             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

           Samba Encrypted Password Buffer Overrun Vulnerability
                [Red Hat Security Advisory RHSA-2002:266-05]

November 26, 2002 00:00 GMT                                       Number N-019
______________________________________________________________________________
PROBLEM:       There is a flaw in the length checking for encrypted password
               change requests from clients. This vulnerability could be used
               as a buffer overrun attack on smbd's stack.

PLATFORM:      Red Hat Linux 7.3 - i386
               Red Hat Linux 8.0 - i386

DAMAGE:        A potential attacker could gain root access on the target
               machine.

SOLUTION:      Apply updated packages as described by Red Hat's security
               advisory.
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. The attack would have to be crafted such
ASSESSMENT:    that converting a DOS codepage string to little endian UCS2
               unicode would translate into an executable block of code.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/n-019.shtml
 ORIGINAL BULLETIN:  https://rhn.redhat.com/errata/RHSA-2002-266.html
______________________________________________________________________________

[***** Start Red Hat Security Advisory RHSA-2002:266-05 *****]

New samba packages available to fix potential security vulnerability

Advisory:           RHSA-2002:266-05
Last updated on:    2002-11-21
Affected Products:  Red Hat Linux 7.3
                    Red Hat Linux 8.0

Security Advisory Details:

New samba packages are available that fix a security vulnerability present in
samba versions 2.2.2 through 2.2.6. A potential attacker could gain root access
on the target machine. It is strongly encouraged that all Samba users update to
the fixed packages.
As of this time, there are no known exploits for this vulnerability.

There was a bug in the length checking for encrypted password change requests
from clients. A client could potentially send an encrypted password which, when
decrypted with the old hashed password, could be used as a buffer overrun
attack on smbd's stack. The attack would have to be crafted such that
converting a DOS codepage string to little endian UCS2 unicode would translate
into an executable block of code.

Thanks to the Debian Samba maintainers for discovering this issue, and to the
Samba team for providing the fix (and the problem description text above).

Updated packages:

Red Hat Linux 7.3
--------------------------------------------------------------------------------
SRPMS:
samba-2.2.7-1.7.3.src.rpm              5c8ba729bb3e6d2f0614fd543053e6e9

i386:
samba-2.2.7-1.7.3.i386.rpm             92178f0aa6c7ec0cb2b55c0f32c59ca4
samba-client-2.2.7-1.7.3.i386.rpm      6915d467d9572737dfbfcac916734084
samba-common-2.2.7-1.7.3.i386.rpm      56ce43d49614bf5a79b90dfbd4a77235
samba-swat-2.2.7-1.7.3.i386.rpm        82cbcb8e2c3be661e0e6c1c7f9856ecd

Red Hat Linux 8.0
--------------------------------------------------------------------------------
SRPMS:
samba-2.2.7-2.src.rpm                  9b5ded05dc9cc2c49c40b686ec78caf7

i386:
samba-2.2.7-2.i386.rpm                 4e2339d23bad01690938748d84dac186
samba-client-2.2.7-2.i386.rpm          a7a48f9d6d8e45966172ae1b941e0208
samba-common-2.2.7-2.i386.rpm          3bd309562e0cdefc8d4cd5b02ee0b71c
samba-swat-2.2.7-2.i386.rpm            0efdfc0d8de8294c0dd4978a82d15991

Solution

Before applying this update, make sure all previously released errata relevant
to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs
which are currently installed will be updated. Those RPMs which are not
installed but included in the list will not be updated.
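The script below is an added example and is not part of the Red Hat advisory or
the CIAC bulletin. It checks a directory of downloaded RPMs against the md5sums
printed in the package list above before the rpm -Fvh step is run, so that a
truncated or substituted download is caught rather than installed. The manifest
format (one "<filename> <md5>" pair per line, copied from the package list), the
function names verify_manifest and md5_of, and the sample file used in the test
are this example's own assumptions and constructions, not Red Hat tooling.

```shell
#!/bin/sh
# Added example (not Red Hat's or CIAC's tooling): compare downloaded RPMs
# against the md5sums published in the advisory before freshening packages.
#
# Assumed manifest format, one entry per line, as in the advisory's list:
#   samba-2.2.7-2.i386.rpm 4e2339d23bad01690938748d84dac186

md5_of() {
    # Print the MD5 hex digest of file "$1". Prefer md5sum (coreutils);
    # fall back to openssl on systems without it.
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        openssl dgst -md5 "$1" | awk '{print $NF}'
    fi
}

verify_manifest() {
    # $1: manifest file with "<filename> <expected md5>" lines
    # $2: directory holding the downloaded RPMs
    # Exit status 0 only if every listed file exists and its digest matches;
    # any missing or mismatching file makes the whole run fail, so the caller
    # can gate "rpm -Fvh" on this result.
    manifest=$1
    dir=$2
    bad=0
    while read -r file expected; do
        [ -z "$file" ] && continue               # skip blank lines
        case "$file" in \#*) continue ;; esac    # skip comment lines
        if [ ! -f "$dir/$file" ]; then
            echo "MISSING  $file"
            bad=1
            continue
        fi
        actual=$(md5_of "$dir/$file")
        if [ "$actual" = "$expected" ]; then
            echo "OK       $file"
        else
            echo "MISMATCH $file (advisory $expected, local $actual)"
            bad=1
        fi
    done < "$manifest"
    return $bad
}

# Stand-alone use: verify-rpms.sh <manifest> <download dir>
if [ "$#" -eq 2 ]; then
    verify_manifest "$1" "$2"
fi
```

Typical use is to gate the update on the check, for example
`verify_manifest n-019.md5 ./downloads && rpm -Fvh ./downloads/*.rpm`. Note the
limit of this check: the digests arrive over the same web channel as the
packages, so a matching md5 proves only that what you downloaded is what the
advisory describes, not that the advisory itself is genuine. For authenticity,
the `rpm --checksig -v` step given later in the advisory, verified against Red
Hat's published GPG key, is the check to rely on; the md5 comparison is a cheap
pre-filter for corrupted or wrong-version downloads.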
Note that you can also use wildcards (*.rpm) if your current directory *only*
contains the desired RPMs.

Please note that this update is also available via Red Hat Network. Many people
find this an easier way to apply updates. To use Red Hat Network, launch the
Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

Keywords: change, encrypted, password, samba, security
--------------------------------------------------------------------------------
The listed packages are GPG signed by Red Hat, Inc. for security. Our key is
available at:

http://www.redhat.com/solutions/security/news/publickey.html#key

You can verify each package and see who signed it with the following command:

rpm --checksig -v filename

If you only wish to verify that each package has not been corrupted or tampered
with, examine only the md5sum with the following command:

rpm --checksig --nogpg -v filename

Note that you need RPM >= 3.0 to check GnuPG keys.

[***** End Red Hat Security Advisory RHSA-2002:266-05 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Red Hat, Inc. for the
information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH.
CIAC can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization. A list of FIRST member
organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of the
United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process, or
service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring by
the United States Government or the University of California. The views and
opinions of authors expressed herein do not necessarily state or reflect those
of the United States Government or the University of California, and shall not
be used for advertising or product endorsement purposes.
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

CIACTech03-001: Spamming using the Windows Messenger Service
N-010: Web-Based Enterprise Management on Solaris 8 Installs Insecure Files
N-011: Cumulative Patch for Internet Information Service
N-012: Windows 2000 Default Permissions Could Allow Trojan Horse Program
N-013: ISC Remote Vulnerabilities in BIND4 and BIND8
N-014: Trojan Horse tcpdump and libpcap Distributions
N-015: SGI IRIX lpd Daemon Vulnerabilities via sendmail and dns
N-016: Buffer Overrun in Microsoft Data Access Components (MDAC)
N-017: Cisco PIX Multiple Vulnerabilities
N-018: Microsoft Cumulative Patch for Internet Explorer