Vulnerabilities > CVE-2004-0082 - Unspecified vulnerability in Samba 3.0.0/3.0.1

047910
CVSS v2 base score 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
samba
nessus

Summary

The mksmbpasswd shell script (mksmbpasswd.sh) in Samba 3.0.0 and 3.0.1, when creating an account but marking it as disabled, may overwrite the user password with an uninitialized buffer, which could enable the account with a more easily guessable password.

Vulnerable Configurations

Part Description Count
Application
Samba
2

Nessus

  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2004-064.NASL
    description: Updated Samba packages that fix a security vulnerability are now available. Samba provides file and printer sharing services to SMB/CIFS clients. The Samba team discovered an issue that affects version 3.0.0 and 3.0.1 of Samba. If an account for a user is created, but marked as disabled using the mksmbpasswd script, it is possible for Samba to overwrite the user's password with the contents of an uninitialized buffer. This might lead to a disabled account becoming enabled with a password that could be guessed by an attacker.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 12467
    published: 2004-07-06
    reporter: This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/12467
    title: RHEL 3 : samba (RHSA-2004:064)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2004:064. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    # Registration branch. When the scanner loads the plugin with `description`
    # set, only the script_* metadata calls below run and the block ends with
    # exit(0), so none of the host checks further down execute in this mode.
    if (description)
    {
      # Identity and cross-references: plugin 12467, mapped to CVE-2004-0082
      # and Red Hat advisory RHSA-2004:064.
      script_id(12467);
      script_version ("1.23");
      script_cvs_date("Date: 2019/10/25 13:36:10");
    
      script_cve_id("CVE-2004-0082");
      script_xref(name:"RHSA", value:"2004:064");
    
      script_name(english:"RHEL 3 : samba (RHSA-2004:064)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      # Advisory text shown with a finding. Two points worth reading closely:
      #  - the issue arises only for accounts created as disabled with the
      #    mksmbpasswd script, and the text itself calls it "likely to be a low
      #    risk issue for most Samba users";
      #  - the closing note says winbind is not restarted on upgrade and gives
      #    the manual restart command. The package comparison later in this
      #    script looks only at installed RPM versions, so it cannot tell
      #    whether that restart was done.
      # NOTE(review): the note names samba-3.0.2-4.3E while the rpm_check
      # references later in this script use 3.0.2-6.3E -- confirm which build
      # the advisory text should cite.
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated Samba packages that fix a security vulnerability are now
    available.
    
    Samba provides file and printer sharing services to SMB/CIFS clients.
    
    The Samba team discovered an issue that affects version 3.0.0 and
    3.0.1 of Samba. If an account for a user is created, but marked as
    disabled using the mksmbpasswd script, it is possible for Samba to
    overwrite the user's password with the contents of an uninitialized
    buffer. This might lead to a disabled account becoming enabled with a
    password that could be guessed by an attacker.
    
    Although this is likely to be a low risk issue for most Samba users,
    we have provided updated packages, which contain a backported patch
    correcting this issue.
    
    Red Hat would like to thank the Samba team for reporting this issue
    and providing us with a patch.
    
    Note: Due to a packaging error in samba-3.0.0-14.3E, the winbind
    daemon is not automatically restarted when the Samba package is
    upgraded. After up2date has installed the samba-3.0.2-4.3E packages,
    you must run '/sbin/service winbind condrestart' as root to restart
    the winbind daemon."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2004-0082"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2004:064"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      # CVSS v2 base vector: network, low complexity, no authentication,
      # partial confidentiality / integrity / availability impact.
      # NOTE(review): this sits next to advisory text that calls the issue low
      # risk for most users -- weigh both when prioritising the finding.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
    
      # Declared as a "local" plugin; the checks after this block read host
      # data from the knowledge base (release string, rpm list, cpu).
      script_set_attribute(attribute:"plugin_type", value:"local");
      # CPE entries for the four Samba packages compared later and for RHEL 3.
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:samba");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:samba-client");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:samba-common");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:samba-swat");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:3");
    
      # Vulnerability, patch and plugin publication dates as recorded here.
      script_set_attribute(attribute:"vuln_publication_date", value:"2004/03/03");
      script_set_attribute(attribute:"patch_publication_date", value:"2004/05/21");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/06");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      # Registers the plugin in the ACT_GATHER_INFO category and the
      # "Red Hat Local Security Checks" family.
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      # Declares ssh_get_info.nasl as a dependency and lists the knowledge-base
      # keys this plugin needs; presumably that dependency is what populates
      # them -- confirm.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      # Metadata registration is complete; leave before the host checks.
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    # Host check: decides from knowledge-base data whether a RHEL 3 host is
    # missing the packages from RHSA-2004:064. Every early-out goes through
    # audit(); a finding is raised with security_report_v4().
    # Scope note: only package versions are evaluated. Nothing here inspects
    # Samba account entries, so a clean result says nothing about accounts
    # that were created as disabled with the affected script before the
    # update -- review those separately.

