Vulnerabilities > CVE-2007-4572 - Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Samba

047910
CVSS 9.3 - CRITICAL
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
network
samba
CWE-119
critical
nessus

Summary

Stack-based buffer overflow in nmbd in Samba 3.0.0 through 3.0.26a, when configured as a Primary or Backup Domain controller, allows remote attackers to have an unknown impact via crafted GETDC mailslot requests, related to handling of GETDC logon server requests.

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.

Nessus

  • NASL familyMacOS X Local Security Checks
    NASL idMACOSX_SECUPD2007-009.NASL
    descriptionThe remote host is running a version of Mac OS X 10.5 or 10.4 that does not have Security Update 2007-009 applied. This update contains several security fixes for a large number of programs.
    last seen2020-06-01
    modified2020-06-02
    plugin id29723
    published2007-12-18
    reporterThis script is Copyright (C) 2007-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/29723
    titleMac OS X Multiple Vulnerabilities (Security Update 2007-009)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(29723);
      script_version("1.27");
      script_cvs_date("Date: 2018/07/14  1:59:35");
    
      script_cve_id("CVE-2006-0024", "CVE-2007-1218", "CVE-2007-1659", "CVE-2007-1660", "CVE-2007-1661",
                    "CVE-2007-1662", "CVE-2007-3798", "CVE-2007-3876", "CVE-2007-4131", "CVE-2007-4351",
                    "CVE-2007-4572", "CVE-2007-4708", "CVE-2007-4709", "CVE-2007-4710", "CVE-2007-4766",
                    "CVE-2007-4767", "CVE-2007-4768", "CVE-2007-4965", "CVE-2007-5116", "CVE-2007-5379",
                    "CVE-2007-5380", "CVE-2007-5398", "CVE-2007-5476", "CVE-2007-5770", "CVE-2007-5847",
                    "CVE-2007-5848", "CVE-2007-5849", "CVE-2007-5850", "CVE-2007-5851", "CVE-2007-5853",
                    "CVE-2007-5854", "CVE-2007-5855", "CVE-2007-5856", "CVE-2007-5857", "CVE-2007-5858",
                    "CVE-2007-5859", "CVE-2007-5860", "CVE-2007-5861", "CVE-2007-5863", "CVE-2007-6077",
                    "CVE-2007-6165");
      script_bugtraq_id(17106, 22772, 24965, 25417, 25696, 26096, 26268, 26274, 26346,
                        26350, 26421, 26454, 26455, 26510, 26598, 26908, 26910, 26926);
    
      script_name(english:"Mac OS X Multiple Vulnerabilities (Security Update 2007-009)");
      script_summary(english:"Check for the presence of Security Update 2007-009");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote host is missing a Mac OS X update that fixes various
    security issues.");
      script_set_attribute(attribute:"description", value:
    "The remote host is running a version of Mac OS X 10.5 or 10.4 that does
    not have Security Update 2007-009 applied. 
    
    This update contains several security fixes for a large number of
    programs.");
      script_set_attribute(attribute:"see_also", value:"http://docs.info.apple.com/article.html?artnum=307179");
      script_set_attribute(attribute:"see_also", value:"http://lists.apple.com/archives/security-announce/2007/Dec/msg00002.html");
      script_set_attribute(attribute:"see_also", value:"http://www.securityfocus.com/advisories/13649");
      script_set_attribute(attribute:"solution", value:"Install Security Update 2007-009.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Mail.app Image Attachment Command Execution');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
      script_cwe_id(16, 20, 22, 79, 119, 134, 189, 200, 264, 287, 310, 362, 399);
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2006/03/15");
      script_set_attribute(attribute:"patch_publication_date", value:"2007/10/17");
      script_set_attribute(attribute:"plugin_publication_date", value:"2007/12/18");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:apple:mac_os_x");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"MacOS X Local Security Checks");
      script_copyright(english:"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/MacOSX/packages", "Host/uname");
      exit(0);
    }
    
    
    uname = get_kb_item("Host/uname");
    if ( ! uname ) exit(0);
    if ( egrep(pattern:"Darwin.* (8\.[0-9]\.|8\.1[01]\.)", string:uname) )
    {
      packages = get_kb_item("Host/MacOSX/packages");
      if ( ! packages ) exit(0);
      if (!egrep(pattern:"^SecUpd(Srvr)?(2007-009|200[89]-|20[1-9][0-9]-)", string:packages))
        security_hole(0);
    }
    else if ( egrep(pattern:"Darwin.* (9\.[01]\.)", string:uname) )
    {
     packages = get_kb_item("Host/MacOSX/packages/boms");
     if ( ! packages ) exit(0);
     if ( !egrep(pattern:"^com\.apple\.pkg\.update\.security\.2007\.009\.bom", string:packages) )
    	security_hole(0);
    }
    
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-544-1.NASL
    descriptionSamba developers discovered that nmbd could be made to overrun a buffer during the processing of GETDC logon server requests. When samba is configured as a Primary or Backup Domain Controller, a remote attacker could send malicious logon requests and possibly cause a denial of service. (CVE-2007-4572) Alin Rad Pop of Secunia Research discovered that nmbd did not properly check the length of netbios packets. When samba is configured as a WINS server, a remote attacker could send multiple crafted requests resulting in the execution of arbitrary code with root privileges. (CVE-2007-5398). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id28251
    published2007-11-16
    reporterUbuntu Security Notice (C) 2007-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/28251
    titleUbuntu 6.06 LTS / 6.10 / 7.04 / 7.10 : samba vulnerabilities (USN-544-1)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-544-1. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(28251);
      script_version("1.14");
      script_cvs_date("Date: 2019/08/02 13:33:01");
    
      script_cve_id("CVE-2007-4572", "CVE-2007-5398");
      script_xref(name:"USN", value:"544-1");
    
      script_name(english:"Ubuntu 6.06 LTS / 6.10 / 7.04 / 7.10 : samba vulnerabilities (USN-544-1)");
      script_summary(english:"Checks dpkg output for updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Ubuntu host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Samba developers discovered that nmbd could be made to overrun a
    buffer during the processing of GETDC logon server requests. When
    samba is configured as a Primary or Backup Domain Controller, a remote
    attacker could send malicious logon requests and possibly cause a
    denial of service. (CVE-2007-4572)
    
