ID CVE-2007-5398
Summary Stack-based buffer overflow in the reply_netbios_packet function in nmbd/nmbd_packets.c in nmbd in Samba 3.0.0 through 3.0.26a, when operating as a WINS server, allows remote attackers to execute arbitrary code via crafted WINS Name Registration requests followed by a WINS Name Query request.
References
Vulnerable Configurations
  • Samba 3.0.0
    cpe:2.3:a:samba:samba:3.0.0
  • Samba 3.0.1
    cpe:2.3:a:samba:samba:3.0.1
  • Samba 3.0.2
    cpe:2.3:a:samba:samba:3.0.2
  • Samba 3.0.2a
    cpe:2.3:a:samba:samba:3.0.2a
  • Samba 3.0.3
    cpe:2.3:a:samba:samba:3.0.3
  • Samba 3.0.4
    cpe:2.3:a:samba:samba:3.0.4
  • Samba 3.0.4 release candidate 1
    cpe:2.3:a:samba:samba:3.0.4:rc1
  • Samba 3.0.5
    cpe:2.3:a:samba:samba:3.0.5
  • Samba 3.0.6
    cpe:2.3:a:samba:samba:3.0.6
  • Samba 3.0.7
    cpe:2.3:a:samba:samba:3.0.7
  • Samba 3.0.8
    cpe:2.3:a:samba:samba:3.0.8
  • Samba 3.0.9
    cpe:2.3:a:samba:samba:3.0.9
  • Samba 3.0.10
    cpe:2.3:a:samba:samba:3.0.10
  • Samba 3.0.11
    cpe:2.3:a:samba:samba:3.0.11
  • Samba 3.0.12
    cpe:2.3:a:samba:samba:3.0.12
  • Samba 3.0.13
    cpe:2.3:a:samba:samba:3.0.13
  • Samba 3.0.14
    cpe:2.3:a:samba:samba:3.0.14
  • Samba 3.0.14a
    cpe:2.3:a:samba:samba:3.0.14a
  • Samba 3.0.15
    cpe:2.3:a:samba:samba:3.0.15
  • Samba 3.0.16
    cpe:2.3:a:samba:samba:3.0.16
  • Samba 3.0.17
    cpe:2.3:a:samba:samba:3.0.17
  • Samba 3.0.18
    cpe:2.3:a:samba:samba:3.0.18
  • Samba 3.0.19
    cpe:2.3:a:samba:samba:3.0.19
  • Samba 3.0.20
    cpe:2.3:a:samba:samba:3.0.20
  • Samba 3.0.20a
    cpe:2.3:a:samba:samba:3.0.20a
  • Samba 3.0.20b
    cpe:2.3:a:samba:samba:3.0.20b
  • Samba 3.0.21
    cpe:2.3:a:samba:samba:3.0.21
  • Samba 3.0.21a
    cpe:2.3:a:samba:samba:3.0.21a
  • Samba 3.0.21b
    cpe:2.3:a:samba:samba:3.0.21b
  • Samba 3.0.21c
    cpe:2.3:a:samba:samba:3.0.21c
  • Samba 3.0.22
    cpe:2.3:a:samba:samba:3.0.22
  • Samba 3.0.23
    cpe:2.3:a:samba:samba:3.0.23
  • Samba 3.0.23a
    cpe:2.3:a:samba:samba:3.0.23a
  • Samba 3.0.23b
    cpe:2.3:a:samba:samba:3.0.23b
  • Samba 3.0.23c
    cpe:2.3:a:samba:samba:3.0.23c
  • Samba 3.0.23d
    cpe:2.3:a:samba:samba:3.0.23d
  • Samba 3.0.24
    cpe:2.3:a:samba:samba:3.0.24
  • Samba 3.0.25
    cpe:2.3:a:samba:samba:3.0.25
  • Samba 3.0.25 pre1
    cpe:2.3:a:samba:samba:3.0.25:pre1
  • Samba 3.0.25 pre2
    cpe:2.3:a:samba:samba:3.0.25:pre2
  • Samba 3.0.25 release candidate 1
    cpe:2.3:a:samba:samba:3.0.25:rc1
  • Samba 3.0.25 release candidate 2
    cpe:2.3:a:samba:samba:3.0.25:rc2
  • Samba 3.0.25 release candidate 3
    cpe:2.3:a:samba:samba:3.0.25:rc3
  • Samba 3.0.25a
    cpe:2.3:a:samba:samba:3.0.25a
  • Samba 3.0.25b
    cpe:2.3:a:samba:samba:3.0.25b
  • Samba 3.0.25c
    cpe:2.3:a:samba:samba:3.0.25c
  • Samba 3.0.26
    cpe:2.3:a:samba:samba:3.0.26
  • Samba 3.0.26a
    cpe:2.3:a:samba:samba:3.0.26a
CVSS
Base: 9.3 (as of 19-11-2007 - 11:02)
Impact:
Exploitability:
CWE CWE-119
CAPEC
  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
  • Overflow Binary Resource File
