| VID |
23035 |
| Severity |
40 |
| Port |
139 |
| Protocol |
TCP |
| Class |
Samba |
| Detailed Description |
The Samba server, judging by the version number it announces, may be vulnerable to a buffer overflow when receiving specially crafted SMB fragment packets. Samba is the most widely used software for giving non-Windows clients access to Windows networks. The flaw in Samba versions 2.0.x through 2.2.7a could allow a remote attacker to anonymously gain superuser (root) privileges on the host running smbd. A buffer overrun exists in the SMB/CIFS packet fragment re-assembly code in smbd that lets an attacker overwrite arbitrary areas of memory in smbd's own process address space. A skilled attacker could use this to inject binary-specific exploit code into smbd and possibly execute arbitrary code on the system with root privileges. Because this check is based on the version string alone, a server whose distribution has backported the fix without changing the upstream version (Debian's 2.2.3a-12.1 package, listed below, is one such case) will still be flagged; confirm the installed package version before treating the result as exploitable.
* References:
  http://www.samba.org/samba/whatsnew/samba-2.2.8.html
  http://www.kb.cert.org/vuls/id/298233
* Platforms Affected: Samba from 2.0.x to 2.2.7a |
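The entry above flags a host purely from the version string smbd announces. The following is an added example, not code from the original entry or from the Samba project, showing how such a version-only check is evaluated and why its verdict needs confirming: the affected range (2.0.x through 2.2.7a) and the fixed release (2.2.8) are taken from the advisory; the banner strings, the function names and the string verdicts are constructed for this example.

```python
import re

# Vulnerable range given in the advisory: Samba 2.0.x through 2.2.7a inclusive;
# 2.2.8 carries the fix. Versions are compared as (major, minor, patch, suffix)
# tuples so that 2.2.7a sorts after 2.2.7 and before 2.2.8.
VULNERABLE_FROM = (2, 0, 0, "")
FIXED_IN = (2, 2, 8, "")

# Matches the version string smbd announces, e.g. "Samba 2.2.7a", as seen in a
# scanner banner line or an SMB negotiate response.
_VERSION_RE = re.compile(r"\bSamba\s+(\d+)\.(\d+)\.(\d+)([a-z]?)\b", re.IGNORECASE)


def parse_samba_version(banner):
    """Extract (major, minor, patch, suffix) from a banner, or None if absent."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch), suffix.lower())


def is_version_vulnerable(version):
    """True when the parsed version falls inside the advisory's affected range."""
    return VULNERABLE_FROM <= version < FIXED_IN


def assess_banner(banner):
    """Version-only verdict, in the spirit of the check this entry describes.

    A distribution that backports the fix (Debian's 2.2.3a-12.1, for example)
    still announces the old upstream version, so 'vulnerable-by-version' means
    'confirm the installed package', not 'exploitable'.
    """
    version = parse_samba_version(banner)
    if version is None:
        return "no-samba-version"
    if is_version_vulnerable(version):
        return "vulnerable-by-version"
    return "not-vulnerable-by-version"


if __name__ == "__main__":
    # Constructed sample banners for illustration, not captured from real hosts.
    for banner in ("Samba 2.2.7a", "Samba 2.2.8", "Samba 2.0.10", "Samba 3.0.0", "Windows 5.0"):
        print(f"{banner:14s} -> {assess_banner(banner)}")
```

The tuple comparison is what makes the letter suffix behave correctly: 2.2.7a sits between 2.2.7 and 2.2.8, which is exactly the boundary this advisory turns on.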
| Recommendation |
Upgrade to the latest version of Samba (2.2.8 or later), available from the Samba Web site, http://samba.org/samba/whatsnew/samba-2.2.8.html
For Debian GNU/Linux 3.0: Upgrade to the latest samba package (2.2.3a-12.1 or later), as listed in Debian Security Advisory DSA-262-1, http://www.debian.org/security/2003/dsa-262
For Mandrake Linux: Upgrade to the latest version of samba (2.2.7a-8 or later), as listed in MandrakeSoft Security Advisory MDKSA-2003:032, http://www.securityfocus.com/archive/1/315325
For Gentoo Linux: Upgrade to the latest version of samba (2.2.8 or later), as listed in Gentoo Linux Security Announcement 200303-11, http://www.linuxsecurity.com/advisories/gentoo_advisory-2965.html
For other distributions: Contact your vendor for upgrade or patch information.
-- OR --
If upgrading is not possible, the following workarounds reduce exposure to the flaw (they restrict who can reach smbd; they do not remove the bug).
* Using host-based protection
One of the simplest fixes in this case is to use the 'hosts allow' and 'hosts deny' options in the Samba smb.conf configuration file to allow access to your Samba server from selected hosts only. Placed in the [global] section they apply to every share; for example:
    hosts allow = 127.0.0.1 192.168.2.0/24 192.168.3.0/24
    hosts deny = 0.0.0.0/0
Where a host matches both lists, 'hosts allow' takes precedence, so the deny-all line simply rejects everything that is not explicitly allowed.
* Using an IPC$ share deny
You can also apply a more specific control to the IPC$ share, which is the share used in this security hole. This lets you keep offering other shares while denying access to IPC$ from potentially untrustworthy hosts. To do that you could use:
    [ipc$]
    hosts allow = 192.168.115.0/24 127.0.0.1
    hosts deny = 0.0.0.0/0
This tells Samba that IPC$ connections are allowed only from the two listed places (localhost and one local subnet); share-level lists override the global ones for that share, and connections to other shares are unaffected. The IPC$ share is the only share that is always accessible anonymously. |
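Both workarounds above depend on how Samba evaluates 'hosts allow' and 'hosts deny', so it is worth checking what a given configuration actually exposes before relying on it. The following is an added example, not code from the original entry or from the Samba project: a small Python checker that parses a constructed smb.conf combining the global restriction with the IPC$-specific lists, applies the precedence rules documented for these options (share-level lists override [global]; where a host appears in both lists, allow wins; with neither list set, everyone is allowed), and reports whether a client address can reach a share. The parser and matcher are deliberately simplified assumptions for this example: CIDR, plain IPs and trailing-dot prefixes are matched, while hostnames, netgroups and the EXCEPT keyword are not handled.

```python
import ipaddress
import re

# Constructed sample smb.conf for this example (not taken from the advisory),
# combining the global host restriction with the tighter IPC$-only lists.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = EXAMPLE
   hosts allow = 127.0.0.1 192.168.2.0/24 192.168.3.0/24
   hosts deny = 0.0.0.0/0

[ipc$]
   hosts allow = 192.168.115.0/24 127.0.0.1
   hosts deny = 0.0.0.0/0

[public]
   path = /srv/public
   guest ok = yes
"""


def parse_smb_conf(text):
    """Minimal smb.conf parser: {section_lower: {key_lower: value}}.
    Handles '#' and ';' comments and 'key = value' lines; no include/copy support."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][key.strip().lower()] = value.strip()
    return sections


def _host_matches(client_ip, pattern):
    """Match one list entry: CIDR, single IP, or trailing-dot prefix ('192.168.2.').
    Hostnames, netgroups and EXCEPT are assumed absent in this simplified matcher."""
    pattern = pattern.strip()
    if not pattern:
        return False
    if pattern.endswith("."):
        return str(client_ip).startswith(pattern)
    try:
        return client_ip in ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        return False


def _split_list(value):
    return [p for p in re.split(r"[,\s]+", value) if p] if value else []


def client_allowed(conf, share, client_ip):
    """Apply the hosts allow / hosts deny rules for one share.
    Share-level lists override [global]; when both lists are set and both match,
    the allow list takes precedence; with neither list set, access is allowed."""
    ip = ipaddress.ip_address(client_ip)
    g = conf.get("global", {})
    s = conf.get(share.lower(), {})
    allow = _split_list(s.get("hosts allow", g.get("hosts allow")))
    deny = _split_list(s.get("hosts deny", g.get("hosts deny")))
    in_allow = any(_host_matches(ip, p) for p in allow)
    in_deny = any(_host_matches(ip, p) for p in deny)
    if not allow and not deny:
        return True
    if not deny:
        return in_allow
    if not allow:
        return not in_deny
    if in_allow:
        return True
    return not in_deny


if __name__ == "__main__":
    conf = parse_smb_conf(SAMPLE_SMB_CONF)
    # Constructed client addresses: an outsider, a host on an allowed subnet,
    # a host on the IPC$-only subnet, and localhost.
    for client in ("10.1.2.3", "192.168.2.5", "192.168.115.9", "127.0.0.1"):
        for share in ("IPC$", "public"):
            print(f"{client:15s} {share:7s} {'allowed' if client_allowed(conf, share, client) else 'denied'}")
```

Running it against the sample shows the intended split: 192.168.2.5 can reach [public] but not IPC$, 192.168.115.9 can reach IPC$ but not [public], and an outside address reaches neither. The same function pointed at a real smb.conf is a quick way to confirm that the IPC$ restriction actually applies to every untrusted network before treating the workaround as in place.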
| Related URL |
CVE-2003-0085, CVE-2003-0086 (CVE) |
| Related URL |
(SecurityFocus) |
| Related URL |
11550 (ISS) |