Executive Summary

Summary
Title samba security update
Informations
Name RHSA-2007:1016 First vendor Publication 2007-11-15
Vendor RedHat Last vendor Modification 2007-11-15
Severity (Vendor) Critical Revision 01

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Cvss Base Score 9.3 Attack Range Network
Cvss Impact Score 10 Attack Complexity Medium
Cvss Expoit Score 8.6 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Problem Description:

Updated samba packages that fix several security issues are now available for Red Hat Enterprise Linux 4.

This update has been rated as having critical security impact by the Red Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64 Red Hat Enterprise Linux Desktop version 4 - i386, x86_64 Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64 Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64

3. Problem description:

Samba is a suite of programs used by machines to share files, printers, and other information.

A buffer overflow flaw was found in the way Samba creates NetBIOS replies. If a Samba server is configured to run as a WINS server, a remote unauthenticated user could cause the Samba server to crash or execute arbitrary code. (CVE-2007-5398)

A heap-based buffer overflow flaw was found in the way Samba authenticates users. A remote unauthenticated user could trigger this flaw to cause the Samba server to crash. Careful analysis of this flaw has determined that arbitrary code execution is not possible, and under most circumstances will not result in a crash of the Samba server. (CVE-2007-4572)

A flaw was found in the way Samba assigned group IDs under certain conditions. If the "winbind nss info" parameter in smb.conf is set to either "sfu" or "rfc2307", Samba users are incorrectly assigned the group ID of 0. (CVE-2007-4138)

Red Hat would like to thank Alin Rad Pop of Secunia Research, Rick King, and the Samba developers for responsibly disclosing these issues.

All Samba users are advised to upgrade to these updated packages, which contain a backported patch to correct these issues.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/FAQ_58_10188

5. Bug IDs fixed (http://bugzilla.redhat.com/):

286271 - CVE-2007-4138 samba incorrect primary group assignment for domain users using the rfc2307 or sfu winbind nss info plugin 294631 - CVE-2007-4572 samba buffer overflow 358831 - CVE-2007-5398 Samba "reply_netbios_packet()" Buffer Overflow Vulnerability

Original Source

Url : https://rhn.redhat.com/errata/RHSA-2007-1016.html

CWE : Common Weakness Enumeration

% Id Name
67 % CWE-119 Failure to Constrain Operations within the Bounds of a Memory Buffer
33 % CWE-264 Permissions, Privileges, and Access Controls

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:10230
 
Oval ID: oval:org.mitre.oval:def:10230
Title: Stack-based buffer overflow in the reply_netbios_packet function in nmbd/nmbd_packets.c in nmbd in Samba 3.0.0 through 3.0.26a, when operating as a WINS server, allows remote attackers to execute arbitrary code via crafted WINS Name Registration requests followed by a WINS Name Query request.
Description: Stack-based buffer overflow in the reply_netbios_packet function in nmbd/nmbd_packets.c in nmbd in Samba 3.0.0 through 3.0.26a, when operating as a WINS server, allows remote attackers to execute arbitrary code via crafted WINS Name Registration requests followed by a WINS Name Query request.
Family: unix Class: vulnerability
Reference(s): CVE-2007-5398
Version: 5
Platform(s): Red Hat Enterprise Linux 3
CentOS Linux 3
Red Hat Enterprise Linux 4
CentOS Linux 4
Oracle Linux 4
Red Hat Enterprise Linux 5
CentOS Linux 5
Oracle Linux 5
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:10375
 
Oval ID: oval:org.mitre.oval:def:10375
Title: The Winbind nss_info extension (nsswitch/idmap_ad.c) in idmap_ad.so in Samba 3.0.25 through 3.0.25c, when the "winbind nss info" option is set to rfc2307 or sfu, grants all local users the privileges of gid 0 when the (1) RFC2307 or (2) Services for UNIX (SFU) primary group attribute is not defined.
Description: The Winbind nss_info extension (nsswitch/idmap_ad.c) in idmap_ad.so in Samba 3.0.25 through 3.0.25c, when the "winbind nss info" option is set to rfc2307 or sfu, grants all local users the privileges of gid 0 when the (1) RFC2307 or (2) Services for UNIX (SFU) primary group attribute is not defined.
Family: unix Class: vulnerability
Reference(s): CVE-2007-4138
Version: 5
Platform(s): Red Hat Enterprise Linux 4
CentOS Linux 4
Oracle Linux 4
Red Hat Enterprise Linux 5
CentOS Linux 5
Oracle Linux 5
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:11132
 
