Buffer overflow in the SMB1 packet chaining implementation in the chain_reply function in process.c in smbd in Samba 3.0.x before 3.3.13 allows remote attackers to cause a denial of service (memory corruption and daemon crash) or possibly execute arbitrary code via a crafted field in a packet.

The remote VMware ESX host is missing a security-related patch. It is, therefore, affected by multiple vulnerabilities, including remote code execution vulnerabilities, in several third-party components and libraries :

  - GNU cpio
  - GNU cpio on 64-bit
  - GNU tar
  - Kerberos 5
  - Perl
  - PostgreSQL
  - Safe Module for Perl Automagic Methods
  - Samba smbd

From Red Hat Security Advisory 2010:0488 :

Updated samba and samba3x packages that fix one security issue are now available for Red Hat Enterprise Linux 3, 4, and 5, and Red Hat Enterprise Linux 4.7, 5.3, and 5.4 Extended Update Support.

The Red Hat Security Response Team has rated this update as having critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

Samba is a suite of programs used by machines to share files, printers, and other information.

An input sanitization flaw was found in the way Samba parsed client data. A malicious client could send a specially crafted SMB packet to the Samba server, resulting in arbitrary code execution with the privileges of the Samba server (smbd). (CVE-2010-2063)

Red Hat would like to thank the Samba team for responsibly reporting this issue. Upstream acknowledges Jun Mao as the original reporter.

Users of Samba are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue. After installing this update, the smb service will be restarted automatically.

An input sanitization flaw was found in the way Samba parsed client data. A malicious client could send a specially crafted SMB packet to the Samba server, resulting in arbitrary code execution with the privileges of the Samba server (smbd). (CVE-2010-2063)

After installing this update, the smb service will be restarted automatically.

The remote host is affected by the vulnerability described in GLSA-201206-22 (Samba: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Samba. Please review       the CVE identifiers referenced below for details.
  Impact :

    A remote attacker could possibly execute arbitrary code with root       privileges, cause a Denial of Service condition, take ownership of shared       files, or bypass file permissions. Furthermore, a local attacker may be       able to cause a Denial of Service condition or obtain sensitive       information in a Samba credentials file.
  Workaround :

    There is no known workaround at this time.

This update of the Samba server package fixes the following security issues :

  - A buffer overrun was possible in chain_reply code in     3.3.x and below, which could be used to crash the samba     server or potentially execute code. (CVE-2010-2063)

  - Take extra care that a mount point of mount.cifs does     not get changed during mount. (CVE-2010-0787)

Also, the following bugs have been fixed :

  - Honor interface list in net ads dns register.
    (bnc#606947)

  - An uninitialized variable read could cause smbd to crash     (bso#7254, bnc#605935).

a. Service Console update for cpio

   The service console package cpio is updated to version 2.5-6.RHEL3    for ESX 3.x versions and updated to version 2.6-23.el5_4.1 for    ESX 4.x versions.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the names CVE-2005-4268 and CVE-2010-0624 to the issues    addressed in the update for ESX 3.x and the names CVE-2007-4476 and    CVE-2010-0624 to the issues addressed in the update for ESX 4.x.

b. Service Console update for tar

   The service console package tar is updated to version    1.13.25-16.RHEL3 for ESX 3.x versions and updated to version    1.15.1-23.0.1.el5_4.2 for ESX 4.x versions.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the name CVE-2010-0624 to the issue addressed in the    update for ESX 3.x and the names CVE-2007-4476 and CVE-2010-0624    to the issues addressed in the update for ESX 4.x.

c. Service Console update for samba

   The service console packages for samba are updated to version    samba-3.0.9-1.3E.17vmw, samba-client-3.0.9-1.3E.17vmw and    samba-common-3.0.9-1.3E.17vmw.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the name CVE-2010-2063 to the issue addressed in this    update.

   Note :
   The issue mentioned above is present in the Samba server (smbd) and    is not present in the Samba client or Samba common packages.

