SkipNavigation
Home | FAQ | Contact | Privacy Policy
US-CERT
American Flag
  Vulnerability
Notes
Database

Search Vulnerability Notes

Vulnerability Notes Help Information


 
 View Notes By
  Name

ID Number

CVE Name

Date Public

Date Published

Date Updated

Severity Metric
 Other Documents
  Technical Alerts

Technical Bulletins

Alerts

Security Tips
 

Vulnerability Note VU#226184

Samba vulnerable to integer overflow processing file security descriptors

Overview

Samba contains an integer overflow vulnerability in code that processes file security descriptors. This could allow an authenticated, remote attacker to execute arbitrary code or cause a denial of service on a vulnerable system.

I. Description

Samba is an open-source implementation of SMB/CIFS file and print services. It is frequently included in UNIX and Linux distributions and is typically used provide file and print services to Windows clients.

The Samba daemon, smbd, contains a vulnerability in code that processes file security descriptors. While allocating heap memory to store security descriptors, a 32-bit integer counter may overflow (wrap). This counter is truncated and used by smbd to allocate memory to store security descriptors. Without checking the size of this value, smbd may allocate insufficient memory, resulting in a buffer overflow. Heap memory control structures can be overwritten, corrupting heap memory, and possibly allowing the execution of arbitrary code. More information is available in iDEFENSE Security Advisory 12.16.04.

An authenticated, remote attacker could exploit this vulnerability using a specially crafted SMB packet. Note that an attacker may be authenticated to an anonymous share, in which case the attacker would not require valid credentials, just a TCP connection.

II. Impact

An authenticated, remote attacker could execute arbitrary code or cause a denial of service on a vulnerable system. The smbd daemon typically runs with root privileges.

III. Solution

Patch or upgrade

Apply a patch or upgrade as specified by your vendor. This vulnerability is addressed in Samba 3.0.10 and a patch (with signature) is available for Samba 3.0.9.

Restrict access

The Samba Server Security web page documents several ways to restrict access to Samba servers based on network interface, IP network, and TCP ports (139 and 445). Also, consider disabling or carefully restricting access to anonymous shares.

Systems Affected

VendorStatusDate Updated
Apple Computer Inc.Unknown17-Dec-2004
ConectivaUnknown17-Dec-2004
Cray Inc.Unknown17-Dec-2004
DebianUnknown17-Dec-2004
EMC CorporationUnknown17-Dec-2004
EngardeUnknown17-Dec-2004
F5 NetworksUnknown17-Dec-2004
FreeBSDUnknown17-Dec-2004
FujitsuUnknown17-Dec-2004
Hewlett-Packard CompanyUnknown17-Dec-2004
HitachiNot Vulnerable22-Dec-2004
IBMUnknown17-Dec-2004
IBM-zSeriesUnknown17-Dec-2004
IBM eServerUnknown17-Dec-2004
ImmunixUnknown17-Dec-2004
Ingrian NetworksUnknown17-Dec-2004
Juniper NetworksUnknown17-Dec-2004
MandrakeSoftUnknown17-Dec-2004
Microsoft CorporationNot Vulnerable23-Dec-2004
MontaVista SoftwareUnknown17-Dec-2004
NEC CorporationUnknown17-Dec-2004
NETBSDUnknown17-Dec-2004
NokiaUnknown17-Dec-2004
NovellUnknown17-Dec-2004
OpenBSDUnknown17-Dec-2004
Openwall GNU/*/LinuxUnknown17-Dec-2004
Red Hat Inc.Unknown17-Dec-2004
SambaVulnerable17-Dec-2004
SCOUnknown17-Dec-2004
SequentUnknown17-Dec-2004
SGIUnknown17-Dec-2004
Sony CorporationUnknown17-Dec-2004
Sun Microsystems Inc.Unknown17-Dec-2004
SuSE Inc.Unknown20-Dec-2004
TurboLinuxUnknown17-Dec-2004
UnisysUnknown17-Dec-2004
Wind River Systems Inc.Unknown17-Dec-2004

References


http://www.idefense.com/application/poi/display?id=165
http://www.samba.org/samba/news/#3.0.10
http://www.samba.org/samba/security/CAN-2004-1154.html
http://www.samba.org/samba/ftp/patches/security/samba-3.0.9-CAN-2004-1154.patch.asc
http://www.samba.org/samba/ftp/patches/security/samba-3.0.9-CAN-2004-1154.patch
http://www.samba.org/samba/history/security.html
http://www.samba.org/samba/docs/server_security.html
http://secunia.com/advisories/13453/

Credit

This vulnerability was reported by iDEFENSE.

This document was written by Art Manion.

Other Information

Date Public12/16/2004
Date First Published12/17/2004 12:57:05 PM
Date Last Updated01/05/2005
CERT Advisory 
CVE NameCAN-2004-1154
US-CERT Technical Alerts 
Metric14.40
Document Revision24

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Page Corner Image
Copyright 2004 Carnegie Mellon University
Disclaimers and copyright information
Get Adobe Reader Get Adobe Reader