact, Complete Integrity Impact, Complete Availability Impact
Credit:
Saint Corporation : 2010-04-02