59579

GLSA-201502-15

http://www.samba.org/samba/security/CVE-2014-0239

67691

1030309

The remote host is affected by the vulnerability described in GLSA-201502-15 (Samba: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Samba. Please review       the CVE identifiers referenced below for details.
  Impact :

    A context-dependent attacker may be able to execute arbitrary code,       cause a Denial of Service condition, bypass intended file restrictions,       or obtain sensitive information.
  Workaround :

    There is no known workaround at this time.

samba was updated to version 4.1.9 to fix four security issues and various non-security bugs.

These security issues were fixed :

  - Fix nmbd denial of service (CVE-2014-0244)

  - Fix segmentation fault in smbd_marshall_dir_entry()'s     SMB_FIND_FILE_UNIX handler (CVE-2014-3493)

  - Malformed FSCTL_SRV_ENUMERATE_SNAPSHOTS response     (CVE-2014-0178)

  - DNS: Don't reply to replies (CVE-2014-0239)

Christof Schmitt discovered that Samba incorrectly initialized a certain response field when vfs shadow copy was enabled. A remote authenticated attacker could use this issue to possibly obtain sensitive information. This issue only affected Ubuntu 13.10 and Ubuntu 14.04 LTS. (CVE-2014-0178)

It was discovered that the Samba internal DNS server incorrectly handled QR fields when processing incoming DNS messages. A remote attacker could use this issue to cause Samba to consume resources, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS. (CVE-2014-0239)

Daniel Berteaud discovered that the Samba NetBIOS name service daemon incorrectly handled certain malformed packets. A remote attacker could use this issue to cause Samba to consume resources, resulting in a denial of service. This issue only affected Ubuntu 12.04 LTS, Ubuntu 13.10, and Ubuntu 14.04 LTS. (CVE-2014-0244)

Simon Arlott discovered that Samba incorrectly handled certain unicode path names. A remote authenticated attacker could use this issue to cause Samba to stop responding, resulting in a denial of service.
(CVE-2014-3493).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

New samba packages are available for Slackware 14.0, 14.1, and
-current to fix security issues.

Versions of Samba older than 4.0.18 or 4.1.8 are unpatched for the following vulnerabilities:

  - An error in the 'dns_process_send()' function in the internal DNS server can cause an infinite loop that results in denial of service, due to the server not checking the 'reply' flag in a DNS packet header when processing a request. (CVE-2014-0239)

  - A flaw in the 'vfswrap_fsctl()' function that is triggered when responding to authenticated FSCTL_GET_SHADOW_COPY_DATA or FSCTL_SRV_ENUMERATE_SNAPSHOTS client requests can result in the exposure of eight bytes of uninitialized memory. This affects versions of Samba 3.6.6 and onward. (CVE-2014-0178)

According to its banner, the version of Samba running on the remote host is 3.5.x or 3.6.x prior to 3.6.25 / 4.1.x prior to 4.1.8. It is, therefore, potentially affected by the following vulnerabilities :

  - An error exists related to GET_SHADOW_COPY_DATA() and     FSCTL_SRV_ENUMERATE_SNAPSHOTS() request handling in     which the SRV_SNAPSHOT_ARRAY response field is not     properly initialized. Therefore, configurations with     'shadow_copy' or 'shadow-copy2' specified for the     'vfs objects' parameter can allow the disclosure of     uninitialized memory contents. (CVE-2014-0178)

  - A denial of service vulnerability exists due to the     internal DNS server failing to check the 'reply' flag in     DNS packet headers. A remote attacker, via a forged     response packet that triggers a communication loop, can     cause the consumption of CPU processing and bandwidth.
    (CVE-2014-0239)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its banner, the version of Samba running on the remote host is 4.x prior to 4.0.18 and is, therefore, potentially affected by the following vulnerabilities :

  - An error exists related to 'GET_SHADOW_COPY_DATA' or     'FSCTL_SRV_ENUMERATE_SNAPSHOTS' request handling and     'vfs objects' parameter configurations of 'shadow_copy'     or 'shadow_copy2' that could allow disclosure of     uninitialized memory contents. (CVE-2014-0178)

  - An error exists related to handling the 'reply' flag     DNS packet headers that could allow denial of service     attacks. (CVE-2014-0239)

Note that Nessus has relied only on the self-reported version number and has not actually tried to exploit these issues or determine if the associated patch has been applied.

ID	Name	Product	Family	Severity
81536	GLSA-201502-15 : Samba: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	critical
76341	openSUSE Security Update : samba (openSUSE-SU-2014:0859-1)	Nessus	SuSE Local Security Checks	medium
76275	Ubuntu 10.04 LTS / 12.04 LTS / 13.10 / 14.04 LTS : samba vulnerabilities (USN-2257-1)	Nessus	Ubuntu Local Security Checks	medium
76207	Slackware 14.0 / 14.1 / current : samba (SSA:2014-175-04)	Nessus	Slackware Local Security Checks	medium
3540	Samba 4.0.x < 4.0.18 / 4.1.x < 4.1.8 Multiple Vulnerabilities	Nessus Network Monitor	Samba	medium
74290	Samba 3.5.x / 3.6.x < 3.6.25 / 4.1.x < 4.1.8 Multiple Vulnerabilities	Nessus	Misc.	low
74242	Samba 4.x < 4.0.18 Multiple Vulnerabilities	Nessus	Misc.	low

CVE-2014-0239

MEDIUM

Description

References

Details

Risk Information

CVSS v2.0

Vulnerable Software

Configuration 1

Tenable Plugins

critical

medium

medium

medium

medium

low

low