    # Stop unless local (credentialed) checks are enabled for this host.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    # The stored release string must exist and contain "Red Hat".
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    # Capture the version number that follows "release" in the string.
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    # Only major version 3 continues: "3" must be followed by a non-digit or
    # the end of the string, so "3.9" passes and "30" does not.
    if (! preg(pattern:"^3([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 3.x", "Red Hat " + os_ver);
    
    # Without a collected rpm list there is nothing to compare against.
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    # Architecture gate: proceed only when cpu contains "x86_64", matches
    # i386..i686 exactly, or contains "s390".
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    # Path 1: yum update information is present in the knowledge base. The
    # verdict then comes only from the report generated for this advisory id;
    # the rpm_check comparisons in the else branch are not run.
    # NOTE(review): an empty report is audited as "not affected", so this path
    # presumably depends on the stored yum metadata being complete and
    # current -- confirm against rpm.inc.
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2004:064";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        # Finding: reported on port 0 with the yum report as detail.
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      # Path 2: compare each of the four Samba packages with the 3.0.2-6.3E
      # reference for RHEL3; flag counts the packages rpm_check reports.
      # presumably rpm_check is true when the installed build is older than
      # the reference -- confirm in rpm.inc.
      flag = 0;
      if (rpm_check(release:"RHEL3", reference:"samba-3.0.2-6.3E")) flag++;
      if (rpm_check(release:"RHEL3", reference:"samba-client-3.0.2-6.3E")) flag++;
      if (rpm_check(release:"RHEL3", reference:"samba-common-3.0.2-6.3E")) flag++;
      if (rpm_check(release:"RHEL3", reference:"samba-swat-3.0.2-6.3E")) flag++;
    
      if (flag)
      {
        # Finding: at least one package was flagged; the detail is the rpm
        # report followed by the Red Hat package caveat text.
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        # No finding: distinguish "packages were tested and are not affected"
        # from "none of the listed packages is installed".
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "samba / samba-client / samba-common / samba-swat");
      }
    }
    
  • NASL family: Misc.
    NASL id: SAMBA_MKSMBPASSWD.NASL
    description: According to its banner, the version of Samba running on the remote host is earlier than 3.0.2. Such versions are shipped with an account creation script (mksmbpasswd.sh) that, when utilized to disable a user account, may overwrite the user's password with the contents of an uninitialized buffer.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 17722
    published: 2011-11-18
    reporter: This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/17722
    title: Samba < 3.0.2 mksmbpasswd.sh Uninitialized Passwords
  • NASL family: FreeBSD Local Security Checks
    NASL id: FREEBSD_SAMBA_301_2.NASL
    description: The following package needs to be updated: samba
    last seen: 2016-09-26
    modified: 2004-07-06
    plugin id: 12611
    published: 2004-07-06
    reporter: Tenable
    source: https://www.tenable.com/plugins/index.php?view=single&id=12611
    title: FreeBSD : Samba 3.0.x password initialization bug (172)
  • NASL family: FreeBSD Local Security Checks
    NASL id: FREEBSD_PKG_3388EFF95D6E11D880E30020ED76EF5A.NASL
    description: From the Samba 3.0.2 release notes : Security Announcement: It has been confirmed that previous versions of Samba 3.0 are susceptible to a password initialization bug that could grant an attacker unauthorized access to a user account created by the mksmbpasswd.sh shell script.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 37695
    published: 2009-04-23
    reporter: This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/37695
    title: FreeBSD : Samba 3.0.x password initialization bug (3388eff9-5d6e-11d8-80e3-0020ed76ef5a)

Oval

accepted: 2010-09-20T04:00:38.639-04:00
class: vulnerability
contributors:
  • name: Jay Beale
    organization: Bastille Linux
  • name: Matt Busby
    organization: The MITRE Corporation
  • name: Thomas R. Jones
    organization: Maitreya Security
  • name: Jonathan Baker
    organization: The MITRE Corporation
description: The mksmbpasswd shell script (mksmbpasswd.sh) in Samba 3.0.0 and 3.0.1, when creating an account but marking it as disabled, may overwrite the user password with an uninitialized buffer, which could enable the account with a more easily guessable password.
family: unix
id: oval:org.mitre.oval:def:827
status: accepted
submitted: 2004-03-20T12:00:00.000-04:00
title: Samba mksmbpasswd Disabled Account Creation Vulnerability
version: 41

Redhat

advisories
rhsa
id: RHSA-2004:064
rpms
  • samba-0:3.0.2-6.3E
  • samba-client-0:3.0.2-6.3E
  • samba-common-0:3.0.2-6.3E
  • samba-swat-0:3.0.2-6.3E