ID CVE-2007-0452
Summary smbd in Samba 3.0.6 through 3.0.23d allows remote authenticated users to cause a denial of service (memory and CPU exhaustion) by renaming a file in a way that prevents a request from being removed from the deferred open queue, which triggers an infinite loop.
References
Vulnerable Configurations
  • Samba 3.0.6
    cpe:2.3:a:samba:samba:3.0.6
  • Samba 3.0.7
    cpe:2.3:a:samba:samba:3.0.7
  • Samba 3.0.8
    cpe:2.3:a:samba:samba:3.0.8
  • Samba 3.0.9
    cpe:2.3:a:samba:samba:3.0.9
  • Samba 3.0.10
    cpe:2.3:a:samba:samba:3.0.10
  • Samba 3.0.11
    cpe:2.3:a:samba:samba:3.0.11
  • Samba 3.0.12
    cpe:2.3:a:samba:samba:3.0.12
  • Samba 3.0.13
    cpe:2.3:a:samba:samba:3.0.13
  • Samba 3.0.14a
    cpe:2.3:a:samba:samba:3.0.14a
  • Samba 3.0.20
    cpe:2.3:a:samba:samba:3.0.20
  • Samba 3.0.20a
    cpe:2.3:a:samba:samba:3.0.20a
  • Samba 3.0.20b
    cpe:2.3:a:samba:samba:3.0.20b
  • Samba 3.0.21
    cpe:2.3:a:samba:samba:3.0.21
  • Samba 3.0.21a
    cpe:2.3:a:samba:samba:3.0.21a
  • Samba 3.0.21b
    cpe:2.3:a:samba:samba:3.0.21b
  • Samba 3.0.21c
    cpe:2.3:a:samba:samba:3.0.21c
  • Samba 3.0.22
    cpe:2.3:a:samba:samba:3.0.22
  • Samba 3.0.23
    cpe:2.3:a:samba:samba:3.0.23
  • Samba 3.0.23a
    cpe:2.3:a:samba:samba:3.0.23a
  • Samba 3.0.23b
    cpe:2.3:a:samba:samba:3.0.23b
  • Samba 3.0.23c
    cpe:2.3:a:samba:samba:3.0.23c
  • Samba 3.0.23d
    cpe:2.3:a:samba:samba:3.0.23d
CVSS
Base: 6.8 (as of 06-02-2007 - 10:40)
Impact:
Exploitability:
Access
  • Vector NETWORK
  • Complexity LOW
  • Authentication SINGLE_INSTANCE
Impact
  • Confidentiality NONE
  • Integrity NONE
  • Availability COMPLETE
nessus via4
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2007-0060.NASL
    description Updated samba packages that fix a denial of service vulnerability are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. Samba provides file and printer sharing services to SMB/CIFS clients. A denial of service flaw was found in Samba's smbd daemon process. An authenticated user could send a specially crafted request which would cause a smbd child process to enter an infinite loop condition. By opening multiple CIFS sessions, an attacker could exhaust system resources. (CVE-2007-0452) Users of Samba should update to these packages, which contain a backported patch to correct this issue.
    last seen 2019-02-21
    modified 2018-11-16
    plugin id 24364
    published 2007-02-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=24364
    title RHEL 3 / 4 : samba (RHSA-2007:0060)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SAMBA-2553.NASL
    description A logic error in the deferred open code can lead to an infinite loop in Samba's smbd daemon (CVE-2007-0452). In addition the following changes are included with these packages : - Move tdb utils to the client package. - Add version of the package subversion to Samba vendor version suffix. - Fix time value reporting in libsmbclient; [#195285]. - Store and restore NT hashes as string compatible values; [#185053]. - Added winbindd null sid fix; [#185053]. - Fix from Alison Winters of SGI to build even if make_vscan is 0. - Send correct workstation name to prevent NT_STATUS_INVALID_WORKSTATION being returned in samlogon; [#148645], [#161051].
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 27427
    published 2007-10-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27427
    title openSUSE 10 Security Update : samba (samba-2553)
  • NASL family Misc.
