Samba SMB/CIFS packet fragment re-assembly code buffer overflow

samba-smbcifs-smbd-bo (11550)

High Risk

Description:

Samba is vulnerable to a buffer overflow in the SMB/CIFS packet fragment re-assembly code in the smbd daemon. A remote attacker could connect to TCP port 139 or 445 and send a specially-crafted SMB/CIFS packet to overflow a buffer to overwrite memory, and possibly execute arbitrary code on the system with root privileges.

Platforms Affected:

• Conectiva, Linux 6.0
• Conectiva, Linux 7.0
• Conectiva, Linux 8.0
• Debian, Debian Linux 3.0
• FreeBSD, FreeBSD Ports Collection
• Gentoo, Linux
• HP, CIFS-9000 Server A.01.09
• HP, HP-UX 11.00
• HP, HP-UX 11.11
• HP, HP-UX 11.22
• Immunix, Immunix OS 6.2
• Immunix, Immunix OS 7+-beta
• Immunix, Immunix OS 7.0
• MandrakeSoft, Mandrake Linux 8.0 PPC
• MandrakeSoft, Mandrake Linux 8.0
• MandrakeSoft, Mandrake Linux 8.1 IA64
• MandrakeSoft, Mandrake Linux 8.1
• MandrakeSoft, Mandrake Linux 8.2
• MandrakeSoft, Mandrake Linux 8.2 PPC
• MandrakeSoft, Mandrake Linux 9.0
• MandrakeSoft, Mandrake Linux Corporate Server 2.1
• MandrakeSoft, Mandrake Multi Network Firewall 8.2
• OpenPKG, OpenPKG 1.1
• OpenPKG, OpenPKG 1.2
• OpenPKG, OpenPKG CURRENT
• RedHat, Enterprise Linux 2.1 AS
• RedHat, Enterprise Linux 2.1 ES
• RedHat, Enterprise Linux 2.1 WS
• RedHat, Linux 6.2
• RedHat, Linux 7
• RedHat, Linux 7.1
• RedHat, Linux 7.1 for iSeries
• RedHat, Linux 7.1 for pSeries
• RedHat, Linux 7.2
• RedHat, Linux 7.3
• RedHat, Linux 8.0
• RedHat, Linux 9.0
• RedHat, Linux Advanced Workstation 2.1 Itanium
• Samba, Samba 2.0.0
• Samba, Samba 2.0.1
• Samba, Samba 2.0.10
• Samba, Samba 2.0.2
• Samba, Samba 2.0.3
• Samba, Samba 2.0.4
• Samba, Samba 2.0.5
• Samba, Samba 2.0.6
• Samba, Samba 2.0.7
• Samba, Samba 2.0.8
• Samba, Samba 2.0.9
• Samba, Samba 2.2.0
• Samba, Samba 2.2.0a
• Samba, Samba 2.2.1a
• Samba, Samba 2.2.2
• Samba, Samba 2.2.3
• Samba, Samba 2.2.3a
• Samba, Samba 2.2.4
• Samba, Samba 2.2.5
• Samba, Samba 2.2.6
• Samba, Samba 2.2.7
• Samba, Samba 2.2.7a
• SCO, Caldera OpenLinux Server 3.1.1
• SCO, Caldera OpenLinux Workstation 3.1.1
• SCO, Caldera OpenServer 5.0.5
• SCO, Caldera OpenServer 5.0.6
• SCO, Caldera OpenServer 5.0.7
• SGI, IRIX 6.5
• SGI, IRIX 6.5 20
