The Winbind nss_info extension (nsswitch/idmap_ad.c) in idmap_ad.so in Samba 3.0.25 through 3.0.25c, when the "winbind nss info" option is set to rfc2307 or sfu, grants all local users the privileges of gid 0 when the (1) RFC2307 or (2) Services for UNIX (SFU) primary group attribute is not defined.

The remote Oracle Linux 5 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2007-1017 advisory.

  - The Winbind nss_info extension (nsswitch/idmap_ad.c) in idmap_ad.so in Samba 3.0.25 through 3.0.25c, when     the winbind nss info option is set to rfc2307 or sfu, grants all local users the privileges of gid 0     when the (1) RFC2307 or (2) Services for UNIX (SFU) primary group attribute is not defined.
    (CVE-2007-4138)

  - Stack-based buffer overflow in nmbd in Samba 3.0.0 through 3.0.26a, when configured as a Primary or Backup     Domain controller, allows remote attackers to have an unknown impact via crafted GETDC mailslot requests,     related to handling of GETDC logon server requests. (CVE-2007-4572)

  - Stack-based buffer overflow in the reply_netbios_packet function in nmbd/nmbd_packets.c in nmbd in Samba     3.0.0 through 3.0.26a, when operating as a WINS server, allows remote attackers to execute arbitrary code     via crafted WINS Name Registration requests followed by a WINS Name Query request. (CVE-2007-5398)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

From Red Hat Security Advisory 2007:1016 :

Updated samba packages that fix several security issues are now available for Red Hat Enterprise Linux 4.

This update has been rated as having critical security impact by the Red Hat Security Response Team.

Samba is a suite of programs used by machines to share files, printers, and other information.

A buffer overflow flaw was found in the way Samba creates NetBIOS replies. If a Samba server is configured to run as a WINS server, a remote unauthenticated user could cause the Samba server to crash or execute arbitrary code. (CVE-2007-5398)

A heap-based buffer overflow flaw was found in the way Samba authenticates users. A remote unauthenticated user could trigger this flaw to cause the Samba server to crash. Careful analysis of this flaw has determined that arbitrary code execution is not possible, and under most circumstances will not result in a crash of the Samba server. (CVE-2007-4572)

A flaw was found in the way Samba assigned group IDs under certain conditions. If the 'winbind nss info' parameter in smb.conf is set to either 'sfu' or 'rfc2307', Samba users are incorrectly assigned the group ID of 0. (CVE-2007-4138)

Red Hat would like to thank Alin Rad Pop of Secunia Research, Rick King, and the Samba developers for responsibly disclosing these issues.

All Samba users are advised to upgrade to these updated packages, which contain a backported patch to correct these issues.

Updated samba packages that fix several security issues are now available for Red Hat Enterprise Linux 4.

This update has been rated as having critical security impact by the Red Hat Security Response Team.

Samba is a suite of programs used by machines to share files, printers, and other information.

A buffer overflow flaw was found in the way Samba creates NetBIOS replies. If a Samba server is configured to run as a WINS server, a remote unauthenticated user could cause the Samba server to crash or execute arbitrary code. (CVE-2007-5398)

A heap-based buffer overflow flaw was found in the way Samba authenticates users. A remote unauthenticated user could trigger this flaw to cause the Samba server to crash. Careful analysis of this flaw has determined that arbitrary code execution is not possible, and under most circumstances will not result in a crash of the Samba server. (CVE-2007-4572)

A flaw was found in the way Samba assigned group IDs under certain conditions. If the 'winbind nss info' parameter in smb.conf is set to either 'sfu' or 'rfc2307', Samba users are incorrectly assigned the group ID of 0. (CVE-2007-4138)

Red Hat would like to thank Alin Rad Pop of Secunia Research, Rick King, and the Samba developers for responsibly disclosing these issues.

All Samba users are advised to upgrade to these updated packages, which contain a backported patch to correct these issues.

A buffer overflow flaw was found in the way Samba creates NetBIOS replies. If a Samba server is configured to run as a WINS server, a remote unauthenticated user could cause the Samba server to crash or execute arbitrary code. (CVE-2007-5398)

A heap based buffer overflow flaw was found in the way Samba authenticates users. A remote unauthenticated user could trigger this flaw to cause the Samba server to crash. Careful analysis of this flaw has determined that arbitrary code execution is not possible, and under most circumstances will not result in a crash of the Samba server. (CVE-2007-4572)

A flaw was found in the way Samba assigned group IDs under certain conditions. If the 'winbind nss info' parameter in smb.conf is set to either 'sfu' or 'rfc2307', Samba users are incorrectly assigned the group ID of 0. (CVE-2007-4138)

According to its banner, the version of the Samba server installed on the remote host is affected by a local privilege escalation vulnerability. Specifically, the Winbind nss_info extension, when the 'winbind nss info' option is set to 'rfc2307' or 'sfu', grants local users the privileges of gid 0 if the 'RFC2307' or 'Services for UNIX' primary group attribute is not defined.