    NASL id SAMBA_3_0_24.NASL
    description According to its version number, the remote Samba server is affected by several flaws : - A denial of service issue occurring if an authenticated attacker sends a large number of CIFS session requests which will cause an infinite loop to occur in the smbd daemon, thus utilizing CPU resources and denying access to legitimate users ; - A remote format string vulnerability that could be exploited by an attacker with write access to a remote share by sending a malformed request to the remote service (this issue only affects installations sharing an AFS file system when the afsacl.so VFS module is loaded) - A remote buffer overflow vulnerability affecting the NSS lookup capability of the remote winbindd daemon
    last seen 2019-02-21
    modified 2018-07-27
    plugin id 24685
    published 2007-02-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=24685
    title Samba < 3.0.24 Multiple Flaws
  • NASL family Slackware Local Security Checks
    NASL id SLACKWARE_SSA_2007-038-01.NASL
    description New samba packages are available for Slackware 10.0, 10.1, 10.2, and 11.0 to fix a denial-of-service security issue.
    last seen 2019-02-21
    modified 2018-08-09
    plugin id 24668
    published 2007-02-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=24668
    title Slackware 10.0 / 10.1 / 10.2 / 11.0 : samba (SSA:2007-038-01)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2007-219.NASL
    description - Wed Feb 7 2007 Jay Fenlason 3.0.24-1.fc5 - New upstream release - Update the -man patch to work with 3.0.24 - This release fixes CVE-2007-0452 Samba smbd denial of service - Tue Sep 26 2006 Jay Fenlason 3.0.23c-1.fc5 - Include the newer smb.init that includes the configtest option - Upgrade to 3.0.23c, obsoleting the -samr_alias patch. - Wed Aug 9 2006 Jay Fenlason 3.0.23b-1.fc5 - New upstream release, fixing some annoying bugs. - Mon Jul 24 2006 Jay Fenlason 3.0.23a-1.fc5.1 - Fix the -logfiles patch to close bz#199607 Samba compiled with wrong log path. bz#199206 smb.conf has incorrect log file path - Mon Jul 24 2006 Jay Fenlason 3.0.23a-1.fc5 - Upgrade to new upstream 3.0.23a - include upstream samr_alias patch - Wed Jul 12 2006 Jay Fenlason 3.0.23-1.fc5 - Upgrade to 3.0.23 to close bz#197836 CVE-2006-3403 Samba denial of service - include related spec file, filter-requires-samba.sh and patch changes from rawhide. - include the fixed smb.init file from rawhide, closing bz#182560 Wrong retval for initscript when smbd is dead Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-10-21
    plugin id 24305
    published 2007-02-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=24305
    title Fedora Core 5 : samba-3.0.24-1.fc5 (2007-219)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2007-0060.NASL
    description From Red Hat Security Advisory 2007:0060 : Updated samba packages that fix a denial of service vulnerability are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. Samba provides file and printer sharing services to SMB/CIFS clients. A denial of service flaw was found in Samba's smbd daemon process. An authenticated user could send a specially crafted request which would cause a smbd child process to enter an infinite loop condition. By opening multiple CIFS sessions, an attacker could exhaust system resources. (CVE-2007-0452) Users of Samba should update to these packages, which contain a backported patch to correct this issue.
    last seen 2019-02-21
    modified 2018-07-18
    plugin id 67446
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=67446
    title Oracle Linux 3 / 4 : samba (ELSA-2007-0060)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_F235FE7AB9CA11DBBF0F0013720B182D.NASL
    description The Samba Team reports : Internally Samba's file server daemon, smbd, implements support for deferred file open calls in an attempt to serve client requests that would otherwise fail due to a share mode violation. When renaming a file under certain circumstances it is possible that the request is never removed from the deferred open queue. smbd will then become stuck in a loop trying to service the open request. This bug may allow an authenticated user to exhaust resources such as memory and CPU on the server by opening multiple CIFS sessions, each of which will normally spawn a new smbd process, and sending each connection into an infinite loop.
    last seen 2019-02-21
    modified 2018-11-23
    plugin id 24826
    published 2007-03-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=24826
    title FreeBSD : samba -- potential Denial of Service bug in smbd (f235fe7a-b9ca-11db-bf0f-0013720b182d)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1257.NASL
    description Several remote vulnerabilities have been discovered in samba, a free implementation of the SMB/CIFS protocol, which may lead to the execution of arbitrary code or denial of service. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2007-0452 It was discovered that incorrect handling of deferred file open calls may lead to an infinite loop, which results in denial of service. - CVE-2007-0454 'zybadawg333' discovered that the AFS ACL mapping VFS plugin performs insecure format string handling, which may lead to the execution of arbitrary code.
