Samba SMB/CIFS Packet Assembling Buffer Overflow Vulnerability
Risk
High
Date Discovered
03-15-2003
Description
A buffer overflow vulnerability has been reported for Samba. The vulnerability occurs when the smbd service attempts to re-assemble specially crafted SMB/CIFS packets.
An attacker can exploit this vulnerability by creating a specially formatted SMB/CIFS packet and sending it to a vulnerable Samba server. The overflow condition will be triggered and will result in smbd overwriting sensitive areas of memory with attacker-supplied values.
This vulnerability is further exacerbated by the fact that the smbd service runs with root privileges.
Platforms Affected
Apple MacOS X 10.0.4
Apple MacOS X 10.2 (Jaguar)
Apple MacOS X 10.2.1
Apple MacOS X 10.2.2
Apple MacOS X 10.2.3
Apple MacOS X 10.2.4
Apple MacOS X Server 10.0
Caldera OpenLinux 2.3
Caldera OpenLinux 2.4
Caldera OpenLinux Server 3.1
Caldera OpenLinux Workstation 3.1
Conectiva Linux ecommerce
Conectiva Linux graficas
Conectiva Linux 4.0
Conectiva Linux 4.0 es
Conectiva Linux 4.1
Conectiva Linux 4.2
Conectiva Linux 5.0
Conectiva Linux 5.1
Conectiva Linux 6.0
Debian Linux 2.1
Debian Linux 2.2
Debian Linux 2.2 68k
Debian Linux 2.2 alpha
Debian Linux 2.2 arm
Debian Linux 2.2 powerpc
Debian Linux 2.2 sparc
Debian Linux 2.3
Debian Linux 2.3 alpha
Debian Linux 2.3 powerpc
Debian Linux 2.3 sparc
Debian Linux 3.0
Debian Linux 3.0 alpha
Debian Linux 3.0 arm
Debian Linux 3.0 hppa
Debian Linux 3.0 ia-32
Debian Linux 3.0 ia-64
Debian Linux 3.0 m68k
Debian Linux 3.0 mips
Debian Linux 3.0 mipsel
Debian Linux 3.0 ppc
Debian Linux 3.0 s/390
Debian Linux 3.0 sparc
FreeBSD FreeBSD 4.2
FreeBSD FreeBSD 5.0
MandrakeSoft Linux Mandrake 7.0
MandrakeSoft Linux Mandrake 7.1
MandrakeSoft Linux Mandrake 8.1
MandrakeSoft Linux Mandrake 8.1 ia64
MandrakeSoft Linux Mandrake 8.2
MandrakeSoft Linux Mandrake 8.2 ppc
MandrakeSoft Linux Mandrake 9.0
OpenPKG OpenPKG 1.0
OpenPKG OpenPKG 1.1
Progeny Debian 1.0
RedHat Linux 4.2
RedHat Linux 5.2 alpha
RedHat Linux 5.2 i386
RedHat Linux 5.2 sparc
RedHat Linux 6.0
RedHat Linux 6.1 alpha
RedHat Linux 6.1 i386
RedHat Linux 6.1 sparc
RedHat Linux 6.2
RedHat Linux 6.2 alpha
RedHat Linux 6.2 i386
RedHat Linux 6.2 sparc
RedHat Linux 6.2 E alpha
RedHat Linux 6.2 E i386
RedHat Linux 6.2 E sparc
RedHat Linux 7.0
RedHat Linux 7.0 alpha
RedHat Linux 7.0 i386
RedHat Linux 7.1
RedHat Linux 7.1 alpha
RedHat Linux 7.1 i386
S.u.S.E. Linux 6.3
S.u.S.E. Linux 6.3 alpha
S.u.S.E. Linux 6.4
S.u.S.E. Linux 6.4 alpha
S.u.S.E. Linux 6.4 ppc
S.u.S.E. Linux 7.0
S.u.S.E. Linux 7.0 alpha
S.u.S.E. Linux 7.0 ppc
S.u.S.E. Linux 7.0 sparc
S.u.S.E. Linux 7.1
S.u.S.E. Linux 7.1 alpha
S.u.S.E. Linux 7.1 ppc
S.u.S.E. Linux 7.1 sparc
S.u.S.E. Linux 7.2
SCO eDesktop 2.4
SCO eServer 2.3.1
Sun Solaris 7.0
Sun Solaris 7.0 _x86
Sun Solaris 8.0
Sun Solaris 8.0 _x86
Trustix Secure Linux 1.1
Trustix Secure Linux 1.2
Wirex Immunix OS 6.2
Wirex Immunix OS 7.0
Wirex Immunix OS 7.0 -Beta
Components Affected
Samba Samba 2.0 .0
Samba Samba 2.0.1
Samba Samba 2.0.2
Samba Samba 2.0.3
Samba Samba 2.0.4
Samba Samba 2.0.5
Samba Samba 2.0.6
Samba Samba 2.0.7
Samba Samba 2.0.8
Samba Samba 2.0.9
Samba Samba 2.0.10
Samba Samba 2.2 .0a
Samba Samba 2.2 .0
Samba Samba 2.2.2
Samba Samba 2.2.3 a
Samba Samba 2.2.3
Samba Samba 2.2.4
Samba Samba 2.2.5
Samba Samba 2.2.6
Samba Samba 2.2.7 a
Samba Samba 2.2.7
Recommendations
Block external access at the network boundary, unless service is required by external parties. Configure firewalls to block unsolicited traffic destined for ports 137, 138, 139 and 445. This may prevent exploitation of this vulnerability from unknown third parties.
Deploy network intrusion detection systems to monitor network traffic for malicious activity. Malicious network activity may be indicated by network-based intrusion detection systems. Audit IDS and server logs regularly.
Implement multiple redundant layers of security. The implementation of memory protection schemes, such as non-executable stacks, may help prevent exploitation.
Gentoo Linux has released an advisory (200303-11) that addresses this vulnerability. Users who are running net-fs/samba are advised to upgrade to samba-2.2.8 using the following commands:
emerge sync
emerge samba
emerge clean
Debian has released an advisory. Information about obtaining and applying fixes is available in the referenced advisory.
Fixes available:
Samba Samba 2.0 .0:
Samba Upgrade Samba 2.2.8
http://download.samba.org/samba/ftp/
Samba Samba 2.0.1:
Samba Upgrade Samba 2.2.8
http://download.samba.org/samba/ftp/
Samba Samba 2.0.2:
Samba Upgrade Samba 2.2.8
http://download.samba.org/samba/ftp/
Samba Samba 2.0.3:
Samba Upgrade Samba 2.2.8
http://download.samba.org/samba/ftp/
Samba Samba 2.0.4:
Samba Upgrade Samba 2.2.8
http://download.samba.org/samba/ftp/
Samba Samba 2.0.5:
Samba Upgrade Samba 2.2.8
http://download.samba.org/samba/ftp/
Samba Samba 2.0.6:
Samba Upgrade Samba 2.2.8
http://download.samba.org/samba/ftp/
Samba Samba 2.0.7:
Samba Upgrade Samba 2.2.8
http://download.samba.org/samba/ftp/
Samba Samba 2.0.8:
Samba Upgrade Samba 2.2.8
http://download.samba.org/samba/ftp/
Samba Samba 2.0.9:
Samba Upgrade Samba 2.2.8
http://download.samba.org/samba/ftp/
Samba Samba 2.0.10:
Samba Upgrade Samba 2.2.8
http://download.samba.org/samba/ftp/
Samba Samba 2.2 .0a:
Samba Upgrade Samba 2.2.8
http://download.samba.org/samba/ftp/
Samba Samba 2.2 .0:
Samba Upgrade Samba 2.2.8
http://download.samba.org/samba/ftp/
Samba Samba 2.2.2:
Samba Upgrade Samba 2.2.8
http://download.samba.org/samba/ftp/
Samba Samba 2.2.3 a:
Samba Samba 2.2.3:
Samba Upgrade Samba 2.2.8
http://download.samba.org/samba/ftp/
Samba Samba 2.2.4:
Samba Upgrade Samba 2.2.8
http://download.samba.org/samba/ftp/
Samba Samba 2.2.5:
Samba Upgrade Samba 2.2.8
http://download.samba.org/samba/ftp/
Samba Samba 2.2.6:
Samba Upgrade Samba 2.2.8
http://download.samba.org/samba/ftp/
Samba Samba 2.2.7 a:
Samba Upgrade Samba 2.2.8
http://download.samba.org/samba/ftp/
Samba Samba 2.2.7:
Samba Upgrade Samba 2.2.8
http://download.samba.org/samba/ftp/
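To check a host against the lists above, the following added example (not part of the original advisory) classifies a Samba version string as listed-affected, at or above the 2.2.8 upgrade target, or not covered by the advisory. The function names, the status labels, the "Version X.Y.Z" banner form and the normalization of entries such as "2.0 .0" to 2.0.0 are assumptions of this example.

```shell
#!/bin/sh
# Added example: classify a Samba version string against this advisory.
# AFFECTED is the "Components Affected" list with spacing normalized
# (assumption: "2.0 .0" means 2.0.0, "2.2.3 a" means 2.2.3a).
AFFECTED="2.0.0 2.0.1 2.0.2 2.0.3 2.0.4 2.0.5 2.0.6 2.0.7 2.0.8 2.0.9 2.0.10
2.2.0 2.2.0a 2.2.2 2.2.3 2.2.3a 2.2.4 2.2.5 2.2.6 2.2.7 2.2.7a"

# Pull "X.Y.Z[letters]" out of a bare version or a "Version X.Y.Z" banner.
samba_version() {
    printf '%s\n' "$1" |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*[a-z]*\).*$/\1/p'
}

# Succeed when the numeric part of $1 is 2.2.8 (the upgrade target) or newer.
at_least_fixed() {
    num=${1%%[a-z]*}              # 2.2.7a -> 2.2.7
    old_ifs=$IFS; IFS=.
    set -- $num                   # split into major minor patch
    IFS=$old_ifs
    if [ "$1" -ne 2 ]; then [ "$1" -gt 2 ]; return; fi
    if [ "$2" -ne 2 ]; then [ "$2" -gt 2 ]; return; fi
    [ "$3" -ge 8 ]
}

# Print one of: affected | fixed | unlisted | unknown
samba_status() {
    v=$(samba_version "$1")
    if [ -z "$v" ]; then echo unknown; return 0; fi
    for a in $AFFECTED; do
        if [ "$v" = "$a" ]; then echo affected; return 0; fi
    done
    # "fixed" means 2.2.8 or newer; "unlisted" means older than 2.2.8
    # but not named in the advisory's list, so the page says nothing about it.
    if at_least_fixed "$v"; then echo fixed; else echo unlisted; fi
}

# Constructed sample inputs, not output captured from a real host.
for s in "Version 2.2.7a" "2.0.10" "Version 2.2.8" "2.2.1" "n/a"; do
    printf '%-16s %s\n' "$s" "$(samba_status "$s")"
done
```

On a live host the input would be the banner printed by the installed smbd binary; a result of "unlisted" should be checked against the vendor advisory rather than treated as safe.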
References
Source: Gentoo 200303-11 samba
URL: http://online.securityfocus.com/advisories/5097
Source: Debian DSA-262-1 samba
URL: http://online.securityfocus.com/advisories/5095
Source: Samba 2.2.8 available for download
URL: http://lists.samba.org/pipermail/samba-announce/2003-March/000063.html
Source: Samba Homepage
URL: http://www.samba.org
Credits
Discovery of this vulnerability credited to Sebastian Krahmer <krahmer at suse.de>.
Copyright (c) 2003 by Symantec Corp.
Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Security Response. Reprinting the whole or part of this alert in any medium other than electronically requires permission from symsecurity@symantec.com.
Disclaimer
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
Symantec, Symantec products, Symantec Security Response, and SymSecurity are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.