Samba < 3.0.27 Multiple Vulnerabilities

Critical Nessus Network Monitor Plugin ID 4285

Synopsis

The remote Samba server may be affected by one or more vulnerabilities.

Description

According to its banner, the version of the Samba server on the remote host contains a boundary error in the 'reply_netbios_packet()' function in 'nmbd/nmbd_packets.c' when sending NetBIOS replies. Provided the server is configured to run as a WINS server, a remote attacker can exploit this issue by sending multiple specially-crafted WINS 'Name Registration' requests followed by a WINS 'Name Query' request, leading to a stack-based buffer overflow and allowing execution of arbitrary code.
There is also a stack buffer overflow in nmbd's logon request processing code that can be triggered by means of specially-crafted GETDC mailslot requests when the affected server is configured as a Primary or Backup Domain Controller. The Samba security team currently does not believe this particular vulnerability can be exploited to execute arbitrary code remotely.

Solution

Upgrade to version 3.0.27 or later.
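The plugin's verdict rests on the banner version, but the two bugs only matter when nmbd is actually running in the affected role (WINS server for CVE-2007-5398, PDC/BDC for CVE-2007-4572). The following is an added triage helper, not Tenable's plugin code or anything from the Samba project: it parses a Samba banner, compares it against the 3.0.27 fix level stated above, and reads the [global] section of an smb.conf to see whether "wins support" or "domain logons" is enabled (real smb.conf parameters; their use here is this example's assumption about how to recognise the roles). The banner and smb.conf text are constructed samples.

```python
"""Banner and configuration triage for the Samba < 3.0.27 advisory."""
import re

# Fixed release given in the advisory's Solution section.
FIXED_VERSION = (3, 0, 27)

# Matches e.g. "Samba 3.0.26a" or "Samba 3.0.28-1.el5". A trailing letter
# (3.0.26a) is a Samba point release and is kept as a separate field.
_BANNER_RE = re.compile(r"Samba\s+(\d+)\.(\d+)\.(\d+)([a-z]?)", re.IGNORECASE)

# Constructed sample inputs (not taken from any real host).
SAMPLE_BANNER = "Samba 3.0.26a"
SAMPLE_SMB_CONF = """\
# constructed sample smb.conf
[global]
   workgroup = EXAMPLE
   wins support = yes
   domain logons = yes
[homes]
   browseable = no
"""


def parse_samba_version(banner):
    """Return (major, minor, patch, suffix) from a Samba banner, or None
    when the banner carries no recognisable Samba version."""
    m = _BANNER_RE.search(banner)
    if m is None:
        return None
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch), suffix)


def version_is_vulnerable(banner):
    """True if the banner reports a release before 3.0.27, False if it
    reports 3.0.27 or later, None if no version could be read."""
    v = parse_samba_version(banner)
    if v is None:
        return None
    # Point-release letters (3.0.26a) never cross the 3.0.27 boundary,
    # so the numeric triple alone decides.
    return v[:3] < FIXED_VERSION


def parse_global_section(smb_conf):
    """Return the [global] parameters of an smb.conf as a dict. Keys are
    lower-cased with whitespace collapsed, since Samba ignores case and
    spacing in parameter names; '#' and ';' start comments."""
    params = {}
    section = None
    for raw in smb_conf.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[" ".join(key.lower().split())] = value.strip()
    return params


def _is_true(value):
    """Samba boolean spelling accepted here (assumption: yes/true/1)."""
    return value.strip().lower() in ("yes", "true", "1")


def exposed_roles(smb_conf):
    """Return the advisory-relevant roles the configuration enables:
    'wins' for a WINS server (CVE-2007-5398) and 'dc' for a host
    offering domain logons as PDC/BDC (CVE-2007-4572)."""
    g = parse_global_section(smb_conf)
    roles = []
    if _is_true(g.get("wins support", "no")):
        roles.append("wins")
    if _is_true(g.get("domain logons", "no")):
        roles.append("dc")
    return roles


def triage(banner, smb_conf):
    """Combine the version and role checks into one verdict string."""
    vuln = version_is_vulnerable(banner)
    if vuln is None:
        return "unknown-version"
    if not vuln:
        return "patched"
    roles = exposed_roles(smb_conf)
    if roles:
        return "vulnerable-exposed:" + ",".join(roles)
    return "vulnerable-not-exposed"


if __name__ == "__main__":
    print(triage(SAMPLE_BANNER, SAMPLE_SMB_CONF))
```

A "vulnerable-not-exposed" result still calls for the upgrade; it only lowers the urgency, since the banner check alone cannot see whether an administrator later turns on WINS support or domain logons.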

See Also

http://secunia.com/secunia_research/2007-90/advisory

http://www.securityfocus.com/archive/1/483744

http://us1.samba.org/samba/security/CVE-2007-4572.html

http://us1.samba.org/samba/security/CVE-2007-5398.html

http://www.securityfocus.com/archive/1/483742

http://www.securityfocus.com/archive/1/483743

http://www.securityfocus.com/archive/1/[email protected]

Plugin Details

Severity: Critical

ID: 4285

File Name: 4285.prm

Family: Samba

Published: 2007/11/15

Modified: 2016/01/19

Dependencies: 8740

Nessus ID: 28228

Risk Information

Risk Factor: Critical

CVSSv2

Base Score: 10

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:U/RL:OF/RC:C

CVSSv3

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS3#AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS3#E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:samba:samba

Patch Publication Date: 2007/11/16

Vulnerability Publication Date: 2007/11/16

Reference Information

CVE: CVE-2007-4572, CVE-2007-5398

BID: 26454, 26455

OSVDB: 39179, 39180