Updated samba packages that fix security issues are now available for Red Hat Enterprise Linux 5.

This update has been rated as having critical security impact by the Red Hat Security Response Team.

Samba is a suite of programs used by machines to share files, printers, and other information.

A buffer overflow flaw was found in the way Samba creates NetBIOS replies. If a Samba server is configured to run as a WINS server, a remote unauthenticated user could cause the Samba server to crash or execute arbitrary code. (CVE-2007-5398)

A heap based buffer overflow flaw was found in the way Samba authenticates users. A remote unauthenticated user could trigger this flaw to cause the Samba server to crash. Careful analysis of this flaw has determined that arbitrary code execution is not possible, and under most circumstances will not result in a crash of the Samba server. (CVE-2007-4572)

A flaw was found in the way Samba assigned group IDs under certain conditions. If the 'winbind nss info' parameter in smb.conf is set to either 'sfu' or 'rfc2307', Samba users are incorrectly assigned the group ID of 0. (CVE-2007-4138)

Red Hat would like to thank Alin Rad Pop of Secunia Research, Rick King, and the Samba developers for responsibly disclosing these issues.

All Samba users are advised to upgrade to these updated packages, which contain a backported patch to correct these issues.

This release fixes a security bug in the 3.0.25 series. It also add some bug fixes initially stated to be released in the suppressed 3.0.25d version.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The Samba development team reports :

The idmap_ad.so library provides an nss_info extension to Winbind for retrieving a user's home directory path, login shell and primary group id from an Active Directory domain controller. This functionality is enabled by defining the 'winbind nss info' smb.conf option to either 'sfu' or 'rfc2307'.

Both the Windows 'Identity Management for Unix' and 'Services for Unix' MMC plug-ins allow a user to be assigned a primary group for Unix clients that differs from the user's Windows primary group. When the rfc2307 or sfu nss_info plugin has been enabled, in the absence of either the RFC2307 or SFU primary group attribute, Winbind will assign a primary group ID of 0 to the domain user queried using the getpwnam() C library call.

New samba packages are available for Slackware 10.0, 10.1, 10.2, 11.0, and 12.0 to fix a security issue and various other bugs.

According to its banner, the version of the Samba server installed on the remote host is affected by a flaw where a local attacker can gain group-0 access.  In order for the exploit to work, the local system must be configured to use Microsoft Active Directory and return a NULL value for the group ID.  Successful exploitation would result in the local attacker gaining elevated access on the local machine.

ID	Name	Product	Family	Severity
180601	Oracle Linux 5 : Critical: / samba (ELSA-2007-1017)	Nessus	Oracle Linux Local Security Checks	critical
67597	Oracle Linux 4 : samba (ELSA-2007-1016)	Nessus	Oracle Linux Local Security Checks	high
67059	CentOS 4 : samba (CESA-2007:1016)	Nessus	CentOS Local Security Checks	high
60309	Scientific Linux Security Update : samba on SL5.x, SL4.x, SL3.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	high
17719	Samba idmap_ad.so Winbind nss_info Extension Local Privilege Escalation	Nessus	Misc.	medium
28246	RHEL 5 : samba (RHSA-2007:1017)	Nessus	Red Hat Local Security Checks	high
28245	RHEL 4 : samba (RHSA-2007:1016)	Nessus	Red Hat Local Security Checks	high
27754	Fedora 7 : samba-3.0.26a-0.fc7 (2007-2145)	Nessus	Fedora Local Security Checks	medium
26087	FreeBSD : samba -- nss_info plugin privilege escalation vulnerability (2bc96f18-683f-11dc-82b6-02e0185f8d72)	Nessus	FreeBSD Local Security Checks	medium
26054	Slackware 10.0 / 10.1 / 10.2 / 11.0 / 12.0 : samba (SSA:2007-255-02)	Nessus	Slackware Local Security Checks	medium
4208	Samba < 3.0.26 'idmap_ad.co' Local Privilege Escalation	Nessus Network Monitor	Samba	low

Detections

Analytics

CVE-2007-4138

high

Tenable Plugins

critical

high

high

high

medium

high

high

medium

medium

medium

low