Oval ID: oval:org.mitre.oval:def:11132
Title: Stack-based buffer overflow in nmbd in Samba 3.0.0 through 3.0.26a, when configured as a Primary or Backup Domain controller, allows remote attackers to have an unknown impact via crafted GETDC mailslot requests, related to handling of GETDC logon server requests.
Description: Stack-based buffer overflow in nmbd in Samba 3.0.0 through 3.0.26a, when configured as a Primary or Backup Domain controller, allows remote attackers to have an unknown impact via crafted GETDC mailslot requests, related to handling of GETDC logon server requests.
Family: unix Class: vulnerability
Reference(s): CVE-2007-4572
Version: 5
Platform(s): Red Hat Enterprise Linux 3
CentOS Linux 3
Red Hat Enterprise Linux 4
CentOS Linux 4
Oracle Linux 4
Red Hat Enterprise Linux 5
CentOS Linux 5
Oracle Linux 5
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:17460
 
Oval ID: oval:org.mitre.oval:def:17460
Title: USN-544-1 -- samba vulnerabilities
Description: Samba developers discovered that nmbd could be made to overrun a buffer during the processing of GETDC logon server requests.
Family: unix Class: patch
Reference(s): USN-544-1
CVE-2007-4572
CVE-2007-5398
Version: 7
Platform(s): Ubuntu 6.06
Ubuntu 6.10
Ubuntu 7.04
Ubuntu 7.10
Product(s): samba
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:17753
 
Oval ID: oval:org.mitre.oval:def:17753
Title: USN-544-2 -- samba regression
Description: USN-544-1 fixed two vulnerabilities in Samba.
Family: unix Class: patch
Reference(s): USN-544-2
CVE-2007-5398
CVE-2007-4572
Version: 7
Platform(s): Ubuntu 6.06
Ubuntu 6.10
Ubuntu 7.04
Ubuntu 7.10
Product(s): samba
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:18728
 
Oval ID: oval:org.mitre.oval:def:18728
Title: DSA-1409-1 samba - several vulnerabilities
Description: This update fixes all currently known regressions introduced with the previous two revisions of DSA-1409. The original text is reproduced below:
Family: unix Class: patch
Reference(s): DSA-1409-1
CVE-2007-4572
CVE-2007-5398
Version: 7
Platform(s): Debian GNU/Linux 4.0
Product(s): samba
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:20204
 
Oval ID: oval:org.mitre.oval:def:20204
Title: DSA-1409-2 samba - several vulnerabilities
Description: This update fixes all currently known regressions introduced with the previous two revisions of DSA-1409. The original text is reproduced below.
Family: unix Class: patch
Reference(s): DSA-1409-2
CVE-2007-4572
CVE-2007-5398
Version: 5
Platform(s): Debian GNU/Linux 4.0
Product(s): samba
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:20356
 
Oval ID: oval:org.mitre.oval:def:20356
Title: DSA-1409-3 samba - several vulnerabilities (update)
Description: This update fixes all currently known regressions introduced with the previous two revisions of DSA-1409. The original text is reproduced below.
Family: unix Class: patch
Reference(s): DSA-1409-3
CVE-2007-4572
CVE-2007-5398
Version: 5
Platform(s): Debian GNU/Linux 4.0
Product(s): samba
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:22612
 
Oval ID: oval:org.mitre.oval:def:22612
Title: ELSA-2007:1017: samba security update (Critical)
Description: Stack-based buffer overflow in the reply_netbios_packet function in nmbd/nmbd_packets.c in nmbd in Samba 3.0.0 through 3.0.26a, when operating as a WINS server, allows remote attackers to execute arbitrary code via crafted WINS Name Registration requests followed by a WINS Name Query request.
Family: unix Class: patch
Reference(s): ELSA-2007:1017-01
CVE-2007-4572
CVE-2007-4138
CVE-2007-5398
Version: 17
Platform(s): Oracle Linux 5
Product(s): samba
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:5643
 