   To determine if your system has Samba server installed do a    'rpm -q samba`.

   The following lists when the Samba server is installed on the ESX    service console :

   - ESX 4.0, ESX 4.1      The Samba server is not present on ESX 4.0 and ESX 4.1.

   - ESX 3.5      The Samba server is present if an earlier patch for Samba has been      installed.

   - ESX 3.0.3      The Samba server is present if ESX 3.0.3 was upgraded from an      earlier version of ESX 3 and a Samba patch was installed on that      version.

   The Samba server is not needed to operate the service console and    can be be disabled without loss of functionality to the service    console.

d. Service Console update for krb5

   The service console package krb5 is updated to version 1.2.7-72    for ESX 3.x versions and to version 1.6.1-36.el5_5.4 for ESX 4.x    versions.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the name CVE-2010-1321 to the issue addressed in    these updates.

e. Service Console update for perl

   The service console package perl is updated to version    5.8.0-101.EL3 for ESX 3.x versions and version 5.8.8-32.el5_5.1    for ESX 4.x versions.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the names CVE-2010-1168 and CVE-2010-1447 to the issues    addressed in the update for ESX 3.x and the names CVE-2008-5302,    CVE-2008-5303, CVE-2010-1168, and CVE-2010-1447 to the issues    addressed in the update for ESX 4.x.

The remote host is running a version of Mac OS X 10.6 or 10.5 that does not have Security Update 2010-005 applied. 

This security update contains fixes for the following products :

  - ATS
  - CFNetwork
  - ClamAV
  - CoreGraphics
  - libsecurity
  - PHP
  - Samba

This update of the Samba server package fixes security issues and bugs.

Following security issues were fixed: CVE-2010-2063: A buffer overrun was possible in chain_reply code in 3.3.x and below, which could be used to crash the samba server or potentially execute code.

CVE-2010-0787: Take extra care that a mount point of mount.cifs isn't changed during mount.

Also the following bugs were fixed :

  - Honor 'interfaces' list in net ad dns register.
    (bnc#606947)

  - An uninitialized variable read could cause an smbd     crash; (bso#7254); (bnc#605935).

This update of the Samba server package fixes the following security issue :

  - A buffer overrun was possible in chain_reply code in     3.3.x and below, which could be used to crash the samba     server or potentially execute code. (CVE-2010-2063)

Also, the following bug has been fixed :

  - An uninitialized variable read could cause smbd to crash     (bso#7254, bnc#605935).

Jun Mao discovered that Samba, an implementation of the SMB/CIFS protocol for Unix systems, is not properly handling certain offset values when processing chained SMB1 packets. This enables an unauthenticated attacker to write to an arbitrary memory location resulting in the possibility to execute arbitrary code with root privileges or to perform denial of service attacks by crashing the samba daemon.

Updated samba and samba3x packages that fix one security issue are now available for Red Hat Enterprise Linux 3, 4, and 5, and Red Hat Enterprise Linux 4.7, 5.3, and 5.4 Extended Update Support.

The Red Hat Security Response Team has rated this update as having critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

Samba is a suite of programs used by machines to share files, printers, and other information.

An input sanitization flaw was found in the way Samba parsed client data. A malicious client could send a specially crafted SMB packet to the Samba server, resulting in arbitrary code execution with the privileges of the Samba server (smbd). (CVE-2010-2063)

Red Hat would like to thank the Samba team for responsibly reporting this issue. Upstream acknowledges Jun Mao as the original reporter.

Users of Samba are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue. After installing this update, the smb service will be restarted automatically.

New samba packages are available for Slackware 10.0, 10.1, 10.2, 11.0, 12.0, 12.1, 12.2, and 13.0 to fix a security issue.

A vulnerability has been discovered and corrected in samba :

Samba versions 3.0.x, 3.2.x and 3.3.x are affected by a memory corruption vulnerability. Code dealing with the chaining of SMB1 packets did not correctly validate an input field provided by the client, making it possible for a specially crafted packet to crash the server or potentially cause the server to execute arbitrary code (CVE-2010-2063).