    Alin Rad Pop of Secunia Research discovered that nmbd did not properly
    check the length of netbios packets. When samba is configured as a
    WINS server, a remote attacker could send multiple crafted requests
    resulting in the execution of arbitrary code with root privileges.
    (CVE-2007-5398).
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://usn.ubuntu.com/544-1/"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_cwe_id(119);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libpam-smbpass");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libsmbclient");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libsmbclient-dev");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:python-samba");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:python2.4-samba");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:samba");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:samba-common");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:samba-dbg");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:samba-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:samba-doc-pdf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:smbclient");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:smbfs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:swat");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:winbind");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:6.06:-:lts");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:6.10");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:7.04");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:7.10");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2007/11/15");
      script_set_attribute(attribute:"plugin_publication_date", value:"2007/11/16");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2007-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("misc_func.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! ereg(pattern:"^(6\.06|6\.10|7\.04|7\.10)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 6.06 / 6.10 / 7.04 / 7.10", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    flag = 0;
    
    if (ubuntu_check(osver:"6.06", pkgname:"libpam-smbpass", pkgver:"3.0.22-1ubuntu3.4")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"libsmbclient", pkgver:"3.0.22-1ubuntu3.4")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"libsmbclient-dev", pkgver:"3.0.22-1ubuntu3.4")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"python2.4-samba", pkgver:"3.0.22-1ubuntu3.4")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"samba", pkgver:"3.0.22-1ubuntu3.4")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"samba-common", pkgver:"3.0.22-1ubuntu3.4")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"samba-dbg", pkgver:"3.0.22-1ubuntu3.4")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"samba-doc", pkgver:"3.0.22-1ubuntu3.4")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"samba-doc-pdf", pkgver:"3.0.22-1ubuntu3.4")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"smbclient", pkgver:"3.0.22-1ubuntu3.4")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"smbfs", pkgver:"3.0.22-1ubuntu3.4")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"swat", pkgver:"3.0.22-1ubuntu3.4")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"winbind", pkgver:"3.0.22-1ubuntu3.4")) flag++;
    if (ubuntu_check(osver:"6.10", pkgname:"libpam-smbpass", pkgver:"3.0.22-1ubuntu4.3")) flag++;
    if (ubuntu_check(osver:"6.10", pkgname:"libsmbclient", pkgver:"3.0.22-1ubuntu4.3")) flag++;
    if (ubuntu_check(osver:"6.10", pkgname:"libsmbclient-dev", pkgver:"3.0.22-1ubuntu4.3")) flag++;
    if (ubuntu_check(osver:"6.10", pkgname:"python2.4-samba", pkgver:"3.0.22-1ubuntu4.3")) flag++;
    if (ubuntu_check(osver:"6.10", pkgname:"samba", pkgver:"3.0.22-1ubuntu4.3")) flag++;
    if (ubuntu_check(osver:"6.10", pkgname:"samba-common", pkgver:"3.0.22-1ubuntu4.3")) flag++;
    if (ubuntu_check(osver:"6.10", pkgname:"samba-dbg", pkgver:"3.0.22-1ubuntu4.3")) flag++;
    if (ubuntu_check(osver:"6.10", pkgname:"samba-doc", pkgver:"3.0.22-1ubuntu4.3")) flag++;
    if (ubuntu_check(osver:"6.10", pkgname:"samba-doc-pdf", pkgver:"3.0.22-1ubuntu4.3")) flag++;
    if (ubuntu_check(osver:"6.10", pkgname:"smbclient", pkgver:"3.0.22-1ubuntu4.3")) flag++;
    if (ubuntu_check(osver:"6.10", pkgname:"smbfs", pkgver:"3.0.22-1ubuntu4.3")) flag++;
    if (ubuntu_check(osver:"6.10", pkgname:"swat", pkgver:"3.0.22-1ubuntu4.3")) flag++;
    if (ubuntu_check(osver:"6.10", pkgname:"winbind", pkgver:"3.0.22-1ubuntu4.3")) flag++;
    if (ubuntu_check(osver:"7.04", pkgname:"libpam-smbpass", pkgver:"3.0.24-2ubuntu1.3")) flag++;
    if (ubuntu_check(osver:"7.04", pkgname:"libsmbclient", pkgver:"3.0.24-2ubuntu1.3")) flag++;
    if (ubuntu_check(osver:"7.04", pkgname:"libsmbclient-dev", pkgver:"3.0.24-2ubuntu1.3")) flag++;
    if (ubuntu_check(osver:"7.04", pkgname:"python-samba", pkgver:"3.0.24-2ubuntu1.3")) flag++;
    if (ubuntu_check(osver:"7.04", pkgname:"samba", pkgver:"3.0.24-2ubuntu1.3")) flag++;
    if (ubuntu_check(osver:"7.04", pkgname:"samba-common", pkgver:"3.0.24-2ubuntu1.3")) flag++;
    if (ubuntu_check(osver:"7.04", pkgname:"samba-dbg", pkgver:"3.0.24-2ubuntu1.3")) flag++;
    if (ubuntu_check(osver:"7.04", pkgname:"samba-doc", pkgver:"3.0.24-2ubuntu1.3")) flag++;
    if (ubuntu_check(osver:"7.04", pkgname:"samba-doc-pdf", pkgver:"3.0.24-2ubuntu1.3")) flag++;
    if (ubuntu_check(osver:"7.04", pkgname:"smbclient", pkgver:"3.0.24-2ubuntu1.3")) flag++;
    if (ubuntu_check(osver:"7.04", pkgname:"smbfs", pkgver:"3.0.24-2ubuntu1.3")) flag++;
    if (ubuntu_check(osver:"7.04", pkgname:"swat", pkgver:"3.0.24-2ubuntu1.3")) flag++;
    if (ubuntu_check(osver:"7.04", pkgname:"winbind", pkgver:"3.0.24-2ubuntu1.3")) flag++;
    if (ubuntu_check(osver:"7.10", pkgname:"libpam-smbpass", pkgver:"3.0.26a-1ubuntu2.1")) flag++;
    if (ubuntu_check(osver:"7.10", pkgname:"libsmbclient", pkgver:"3.0.26a-1ubuntu2.1")) flag++;
    if (ubuntu_check(osver:"7.10", pkgname:"libsmbclient-dev", pkgver:"3.0.26a-1ubuntu2.1")) flag++;
    if (ubuntu_check(osver:"7.10", pkgname:"samba", pkgver:"3.0.26a-1ubuntu2.1")) flag++;
    if (ubuntu_check(osver:"7.10", pkgname:"samba-common", pkgver:"3.0.26a-1ubuntu2.1")) flag++;
    if (ubuntu_check(osver:"7.10", pkgname:"samba-dbg", pkgver:"3.0.26a-1ubuntu2.1")) flag++;
    if (ubuntu_check(osver:"7.10", pkgname:"samba-doc", pkgver:"3.0.26a-1ubuntu2.1")) flag++;
    if (ubuntu_check(osver:"7.10", pkgname:"samba-doc-pdf", pkgver:"3.0.26a-1ubuntu2.1")) flag++;
    if (ubuntu_check(osver:"7.10", pkgname:"smbclient", pkgver:"3.0.26a-1ubuntu2.1")) flag++;
    if (ubuntu_check(osver:"7.10", pkgname:"smbfs", pkgver:"3.0.26a-1ubuntu2.1")) flag++;
    if (ubuntu_check(osver:"7.10", pkgname:"swat", pkgver:"3.0.26a-1ubuntu2.1")) flag++;
    if (ubuntu_check(osver:"7.10", pkgname:"winbind", pkgver:"3.0.26a-1ubuntu2.1")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libpam-smbpass / libsmbclient / libsmbclient-dev / python-samba / etc");
    }
    
