FreeBSD : samba -- potential leakage of arbitrary memory contents (1583640d-be20-11dd-a578-0030843d3802)

High Nessus Plugin ID 34976


The remote FreeBSD host is missing one or more security-related updates.


Samba Team reports :

Samba 3.0.29 and beyond contain a change to deal with gcc 4 optimizations. Part of the change modified range checking for client-generated offsets of secondary trans, trans2 and nttrans requests. These requests are used to transfer arbitrary amounts of memory from clients to servers and back using small SMB requests and contain two offsets: One offset (A) pointing into the PDU sent by the client and one (B) to direct the transferred contents into the buffer built on the server side. While the range checking for offset (B) is correct, a cut and paste error lets offset (A) pass completely unchecked against overflow.

The buffers passed into trans, trans2 and nttrans undergo higher-level processing like DCE/RPC requests or listing directories. The missing bounds check means that a malicious client can make the server do this higher-level processing on arbitrary memory contents of the smbd process handling the request. It is unknown if that can be abused to pass arbitrary memory contents back to the client, but an important barrier is missing from the affected Samba versions.


Update the affected packages.

See Also

Plugin Details

Severity: High

ID: 34976

File Name: freebsd_pkg_1583640dbe2011dda5780030843d3802.nasl

Version: $Revision: 1.11 $

Type: local

Published: 2008/12/01

Modified: 2013/06/21

Dependencies: 12634

Risk Information

Risk Factor: High


Base Score: 8.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:P

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:ja-samba, p-cpe:/a:freebsd:freebsd:samba, p-cpe:/a:freebsd:freebsd:samba3, p-cpe:/a:freebsd:freebsd:samba32-devel, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Patch Publication Date: 2008/11/29

Vulnerability Publication Date: 2008/11/27

Reference Information

CVE: CVE-2008-4314

Secunia: 32813

CWE: 200