smbd in Samba 3.0.29 through 3.2.4 might allow remote attackers to read arbitrary memory and cause a denial of service via crafted (1) trans, (2) trans2, and (3) nttrans requests, related to a "cut&paste error" that causes an improper bounds check to be performed.

This update fixes a bug that allowed the client to retrieve arbitrary memory content from the server process. (CVE-2008-4314) Additionally another bug was fixed that affects environments that enabled registry shares by setting 'registry shares = yes'. In this case an authenticated user is accidentally allowed to access the root filesystem '/'. (CVE-2009-0022)

Malicious clients could potentially retrieve arbitrary memory content from a samba server (CVE-2008-4314).

It was discovered that Samba did not properly perform bounds checking in certain operations. A remote attacker could possibly exploit this to read arbitrary memory contents of the smb process, which could contain sensitive information or possibly have other impacts, such as a denial of service.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

http://www.samba.org/samba/security/CVE-2008-4314.html

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is affected by the vulnerability described in GLSA-200903-07 (Samba: Data disclosure)

    Samba does not properly check memory boundaries when handling trans,     rans2, and nttrans requests.
  Impact :

    A remote attacker could send specially crafted requests to a Samba     daemon, leading to the disclosure of arbitrary memory or to a Denial of     Service.
  Workaround :

    There is no known workaround at this time.

Malicious clients could potentially retrieve arbitrary memory content from a samba server. (CVE-2008-4314)

According to its banner, the version of the Samba server on the remote host is between 3.0.29 and 3.2.4 inclusive.  Such versions reportedly can potentially leak arbitrary memory contents of the 'smbd' process due to a missing bounds check on client-generated offsets of secondary 'trans', 'trans2', and 'nttrans' requests. 

According to its banner, the version of the Samba server on the remote host is between 3.0.29 and 3.2.4 inclusive. Such versions reportedly can potentially leak arbitrary memory contents of the 'smbd' process due to a missing bounds check on client-generated offsets of secondary 'trans', 'trans2', and 'nttrans' requests.

Note that Nessus has not actually tried to exploit this issue or determine if the fix has been applied.

Samba Team reports :

Samba 3.0.29 and beyond contain a change to deal with gcc 4 optimizations. Part of the change modified range checking for client-generated offsets of secondary trans, trans2 and nttrans requests. These requests are used to transfer arbitrary amounts of memory from clients to servers and back using small SMB requests and contain two offsets: One offset (A) pointing into the PDU sent by the client and one (B) to direct the transferred contents into the buffer built on the server side. While the range checking for offset (B) is correct, a cut and paste error lets offset (A) pass completely unchecked against overflow.

The buffers passed into trans, trans2 and nttrans undergo higher-level processing like DCE/RPC requests or listing directories. The missing bounds check means that a malicious client can make the server do this higher-level processing on arbitrary memory contents of the smbd process handling the request. It is unknown if that can be abused to pass arbitrary memory contents back to the client, but an important barrier is missing from the affected Samba versions.

New samba packages are available for Slackware 10.0, 10.1, 10.2, 11.0, 12.0, 12.1, and -current to fix a possible security vulnerability involving the reading of uninitialized memory.

ID	Name	Product	Family	Severity
40197	openSUSE Security Update : cifs-mount (cifs-mount-410)	Nessus	SuSE Local Security Checks	high
39927	openSUSE Security Update : cifs-mount (cifs-mount-406)	Nessus	SuSE Local Security Checks	high
39926	openSUSE Security Update : cifs-mount (cifs-mount-320)	Nessus	SuSE Local Security Checks	high
37853	Ubuntu 8.10 : samba vulnerability (USN-680-1)	Nessus	Ubuntu Local Security Checks	critical
36755	Fedora 10 : samba-3.2.5-0.23.fc10 (2008-10612)	Nessus	Fedora Local Security Checks	high
35797	GLSA-200903-07 : Samba: Data disclosure	Nessus	Gentoo Local Security Checks	high
35025	SuSE 10 Security Update : Samba (ZYPP Patch Number 5819)	Nessus	SuSE Local Security Checks	high
35015	Fedora 8 : samba-3.0.33-0.fc8 (2008-10638)	Nessus	Fedora Local Security Checks	high
35014	Fedora 9 : samba-3.2.5-0.22.fc9 (2008-10518)	Nessus	Fedora Local Security Checks	high
4774	Samba 3.0.29 - 3.2.4 Potential Memory Disclosure	Nessus Network Monitor	Samba	medium
34993	Samba 3.0.29 - 3.2.4 Potential Memory Disclosure	Nessus	Misc.	medium
34976	FreeBSD : samba -- potential leakage of arbitrary memory contents (1583640d-be20-11dd-a578-0030843d3802)	Nessus	FreeBSD Local Security Checks	high
34971	Slackware 10.0 / 10.1 / 10.2 / 11.0 / 12.0 / 12.1 / current : samba (SSA:2008-333-01)	Nessus	Slackware Local Security Checks	high

Detections

Analytics

CVE-2008-4314

critical

Tenable Plugins

high

high

high

critical

high

high

high

high

high

medium

medium

high

high