Samba < 3.0.27 Multiple Vulnerabilities

This script is Copyright (C) 2007-2014 Tenable Network Security, Inc.


Synopsis :

The remote Samba server may be affected by one or more vulnerabilities.

Description :

According to its banner, the version of the Samba server on the remote
host contains a boundary error in the 'reply_netbios_packet()'
function in 'nmbd/nmbd_packets.c' when sending NetBIOS replies.
Provided the server is configured to run as a WINS server, a remote
attacker can exploit this issue by sending multiple specially crafted
WINS 'Name Registration' requests followed by a WINS 'Name Query'
request, leading to a stack-based buffer overflow. This could also
allow for the execution of arbitrary code.

There is also a stack buffer overflow in nmbd's logon request
processing code that can be triggered by means of specially crafted
GETDC mailslot requests when the affected server is configured as a
Primary or Backup Domain Controller. Note that the Samba security team
currently does not believe this particular issue can be exploited to
execute arbitrary code remotely.

See also :

http://secunia.com/secunia_research/2007-90/advisory/
http://www.securityfocus.com/archive/1/483744
http://us1.samba.org/samba/security/CVE-2007-4572.html
http://us1.samba.org/samba/security/CVE-2007-5398.html
http://www.securityfocus.com/archive/1/483742
http://www.securityfocus.com/archive/1/483743

Solution :

Upgrade to Samba version 3.0.27 or later.

Risk factor :

High / CVSS Base Score : 9.3
(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 6.9
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false

Family: Misc.

Nessus Plugin ID: 28228

Bugtraq ID: 26454, 26455

CVE ID: CVE-2007-4572, CVE-2007-5398