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2007-1013.NASL
    descriptionUpdated samba packages that fix several security issues are now available for Red Hat Enterprise Linux 2.1 and 3. This update has been rated as having critical security impact by the Red Hat Security Response Team. Samba is a suite of programs used by machines to share files, printers, and other information. A buffer overflow flaw was found in the way Samba creates NetBIOS replies. If a Samba server is configured to run as a WINS server, a remote unauthenticated user could cause the Samba server to crash or execute arbitrary code. (CVE-2007-5398) A heap-based buffer overflow flaw was found in the way Samba authenticates users. A remote unauthenticated user could trigger this flaw to cause the Samba server to crash. Careful analysis of this flaw has determined that arbitrary code execution is not possible, and under most circumstances will not result in a crash of the Samba server. (CVE-2007-4572) Red Hat would like to thank Alin Rad Pop of Secunia Research, and the Samba developers for responsibly disclosing these issues. Users of Samba are advised to ugprade to these updated packages, which contain backported patches to resolve these issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id28244
    published2007-11-16
    reporterThis script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/28244
    titleRHEL 2.1 / 3 : samba (RHSA-2007:1013)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2007:1013. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(28244);
      script_version ("1.23");
      script_cvs_date("Date: 2019/10/25 13:36:12");
    
      script_cve_id("CVE-2007-4572", "CVE-2007-5398");
      script_bugtraq_id(26454, 26455);
      script_xref(name:"RHSA", value:"2007:1013");
    
      script_name(english:"RHEL 2.1 / 3 : samba (RHSA-2007:1013)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated samba packages that fix several security issues are now
    available for Red Hat Enterprise Linux 2.1 and 3.
    
    This update has been rated as having critical security impact by the
    Red Hat Security Response Team.
    
    Samba is a suite of programs used by machines to share files,
    printers, and other information.
    
    A buffer overflow flaw was found in the way Samba creates NetBIOS
    replies. If a Samba server is configured to run as a WINS server, a
    remote unauthenticated user could cause the Samba server to crash or
    execute arbitrary code. (CVE-2007-5398)
    
    A heap-based buffer overflow flaw was found in the way Samba
    authenticates users. A remote unauthenticated user could trigger this
    flaw to cause the Samba server to crash. Careful analysis of this flaw
    has determined that arbitrary code execution is not possible, and
    under most circumstances will not result in a crash of the Samba
    server. (CVE-2007-4572)
    
    Red Hat would like to thank Alin Rad Pop of Secunia Research, and the
    Samba developers for responsibly disclosing these issues.
    
    Users of Samba are advised to ugprade to these updated packages, which
    contain backported patches to resolve these issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2007-4572"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2007-5398"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2007:1013"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
      script_cwe_id(119);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:samba");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:samba-client");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:samba-common");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:samba-swat");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:2.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:3");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2007/11/16");
      script_set_attribute(attribute:"patch_publication_date", value:"2007/11/15");
      script_set_attribute(attribute:"plugin_publication_date", value:"2007/11/16");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(2\.1|3)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 2.1 / 3.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2007:1013";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"samba-2.2.12-1.21as.8.1")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"samba-client-2.2.12-1.21as.8.1")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"samba-common-2.2.12-1.21as.8.1")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"samba-swat-2.2.12-1.21as.8.1")) flag++;
    
      if (rpm_check(release:"RHEL3", reference:"samba-3.0.9-1.3E.14.1")) flag++;
      if (rpm_check(release:"RHEL3", reference:"samba-client-3.0.9-1.3E.14.1")) flag++;
      if (rpm_check(release:"RHEL3", reference:"samba-common-3.0.9-1.3E.14.1")) flag++;
      if (rpm_check(release:"RHEL3", reference:"samba-swat-3.0.9-1.3E.14.1")) flag++;
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "samba / samba-client / samba-common / samba-swat");
      }
    }
    