Oval ID: oval:org.mitre.oval:def:5643
Title: HP-UX running HP CIFS Server (Samba), Remote Execution of Arbitrary Code
Description: Stack-based buffer overflow in nmbd in Samba 3.0.0 through 3.0.26a, when configured as a Primary or Backup Domain controller, allows remote attackers to have an unknown impact via crafted GETDC mailslot requests, related to handling of GETDC logon server requests.
Family: unix Class: vulnerability
Reference(s): CVE-2007-4572
Version: 9
Platform(s): HP-UX 11
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:5811
 
Oval ID: oval:org.mitre.oval:def:5811
Title: HP-UX running HP CIFS Server (Samba), Remote Execution of Arbitrary Code
Description: Stack-based buffer overflow in the reply_netbios_packet function in nmbd/nmbd_packets.c in nmbd in Samba 3.0.0 through 3.0.26a, when operating as a WINS server, allows remote attackers to execute arbitrary code via crafted WINS Name Registration requests followed by a WINS Name Query request.
Family: unix Class: vulnerability
Reference(s): CVE-2007-5398
Version: 9
Platform(s): HP-UX 11
Product(s):
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 48

OpenVAS Exploits

Date Description
2010-05-12 Name : Mac OS X Security Update 2007-009
File : nvt/macosx_secupd_2007-009.nasl
2010-02-15 Name : Solaris Update for Samba 114684-15
File : nvt/gb_solaris_114684_15.nasl
2010-02-15 Name : Solaris Update for Samba 114685-15
File : nvt/gb_solaris_114685_15.nasl
2009-11-17 Name : Mac OS X Version
File : nvt/macosx_version.nasl
2009-10-13 Name : Solaris Update for Samba 114684-14
File : nvt/gb_solaris_114684_14.nasl
2009-10-13 Name : Solaris Update for Samba 119758-16
File : nvt/gb_solaris_119758_16.nasl
2009-10-13 Name : Solaris Update for Samba 114685-14
File : nvt/gb_solaris_114685_14.nasl
2009-10-13 Name : Solaris Update for Samba 119757-16
File : nvt/gb_solaris_119757_16.nasl
2009-10-10 Name : SLES9: Security update for Samba
File : nvt/sles9p5014067.nasl
2009-09-23 Name : Solaris Update for Samba 119757-15
File : nvt/gb_solaris_119757_15.nasl
2009-09-23 Name : Solaris Update for Samba 119758-15
File : nvt/gb_solaris_119758_15.nasl
2009-06-03 Name : Solaris Update for Samba 119757-14
File : nvt/gb_solaris_119757_14.nasl
2009-06-03 Name : Solaris Update for Samba 119758-14
File : nvt/gb_solaris_119758_14.nasl
2009-06-03 Name : Solaris Update for Samba 114685-13
File : nvt/gb_solaris_114685_13.nasl
2009-06-03 Name : Solaris Update for Samba 114684-13
File : nvt/gb_solaris_114684_13.nasl
2009-05-05 Name : HP-UX Update for HP CIFS Server (Samba) HPSBUX02316
File : nvt/gb_hp_ux_HPSBUX02316.nasl
2009-05-05 Name : HP-UX Update for HP CIFS Server (Samba) HPSBUX02341
File : nvt/gb_hp_ux_HPSBUX02341.nasl
2009-04-09 Name : Mandriva Update for samba MDKSA-2007:224-3 (samba)
File : nvt/gb_mandriva_MDKSA_2007_224_3.nasl
2009-04-09 Name : Mandriva Update for samba MDKSA-2007:224-1 (samba)
File : nvt/gb_mandriva_MDKSA_2007_224_1.nasl
2009-04-09 Name : Mandriva Update for samba MDKSA-2007:224 (samba)
File : nvt/gb_mandriva_MDKSA_2007_224.nasl
