| Field | Value |
|---|---|
| VID | 23091 |
| Severity | 40 |
| Port | 139 |
| Protocol | TCP |
| Class | Samba |
| Detailed Description | The Samba server, according to its version number, is affected by an arbitrary file access vulnerability. Samba is an Open Source/Free Software package that provides seamless file and print services to SMB/CIFS clients. Samba versions 2.2.x through 2.2.11 and 3.0.x through 3.0.5 could allow a remote attacker to gain unauthorized access to files that exist outside of the share's defined path. This issue is due to a failure of the application to properly validate user-supplied file names. An attacker needs a valid account to exploit this flaw. |
| Note | If this check relied solely on the version number of the remote Samba server to assess this vulnerability, then this might be a false positive. |
| References | http://us1.samba.org/samba/news/#security_2.2.12 |
| Platforms Affected | Samba 2.2.x through 2.2.11; Samba 3.0.x through 3.0.5; Linux, any version; Unix, any version |
| Recommendation | Upgrade to the latest version of Samba (3.0.7 or 2.2.12 or later), available from the Samba Web site at http://samba.org/samba/samba.html |
| Recommendation (SuSE Linux) | Upgrade to the latest samba package, as listed in SuSE Security Announcement SUSE-SA:2004:035 at http://www.linuxsecurity.com/advisories/suse_advisory-4907.html |
| Recommendation (Trustix Secure Linux) | Upgrade to the latest samba package, as listed in Trustix Secure Linux Security Advisory #2004-0051 at http://www.linuxsecurity.com/advisories/trustix_advisory-4884.html |
| Recommendation (other distributions) | Contact your vendor for upgrade or patch information. |
| Related URL | CVE-2004-0815 (CVE) |
| Related URL | 11281 (SecurityFocus) |
| Related URL | 17556 (ISS) |