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2007-1013.NASL
    descriptionFrom Red Hat Security Advisory 2007:1013 : Updated samba packages that fix several security issues are now available for Red Hat Enterprise Linux 2.1 and 3. This update has been rated as having critical security impact by the Red Hat Security Response Team. Samba is a suite of programs used by machines to share files, printers, and other information. A buffer overflow flaw was found in the way Samba creates NetBIOS replies. If a Samba server is configured to run as a WINS server, a remote unauthenticated user could cause the Samba server to crash or execute arbitrary code. (CVE-2007-5398) A heap-based buffer overflow flaw was found in the way Samba authenticates users. A remote unauthenticated user could trigger this flaw to cause the Samba server to crash. Careful analysis of this flaw has determined that arbitrary code execution is not possible, and under most circumstances will not result in a crash of the Samba server. (CVE-2007-4572) Red Hat would like to thank Alin Rad Pop of Secunia Research, and the Samba developers for responsibly disclosing these issues. Users of Samba are advised to ugprade to these updated packages, which contain backported patches to resolve these issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id67596
    published2013-07-12
    reporterThis script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/67596
    titleOracle Linux 3 : samba (ELSA-2007-1013)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2007-1016.NASL
    descriptionUpdated samba packages that fix several security issues are now available for Red Hat Enterprise Linux 4. This update has been rated as having critical security impact by the Red Hat Security Response Team. Samba is a suite of programs used by machines to share files, printers, and other information. A buffer overflow flaw was found in the way Samba creates NetBIOS replies. If a Samba server is configured to run as a WINS server, a remote unauthenticated user could cause the Samba server to crash or execute arbitrary code. (CVE-2007-5398) A heap-based buffer overflow flaw was found in the way Samba authenticates users. A remote unauthenticated user could trigger this flaw to cause the Samba server to crash. Careful analysis of this flaw has determined that arbitrary code execution is not possible, and under most circumstances will not result in a crash of the Samba server. (CVE-2007-4572) A flaw was found in the way Samba assigned group IDs under certain conditions. If the
    last seen2020-06-01
    modified2020-06-02
    plugin id28245
    published2007-11-16
    reporterThis script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/28245
    titleRHEL 4 : samba (RHSA-2007:1016)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2007-3402.NASL
    descriptionSecurity Fixes : - CVE-2007-4572 - CVE-2007-5398 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id28229
    published2007-11-16
    reporterThis script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/28229
    titleFedora 7 : samba-3.0.27-0.fc7 (2007-3402)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-544-2.NASL
    descriptionUSN-544-1 fixed two vulnerabilities in Samba. Fixes for CVE-2007-5398 are unchanged, but the upstream changes for CVE-2007-4572 introduced a regression in all releases which caused Linux smbfs mounts to fail. Additionally, Dapper and Edgy included an incomplete patch which caused configurations using NetBIOS to fail. A proper fix for these regressions does not exist at this time, and so the patch addressing CVE-2007-4572 has been removed. This vulnerability is believed to be an unexploitable denial of service, but a future update will address this issue. We apologize for the inconvenience. Samba developers discovered that nmbd could be made to overrun a buffer during the processing of GETDC logon server requests. When samba is configured as a Primary or Backup Domain Controller, a remote attacker could send malicious logon requests and possibly cause a denial of service. (CVE-2007-4572) Alin Rad Pop of Secunia Research discovered that nmbd did not properly check the length of netbios packets. When samba is configured as a WINS server, a remote attacker could send multiple crafted requests resulting in the execution of arbitrary code with root privileges. (CVE-2007-5398). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id28288
    published2007-11-20
    reporterUbuntu Security Notice (C) 2007-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/28288
    titleUbuntu 6.06 LTS / 6.10 / 7.04 / 7.10 : samba regression (USN-544-2)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-1409.NASL
    descriptionThis update fixes all currently known regressions introduced with the previous two revisions of DSA-1409. The original text is reproduced below : Several local/remote vulnerabilities have been discovered in samba, a LanManager-like file and printer server for Unix. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2007-5398 Alin Rad Pop of Secunia Research discovered that nmbd did not properly check the length of netbios packets. When samba is configured as a WINS server, a remote attacker could send multiple crafted requests resulting in the execution of arbitrary code with root privileges. - CVE-2007-4572 Samba developers discovered that nmbd could be made to overrun a buffer during the processing of GETDC logon server requests. When samba is configured as a Primary or Backup Domain Controller, a remote attacker could send malicious logon requests and possibly cause a denial of service.
    last seen2020-06-01
    modified2020-06-02
    plugin id28298
    published2007-11-26
    reporterThis script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/28298
    titleDebian DSA-1409-3 : samba - several vulnerabilities
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2007-751.NASL
    description - Thu Nov 15 2007 Simo Sorce <ssorce at redhat.com> 3.0.24-8.fc6 - Fix CVE-2007-4572 - Fix CVE-2007-5398 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id28315
    published2007-11-26
    reporterThis script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/28315
    titleFedora Core 6 : samba-3.0.24-8.fc6 (2007-751)
  • NASL familyMandriva Local Security Checks
    NASL idMANDRAKE_MDKSA-2007-224.NASL
    descriptionThe samba developers discovered that nmbd could be made to overrun a buffer during the processing of GETDC logon server requests. If samba is configured as a Primary or Backup Domain Controller, this could be used by a remote attacker to send malicious logon requests and possibly cause a denial of service (CVE-2007-4572). As well, Alin Rad Pop of Secunia Research found that nmbd did not properly check the length of netbios packets. If samba is configured as a WINS server, this could be used by a remote attacker able to send multiple crafted requests to nmbd, resulting in the execution of arbitrary code with root privileges (CVE-2007-5398). Update : This update corrects all known regressions with previous Samba updates due to the security fixes to correct CVE-2007-4572.