2009-03-23 Name : Ubuntu Update for samba regression USN-544-2
File : nvt/gb_ubuntu_USN_544_2.nasl
2009-03-23 Name : Ubuntu Update for samba vulnerabilities USN-544-1
File : nvt/gb_ubuntu_USN_544_1.nasl
2009-03-23 Name : Ubuntu Update for samba vulnerabilities USN-617-1
File : nvt/gb_ubuntu_USN_617_1.nasl
2009-03-23 Name : Ubuntu Update for samba regression USN-617-2
File : nvt/gb_ubuntu_USN_617_2.nasl
2009-03-06 Name : RedHat Update for samba RHSA-2007:1114-01
File : nvt/gb_RHSA-2007_1114-01_samba.nasl
2009-02-27 Name : CentOS Update for samba CESA-2007:1114 centos3 x86_64
File : nvt/gb_CESA-2007_1114_samba_centos3_x86_64.nasl
2009-02-27 Name : CentOS Update for samba CESA-2007:1114-01 centos2 i386
File : nvt/gb_CESA-2007_1114-01_samba_centos2_i386.nasl
2009-02-27 Name : CentOS Update for samba CESA-2007:1114 centos3 i386
File : nvt/gb_CESA-2007_1114_samba_centos3_i386.nasl
2009-02-27 Name : Fedora Update for samba FEDORA-2007-2145
File : nvt/gb_fedora_2007_2145_samba_fc7.nasl
2009-02-27 Name : Fedora Update for samba FEDORA-2007-3402
File : nvt/gb_fedora_2007_3402_samba_fc7.nasl
2009-02-27 Name : Fedora Update for samba FEDORA-2007-3403
File : nvt/gb_fedora_2007_3403_samba_fc8.nasl
2009-02-27 Name : Fedora Update for samba FEDORA-2007-4275
File : nvt/gb_fedora_2007_4275_samba_fc8.nasl
2009-02-27 Name : Fedora Update for samba FEDORA-2007-751
File : nvt/gb_fedora_2007_751_samba_fc6.nasl
2009-02-17 Name : Fedora Update for samba FEDORA-2008-4679
File : nvt/gb_fedora_2008_4679_samba_fc8.nasl
2009-02-16 Name : Fedora Update for samba FEDORA-2008-10638
File : nvt/gb_fedora_2008_10638_samba_fc8.nasl
2009-01-28 Name : SuSE Update for samba SUSE-SA:2007:065
File : nvt/gb_suse_2007_065.nasl
2008-09-24 Name : Gentoo Security Advisory GLSA 200711-29 (samba)
File : nvt/glsa_200711_29.nasl
2008-09-04 Name : FreeBSD Ports: samba
File : nvt/freebsd_samba11.nasl
2008-09-04 Name : FreeBSD Ports: samba, samba3, ja-samba
File : nvt/freebsd_samba10.nasl
2008-01-17 Name : Debian Security Advisory DSA 1409-1 (samba)
File : nvt/deb_1409_1.nasl
2008-01-17 Name : Debian Security Advisory DSA 1409-3 (samba)
File : nvt/deb_1409_3.nasl
2008-01-17 Name : Debian Security Advisory DSA 1409-2 (samba)
File : nvt/deb_1409_2.nasl
0000-00-00 Name : Slackware Advisory SSA:2007-320-01 samba
File : nvt/esoft_slk_ssa_2007_320_01.nasl
0000-00-00 Name : Slackware Advisory SSA:2007-255-02 samba
File : nvt/esoft_slk_ssa_2007_255_02.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
39180 Samba nmbd Crafted GETDC mailslot Request Remote Overflow

39179 Samba nmbd nmbd/nmbd_packets.c reply_netbios_packet Function Remote Overflow

39178 Samba idmap_ad.so Winbind nss_info Extension (nsswitch/idmap_ad.c) Local Priv...

Snort® IPS/IDS

Date Description
2015-03-31 Samba WINS Server Name Registration handling stack buffer overflow attempt
RuleID : 33582 - Revision : 3 - Type : SERVER-SAMBA
2014-01-10 Samba WINS Server Name Registration handling stack buffer overflow attempt
RuleID : 16058 - Revision : 13 - Type : SERVER-SAMBA

