Vulnerability Note VU#267873

Samba contains multiple buffer overflows

Overview

Samba contains several buffer overflow vulnerabilities. At least one of these vulnerabilities could allow an anonymous, remote attacker to execute arbitrary code or cause a denial of service.

I. Description

Samba is a widely used open-source implementation of Server Message Block (SMB)/Common Internet File System (CIFS). Samba-TNG is a forked development branch of Samba. SMB/CIFS is used in Microsoft Windows to provide file and print services. Samba versions prior to 2.2.8a and Samba-TNG versions prior to 0.3.2 contain several buffer overflow vulnerabilities.

A stack overflow in the function trans2open() (in trans2.c) has been assigned CAN-2003-0201. An exploit for this vulnerability has been publicly released.

After the trans2open() issue was reported, the Samba Team discovered and fixed several other buffer overflow vulnerabilities (in statcache.c, reply.c, and password.c). These vulnerabilities have been assigned CAN-2003-0196.

These vulnerabilities are different from the packet fragment re-assembly problem discussed in VU#298233 (CAN-2003-0085).
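The note names the bug class (a stack buffer overflow in a request handler) without showing the mechanics. The following is an added illustration of that class and is not Samba's trans2open() code: a handler copies a peer-supplied number of bytes into a fixed-size stack buffer, checking the length against the packet but not against the buffer, next to the hardened form that bounds the copy against every destination. The 2-byte little-endian length field, the 64-byte scratch buffer and the build_request()/run_parser() helpers are all constructed for this example and do not reflect Samba's real trans2 request layout.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed request format for this example: a 2-byte little-endian length
 * field followed by that many bytes of payload. The 64-byte stack buffer is
 * also an assumption. Neither matches Samba's real trans2 layout. */
#define SCRATCH_LEN 64

static size_t read_le16(const uint8_t *p)
{
    return (size_t)p[0] | ((size_t)p[1] << 8);
}

/* Build a request carrying 'payload_len' bytes of 'fill' into buf.
 * Returns the total request length, or 0 if buf is too small. */
size_t build_request(uint8_t *buf, size_t buf_len, size_t payload_len, uint8_t fill)
{
    if (payload_len > 0xFFFF || buf_len < payload_len + 2) return 0;
    buf[0] = (uint8_t)(payload_len & 0xFF);
    buf[1] = (uint8_t)(payload_len >> 8);
    memset(buf + 2, fill, payload_len);
    return payload_len + 2;
}

/* Vulnerable pattern. The remote peer controls 'n'; it is validated against
 * the packet but never against the fixed-size stack buffer it is copied into,
 * so n > SCRATCH_LEN overwrites the stack frame (saved registers, return
 * address). That is how a stack overflow in a request handler becomes code
 * execution with the daemon's privileges, root in smbd's case. */
int parse_unchecked(const uint8_t *req, size_t req_len, char *out, size_t out_len)
{
    char scratch[SCRATCH_LEN];
    if (req_len < 2) return -1;
    size_t n = read_le16(req);
    if (n > req_len - 2) return -1;     /* fits inside the packet...          */
    memcpy(scratch, req + 2, n);        /* ...but SCRATCH_LEN is never checked */
    if (n > out_len) return -1;
    memcpy(out, scratch, n);
    return (int)n;
}

/* Hardened form: every destination the data flows into bounds the copy, and an
 * oversized request is rejected before any memcpy runs. */
int parse_checked(const uint8_t *req, size_t req_len, char *out, size_t out_len)
{
    char scratch[SCRATCH_LEN];
    if (req_len < 2) return -1;
    size_t n = read_le16(req);
    if (n > req_len - 2 || n > sizeof scratch || n > out_len) return -1;
    memcpy(scratch, req + 2, n);
    memcpy(out, scratch, n);
    return (int)n;
}

/* Run one parser on a constructed request of 'payload_len' bytes of 'A'.
 * Returns the parser's result, -2 if the copied bytes are wrong, -3 if the
 * request could not be built. The unchecked parser must only be given
 * payloads that fit in SCRATCH_LEN; anything larger is the overflow itself
 * (undefined behaviour), so this harness refuses to do that. */
int run_parser(int use_checked, size_t payload_len)
{
    uint8_t req[512];
    char out[256];
    size_t len = build_request(req, sizeof req, payload_len, 'A');
    if (len == 0) return -3;
    if (!use_checked && payload_len > SCRATCH_LEN) return -3;
    int r = use_checked ? parse_checked(req, len, out, sizeof out)
                        : parse_unchecked(req, len, out, sizeof out);
    if (r > 0 && (out[0] != 'A' || out[r - 1] != 'A')) return -2;
    return r;
}

int main(void)
{
    printf("checked parser, 200-byte payload: %d (rejected)\n", run_parser(1, 200));
    printf("checked parser,  40-byte payload: %d (copied)\n", run_parser(1, 40));
    printf("unchecked parser, 40-byte payload: %d (copied)\n", run_parser(0, 40));
    return 0;
}
```

The only difference between the two handlers is the single comparison against `sizeof scratch`; a review or static-analysis rule that flags any `memcpy` whose length is derived from input without a comparison to the destination size would catch the unchecked form. Building with a stack protector would turn the overflow into an abort rather than silent corruption, but it is a mitigation, not a fix.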

II. Impact

An unauthenticated, remote attacker could execute arbitrary code or cause a denial of service. The Samba daemon (smbd) runs with root privileges, so an attacker could gain complete control of a vulnerable system.

III. Solution

Patch or Upgrade
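
The fixed releases given in this note are Samba 2.2.8a and Samba-TNG 0.3.2. Deciding whether an installed version predates them needs a comparison that treats the letter suffix correctly (2.2.8 is older than 2.2.8a). The following checker is an added example, not part of the note or of Samba; the parse_version(), version_cmp(), samba_affected() and samba_tng_affected() names are this example's own, and the accepted format (X.Y.Z with an optional single-letter suffix) is an assumption about upstream version strings.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>

/* Upstream version string parsed into comparable parts. "2.2.8" has no
 * suffix (0); "2.2.8a" has suffix 'a'. */
typedef struct { int major, minor, patch; char suffix; } samba_version;

/* Parse "X.Y.Z" or "X.Y.Zs" (single letter suffix). Returns 0 on success,
 * -1 on anything else, including a "Version " prefix or trailing text, so
 * an unexpected string is never silently treated as "not affected". */
int parse_version(const char *s, samba_version *v)
{
    int parts[3];
    for (int i = 0; i < 3; i++) {
        char *end;
        if (!isdigit((unsigned char)*s)) return -1;
        long n = strtol(s, &end, 10);
        if (n < 0 || n > 9999) return -1;
        parts[i] = (int)n;
        s = end;
        if (i < 2) {
            if (*s != '.') return -1;
            s++;
        }
    }
    v->major = parts[0];
    v->minor = parts[1];
    v->patch = parts[2];
    v->suffix = 0;
    if (isalpha((unsigned char)*s)) {
        v->suffix = (char)tolower((unsigned char)*s);
        s++;
    }
    return *s == '\0' ? 0 : -1;
}

/* Negative, zero or positive like strcmp. A letter suffix sorts after no
 * suffix, so 2.2.8 < 2.2.8a < 2.2.8b < 2.2.9. */
int version_cmp(const samba_version *a, const samba_version *b)
{
    if (a->major != b->major) return a->major < b->major ? -1 : 1;
    if (a->minor != b->minor) return a->minor < b->minor ? -1 : 1;
    if (a->patch != b->patch) return a->patch < b->patch ? -1 : 1;
    if (a->suffix != b->suffix) return a->suffix < b->suffix ? -1 : 1;
    return 0;
}

/* Shared check: 1 = older than the fixed release, 0 = fixed release or
 * later, -1 = unparseable (needs manual review). */
static int older_than(const char *version, const samba_version *fixed)
{
    samba_version v;
    if (parse_version(version, &v) != 0) return -1;
    return version_cmp(&v, fixed) < 0 ? 1 : 0;
}

/* Samba: fixed in 2.2.8a according to this note. */
int samba_affected(const char *version)
{
    static const samba_version fixed = {2, 2, 8, 'a'};
    return older_than(version, &fixed);
}

/* Samba-TNG: fixed in 0.3.2 according to this note. */
int samba_tng_affected(const char *version)
{
    static const samba_version fixed = {0, 3, 2, 0};
    return older_than(version, &fixed);
}

int main(void)
{
    /* Constructed sample strings; the last one shows that a prefixed banner
     * must be stripped by the caller before checking. */
    const char *samples[] = {"2.2.7", "2.2.8", "2.2.8a", "3.0.0", "Version 2.2.8a"};
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("Samba %-16s -> %d\n", samples[i], samba_affected(samples[i]));
    printf("Samba-TNG %-12s -> %d\n", "0.3.1", samba_tng_affected("0.3.1"));
    return 0;
}
```

This compares upstream version numbers only. Vendor packages that backport the fix commonly keep the older upstream version string, so a result of 1 on a distribution package means "consult the vendor's entry in the Systems Affected table and the package changelog", not "definitely unpatched".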

Block or Restrict Access

Systems Affected

Vendor                     Status          Date Updated
Apple Computer Inc.        Vulnerable      11-Apr-2003
Conectiva                  Vulnerable      9-Apr-2003
Cray Inc.                  Unknown         10-Apr-2003
Data General               Unknown         10-Apr-2003
Debian                     Vulnerable      9-Apr-2003
FreeBSD                    Vulnerable      9-Apr-2003
Fujitsu                    Unknown         9-Apr-2003
Gentoo Linux               Vulnerable      10-Apr-2003
Guardian Digital Inc.      Unknown         10-Apr-2003
Hewlett-Packard Company    Vulnerable      10-Apr-2003
IBM                        Vulnerable      10-Apr-2003
Ingrian Networks           Not Vulnerable  10-Apr-2003
MandrakeSoft               Vulnerable      9-Apr-2003
MontaVista Software        Vulnerable      10-Apr-2003
NEC Corporation            Unknown         9-Apr-2003
NetBSD                     Unknown         9-Apr-2003
Nokia                      Unknown         9-Apr-2003
OpenBSD                    Vulnerable      14-Apr-2003
OpenPKG                    Vulnerable      9-Apr-2003
Openwall GNU/*/Linux       Unknown         9-Apr-2003
Red Hat Inc.               Vulnerable      10-Apr-2003
Samba-TNG                  Vulnerable      10-Apr-2003
Samba Team                 Vulnerable      10-Apr-2003
SCO                        Vulnerable      15-May-2003
Sequent                    Unknown         9-Apr-2003
SGI                        Vulnerable      9-Apr-2003
Slackware                  Vulnerable      10-Apr-2003
Sony Corporation           Unknown         9-Apr-2003
Sorceror Linux             Vulnerable      9-Apr-2003
Sun Microsystems Inc.      Vulnerable      15-May-2003
SuSE Inc.                  Vulnerable      9-Apr-2003
Trustix                    Vulnerable      9-Apr-2003
Unisys                     Unknown         10-Apr-2003
Wind River Systems Inc.    Unknown         9-Apr-2003
Wirex                      Vulnerable      9-Apr-2003

References

VU#298233
http://lists.samba.org/pipermail/samba-announce/2003-April/000065.html
http://lists.samba.org/pipermail/samba-announce/2003-March/000063.html
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0201
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0196
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0085
http://www.kb.cert.org/vuls/id/298233
http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0008.html
http://www.samba-tng.org/download/tng/announcement-0.3.2.txt
http://www.samba-tng.org/
http://www.samba.org/
http://www.securityfocus.com/bid/7294

Credit

This vulnerability was publicly reported by Erik Parker of Digital Defense Inc.

This document was written by Art Manion.

Other Information

Date Public:           04/07/2003
Date First Published:  04/10/2003 02:43:47 AM
Date Last Updated:     05/15/2003
CERT Advisory:
CVE Name:              CAN-2003-0201
Metric:                20.48
Document Revision:     20

CERT Copyright Material