    last seen2020-06-01
    modified2020-06-02
    plugin id28274
    published2007-11-20
    reporterThis script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/28274
    titleMandrake Linux Security Advisory : samba (MDKSA-2007:224-3)
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-200711-29.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-200711-29 (Samba: Execution of arbitrary code) Two vulnerabilities have been reported in nmbd. Alin Rad Pop (Secunia Research) discovered a boundary checking error in the reply_netbios_packet() function which could lead to a stack-based buffer overflow (CVE-2007-5398). The Samba developers discovered a boundary error when processing GETDC logon requests also leading to a buffer overflow (CVE-2007-4572). Impact : To exploit the first vulnerability, a remote unauthenticated attacker could send specially crafted WINS
    last seen2020-06-01
    modified2020-06-02
    plugin id28318
    published2007-11-26
    reporterThis script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/28318
    titleGLSA-200711-29 : Samba: Execution of arbitrary code
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_A63B15F997FF11DC9E480016179B2DD5.NASL
    descriptionThe Samba Team reports : Secunia Research reported a vulnerability that allows for the execution of arbitrary code in nmbd. This defect may only be exploited when the
    last seen2020-06-01
    modified2020-06-02
    plugin id28317
    published2007-11-26
    reporterThis script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/28317
    titleFreeBSD : samba -- multiple vulnerabilities (a63b15f9-97ff-11dc-9e48-0016179b2dd5)
  • NASL familySolaris Local Security Checks
    NASL idSOLARIS9_114684.NASL
    descriptionSunOS 5.9: Samba Patch. Date this patch was last updated by Sun : Dec/22/10
    last seen2020-06-01
    modified2020-06-02
    plugin id13559
    published2004-07-12
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/13559
    titleSolaris 9 (sparc) : 114684-17
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20071115_SAMBA_ON_SL5_X.NASL
    descriptionA buffer overflow flaw was found in the way Samba creates NetBIOS replies. If a Samba server is configured to run as a WINS server, a remote unauthenticated user could cause the Samba server to crash or execute arbitrary code. (CVE-2007-5398) A heap based buffer overflow flaw was found in the way Samba authenticates users. A remote unauthenticated user could trigger this flaw to cause the Samba server to crash. Careful analysis of this flaw has determined that arbitrary code execution is not possible, and under most circumstances will not result in a crash of the Samba server. (CVE-2007-4572) A flaw was found in the way Samba assigned group IDs under certain conditions. If the
    last seen2020-06-01
    modified2020-06-02
    plugin id60309
    published2012-08-01
    reporterThis script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/60309
    titleScientific Linux Security Update : samba on SL5.x, SL4.x, SL3.x i386/x86_64
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2007-1114.NASL
    descriptionUpdated samba packages that fix a security issue and a bug are now available for Red Hat Enterprise Linux. This update has been rated as having critical security impact by the Red Hat Security Response Team. Samba is a suite of programs used by machines to share files, printers, and other information. A stack-based buffer overflow flaw was found in the way Samba authenticates remote users. A remote unauthenticated user could trigger this flaw to cause the Samba server to crash, or execute arbitrary code with the permissions of the Samba server. (CVE-2007-6015) Red Hat would like to thank Alin Rad Pop of Secunia Research for responsibly disclosing this issue. This update also fixes a regression caused by the fix for CVE-2007-4572, which prevented some clients from being able to properly access shares. Users of Samba are advised to upgrade to these updated packages, which contain a backported patch to resolve these issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id29256
    published2007-12-11
    reporterThis script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/29256
    titleCentOS 3 / 4 / 5 : samba (CESA-2007:1114)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2007-1013.NASL
    descriptionUpdated samba packages that fix several security issues are now available for Red Hat Enterprise Linux 2.1 and 3. This update has been rated as having critical security impact by the Red Hat Security Response Team. Samba is a suite of programs used by machines to share files, printers, and other information. A buffer overflow flaw was found in the way Samba creates NetBIOS replies. If a Samba server is configured to run as a WINS server, a remote unauthenticated user could cause the Samba server to crash or execute arbitrary code. (CVE-2007-5398) A heap-based buffer overflow flaw was found in the way Samba authenticates users. A remote unauthenticated user could trigger this flaw to cause the Samba server to crash. Careful analysis of this flaw has determined that arbitrary code execution is not possible, and under most circumstances will not result in a crash of the Samba server. (CVE-2007-4572) Red Hat would like to thank Alin Rad Pop of Secunia Research, and the Samba developers for responsibly disclosing these issues. Users of Samba are advised to ugprade to these updated packages, which contain backported patches to resolve these issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id37627
    published2009-04-23
    reporterThis script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/37627
    titleCentOS 3 : samba (CESA-2007:1013)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_CIFS-MOUNT-4719.NASL
    descriptionThis update fixes two buffer overflows in nmbd (CVE-2007-4572 / CVE-2007-5398). Remote attackers could potentially exploit them to execute arbitrary code. The updated packages additionally contain fixes for numerous other defects. Please refer to the package changelog for details.
    last seen2020-06-01
    modified2020-06-02
    plugin id29391
    published2007-12-13
    reporterThis script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/29391
    titleSuSE 10 Security Update : Samba (ZYPP Patch Number 4719)
  • NASL familyVMware ESX Local Security Checks
    NASL idVMWARE_VMSA-2008-0001.NASL