Nessus® Vulnerability Scanner

Date Description
2013-07-12 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2007-1114.nasl - Type : ACT_GATHER_INFO
2013-07-12 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2007-1016.nasl - Type : ACT_GATHER_INFO
2013-07-12 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2007-1013.nasl - Type : ACT_GATHER_INFO
2013-06-29 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2007-1016.nasl - Type : ACT_GATHER_INFO
2013-01-24 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2007-1034.nasl - Type : ACT_GATHER_INFO
2012-08-01 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20071115_samba_on_SL5_x.nasl - Type : ACT_GATHER_INFO
2012-08-01 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20071210_samba_on_SL5_x.nasl - Type : ACT_GATHER_INFO
2011-11-18 Name : The remote Samba server is affected by a local privilege escalation vulnerabi...
File : samba_3_0_26.nasl - Type : ACT_GATHER_INFO
2009-07-27 Name : The remote VMware ESX host is missing one or more security-related patches.
File : vmware_VMSA-2008-0001.nasl - Type : ACT_GATHER_INFO
2009-04-23 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2007-1013.nasl - Type : ACT_GATHER_INFO
2008-07-02 Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-617-2.nasl - Type : ACT_GATHER_INFO
2008-06-18 Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-617-1.nasl - Type : ACT_GATHER_INFO
2007-12-18 Name : The remote host is missing a Mac OS X update that fixes various security issues.
File : macosx_SecUpd2007-009.nasl - Type : ACT_GATHER_INFO
2007-12-13 Name : The remote SuSE 10 host is missing a security-related patch.
File : suse_cifs-mount-4719.nasl - Type : ACT_GATHER_INFO
2007-12-11 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2007-1114.nasl - Type : ACT_GATHER_INFO
2007-12-11 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2007-1114.nasl - Type : ACT_GATHER_INFO
2007-11-30 Name : The remote openSUSE host is missing a security update.
File : suse_cifs-mount-4740.nasl - Type : ACT_GATHER_INFO
2007-11-26 Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-200711-29.nasl - Type : ACT_GATHER_INFO
2007-11-26 Name : The remote FreeBSD host is missing one or more security-related updates.
File : freebsd_pkg_a63b15f997ff11dc9e480016179b2dd5.nasl - Type : ACT_GATHER_INFO
2007-11-26 Name : The remote Fedora Core host is missing a security update.
File : fedora_2007-751.nasl - Type : ACT_GATHER_INFO
2007-11-26 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-1409.nasl - Type : ACT_GATHER_INFO
2007-11-20 Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-544-2.nasl - Type : ACT_GATHER_INFO
2007-11-20 Name : The remote Slackware host is missing a security update.
File : Slackware_SSA_2007-320-01.nasl - Type : ACT_GATHER_INFO
2007-11-20 Name : The remote Mandrake Linux host is missing one or more security updates.
File : mandrake_MDKSA-2007-224.nasl - Type : ACT_GATHER_INFO
2007-11-20 Name : The remote Fedora host is missing a security update.
File : fedora_2007-3403.nasl - Type : ACT_GATHER_INFO
2007-11-16 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2007-1017.nasl - Type : ACT_GATHER_INFO
2007-11-16 Name : The remote Samba server may be affected one or more vulnerabilities.
File : samba_3_0_27.nasl - Type : ACT_GATHER_INFO
2007-11-16 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2007-1016.nasl - Type : ACT_GATHER_INFO
2007-11-16 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2007-1013.nasl - Type : ACT_GATHER_INFO
2007-11-16 Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-544-1.nasl - Type : ACT_GATHER_INFO
2007-11-16 Name : The remote Fedora host is missing a security update.
File : fedora_2007-3402.nasl - Type : ACT_GATHER_INFO
2007-11-06 Name : The remote Fedora host is missing a security update.
File : fedora_2007-2145.nasl - Type : ACT_GATHER_INFO
2007-09-24 Name : The remote FreeBSD host is missing one or more security-related updates.
File : freebsd_pkg_2bc96f18683f11dc82b602e0185f8d72.nasl - Type : ACT_GATHER_INFO
2007-09-14 Name : The remote Slackware host is missing a security update.
File : Slackware_SSA_2007-255-02.nasl - Type : ACT_GATHER_INFO
2004-07-12 Name : The remote host is missing Sun Security Patch number 114684-17
File : solaris9_114684.nasl - Type : ACT_GATHER_INFO
2004-07-12 Name : The remote host is missing Sun Security Patch number 114685-17
File : solaris9_x86_114685.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
0
Date Informations
2014-02-17 11:51:09
  • Multiple Updates