• SGI, IRIX 6.5.1
• SGI, IRIX 6.5.10
• SGI, IRIX 6.5.10f
• SGI, IRIX 6.5.10m
• SGI, IRIX 6.5.11
• SGI, IRIX 6.5.11f
• SGI, IRIX 6.5.11m
• SGI, IRIX 6.5.12
• SGI, IRIX 6.5.12f
• SGI, IRIX 6.5.12m
• SGI, IRIX 6.5.13
• SGI, IRIX 6.5.13f
• SGI, IRIX 6.5.13m
• SGI, IRIX 6.5.14
• SGI, IRIX 6.5.14f
• SGI, IRIX 6.5.14m
• SGI, IRIX 6.5.15
• SGI, IRIX 6.5.15f
• SGI, IRIX 6.5.15m
• SGI, IRIX 6.5.16
• SGI, IRIX 6.5.16f
• SGI, IRIX 6.5.16m
• SGI, IRIX 6.5.17
• SGI, IRIX 6.5.17f
• SGI, IRIX 6.5.17m
• SGI, IRIX 6.5.18
• SGI, IRIX 6.5.18f
• SGI, IRIX 6.5.18m
• SGI, IRIX 6.5.19
• SGI, IRIX 6.5.19f
• SGI, IRIX 6.5.19m
• SGI, IRIX 6.5.2
• SGI, IRIX 6.5.20
• SGI, IRIX 6.5.20f
• SGI, IRIX 6.5.20m
• SGI, IRIX 6.5.21
• SGI, IRIX 6.5.21f
• SGI, IRIX 6.5.21m
• SGI, IRIX 6.5.22
• SGI, IRIX 6.5.22m
• SGI, IRIX 6.5.23
• SGI, IRIX 6.5.23m
• SGI, IRIX 6.5.24
• SGI, IRIX 6.5.24m
• SGI, IRIX 6.5.25
• SGI, IRIX 6.5.26
• SGI, IRIX 6.5.27
• SGI, IRIX 6.5.28
• SGI, IRIX 6.5.2f
• SGI, IRIX 6.5.2m
• SGI, IRIX 6.5.3
• SGI, IRIX 6.5.3f
• SGI, IRIX 6.5.3m
• SGI, IRIX 6.5.4
• SGI, IRIX 6.5.4f
• SGI, IRIX 6.5.4m
• SGI, IRIX 6.5.5
• SGI, IRIX 6.5.5f
• SGI, IRIX 6.5.5m
• SGI, IRIX 6.5.6
• SGI, IRIX 6.5.6f
• SGI, IRIX 6.5.6m
• SGI, IRIX 6.5.7
• SGI, IRIX 6.5.7f
• SGI, IRIX 6.5.7m
• SGI, IRIX 6.5.8
• SGI, IRIX 6.5.8f
• SGI, IRIX 6.5.8m
• SGI, IRIX 6.5.9
• SGI, IRIX 6.5.9f
• SGI, IRIX 6.5.9m
• Sun, Cobalt Qube 3
• Sun, Cobalt RaQ 4
• Sun, Cobalt RaQ 550
• Sun, Cobalt RaQ XTR
• Sun, Linux 5.0
• Sun, Solaris 9
• SuSE, Linux Enterprise Server 8
• SuSE, SuSE eMail Server 3.1
• SuSE, SuSE eMail Server III
• SuSE, SuSE Linux 7.1
• SuSE, SuSE Linux 7.2
• SuSE, SuSE Linux 7.3
• SuSE, SuSE Linux 8.0
• SuSE, SuSE Linux 8.1
• SuSE, SuSE Linux Connectivity Server
• SuSE, SuSE Linux Database Server
• SuSE, SuSE Linux Enterprise Server 7.0
• SuSE, SuSE Linux Firewall
• SuSE, SuSE Linux Office Server
• Trustix, Secure Linux 1.01
• Trustix, Secure Linux 1.1
• Trustix, Secure Linux 1.2
• Trustix, Secure Linux 1.5

Remedy:

Upgrade to the latest version of Samba (2.2.8 or later), available from the Samba Web site. See References.

For Debian GNU/Linux 3.0 (woody):
Upgrade to the latest samba package (2.2.3a-12.1 or later), as listed in DSA-262-1 for more information. See References.