    descriptionI Service Console package security updates a. OpenPegasus PAM Authentication Buffer Overflow Alexander Sotirov from VMware Security Research discovered a buffer overflow vulnerability in the OpenPegasus Management server. This flaw could be exploited by a malicious remote user on the service console network to gain root access to the service console. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2007-5360 to this issue. b. Updated Samba package An issue where attackers on the service console management network can cause a stack-based buffer overflow in the reply_netbios_packet function of nmbd in Samba. On systems where Samba is being used as a WINS server, exploiting this vulnerability can allow remote attackers to execute arbitrary code via crafted WINS Name Registration requests followed by a WINS Name Query request. An issue where attackers on the service console management network can exploit a vulnerability that occurs when Samba is configured as a Primary or Backup Domain controller. The vulnerability allows remote attackers to have an unknown impact via crafted GETDC mailslot requests, related to handling of GETDC logon server requests. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2007-5398 and CVE-2007-4572 to these issues. Note: By default Samba is not configured as a WINS server or a domain controller and ESX is not vulnerable unless the administrator has changed the default configuration. This vulnerability can be exploited remotely only if the attacker has access to the service console network. Security best practices provided by VMware recommend that the service console be isolated from the VM network. Please see http://www.vmware.com/resources/techresources/726 for more information on VMware security best practices. c. Updated util-linux package The patch addresses an issue where the mount and umount utilities in util-linux call the setuid and setgid functions in the wrong order and do not check the return values, which could allow attackers to gain elevated privileges via helper application such as mount.nfs. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2007-5191 to this issue. d. Updated Perl package The update addresses an issue where the regular expression engine in Perl can be used to issue a specially crafted regular expression that allows the attacker to run arbitrary code with the permissions level of the current Perl user. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2007-5116 to this issue. e. Updated OpenSSL package A flaw in the SSL_get_shared_ciphers() function could allow an attacker to cause a buffer overflow problem by sending ciphers to applications that use the function. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2007-3108, and CVE-2007-5135 to these issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id40372
    published2009-07-27
    reporterThis script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/40372
    titleVMSA-2008-0001 : Moderate OpenPegasus PAM Authentication Buffer Overflow and updated service console packages
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20071210_SAMBA_ON_SL5_X.NASL
    descriptionA stack-based buffer overflow flaw was found in the way Samba authenticates remote users. A remote unauthenticated user could trigger this flaw to cause the Samba server to crash, or execute arbitrary code with the permissions of the Samba server. (CVE-2007-6015) This update also fixes a regression caused by the fix for CVE-2007-4572, which prevented some clients from being able to properly access shares.
    last seen2020-06-01
    modified2020-06-02
    plugin id60328
    published2012-08-01
    reporterThis script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/60328
    titleScientific Linux Security Update : samba on SL5.x, SL4.x, SL3.x i386/x86_64
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2007-1114.NASL
    descriptionUpdated samba packages that fix a security issue and a bug are now available for Red Hat Enterprise Linux. This update has been rated as having critical security impact by the Red Hat Security Response Team. Samba is a suite of programs used by machines to share files, printers, and other information. A stack-based buffer overflow flaw was found in the way Samba authenticates remote users. A remote unauthenticated user could trigger this flaw to cause the Samba server to crash, or execute arbitrary code with the permissions of the Samba server. (CVE-2007-6015) Red Hat would like to thank Alin Rad Pop of Secunia Research for responsibly disclosing this issue. This update also fixes a regression caused by the fix for CVE-2007-4572, which prevented some clients from being able to properly access shares. Users of Samba are advised to upgrade to these updated packages, which contain a backported patch to resolve these issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id29303
    published2007-12-11
    reporterThis script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/29303
    titleRHEL 2.1 / 3 / 4 / 5 : samba (RHSA-2007:1114)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2007-3403.NASL
    descriptionSecurity Fixes : - CVE-2007-4572 - CVE-2007-5398 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id28256
    published2007-11-20
    reporterThis script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/28256
    titleFedora 8 : samba-3.0.27-0.fc8 (2007-3403)
  • NASL familyMisc.
    NASL idSAMBA_3_0_27.NASL
    descriptionAccording to its banner, the version of the Samba server on the remote host contains a boundary error in the
    last seen2020-06-01
    modified2020-06-02
    plugin id28228
    published2007-11-16
    reporterThis script is Copyright (C) 2007-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/28228
    titleSamba < 3.0.27 Multiple Vulnerabilities
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2007-1016.NASL
    descriptionFrom Red Hat Security Advisory 2007:1016 : Updated samba packages that fix several security issues are now available for Red Hat Enterprise Linux 4. This update has been rated as having critical security impact by the Red Hat Security Response Team. Samba is a suite of programs used by machines to share files, printers, and other information. A buffer overflow flaw was found in the way Samba creates NetBIOS replies. If a Samba server is configured to run as a WINS server, a remote unauthenticated user could cause the Samba server to crash or execute arbitrary code. (CVE-2007-5398) A heap-based buffer overflow flaw was found in the way Samba authenticates users. A remote unauthenticated user could trigger this flaw to cause the Samba server to crash. Careful analysis of this flaw has determined that arbitrary code execution is not possible, and under most circumstances will not result in a crash of the Samba server. (CVE-2007-4572) A flaw was found in the way Samba assigned group IDs under certain conditions. If the
    last seen2020-06-01
    modified2020-06-02
    plugin id67597
    published2013-07-12
    reporterThis script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/67597
    titleOracle Linux 4 : samba (ELSA-2007-1016)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2007-1114.NASL
