__________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
__________________________________________________________

                             INFORMATION BULLETIN

                             Samba Vulnerabilities
                  [Red Hat Security Advisory RHSA-2004:632-17]

November 16, 2004 18:00 GMT                                       Number P-038
                                                            [REVISED 20 Dec 2004]
                                                            [REVISED 24 Jun 2005]
______________________________________________________________________________
PROBLEM:       A buffer overflow in the handling of Unicode filenames and a
               problem in the input validation routines were discovered in
               Samba. Samba provides file and printer sharing services to
               SMB/CIFS clients.

PLATFORM:      Samba 3.0.x <= 3.0.7
               Red Hat Desktop (v. 3)
               Red Hat Enterprise Linux AS, ES, WS (v. 2.1 and v. 3)
               Red Hat Linux Advanced Workstation 2.1 for the Itanium Processor
               SGI - Samba 3.0.7

DAMAGE:        An authenticated remote attacker can send a specially crafted
               request containing a filename with unicode characters to
               trigger a buffer overflow. Also, a bug in the input validation
               routines used to match filename strings containing wildcard
               characters may allow an authenticated user to consume more
               than normal amounts of CPU cycles.

SOLUTION:      Install the security patch.
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. A remote authenticated attacker may be able
ASSESSMENT:    to execute arbitrary code and/or cause a denial of service.
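The PLATFORM line gives the vulnerable upstream range (3.0.x up to 3.0.7), while the Red Hat packages quoted later in this bulletin carry the fix as a backport, so the installed version string alone ("3.0.7") does not tell an administrator whether a host is patched; the release tag does. The following Python script is an added example, not part of the CIAC or Red Hat text: it decides whether a samba RPM name-version-release is at or above the advisory's fix level and checks a downloaded package against the MD5 sums the advisory prints. It assumes a simplified re-implementation of RPM's version comparison (rpmvercmp), infers the product line from the release tag ("3E" for RHEL 3, "as" for RHEL 2.1), and uses constructed sample file names for the older builds.

```python
"""Check Samba RPM versions against the RHSA-2004:632 fix levels and verify
package checksums against the MD5 sums printed in the advisory.

Added example, not part of the bulletin. Assumptions: rpmvercmp() below is a
simplified re-implementation of RPM's comparison (numeric segments compare as
integers, alphabetic ones lexically, a numeric segment beats an alphabetic
one, the longer string wins on an equal prefix); the product line is inferred
from the release tag ('3E' for RHEL 3, 'as' for RHEL 2.1).
"""
import hashlib
import re

# Fix levels copied from the advisory's "Updated packages" section. Red Hat
# backported the fix, so version 3.0.7 alone does NOT mean vulnerable: the
# release tag decides.
FIXED_LEVELS = {
    "3E": ("3.0.7", "1.3E.1"),     # Red Hat Desktop 3, RHEL AS/ES/WS 3
    "as": ("2.2.12", "1.21as.1"),  # RHEL AS/ES/WS 2.1, Advanced Workstation 2.1
}
UPSTREAM_FIXED = "3.0.8"           # upstream Samba: "versions prior to 3.0.8"

# Two filename/MD5 pairs taken verbatim from the advisory text.
ADVISORY_SUMS = """
samba-3.0.7-1.3E.1.i386.rpm 0a6450f412492dff6b01562de975708d
samba-common-3.0.7-1.3E.1.x86_64.rpm 26543f2db62357e8a9aebdbf1acf3274
"""

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")


def rpmvercmp(a, b):
    """Return -1, 0 or 1 for a < b, a == b, a > b (simplified RPM rules)."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1   # numeric segment is "newer"
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def parse_rpm_filename(fname):
    """'samba-common-3.0.7-1.3E.1.x86_64.rpm' -> (name, version, release, arch)."""
    if not fname.endswith(".rpm"):
        raise ValueError("not an RPM file name: %s" % fname)
    stem, arch = fname[:-4].rsplit(".", 1)
    name, version, release = stem.rsplit("-", 2)
    return name, version, release, arch


def needs_update(version, release):
    """True if version-release is below the advisory's fix level.

    A release tag containing '3E' or 'as' selects the RHEL product line;
    anything else is treated as upstream Samba, fixed from 3.0.8 onwards.
    """
    for tag, (fix_ver, fix_rel) in FIXED_LEVELS.items():
        if tag in release:
            by_version = rpmvercmp(version, fix_ver)
            if by_version != 0:
                return by_version < 0
            return rpmvercmp(release, fix_rel) < 0
    return rpmvercmp(version, UPSTREAM_FIXED) < 0


def parse_package_list(text):
    """Map 'file.rpm <md5>' lines, as printed in the advisory, to their sums."""
    sums = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\S+\.rpm)\s+([0-9a-fA-F]{32})\s*$", line)
        if m:
            sums[m.group(1)] = m.group(2).lower()
    return sums


def check_download(fname, data, sums):
    """Compare a downloaded package's MD5 with the advisory's list.

    Returns 'ok', 'mismatch' or 'unlisted'. MD5 is what a 2004 advisory
    offers; on a live system prefer the package's GPG signature (rpm -K).
    """
    expected = sums.get(fname)
    if expected is None:
        return "unlisted"
    return "ok" if hashlib.md5(data).hexdigest() == expected else "mismatch"


if __name__ == "__main__":
    # Constructed sample: the first file name is at the fix level, the other
    # two are hypothetical older builds below it.
    for f in ("samba-3.0.7-1.3E.1.i386.rpm", "samba-3.0.7-1.3E.i386.rpm",
              "samba-2.2.7-3.21as.i386.rpm"):
        _, v, r, _ = parse_rpm_filename(f)
        print(f, "needs update" if needs_update(v, r) else "at fix level")
```

On a real host the input to needs_update() would come from `rpm -q --qf '%{VERSION} %{RELEASE}\n' samba`; the script keeps the comparison separate from that query so it can be run against the advisory's own file names offline.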
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/p-038.shtml
 ORIGINAL BULLETIN:  https://rhn.redhat.com/errata/RHSA-2004-632.html
 ADDITIONAL LINKS:   SGI Advisory 2004-12-01-01-P
                     http://www.sgi.com/support/security/advisories.html
                     Sun Alert ID: 101783
                     http://sunsolve.sun.com/search/printfriendly.do?assetkey=1-26-101783-1
 CVE/CAN:            http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=
                     CAN-2004-0882, CAN-2004-0930
______________________________________________________________________________
REVISION HISTORY:
 12/20/2004 - added link information to SGI Advisory 2004-12-01-01-P
              announcing fixes released for these Samba Vulnerabilities.
 06/24/2005 - added link to Sun Alert ID 101783.

[***** Start Red Hat Security Advisory RHSA-2004:632-17 *****]

Updated samba packages fix security issues

Advisory:             RHSA-2004:632-17
Last updated on:      2004-11-16
Affected Products:    Red Hat Desktop (v. 3)
                      Red Hat Enterprise Linux AS (v. 2.1)
                      Red Hat Enterprise Linux AS (v. 3)
                      Red Hat Enterprise Linux ES (v. 2.1)
                      Red Hat Enterprise Linux ES (v. 3)
                      Red Hat Enterprise Linux WS (v. 2.1)
                      Red Hat Enterprise Linux WS (v. 3)
                      Red Hat Linux Advanced Workstation 2.1 for the Itanium Processor
CVEs (cve.mitre.org): CAN-2004-0882
                      CAN-2004-0930

Security Advisory Details:

Updated samba packages that fix various security vulnerabilities are now
available.

Samba provides file and printer sharing services to SMB/CIFS clients.

During a code audit, Stefan Esser discovered a buffer overflow in Samba
versions prior to 3.0.8 when handling unicode filenames. An authenticated
remote user could exploit this bug which may lead to arbitrary code execution
on the server. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2004-0882 to this issue.
Red Hat believes that the Exec-Shield technology (enabled by default since
Update 3) will block attempts to remotely exploit this vulnerability on x86
architectures.

Additionally, a bug was found in the input validation routines in versions of
Samba prior to 3.0.8 that caused the smbd process to consume abnormal amounts
of system memory. An authenticated remote user could exploit this bug to cause
a denial of service. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2004-0930 to this issue.

Users of Samba should upgrade to these updated packages, which contain
backported security patches, and are not vulnerable to these issues.

Updated packages:

Red Hat Desktop (v. 3)
--------------------------------------------------------------------------------
AMD64:
samba-3.0.7-1.3E.1.x86_64.rpm         440a9ae7f707066f28f66b127f1b564c
samba-client-3.0.7-1.3E.1.x86_64.rpm  fffa29e5873d2c188b34a720c8e73929
samba-common-3.0.7-1.3E.1.x86_64.rpm  26543f2db62357e8a9aebdbf1acf3274
samba-swat-3.0.7-1.3E.1.x86_64.rpm    a699adf4b14ee22dea0d6a4d84e66f24
SRPMS:
samba-3.0.7-1.3E.1.src.rpm            122c0bb27aac341fc37156dc94fc522e
i386:
samba-3.0.7-1.3E.1.i386.rpm           0a6450f412492dff6b01562de975708d
samba-client-3.0.7-1.3E.1.i386.rpm    bfbacd051ca80500a34991d3dc9ca3ce
samba-common-3.0.7-1.3E.1.i386.rpm    370cf89a18b670160f51608041812c24
samba-swat-3.0.7-1.3E.1.i386.rpm      f89375430ce2785a01cc4586d9689f5a

Red Hat Enterprise Linux AS (v. 2.1)
--------------------------------------------------------------------------------
SRPMS:
samba-2.2.12-1.21as.1.src.rpm         e1220dc76372c90c46faa649cbba1ee6
i386:
samba-2.2.12-1.21as.1.i386.rpm        6f81c1ecf8b0b0355ce70502e9a85326
samba-client-2.2.12-1.21as.1.i386.rpm 350ef1e72e4743b0be11603ee1f42cca
samba-common-2.2.12-1.21as.1.i386.rpm ac6ae17ef6870ebbabd4817f1f90fcd9
samba-swat-2.2.12-1.21as.1.i386.rpm   9988653768e2c954a9ccbe73ff67ed75
ia64:
samba-2.2.12-1.21as.1.ia64.rpm        a96f03101ea7bd41d886fa95bf9f4308
samba-client-2.2.12-1.21as.1.ia64.rpm 2a4452ec646410dccdd0c23e53203b69
samba-common-2.2.12-1.21as.1.ia64.rpm 31daf4320431b9ff26e51d63e58785f0
samba-swat-2.2.12-1.21as.1.ia64.rpm   06a17eba99c63289a22ea54e6ade8b64

Red Hat Enterprise Linux AS (v. 3)
--------------------------------------------------------------------------------
AMD64:
samba-3.0.7-1.3E.1.x86_64.rpm         440a9ae7f707066f28f66b127f1b564c
samba-client-3.0.7-1.3E.1.x86_64.rpm  fffa29e5873d2c188b34a720c8e73929
samba-common-3.0.7-1.3E.1.x86_64.rpm  26543f2db62357e8a9aebdbf1acf3274
samba-swat-3.0.7-1.3E.1.x86_64.rpm    a699adf4b14ee22dea0d6a4d84e66f24
SRPMS:
samba-3.0.7-1.3E.1.src.rpm            122c0bb27aac341fc37156dc94fc522e
i386:
samba-3.0.7-1.3E.1.i386.rpm           0a6450f412492dff6b01562de975708d
samba-client-3.0.7-1.3E.1.i386.rpm    bfbacd051ca80500a34991d3dc9ca3ce
samba-common-3.0.7-1.3E.1.i386.rpm    370cf89a18b670160f51608041812c24
samba-swat-3.0.7-1.3E.1.i386.rpm      f89375430ce2785a01cc4586d9689f5a
ia64:
samba-3.0.7-1.3E.1.ia64.rpm           e733b35d09659e19a1afcf10ab1ab7dc
samba-client-3.0.7-1.3E.1.ia64.rpm    c02426d44e8bbdf625c6baa3b63f7f6c
samba-common-3.0.7-1.3E.1.ia64.rpm    0a37cd8c24c6f69bb1df0aab93467670
samba-swat-3.0.7-1.3E.1.ia64.rpm      bf2bfb26e2bb0ccd7c66841214465655
ppc:
samba-3.0.7-1.3E.1.ppc.rpm            0c2696dce74d906545781ecdeca858c7
samba-client-3.0.7-1.3E.1.ppc.rpm     585752b05ad3796f7fa614c06aed33c6
samba-common-3.0.7-1.3E.1.ppc.rpm     f75539c9db2405597957edf1b219a158
samba-swat-3.0.7-1.3E.1.ppc.rpm       2318bcd405d8a884e437d905a31b2fc1
ppc64:
samba-3.0.7-1.3E.1.ppc64.rpm          e52f8991a6c1e6acb03a567f988019d7
s390:
samba-3.0.7-1.3E.1.s390.rpm           9da990f973c4b9cdf5c2ba67e571492f
samba-client-3.0.7-1.3E.1.s390.rpm    6c5535ee6419de2597e90d4b67651342
samba-common-3.0.7-1.3E.1.s390.rpm    58560ac1022642fcde78b34d9b765bd0
samba-swat-3.0.7-1.3E.1.s390.rpm      70c2f0e373c3f3364420d413524bf18c
s390x:
samba-3.0.7-1.3E.1.s390x.rpm          a2d13a8f4ca6eefaa52cf69abb23223c
samba-client-3.0.7-1.3E.1.s390x.rpm   b0390f7081498b6f9a3570c3362de11f
samba-common-3.0.7-1.3E.1.s390x.rpm   23da9fd92b3c59c1e318a2a701494785
samba-swat-3.0.7-1.3E.1.s390x.rpm     802db132f4ec3fe57a42884c1f20c487

Red Hat Enterprise Linux ES (v. 2.1)
--------------------------------------------------------------------------------
SRPMS:
samba-2.2.12-1.21as.1.src.rpm         e1220dc76372c90c46faa649cbba1ee6
i386:
samba-2.2.12-1.21as.1.i386.rpm        6f81c1ecf8b0b0355ce70502e9a85326
samba-client-2.2.12-1.21as.1.i386.rpm 350ef1e72e4743b0be11603ee1f42cca
samba-common-2.2.12-1.21as.1.i386.rpm ac6ae17ef6870ebbabd4817f1f90fcd9
samba-swat-2.2.12-1.21as.1.i386.rpm   9988653768e2c954a9ccbe73ff67ed75

Red Hat Enterprise Linux ES (v. 3)
--------------------------------------------------------------------------------
AMD64:
samba-3.0.7-1.3E.1.x86_64.rpm         440a9ae7f707066f28f66b127f1b564c
samba-client-3.0.7-1.3E.1.x86_64.rpm  fffa29e5873d2c188b34a720c8e73929
samba-common-3.0.7-1.3E.1.x86_64.rpm  26543f2db62357e8a9aebdbf1acf3274
samba-swat-3.0.7-1.3E.1.x86_64.rpm    a699adf4b14ee22dea0d6a4d84e66f24
SRPMS:
samba-3.0.7-1.3E.1.src.rpm            122c0bb27aac341fc37156dc94fc522e
i386:
samba-3.0.7-1.3E.1.i386.rpm           0a6450f412492dff6b01562de975708d
samba-client-3.0.7-1.3E.1.i386.rpm    bfbacd051ca80500a34991d3dc9ca3ce
samba-common-3.0.7-1.3E.1.i386.rpm    370cf89a18b670160f51608041812c24
samba-swat-3.0.7-1.3E.1.i386.rpm      f89375430ce2785a01cc4586d9689f5a
ia64:
samba-3.0.7-1.3E.1.ia64.rpm           e733b35d09659e19a1afcf10ab1ab7dc
samba-client-3.0.7-1.3E.1.ia64.rpm    c02426d44e8bbdf625c6baa3b63f7f6c
samba-common-3.0.7-1.3E.1.ia64.rpm    0a37cd8c24c6f69bb1df0aab93467670
samba-swat-3.0.7-1.3E.1.ia64.rpm      bf2bfb26e2bb0ccd7c66841214465655

Red Hat Enterprise Linux WS (v. 2.1)
--------------------------------------------------------------------------------
SRPMS:
samba-2.2.12-1.21as.1.src.rpm         e1220dc76372c90c46faa649cbba1ee6
i386:
samba-2.2.12-1.21as.1.i386.rpm        6f81c1ecf8b0b0355ce70502e9a85326
samba-client-2.2.12-1.21as.1.i386.rpm 350ef1e72e4743b0be11603ee1f42cca
samba-common-2.2.12-1.21as.1.i386.rpm ac6ae17ef6870ebbabd4817f1f90fcd9
samba-swat-2.2.12-1.21as.1.i386.rpm   9988653768e2c954a9ccbe73ff67ed75

Red Hat Enterprise Linux WS (v. 3)
--------------------------------------------------------------------------------
AMD64:
samba-3.0.7-1.3E.1.x86_64.rpm         440a9ae7f707066f28f66b127f1b564c
samba-client-3.0.7-1.3E.1.x86_64.rpm  fffa29e5873d2c188b34a720c8e73929
samba-common-3.0.7-1.3E.1.x86_64.rpm  26543f2db62357e8a9aebdbf1acf3274
samba-swat-3.0.7-1.3E.1.x86_64.rpm    a699adf4b14ee22dea0d6a4d84e66f24
SRPMS:
samba-3.0.7-1.3E.1.src.rpm            122c0bb27aac341fc37156dc94fc522e
i386:
samba-3.0.7-1.3E.1.i386.rpm           0a6450f412492dff6b01562de975708d
samba-client-3.0.7-1.3E.1.i386.rpm    bfbacd051ca80500a34991d3dc9ca3ce
samba-common-3.0.7-1.3E.1.i386.rpm    370cf89a18b670160f51608041812c24
samba-swat-3.0.7-1.3E.1.i386.rpm      f89375430ce2785a01cc4586d9689f5a
ia64:
samba-3.0.7-1.3E.1.ia64.rpm           e733b35d09659e19a1afcf10ab1ab7dc
samba-client-3.0.7-1.3E.1.ia64.rpm    c02426d44e8bbdf625c6baa3b63f7f6c
samba-common-3.0.7-1.3E.1.ia64.rpm    0a37cd8c24c6f69bb1df0aab93467670
samba-swat-3.0.7-1.3E.1.ia64.rpm      bf2bfb26e2bb0ccd7c66841214465655

Red Hat Linux Advanced Workstation 2.1 for the Itanium Processor
--------------------------------------------------------------------------------
SRPMS:
samba-2.2.12-1.21as.1.src.rpm         e1220dc76372c90c46faa649cbba1ee6
ia64:
samba-2.2.12-1.21as.1.ia64.rpm        a96f03101ea7bd41d886fa95bf9f4308
samba-client-2.2.12-1.21as.1.ia64.rpm 2a4452ec646410dccdd0c23e53203b69
samba-common-2.2.12-1.21as.1.ia64.rpm 31daf4320431b9ff26e51d63e58785f0
samba-swat-2.2.12-1.21as.1.ia64.rpm   06a17eba99c63289a22ea54e6ade8b64

(The unlinked packages above are only available from the Red Hat Network)

Solution

Before applying this update, make sure that all previously-released errata
relevant to your system have been applied.

Use Red Hat Network to download and update your packages.
To launch the Red Hat Update Agent, use the following command:

    up2date

For information on how to install packages manually, refer to the following
Web page for the System Administration or Customization guide specific to
your system:

http://www.redhat.com/docs/manuals/enterprise/

Bugs fixed: (see bugzilla for more information)

134640 - CAN-2004-0882 unicode parsing overflow
138325 - CAN-2004-0930 wildcard remote DoS

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0882
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0930
http://www.samba.org/samba/history/samba-3.0.9.html
http://www.redhat.com/f/pdf/rhel/WHP0006US_Execshield.pdf

[***** End Red Hat Security Advisory RHSA-2004:632-17 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Red Hat for the information
contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
   Anonymous FTP:       ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization. A list of FIRST member
organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of the
United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring by
the United States Government or the University of California. The views and
opinions of authors expressed herein do not necessarily state or reflect those
of the United States Government or the University of California, and shall not
be used for advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

P-028: Cisco Vulnerability in Cisco Secure Access Control Server (ACS) EAP-TLS
       Authentication
P-029: libxml and libxml2 Buffer Overflow
P-030: Local Volume Manager (LVM) Vulnerability
P-031: HP OpenView Operations (OVO) Remote Privilege Elevation Vulnerability
P-032: GZIP Insecure Temporary Files
P-033: "libgd" Integer Overflows
P-034: Cisco IOS DHCP Blocked Interface Denial-of-Service
P-035: iPlanet/Sun ONE Messaging Server Webmail Vulnerability
P-036: Crafted Timed Attack Evades Cisco Security
P-037: Sudo Environment Cleaning Vulnerability