Samba encrypted password change request buffer overflow

samba-password-change-bo (10683)

High Risk

Description:

Samba is vulnerable to a stack-based buffer overflow, caused by improper bounds checking of encrypted password change requests. By sending a malformed encrypted password to the Samba server in a password change request, a remote attacker could overflow a buffer and execute arbitrary code on the system with root privileges, once the malformed password is decrypted.

Consequences:

Gain Access

Remedy:

Upgrade to the latest version of Samba (2.2.7 or later), available from the Samba Web site. See References.

— OR —

Apply the patch for this vulnerability, available from the Samba Web site. See References.

For Red Hat Linux:
Upgrade to the latest Samba package, as listed below. Refer to RHSA-2002:266-05 for more information. See References.

Red Hat 7.3: 2.2.7-1.7.3 or later
Red Hat 8.0: 2.2.7-2 or later

For Conectiva Linux:
Upgrade to the latest Samba package, as listed below. Refer to Conectiva Linux Security Announcement CLSA-2002:550 for more information. See References.

Conectiva 6.0: 2.0.9-2U60_2cl or later
Conectiva 7.0: 2.2.1a-1U70_2cl or later
Conectiva 8.0: 2.2.3a-2U80_1cl or later

For Gentoo Linux:
Upgrade to the latest Samba package, as listed in Gentoo Linux Security Announcement 200211-007. See References.

For SuSE Linux:
Upgrade to the latest Samba package, as listed below. Refer to SuSE Security Announcement SuSE-SA:2002:045 for more information. See References.

SuSE 8.1 (Intel): 2.2.5-124 or later
SuSE 8.0 (Intel): 2.2.3a-165 or later
SuSE 7.3 (Intel): 2.2.1a-206 or later
SuSE 7.2 (Intel): 2.2.0a-45 or later
SuSE 7.3 (Sparc): 2.2.1a-69 or later
SuSE 7.3 (PPC Power PC): 2.2.1a-141 or later

For Trustix Secure Linux 1.5:
Upgrade to the latest Samba package (2.2.7-2tr or later), as listed in Trustix Secure Linux Security Advisory #2002-0080 for more information. See References.

For Mandrake Linux:
Upgrade to the latest samba package, as listed below. Refer to MandrakeSoft Security Advisory MDKSA-2002:081 : samba for more information. See References.

Mandrake Linux 8.1: 2.2.2-3.3mdk or later
Mandrake Linux 8.2: 2.2.3a-10.1mdk or later
Mandrake Linux 9.0: 2.2.7-2.1mdk or later

For OpenPKG:
Upgrade to the latest samba package, as listed below. Refer to OpenPKG Security Advisory OpenPKG-SA-2002.012 for more information. See References.

OpenPKG 1.0: 2.2.2-1.0.1 or later
OpenPKG 1.1: 2.2.5-1.1.1 or later
OpenPKG Current: 2.2.7-20021120 or later

For Debian GNU/Linux:
Upgrade to the latest samba package, as listed below. Refer to DSA-200-1 for more information. See References.

Debian GNU/Linux 3.0 (woody): 2.2.3a-12 or later

For SGI IRIX:
Upgrade to the latest version of Samba (2.2.7 or later), as listed in SGI Security Advisory 20021204-01-I. See References.

For Hewlett-Packard HP 9000 Servers:
Upgrade to CIFS Server 2.2 version A.01.09.01, as listed in Hewlett-Packard Company Security Bulletin HPSBUX0212-230. See References.

For Caldera OpenLinux 3.1.1 (Workstation and Server):
Upgrade to the latest version of samba (2.2.2-7 or later), as listed in Caldera International, Inc. Security Advisory CSSA-2003-017.0. See References.

For Sun Solaris 9:
Apply the appropriate patch for your system, as listed in Sun Alert ID: 51082. See References.

As a workaround, refer to Sun Alert ID: 51082 for more information. See References.

For Caldera OpenLinux 3.1.1 Workstation and Server:
Upgrade to the appropriate fixed packages, as listed in SCO Security Advisory CSSA-2003-017.0. See References.

For other distributions:
Contact your vendor for upgrade or patch information.

References:

• Caldera International, Inc. Security Advisory CSSA-2003-017.0: OpenLinux: Various serious Samba vulnerabilities.
• CIAC Information Bulletin N-019: Samba Encrypted Password Buffer Overrun Vulnerability.
• CIAC information Bulletin N-023: HP - Vulnerability in CIFS/9000 Samba Server2.2.
• Conectiva Linux Announcement CLSA-2002:550: samba.
• Gentoo Linux Security Announcement 200211-007 : samba .
• Hewlett-Packard Company Security Bulletin HPSBUX0212-230: SSRT2437 Sec. Vulnerability in CIFS/9000 Samba Server2 2.
• Samba Web site: SAMBA - opening windows to a wider world.
• Samba Web site : Release Notes for Samba.
• SCO Security Advisory CSSA-2003-017.0: OpenLinux: Various serious Samba vulnerabilities.
• SGI Security Advisory 20021204-01-I: Samba Security Vulnerability.
• Sun Alert ID: 53580: Security Vulnerability in Samba(7) Versions 2.2.2 Through 2.2.6 May Allow Remote User Unauthorized Privileges.
• Trustix Secure Linux Security Advisory #2002-0080: samba - Remote hole.
• BID-6210: Samba Server Encrypted Password Buffer Overrun Vulnerability
• CVE-2002-1318: Buffer overflow in samba 2.2.2 through 2.2.6 allows remote attackers to cause a denial of service and possibly execute arbitrary code via an encrypted password that causes the overflow during decryption in which a DOS codepage string is converted to a little-endian UCS2 unicode string.
• DSA-200: samba -- remote exploit
• MDKSA-2002:081: Updated samba packages fix potential root compromise
• MDKSA-2003:024: Updated packages fix multiple vulnerabilities
• OpenPKG-SA-2002.012: Samba
• RHSA-2002-266: New samba packages available to fix potential security vulnerability
• SUSE-SA:2002:045: samba: possible remote code execution
• US-CERT VU#958321: Samba contains a remotely exploitable stack buffer overflow

Platforms Affected:

• Conectiva Linux 6.0
• Conectiva Linux 7.0
• Conectiva Linux 8.0
• Debian Debian Linux 3.0
• Gentoo Linux
• MandrakeSoft Mandrake Linux 8.1
• MandrakeSoft Mandrake Linux 8.2
• MandrakeSoft Mandrake Linux 9.0
• Novell SuSE Linux Enterprise Server 7.0
• Novell SuSE Linux Enterprise Server
• OpenPKG OpenPKG 1.0
• OpenPKG OpenPKG 1.1
• OpenPKG OpenPKG CURRENT
• RedHat Linux 7
• RedHat Linux 7.1
• RedHat Linux 7.2
• RedHat Linux 7.3
• RedHat Linux 8.0
• Samba Samba 2.2.2
• Samba Samba 2.2.3
• Samba Samba 2.2.4
• Samba Samba 2.2.5
• Samba Samba 2.2.6
• SCO Caldera OpenLinux Server 3.1.1
• SCO Caldera OpenLinux Workstation 3.1.1
• SGI IRIX 6.5
• SGI IRIX 6.5.1
• SGI IRIX 6.5.10
• SGI IRIX 6.5.10f
• SGI IRIX 6.5.10m
• SGI IRIX 6.5.11
• SGI IRIX 6.5.11f
• SGI IRIX 6.5.11m
• SGI IRIX 6.5.12
• SGI IRIX 6.5.12f
• SGI IRIX 6.5.12m
• SGI IRIX 6.5.13
• SGI IRIX 6.5.13f
• SGI IRIX 6.5.13m
• SGI IRIX 6.5.14
• SGI IRIX 6.5.14f
• SGI IRIX 6.5.14m
• SGI IRIX 6.5.15
• SGI IRIX 6.5.15f
• SGI IRIX 6.5.15m
• SGI IRIX 6.5.16
• SGI IRIX 6.5.16f
• SGI IRIX 6.5.16m
• SGI IRIX 6.5.17
• SGI IRIX 6.5.17f
• SGI IRIX 6.5.17m
• SGI IRIX 6.5.18
• SGI IRIX 6.5.2f
• SGI IRIX 6.5.2m
• SGI IRIX 6.5.3
• SGI IRIX 6.5.3f
• SGI IRIX 6.5.3m
• SGI IRIX 6.5.4
• SGI IRIX 6.5.4f
• SGI IRIX 6.5.4m
• SGI IRIX 6.5.5
• SGI IRIX 6.5.5f
• SGI IRIX 6.5.5m
• SGI IRIX 6.5.6
• SGI IRIX 6.5.6f
• SGI IRIX 6.5.6m
• SGI IRIX 6.5.7
• SGI IRIX 6.5.7f
• SGI IRIX 6.5.7m
• SGI IRIX 6.5.8
• SGI IRIX 6.5.8f
• SGI IRIX 6.5.8m
• SGI IRIX 6.5.9
• SGI IRIX 6.5.9f
• SGI IRIX 6.5.9m
• Sun Solaris 9
• SuSE SuSE eMail Server 3.1
• SuSE SuSE eMail Server III
• SUSE SuSE Linux 7.0
• SUSE SuSE Linux 7.2
• SUSE SuSE Linux 7.3
• SUSE SuSE Linux 8.0
• SUSE SuSE Linux 8.1
• SuSE SuSE Linux Connectivity Server
• SuSE SuSE Linux Database Server
• SuSE SuSE Linux Firewall
• SuSE SuSE Linux Office Server
• Trustix Secure Linux 1.5

Reported:

Nov 20, 2002

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page