    descriptionFrom Red Hat Security Advisory 2007:1114 : Updated samba packages that fix a security issue and a bug are now available for Red Hat Enterprise Linux. This update has been rated as having critical security impact by the Red Hat Security Response Team. Samba is a suite of programs used by machines to share files, printers, and other information. A stack-based buffer overflow flaw was found in the way Samba authenticates remote users. A remote unauthenticated user could trigger this flaw to cause the Samba server to crash, or execute arbitrary code with the permissions of the Samba server. (CVE-2007-6015) Red Hat would like to thank Alin Rad Pop of Secunia Research for responsibly disclosing this issue. This update also fixes a regression caused by the fix for CVE-2007-4572, which prevented some clients from being able to properly access shares. Users of Samba are advised to upgrade to these updated packages, which contain a backported patch to resolve these issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id67620
    published2013-07-12
    reporterThis script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/67620
    titleOracle Linux 3 / 4 / 5 : samba (ELSA-2007-1114)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-617-1.NASL
    descriptionSamba developers discovered that nmbd could be made to overrun a buffer during the processing of GETDC logon server requests. When samba is configured as a Primary or Backup Domain Controller, a remote attacker could send malicious logon requests and possibly cause a denial of service. (CVE-2007-4572) Alin Rad Pop of Secunia Research discovered that Samba did not properly perform bounds checking when parsing SMB replies. A remote attacker could send crafted SMB packets and execute arbitrary code. (CVE-2008-1105). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id33217
    published2008-06-18
    reporterUbuntu Security Notice (C) 2008-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/33217
    titleUbuntu 6.06 LTS / 7.04 / 7.10 / 8.04 LTS : samba vulnerabilities (USN-617-1)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_CIFS-MOUNT-4740.NASL
    descriptionThis update fixes two buffer overflows in nmbd (CVE-2007-4572, CVE-2007-5398). Remote attackers could potentially exploit them to execute arbitrary code. The updated packages additionally contain fixes for numerous other defects. Please refer to the package changelog for details.
    last seen2020-06-01
    modified2020-06-02
    plugin id28370
    published2007-11-30
    reporterThis script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/28370
    titleopenSUSE 10 Security Update : cifs-mount (cifs-mount-4740)
  • NASL familySolaris Local Security Checks
    NASL idSOLARIS9_X86_114685.NASL
    descriptionSunOS 5.9_x86: Samba Patch. Date this patch was last updated by Sun : Dec/22/10
    last seen2020-06-01
    modified2020-06-02
    plugin id13609
    published2004-07-12
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/13609
    titleSolaris 9 (x86) : 114685-17
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2007-1016.NASL
    descriptionUpdated samba packages that fix several security issues are now available for Red Hat Enterprise Linux 4. This update has been rated as having critical security impact by the Red Hat Security Response Team. Samba is a suite of programs used by machines to share files, printers, and other information. A buffer overflow flaw was found in the way Samba creates NetBIOS replies. If a Samba server is configured to run as a WINS server, a remote unauthenticated user could cause the Samba server to crash or execute arbitrary code. (CVE-2007-5398) A heap-based buffer overflow flaw was found in the way Samba authenticates users. A remote unauthenticated user could trigger this flaw to cause the Samba server to crash. Careful analysis of this flaw has determined that arbitrary code execution is not possible, and under most circumstances will not result in a crash of the Samba server. (CVE-2007-4572) A flaw was found in the way Samba assigned group IDs under certain conditions. If the
    last seen2020-06-01
    modified2020-06-02
    plugin id67059
    published2013-06-29
    reporterThis script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/67059
    titleCentOS 4 : samba (CESA-2007:1016)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-617-2.NASL
    descriptionUSN-617-1 fixed vulnerabilities in Samba. The upstream patch introduced a regression where under certain circumstances accessing large files might cause the client to report an invalid packet length error. This update fixes the problem. We apologize for the inconvenience. Samba developers discovered that nmbd could be made to overrun a buffer during the processing of GETDC logon server requests. When samba is configured as a Primary or Backup Domain Controller, a remote attacker could send malicious logon requests and possibly cause a denial of service. (CVE-2007-4572) Alin Rad Pop of Secunia Research discovered that Samba did not properly perform bounds checking when parsing SMB replies. A remote attacker could send crafted SMB packets and execute arbitrary code. (CVE-2008-1105). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id33388
    published2008-07-02
    reporterUbuntu Security Notice (C) 2008-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/33388
    titleUbuntu 6.06 LTS / 7.04 / 7.10 / 8.04 LTS : samba regression (USN-617-2)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2007-1017.NASL
    descriptionUpdated samba packages that fix security issues are now available for Red Hat Enterprise Linux 5. This update has been rated as having critical security impact by the Red Hat Security Response Team. Samba is a suite of programs used by machines to share files, printers, and other information. A buffer overflow flaw was found in the way Samba creates NetBIOS replies. If a Samba server is configured to run as a WINS server, a remote unauthenticated user could cause the Samba server to crash or execute arbitrary code. (CVE-2007-5398) A heap based buffer overflow flaw was found in the way Samba authenticates users. A remote unauthenticated user could trigger this flaw to cause the Samba server to crash. Careful analysis of this flaw has determined that arbitrary code execution is not possible, and under most circumstances will not result in a crash of the Samba server. (CVE-2007-4572) A flaw was found in the way Samba assigned group IDs under certain conditions. If the
    last seen2020-06-01
    modified2020-06-02
    plugin id28246
    published2007-11-16
    reporterThis script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/28246
    titleRHEL 5 : samba (RHSA-2007:1017)
  • NASL familySlackware Local Security Checks
    NASL idSLACKWARE_SSA_2007-320-01.NASL
    descriptionNew samba packages are available for Slackware 10.0, 10.1, 10.2, 11.0, 12.0, and -current to fix security issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id28277
    published2007-11-20
    reporterThis script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/28277
    titleSlackware 10.0 / 10.1 / 10.2 / 11.0 / 12.0 / current : samba (SSA:2007-320-01)

