Samba < 3.0.27 Multiple Vulnerabilities

high Nessus Plugin ID 28228

Synopsis

The remote Samba server may be affected by one or more vulnerabilities.

Description

According to its banner, the version of the Samba server on the remote host contains a boundary error in the 'reply_netbios_packet()' function in 'nmbd/nmbd_packets.c' when sending NetBIOS replies.
Provided the server is configured to run as a WINS server, a remote attacker can exploit this issue by sending multiple specially crafted WINS 'Name Registration' requests followed by a WINS 'Name Query' request, leading to a stack-based buffer overflow. This could also allow for the execution of arbitrary code.

There is also a stack buffer overflow in nmbd's logon request processing code that can be triggered by means of specially crafted GETDC mailslot requests when the affected server is configured as a Primary or Backup Domain Controller. Note that the Samba security team currently does not believe this particular issue can be exploited to execute arbitrary code remotely.

Solution

Upgrade to Samba version 3.0.27 or later.

See Also

https://secuniaresearch.flexerasoftware.com/secunia_research/2007-90/advisory/

https://www.securityfocus.com/archive/1/483744

http://us1.samba.org/samba/security/CVE-2007-4572.html

http://us1.samba.org/samba/security/CVE-2007-5398.html

https://www.securityfocus.com/archive/1/483742

https://www.securityfocus.com/archive/1/483743

Plugin Details

Severity: High

ID: 28228

File Name: samba_3_0_27.nasl

Version: 1.16

Type: remote

Family: Misc.

Published: 11/16/2007

Updated: 11/15/2018

Configuration: Enable paranoid mode

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 9.3

Temporal Score: 6.9

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

Vulnerability Information

CPE: cpe:/a:samba:samba

Required KB Items: Settings/ParanoidReport, SMB/NativeLanManager

Exploit Ease: No known exploits are available

Reference Information

CVE: CVE-2007-4572, CVE-2007-5398

BID: 26454, 26455

CWE: 119