Vulnerability Note VU#226184

Samba vulnerable to integer overflow processing file security descriptors

Original Release date: 17 Dec 2004 | Last revised: 05 Jan 2005

Overview

Samba contains an integer overflow vulnerability in code that processes file security descriptors. This could allow an authenticated, remote attacker to execute arbitrary code or cause a denial of service on a vulnerable system.

Description

Samba is an open-source implementation of SMB/CIFS file and print services. It is frequently included in UNIX and Linux distributions and is typically used provide file and print services to Windows clients.

The Samba daemon, smbd, contains a vulnerability in code that processes file security descriptors. While allocating heap memory to store security descriptors, a 32-bit integer counter may overflow (wrap). This counter is truncated and used by smbd to allocate memory to store security descriptors. Without checking the size of this value, smbd may allocate insufficient memory, resulting in a buffer overflow. Heap memory control structures can be overwritten, corrupting heap memory, and possibly allowing the execution of arbitrary code. More information is available in iDEFENSE Security Advisory 12.16.04.

An authenticated, remote attacker could exploit this vulnerability using a specially crafted SMB packet. Note that an attacker may be authenticated to an anonymous share, in which case the attacker would not require valid credentials, just a TCP connection.

Impact

An authenticated, remote attacker could execute arbitrary code or cause a denial of service on a vulnerable system. The smbd daemon typically runs with root privileges.

Solution

Patch or upgrade
Apply a patch or upgrade as specified by your vendor. This vulnerability is addressed in Samba 3.0.10 and a patch (with signature) is available for Samba 3.0.9.


Restrict access

The Samba Server Security web page documents several ways to restrict access to Samba servers based on network interface, IP network, and TCP ports (139 and 445). Also, consider disabling or carefully restricting access to anonymous shares.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
SambaAffected-17 Dec 2004
HitachiNot Affected17 Dec 200422 Dec 2004
Microsoft CorporationNot Affected17 Dec 200423 Dec 2004
Apple Computer Inc.Unknown17 Dec 200417 Dec 2004
ConectivaUnknown17 Dec 200417 Dec 2004
Cray Inc.Unknown17 Dec 200417 Dec 2004
DebianUnknown17 Dec 200417 Dec 2004
EMC CorporationUnknown17 Dec 200417 Dec 2004
EngardeUnknown17 Dec 200417 Dec 2004
F5 NetworksUnknown17 Dec 200417 Dec 2004
FreeBSDUnknown17 Dec 200417 Dec 2004
FujitsuUnknown17 Dec 200417 Dec 2004
Hewlett-Packard CompanyUnknown17 Dec 200417 Dec 2004
IBMUnknownIncorrect data type for operator or @Function: Time/Date expected Incorrect data type for operator or @Function: Time/Date expected Incorrect data type for operator or @Function: Time/Date expected17 Dec 2004
IBM-zSeriesUnknown17 Dec 200417 Dec 2004
If you are a vendor and your product is affected, let us know.View More »

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

This vulnerability was reported by iDEFENSE.

This document was written by Art Manion.

Other Information

  • CVE IDs: CAN-2004-1154
  • Date Public: 16 Dec 2004
  • Date First Published: 17 Dec 2004
  • Date Last Updated: 05 Jan 2005
  • Severity Metric: 14.40
  • Document Revision: 24

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.