    last seen 2019-02-21
    modified 2018-08-09
    plugin id 24296
    published 2007-02-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=24296
    title Debian DSA-1257-1 : samba - several vulnerabilities
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2007-0060.NASL
    description Updated samba packages that fix a denial of service vulnerability are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. Samba provides file and printer sharing services to SMB/CIFS clients. A denial of service flaw was found in Samba's smbd daemon process. An authenticated user could send a specially crafted request which would cause a smbd child process to enter an infinite loop condition. By opening multiple CIFS sessions, an attacker could exhaust system resources. (CVE-2007-0452) Users of Samba should update to these packages, which contain a backported patch to correct this issue.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 24358
    published 2007-02-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=24358
    title CentOS 3 / 4 : samba (CESA-2007:0060)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2007-220.NASL
    description - Thu Nov 16 2006 Jay Fenlason 3.0.24-1.fc6 - New upstream release - Update the -man patch to work with 3.0.24 - This release fixes CVE-2007-0452 Samba smbd denial of service Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-10-21
    plugin id 24306
    published 2007-02-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=24306
    title Fedora Core 6 : samba-3.0.24-1.fc6 (2007-220)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2007-0061.NASL
    description Updated samba packages that fix a denial of service vulnerability are now available for Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team. Samba provides file and printer sharing services to SMB/CIFS clients. A denial of service flaw was found in Samba's smbd daemon process. An authenticated user could send a specially crafted request which would cause a smbd child process to enter an infinite loop condition. By opening multiple CIFS sessions, an attacker could exhaust system resources (CVE-2007-0452). Users of Samba should update to these packages, which contain a backported patch to correct this issue.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 25314
    published 2007-05-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=25314
    title RHEL 5 : samba (RHSA-2007:0061)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2007-034.NASL
    description A logic error in the deferred open code for smbd may allow an authenticated user to exhaust resources such as memory and CPU on the server by opening multiple CIFS sessions, each of which will normally spawn a new smbd process, and sending each connection into an infinite loop. (CVE-2007-0452) The name of a file on the server's share is used as the format string when setting an NT security descriptor through the afsacl.so VFS plugin. (CVE-2007-0454) Updated packages have been patched to address these issues.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 24647
    published 2007-02-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=24647
    title Mandrake Linux Security Advisory : samba (MDKSA-2007:034)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-419-1.NASL
    description A flaw was discovered in Samba's file opening code, which in certain situations could lead to an endless loop, resulting in a denial of service. (CVE-2007-0452) A format string overflow was discovered in Samba's ACL handling on AFS shares. Remote users with access to an AFS share could create crafted filenames and execute arbitrary code with root privileges. (CVE-2007-0454). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 28011
    published 2007-11-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=28011
    title Ubuntu 5.10 / 6.06 LTS / 6.10 : samba vulnerabilities (USN-419-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SAMBA-2556.NASL
    description A logic error in the deferred open code can lead to an infinite loop in Samba's smbd daemon. (CVE-2007-0452) In addition the following changes are included with these packages : - Move tdb utils to the client package. - The version string of binaries reported by the -V option now includes the package version control system version number. - Fix time value reporting in libsmbclient; [#195285]. - Store and restore NT hashes as string compatible values; [#185053]. - Added winbindd null sid fix; [#185053]. - Fix from Alison Winters of SGI to build even if make_vscan is 0. - Send correct workstation name to prevent NT_STATUS_INVALID_WORKSTATION being returned in samlogon; [#148645], [#161051].
    last seen 2019-02-21
    modified 2012-05-17
    plugin id 29575
    published 2007-12-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=29575
    title SuSE 10 Security Update : samba (ZYPP Patch Number 2556)
oval via4
accepted 2013-04-29T04:21:54.520-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 3
    oval oval:org.mitre.oval:def:11782
  • comment CentOS Linux 3.x
    oval oval:org.mitre.oval:def:16651
  • comment The operating system installed on the system is Red Hat Enterprise Linux 4
    oval oval:org.mitre.oval:def:11831
  • comment CentOS Linux 4.x
    oval oval:org.mitre.oval:def:16636
  • comment Oracle Linux 4.x
    oval oval:org.mitre.oval:def:15990
  • comment The operating system installed on the system is Red Hat Enterprise Linux 5
    oval oval:org.mitre.oval:def:11414
  • comment The operating system installed on the system is CentOS Linux 5.x
    oval oval:org.mitre.oval:def:15802
  • comment Oracle Linux 5.x
    oval oval:org.mitre.oval:def:15459
description smbd in Samba 3.0.6 through 3.0.23d allows remote authenticated users to cause a denial of service (memory and CPU exhaustion) by renaming a file in a way that prevents a request from being removed from the deferred open queue, which triggers an infinite loop.
family unix
id oval:org.mitre.oval:def:9758
status accepted
submitted 2010-07-09T03:56:16-04:00
title smbd in Samba 3.0.6 through 3.0.23d allows remote authenticated users to cause a denial of service (memory and CPU exhaustion) by renaming a file in a way that prevents a request from being removed from the deferred open queue, which triggers an infinite loop.