Oval

  • accepted2013-04-29T04:11:44.333-04:00
    classvulnerability
    contributors
    • nameAharon Chernin
      organizationSCAP.com, LLC
    • nameDragos Prisaca
      organizationG2, Inc.
    definition_extensions
    • commentThe operating system installed on the system is Red Hat Enterprise Linux 3
      ovaloval:org.mitre.oval:def:11782
    • commentCentOS Linux 3.x
      ovaloval:org.mitre.oval:def:16651
    • commentThe operating system installed on the system is Red Hat Enterprise Linux 4
      ovaloval:org.mitre.oval:def:11831
    • commentCentOS Linux 4.x
      ovaloval:org.mitre.oval:def:16636
    • commentOracle Linux 4.x
      ovaloval:org.mitre.oval:def:15990
    • commentThe operating system installed on the system is Red Hat Enterprise Linux 5
      ovaloval:org.mitre.oval:def:11414
    • commentThe operating system installed on the system is CentOS Linux 5.x
      ovaloval:org.mitre.oval:def:15802
    • commentOracle Linux 5.x
      ovaloval:org.mitre.oval:def:15459
    descriptionStack-based buffer overflow in nmbd in Samba 3.0.0 through 3.0.26a, when configured as a Primary or Backup Domain controller, allows remote attackers to have an unknown impact via crafted GETDC mailslot requests, related to handling of GETDC logon server requests.
    familyunix
    idoval:org.mitre.oval:def:11132
    statusaccepted
    submitted2010-07-09T03:56:16-04:00
    titleStack-based buffer overflow in nmbd in Samba 3.0.0 through 3.0.26a, when configured as a Primary or Backup Domain controller, allows remote attackers to have an unknown impact via crafted GETDC mailslot requests, related to handling of GETDC logon server requests.
    version27
  • accepted2015-04-20T04:02:26.698-04:00
    classvulnerability
    contributors
    • namePai Peng
      organizationHewlett-Packard
    • nameSushant Kumar Singh
      organizationHewlett-Packard
    • nameSushant Kumar Singh
      organizationHewlett-Packard
    • namePrashant Kumar
      organizationHewlett-Packard
    • nameMike Cokus
      organizationThe MITRE Corporation
    descriptionStack-based buffer overflow in nmbd in Samba 3.0.0 through 3.0.26a, when configured as a Primary or Backup Domain controller, allows remote attackers to have an unknown impact via crafted GETDC mailslot requests, related to handling of GETDC logon server requests.
    familyunix
    idoval:org.mitre.oval:def:5643
    statusaccepted
    submitted2008-06-30T13:13:25.000-04:00
    titleHP-UX running HP CIFS Server (Samba), Remote Execution of Arbitrary Code
    version46

Redhat

advisories
  • rhsa
    idRHSA-2007:1013
  • rhsa
    idRHSA-2007:1016
  • rhsa
    idRHSA-2007:1017
rpms
  • samba-0:2.2.12-1.21as.8.1
  • samba-0:3.0.9-1.3E.14.1
  • samba-client-0:2.2.12-1.21as.8.1
  • samba-client-0:3.0.9-1.3E.14.1
  • samba-common-0:2.2.12-1.21as.8.1
  • samba-common-0:3.0.9-1.3E.14.1
  • samba-debuginfo-0:3.0.9-1.3E.14.1
  • samba-swat-0:2.2.12-1.21as.8.1
  • samba-swat-0:3.0.9-1.3E.14.1
  • samba-0:3.0.25b-1.el4_6.2
  • samba-client-0:3.0.25b-1.el4_6.2
  • samba-common-0:3.0.25b-1.el4_6.2
  • samba-debuginfo-0:3.0.25b-1.el4_6.2
  • samba-swat-0:3.0.25b-1.el4_6.2
  • samba-0:3.0.25b-1.el5_1.2
  • samba-client-0:3.0.25b-1.el5_1.2
  • samba-common-0:3.0.25b-1.el5_1.2
  • samba-debuginfo-0:3.0.25b-1.el5_1.2
  • samba-swat-0:3.0.25b-1.el5_1.2

Seebug

bulletinFamilyexploit
descriptionBUGTRAQ ID: 26454 CVE(CAN) ID: CVE-2007-4572 Samba是一套实现SMB(Server Messages Block)协议、跨平台进行文件共享和打印共享服务的程序。 Samba的nmbd在处理GETDC登录服务器请求时存在缓冲器溢出漏洞,可能导致非预期的服务器行为。 如果远程攻击者发送了畸形的GETDC请求的话就可以触发这个漏洞,但无法利用这个溢出执行任意指令,在大多数情况下也不会导致Samba服务器崩溃。仅在将Samba服务器配置为主或备份域控制器时才会出现这个漏洞。 Samba 3.0.0 - 3.0.26a 临时解决方法: * 在服务器的smb.conf文件中禁用domain logons和domain master选项。 厂商补丁: RedHat ------ RedHat已经为此发布了安全公告(RHSA-2007:1017-01、RHSA-2007:1016-01、RHSA-2007:1013-01)以及相应补丁: RHSA-2007:1017-01:Critical: samba security update 链接:<a href="https://www.redhat.com/support/errata/RHSA-2007-1017.html" target="_blank">https://www.redhat.com/support/errata/RHSA-2007-1017.html</a> RHSA-2007:1016-01:Critical: samba security update 链接:<a href="https://www.redhat.com/support/errata/RHSA-2007-1016.html" target="_blank">https://www.redhat.com/support/errata/RHSA-2007-1016.html</a> RHSA-2007:1013-01:Critical: samba security update 链接:<a href="https://www.redhat.com/support/errata/RHSA-2007-1013.html" target="_blank">https://www.redhat.com/support/errata/RHSA-2007-1013.html</a> Samba ----- 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: <a href="http://us1.samba.org/samba/ftp/patches/security/samba-3.0.26a-CVE-2007_-4572.patch" target="_blank">http://us1.samba.org/samba/ftp/patches/security/samba-3.0.26a-CVE-2007_-4572.patch</a>
idSSV:2434
last seen2017-11-19
modified2007-11-17
published2007-11-17
reporterRoot
titleSamba NMBD登录请求远程溢出漏洞

References