RE: [SAMBA] CVE-2008-1105 - Boundary failure when parsing SMB responses
forsmb at mail.ru
Thu May 29 07:02:26 GMT 2008
Hello Jerry, list,
Could someone please provide a bit more information regarding this vulnerability, in terms of what configurations are affected?
Everything I could find on Secunia and in the message below tells me that vulnerable are the cases when smbd acts as a client - what are they?
Secunia suggests that: "Successful exploitation allows execution of arbitrary code by tricking a user into connecting to a malicious server (e.g. by clicking an "smb://" link) or by sending specially crafted packets to an "nmbd" server configured as a local or domain master browser. Do not connect to untrusted SMB servers or follow untrusted links."
What could that mean? E.g. may we consider a situation when all "browser" settings are "no" and no DC on Samba (authentication is done via MS AD, Samba is a member of) plus it is not used for printing as not vulnerable?
That would make our strategy for patching more clear as we'd like to avoid unnecessary downtimes.
Please do not hesitate to move this discussion to samba-technical, if you feel it's more appropriate.
> -----Original Message-----
> From: samba at lists.samba.org On Behalf Of Gerald (Jerry) Carter
> Sent: Wednesday, May 28, 2008 6:56 PM
> To: samba at samba.org
> Subject: [SAMBA] CVE-2008-1105 - Boundary failure when parsing SMB responses
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> == Subject: Boundary failure when parsing SMB responses
> == can result in a buffer overrun
> == CVE ID#: CVE-2008-1105
> == Versions: Samba 3.0.0 - 3.0.29 (inclusive)
> == Summary: Specifically crafted SMB responses can result
> == in a heap overflow in the Samba client code.
> == Because the server process, smbd, can itself
> == act as a client during operations such as
> == printer notification and domain authentication,
> == this issue affects both Samba client and server
> == installations.
> Secunia Research reported a vulnerability that allows for
> the execution of arbitrary code in smbd. This defect is
> is a result of an incorrect buffer size when parsing SMB
> replies in the routine receive_smb_raw().
> Patch Availability
> A patch addressing this defect has been posted to
> Additionally, Samba 3.0.30 has been issued as a security
> release to correct the defect. Samba administrators are
> advised to upgrade to 3.0.30 or apply the patch as soon
> as possible.
> This vulnerability was reported to Samba developers by
> Alin Rad Pop, Secunia Research.
> The time line is as follows:
> * May 15, 2008: Initial report to security at samba.org.
> * May 15, 2008: First response from Samba developers confirming
> the bug along with a proposed patch.
> * May 28, 2008: Public security advisory made available.
> == Our Code, Our Bugs, Our Responsibility.
> == The Samba Team
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
> -----END PGP SIGNATURE-----
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/listinfo/samba
More information about the samba