For Red Hat Linux:
Upgrade to the latest samba package, as listed below. Refer to RHSA-2003:095-23 for more information. See References.

Red Hat 6.2: 2.0.10-1.62 or later
Red Hat 7.0: 2.0.10-1.7.0 or later
Red Hat 7.1: 2.0.10-4.7.1 or later
Red Hat 7.2: 2.2.7-2.7.2 or later
Red Hat 7.3: 2.2.7-2.7.3 or later
Red Hat 8.0: 2.2.7-4.8.0 or later
Red Hat 9: 2.2.7a-7.9.0 or later

For Gentoo Linux:
Upgrade to the latest version of sambai (2.2.8 or later), as listed in Gentoo Linux Security Announcement 200303-11. See References.

For Mandrake Linux:
Upgrade to the latest samba package (2.2.7a-8.1mdk or later), as listed in MandrakeSoft Security Advisory MDKSA-2003:032:samba. See References.

For Apple Mac OS X and Mac OS X Server:
Samba ships with Mac OS X and Mac OS X Server, but is not enabled by default. Upgrade to Security Update 2003-03-24, available at the Apple Computer, Inc. Security Updates site. See References.

For OpenPKG:
Upgrade to the latest samba package as listed below. Refer to OpenPKG Security Advisory OpenPKG-SA-2003.021 for more information. See References.

OpenPKG CURRENT: 2.2.8-20030316 or later
OpenPKG 1.0: 2.2.7a-1.2.1 or later
OpenPKG 1.1: 2.2.5-1.1.2 or later

For Trustix Secure Linux 1.1, 1.2, and 1.5:
Upgrade to the latest samba package (2.2.8-1tr or later), as listed in Trustix Secure Linux Security Advisory #2003-0011. See References.

For SuSE Linux:
Upgrade to the latest samba or samba-client package, as listed below. Refer to SuSE Security Announcement SuSE-SA:2003:016 for more information. See References.

SuSE 8.1 (Intel): 2.2.5-160 or later
SuSE 8.0 (Intel): 2.2.3a-169 or later
SuSE 7.3 (Intel): 2.2.1a-213 or later
SuSE 7.3 (Sparc): 2.2.1a-73 or later
SuSE 7.3 (PPC): 2.2.1a-147 or later
SuSE 7.2 (Intel): 2.2.0a-48 or later
SuSE 7.1 (Intel): 2.0.10-27 or later
SuSE 7.1 (AXP): 2.0.10-21 or later

For Immunix OS 6.2, 7.0, and 7+:
Upgrade to the latest version of openssl (2.0.10-2_imnx_2 or later), as listed in Immunix OS Security Advisory IMNX-2003-7+-001-01. See References.

For Conectiva Linux:
Upgrade to the latest samba package, as listed below. Refer to Connectiva Linux Security Announcement CLSA-2003:615 for more information. See References.

Conectiva Linux 6.0: 2.0.9-2U60_3cl or later
Conectiva Linux 7.0: 2.2.8-1U70_1cl or later
Conectiva Linux 8: 2.2.8-1U80_1cl or later

For FreeBSD Ports Collection:
Upgrade to the latest ports collection, as listed in FreeBSD Security Notice FreeBSD-SN-03:01. See References.

For HP-UX releases 11.0 and 11.11:
Download and install the latest smbd file (11.00 or later), as listed in Hewlett-Packard Company Security Bulletin HPSBUX0304-253. See References.

For HP-UX releases 11.22:
Upgrade to the latest version of HP CIFS/9000 Server (A.01.09.02 or later), when it becomes available from the Hewlett-Packard Company Web site. See References.

For Caldera OpenLinux 3.1.1 (Workstation and Server):
Upgrade to the latest version of samba (2.2.2-7 or later), as listed in Caldera International, Inc. Security Advisory CSSA-2003-017.0. See References.

