Vulnerability Note VU#226184
Samba vulnerable to integer overflow processing file security descriptors
Samba contains an integer overflow vulnerability in code that processes file security descriptors. This could allow an authenticated, remote attacker to execute arbitrary code or cause a denial of service on a vulnerable system.
Samba is an open-source implementation of SMB/CIFS file and print services. It is frequently included in UNIX and Linux distributions and is typically used provide file and print services to Windows clients.
The Samba daemon, smbd, contains a vulnerability in code that processes file security descriptors. While allocating heap memory to store security descriptors, a 32-bit integer counter may overflow (wrap). This counter is truncated and used by smbd to allocate memory to store security descriptors. Without checking the size of this value, smbd may allocate insufficient memory, resulting in a buffer overflow. Heap memory control structures can be overwritten, corrupting heap memory, and possibly allowing the execution of arbitrary code. More information is available in iDEFENSE Security Advisory 12.16.04.
An authenticated, remote attacker could execute arbitrary code or cause a denial of service on a vulnerable system. The smbd daemon typically runs with root privileges.
Systems Affected (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Samba||Affected||-||17 Dec 2004|
|Hitachi||Not Affected||17 Dec 2004||22 Dec 2004|
|Microsoft Corporation||Not Affected||17 Dec 2004||23 Dec 2004|
|Apple Computer Inc.||Unknown||17 Dec 2004||17 Dec 2004|
|Conectiva||Unknown||17 Dec 2004||17 Dec 2004|
|Cray Inc.||Unknown||17 Dec 2004||17 Dec 2004|
|Debian||Unknown||17 Dec 2004||17 Dec 2004|
|EMC Corporation||Unknown||17 Dec 2004||17 Dec 2004|
|Engarde||Unknown||17 Dec 2004||17 Dec 2004|
|F5 Networks||Unknown||17 Dec 2004||17 Dec 2004|
|FreeBSD||Unknown||17 Dec 2004||17 Dec 2004|
|Fujitsu||Unknown||17 Dec 2004||17 Dec 2004|
|Hewlett-Packard Company||Unknown||17 Dec 2004||17 Dec 2004|
|IBM||Unknown||Incorrect data type for operator or @Function: Time/Date expected Incorrect data type for operator or @Function: Time/Date expected Incorrect data type for operator or @Function: Time/Date expected||17 Dec 2004|
|IBM-zSeries||Unknown||17 Dec 2004||17 Dec 2004|
CVSS Metrics (Learn More)
This vulnerability was reported by iDEFENSE.
This document was written by Art Manion.
- CVE IDs: CAN-2004-1154
- Date Public: 16 Dec 2004
- Date First Published: 17 Dec 2004
- Date Last Updated: 05 Jan 2005
- Severity Metric: 14.40
- Document Revision: 24
If you have feedback, comments, or additional information about this vulnerability, please send us email.