Packages for 2008.0 and 2009.0 are provided as of the Extended Maintenance Program. Please visit this link to learn more:
http://store.mandriva.com/product_info.php?cPath=149&amp;products_id=4 90

The updated packages have been patched to correct this issue.

According to its banner, the version of Samba running on the remote host is a version of 3.x before 3.3.13. Such versions are affected by a memory corruption vulnerability when handling specially crafted SMB1 packets.

By exploiting this flaw, a remote, unauthenticated attacker could crash the affected service or potentially execute arbitrary code subject to the privileges of the user running the affected application.

Jun Mao discovered that Samba did not correctly validate SMB1 packet contents. An unauthenticated remote attacker could send specially crafted network traffic that could execute arbitrary code as the root user.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Versions of Samba 3.x earlier than 3.3.13 are potentially affected by a memory corruption vulnerability when handling specially crafted SMB1 packets.  A remote unauthenticated attacker, exploiting this flaw, could crash the affected service or potentially execute arbitrary code subject to the privileges of the user running the affected application.

ID	Name	Product	Family	Severity
89741	VMware ESX Multiple Vulnerabilities (VMSA-2010-0013) (remote check)	Nessus	VMware ESX Local Security Checks	high
68051	Oracle Linux 3 / 4 / 5 : samba / samba3x (ELSA-2010-0488)	Nessus	Oracle Linux Local Security Checks	high
60805	Scientific Linux Security Update : samba on SL3.x, SL4.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	high
60804	Scientific Linux Security Update : samba and samba3x on SL5.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	high
59675	GLSA-201206-22 : Samba: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	critical
50894	SuSE 11 Security Update : (SAT Patch Number 2544)	Nessus	SuSE Local Security Checks	high
49835	SuSE 10 Security Update : Samba (ZYPP Patch Number 7072)	Nessus	SuSE Local Security Checks	high
49085	VMSA-2010-0013 : VMware ESX third-party updates for Service Console	Nessus	VMware ESX Local Security Checks	high
48424	Mac OS X Multiple Vulnerabilities (Security Update 2010-005)	Nessus	MacOS X Local Security Checks	high
47572	openSUSE Security Update : cifs-mount (openSUSE-SU-2010:0346-1)	Nessus	SuSE Local Security Checks	high
47570	openSUSE Security Update : cifs-mount (openSUSE-SU-2010:0346-1)	Nessus	SuSE Local Security Checks	high
47568	SuSE9 Security Update : Samba (YOU Patch Number 12622)	Nessus	SuSE Local Security Checks	high
47103	Debian DSA-2061-1 : samba - memory corruption	Nessus	Debian Local Security Checks	high
47101	CentOS 3 / 4 / 5 : samba / samba3x (CESA-2010:0488)	Nessus	CentOS Local Security Checks	high
47047	Slackware 10.0 / 10.1 / 10.2 / 11.0 / 12.0 / 12.1 / 12.2 / 13.0 : samba (SSA:2010-169-01)	Nessus	Slackware Local Security Checks	high
47042	Mandriva Linux Security Advisory : samba (MDVSA-2010:119)	Nessus	Mandriva Local Security Checks	high
47036	Samba 3.x < 3.3.13 SMB1 Packet Chaining Memory Corruption	Nessus	Misc.	high
47035	Ubuntu 6.06 LTS / 8.04 LTS / 9.04 : samba vulnerability (USN-951-1)	Nessus	Ubuntu Local Security Checks	high
47034	RHEL 3 / 4 / 5 : samba and samba3x (RHSA-2010:0488)	Nessus	Red Hat Local Security Checks	high
5572	Samba 3.x < 3.3.13 SMB1 Packet Chaining Memory Corruption	Nessus Network Monitor	Samba	critical

Detections

Analytics

CVE-2010-2063

critical

Tenable Plugins

high

high

high

high

critical

high

high

high

high

high

high

high

high

high

high

high

high

high

high

critical