For Sun Solaris 9:
Apply the appropriate patch for your system, as listed below. Refer to Sun Alert ID: 53581 for more information. See References.

Solaris 9 (Sparc): 114684-02 or later
Solaris 9 (Intel): 114685-02 or later

For Caldera OpenServer 5.0.5, 5.0.6, and 5.0.7:
Upgrade to the appropriate fixed binaries, as listed in SCO Security Advisory CSSA-2003-SCO.13.1. See References.

For other distributions:
Contact your vendor for upgrade or patch information.

Consequences:

Gain Access

References:

• Apple Computer, Inc. Security Updates, Security Update 2003-03-24 at http://docs.info.apple.com/article.html?artnum=61798.
• Caldera International, Inc. Security Advisory CSSA-2003-017.0, OpenLinux: Various serious Samba vulnerabilities at ftp://ftp.sco.com/pub/security/OpenLinux/CSSA-2003-017.0.txt.
• CIAC Information Bulletin N-055, Samba smbd Buffer Overrun Vulnerability at http://www.ciac.org/ciac/bulletins/n-055.shtml.
• Conectiva Linux Security Announcement CLSA-2003:615, samba at http://distro.conectiva.com/atualizacoes/?id=a&anuncio=000615.
• FreeBSD Security Notice FreeBSD-SN-03:01, security issue in samba ports at http://www.linuxsecurity.com/advisories/freebsd_advisory-3128.html. (From LinuxSecurity archive)
• Gentoo Linux Security Announcement 200303-11, samba -- buffer overrun at http://www.linuxsecurity.com/advisories/gentoo_advisory-2965.html. (From LinuxSecurity archive)
• Hewlett-Packard Company Web site, Welcome HP Web site at http://www.hp.com/.
• Immunix OS Security Advisory IMNX-2003-7+-001-01, samba at http://www.linuxsecurity.com/advisories/immunix_advisory-3092.html. (From LinuxSecurity archive)
• Samba Web site, Samba - opening Windows to a wider world at http://us4.samba.org/samba/.
• SCO Security Advisory CSSA-2003-SCO.13.1, OpenServer 5.0.5 OpenServer 5.0.6 OpenServer 5.0.7 : Samba security update available avaliable for download. at http://www.linuxsecurity.com/content/view/105345/98/. (From LinuxSecurity archive)
• SGI Security Advisory 20030302-01-I, SMB/CIFS Security Vulnerability in Samba at ftp://patches.sgi.com/support/free/security/advisories/20030302-01-I.
• Sun Alert ID: 53581, Security Vulnerability in Samba(7) versions 2.2.2 through 2.2.8 May Allow Remote User Unauthorized Privileges at http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F53581&zone_32=category%3Asecurity.
• Sun Alert ID: 53924, Sun Cobalt Samba Versions Earlier Than 2.2.8 May Allow Remote Unauthorized Root Privileges at http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F53924&zone_32=category%3Asecurity.
• Trustix Secure Linux Security Advisory #2003-0011, samba -- Remote root compromise at http://www.trustix.net/errata/2003/0011/.
• BID-7106: Samba SMB/CIFS Packet Assembling Buffer Overflow Vulnerability
• CVE-2003-0085: Buffer overflow in the SMB/CIFS packet fragment re-assembly code for SMB daemon (smbd) in Samba before 2.2.8, and Samba-TNG before 0.3.1, allows remote attackers to execute arbitrary code.
• DSA-262: samba -- remote exploit
• MDKSA-2003:032: Updated samba packages fix remote root vulnerability
• OpenPKG-SA-2003.021: Samba
• RHSA-2003-095: New samba packages fix security vulnerabilities
• RHSA-2003-096: samba security update
• RHSA-2003-226: Updated samba packages fix security vulnerabilities
• SA8299: Samba Packet Fragment Re-assembly Buffer Overflow
• SUSE-SA:2003:016: samba: remote command execution

Reported:

Mar 14, 2003

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page