| VID |
23024 |
| Severity |
40 |
| Port |
139 |
| Protocol |
TCP |
| Class |
Samba |
| Detailed Description |
The Samba server, according to its version number, has a remote file creation vulnerability. A remote attacker can supply a NetBIOS name containing Unix path characters, which is then substituted for the %m macro wherever it occurs in smb.conf. This can cause Samba to create a log file on top of an important system file, which in turn can be used to compromise security on the target server. The most commonly used configuration option that can be vulnerable to this attack is the "log file" option. The default value for this option is VARDIR/log.smbd; if the default is used, Samba is not vulnerable to this attack. The security hole occurs when a log file option like the following is used:
log file = /var/log/samba/%m.log
In this case, the attacker can use a locally created symbolic link to overwrite any file on the system; creating the link requires local access to the server. The attacker can then use this flaw to overwrite or append data remotely to the specified file.
* Note: This check relies solely on the version of the remote Samba server to assess this vulnerability, so the result may be a false positive.
* References: http://online.securityfocus.com/bid/2928 http://www.iss.net/security_center/static/6731.php
* Platforms Affected: Samba 2.0.9 or prior; Samba 2.2.0 |
| Recommendation |
For Conectiva Linux All versions: Upgrade to the latest version of samba (2.0.9 or later), as listed in Conectiva Linux Security Announcement CLA-2001:405, http://online.securityfocus.com/archive/1/193028
For Debian Linux 2.2 (alias potato): Upgrade to the latest version of samba (2.0.7-3.4 or later), as listed in Debian Security Advisory DSA-065-1, http://online.securityfocus.com/archive/1/193029
For Red Hat Linux All versions: Upgrade to the latest version of samba (2.0.10-0.52 or later), as listed in Red Hat, Inc. Red Hat Security Advisory RHSA-2001:086-06, http://www.redhat.com/support/errata/RHSA-2001-086.html
For HP CIFS/9000 Server version A.01.07 and earlier and HP 3000 servers running Samba/iX: See Hewlett-Packard Company Security Advisory HPSBUX0107-157 for workaround information. http://online.securityfocus.com/advisories/3423
For HP 3000 MPE/iX servers running Samba/iX: See Hewlett-Packard Company Security Advisory HPSBMP0107-012 for workaround information. http://online.securityfocus.com/archive/1/194699
For SGI IRIX All versions: Upgrade to the latest version of samba (2.2.1a or later), as listed in SGI Security Advisory 20011002-01-P, ftp://patches.sgi.com/support/free/security/advisories/20011002-01-P
For SuSE Linux All versions: Upgrade to the latest version of samba (2.0.10-0 or later), as listed in SuSE Security Announcement SuSE-SA:2001:021, http://www.suse.com/de/support/security/2001_021_samba_txt.txt
For FreeBSD FreeBSD Ports Collection prior to 2001-06-23: Upgrade to the latest version of samba (2.0.10 dated 2001-06-23 or later), as listed in FreeBSD-SA-01:45, ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:45.samba.asc
For other distributions: Contact your vendor for upgrade or patch information, or see the Samba Web site, http://us1.samba.org/samba/whatsnew/samba-2.2.1.html |
| Related URL |
CVE-2001-1162 (CVE) |
| Related URL |
(SecurityFocus) |
| Related URL |
(ISS) |
|
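Because this check is based on the version number alone, a finding can be confirmed or ruled out by inspecting smb.conf for the %m macro in file paths, as the Detailed Description explains. The following is an added example, not part of the original entry or of Samba; the function names, the HIGH/REVIEW levels and the sample configuration are assumptions made for illustration.

```python
import re

# Macro named in the entry; it expands to the client-supplied NetBIOS name.
MACRO = "%m"

def normalize(name):
    # smb.conf parameter names ignore case and whitespace ("Log File" == "logfile").
    return re.sub(r"\s+", "", name).lower()

def parse_smb_conf(text):
    """Yield (section, parameter, value, line_no) for each setting."""
    section, pending, start = "global", "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not pending:
            if not line or line[0] in "#;":   # blank line or comment
                continue
            start = no
        if line.endswith("\\"):               # backslash continues the line
            pending += line[:-1]
            continue
        line, pending = pending + line, ""
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif "=" in line:
            name, value = line.split("=", 1)
            yield section, normalize(name), value.strip(), start

def audit(text):
    """Return findings for settings where %m lands in a file path."""
    findings = []
    for section, name, value, no in parse_smb_conf(text):
        if MACRO in value and "/" in value:
            # "log file" is the option the entry calls out; others need review.
            level = "HIGH" if name == "logfile" else "REVIEW"
            findings.append((level, no, section, name, value))
    return findings

# Constructed sample configuration (not taken from a real host).
SAMPLE = """\
[global]
   workgroup = EXAMPLE
   Log File = /var/log/samba/%m.log
   ; log file = /var/log/samba/log.smbd
[homes]
   path = /home/%u
   include = /etc/samba/smb.conf.%m
"""

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print("%s line %d [%s] %s = %s" % f)
```

An empty result on a host running an affected version means the "log file" setting does not expose the macro; upgrading as listed under Recommendation still applies.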