version 24
redhat via4
advisories
  • bugzilla
    id 225513
    title CVE-2007-0452 Samba smbd denial of service
    oval
    OR
    • AND
      • comment Red Hat Enterprise Linux 3 is installed
        oval oval:com.redhat.rhsa:tst:20060015001
      • OR
        • AND
          • comment samba is earlier than 0:3.0.9-1.3E.12
            oval oval:com.redhat.rhsa:tst:20070060002
          • comment samba is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20070060003
        • AND
          • comment samba-client is earlier than 0:3.0.9-1.3E.12
            oval oval:com.redhat.rhsa:tst:20070060006
          • comment samba-client is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20070060007
        • AND
          • comment samba-common is earlier than 0:3.0.9-1.3E.12
            oval oval:com.redhat.rhsa:tst:20070060008
          • comment samba-common is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20070060009
        • AND
          • comment samba-swat is earlier than 0:3.0.9-1.3E.12
            oval oval:com.redhat.rhsa:tst:20070060004
          • comment samba-swat is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20070060005
    • AND
      • comment Red Hat Enterprise Linux 4 is installed
        oval oval:com.redhat.rhsa:tst:20060016001
      • OR
        • AND
          • comment samba is earlier than 0:3.0.10-1.4E.11
            oval oval:com.redhat.rhsa:tst:20070060011
          • comment samba is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20070060003
        • AND
          • comment samba-client is earlier than 0:3.0.10-1.4E.11
            oval oval:com.redhat.rhsa:tst:20070060013
          • comment samba-client is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20070060007
        • AND
          • comment samba-common is earlier than 0:3.0.10-1.4E.11
            oval oval:com.redhat.rhsa:tst:20070060012
          • comment samba-common is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20070060009
        • AND
          • comment samba-swat is earlier than 0:3.0.10-1.4E.11
            oval oval:com.redhat.rhsa:tst:20070060014
          • comment samba-swat is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20070060005
    rhsa
    id RHSA-2007:0060
    released 2007-02-15
    severity Moderate
    title RHSA-2007:0060: samba security update (Moderate)
  • bugzilla
    id 225519
    title CVE-2007-0452 Samba smbd denial of service
    oval
    AND
    • comment Red Hat Enterprise Linux 5 is installed
      oval oval:com.redhat.rhsa:tst:20070055001
    • OR
      • AND
        • comment samba is earlier than 0:3.0.23c-2.el5.2
          oval oval:com.redhat.rhsa:tst:20070061002
        • comment samba is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20070061003
      • AND
        • comment samba-client is earlier than 0:3.0.23c-2.el5.2
          oval oval:com.redhat.rhsa:tst:20070061008
        • comment samba-client is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20070061009
      • AND
        • comment samba-common is earlier than 0:3.0.23c-2.el5.2
          oval oval:com.redhat.rhsa:tst:20070061004
        • comment samba-common is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20070061005
      • AND
        • comment samba-swat is earlier than 0:3.0.23c-2.el5.2
          oval oval:com.redhat.rhsa:tst:20070061006
        • comment samba-swat is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20070061007
    rhsa
    id RHSA-2007:0061
    released 2007-03-14
    severity Moderate
    title RHSA-2007:0061: samba security update (Moderate)
rpms
  • samba-0:3.0.9-1.3E.12
  • samba-client-0:3.0.9-1.3E.12
  • samba-common-0:3.0.9-1.3E.12
  • samba-swat-0:3.0.9-1.3E.12
  • samba-0:3.0.10-1.4E.11
  • samba-client-0:3.0.10-1.4E.11
  • samba-common-0:3.0.10-1.4E.11
  • samba-swat-0:3.0.10-1.4E.11
  • samba-0:3.0.23c-2.el5.2
  • samba-client-0:3.0.23c-2.el5.2
  • samba-common-0:3.0.23c-2.el5.2
  • samba-swat-0:3.0.23c-2.el5.2
refmap via4
bid 22395
bugtraq
  • 20070205 [SAMBA-SECURITY] CVE-2007-0452: Potential DoS against smbd in Samba 3.0.6 - 3.0.23d
  • 20070207 rPSA-2007-0026-1 samba samba-swat
confirm
debian DSA-1257
fedora
  • FEDORA-2007-219
  • FEDORA-2007-220
gentoo GLSA-200702-01
hp
  • HPSBUX02204
  • SSRT071341
mandriva MDKSA-2007:034
osvdb 33100
sectrack 1017587
secunia
  • 24021
  • 24030
  • 24046
  • 24060
  • 24067
  • 24076
  • 24101
  • 24140
  • 24145
  • 24151
  • 24188
  • 24284
  • 24792
sgi 20070201-01-P
slackware SSA:2007-038-01
sreason 2219
sunalert 200588
suse SUSE-SA:2007:016
trustix 2007-0007
ubuntu USN-419-1
vupen
  • ADV-2007-0483
  • ADV-2007-1278
xf samba-smbd-filerename-dos(32301)
Last major update 07-03-2011 - 21:49
Published 05-02-2007 - 21:28
Last modified 16-10-2018 - 12:32