    An attack of this type exploits a buffer overflow vulnerability in the handling of binary resources. Binary resources may include music files like MP3, image files like JPEG files, and any other binary file. These attacks may pass unnoticed to the client machine through normal usage of files, such as a browser loading a seemingly innocent JPEG file. This can allow the attacker access to the execution stack and execute arbitrary code in the target process. This attack pattern is a variant of standard buffer overflow attacks using an unexpected vector (binary files) to wrap its attack and open up a new attack vector. The attacker is required to either directly serve the binary content to the victim, or place it in a locale like a MP3 sharing application, for the victim to download. The attacker then is notified upon the download or otherwise locates the vulnerability opened up by the buffer overflow.
  • Buffer Overflow via Symbolic Links
    This type of attack leverages the use of symbolic links to cause buffer overflows. An attacker can try to create or manipulate a symbolic link file such that its contents result in out of bounds data. When the target software processes the symbolic link file, it could potentially overflow internal buffers with insufficient bounds checking.
  • Overflow Variables and Tags
    This type of attack leverages the use of tags or variables from a formatted configuration data to cause buffer overflow. The attacker crafts a malicious HTML page or configuration file that includes oversized strings, thus causing an overflow.
  • Buffer Overflow via Parameter Expansion
    In this attack, the target software is given input that the attacker knows will be modified and expanded in size during processing. This attack relies on the target software failing to anticipate that the expanded data may exceed some internal limit, thereby creating a buffer overflow.
  • Buffer Overflow in an API Call
    This attack targets libraries or shared code modules which are vulnerable to buffer overflow attacks. An attacker who has access to an API may try to embed malicious code in the API function call and exploit a buffer overflow vulnerability in the function's implementation. All clients that make use of the code library thus become vulnerable by association. This has a very broad effect on security across a system, usually affecting more than one software process.
  • Buffer Overflow in Local Command-Line Utilities
    This attack targets command-line utilities available in a number of shells. An attacker can leverage a vulnerability found in a command-line utility to escalate privilege to root.
Access
  Vector: NETWORK
  Complexity: MEDIUM
  Authentication: NONE
Impact
  Confidentiality: COMPLETE
  Integrity: COMPLETE
  Availability: COMPLETE
nessus via4
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2007-1017.NASL
    description Updated samba packages that fix security issues are now available for Red Hat Enterprise Linux 5. This update has been rated as having critical security impact by the Red Hat Security Response Team. Samba is a suite of programs used by machines to share files, printers, and other information. A buffer overflow flaw was found in the way Samba creates NetBIOS replies. If a Samba server is configured to run as a WINS server, a remote unauthenticated user could cause the Samba server to crash or execute arbitrary code. (CVE-2007-5398) A heap based buffer overflow flaw was found in the way Samba authenticates users. A remote unauthenticated user could trigger this flaw to cause the Samba server to crash. Careful analysis of this flaw has determined that arbitrary code execution is not possible, and under most circumstances will not result in a crash of the Samba server. (CVE-2007-4572) A flaw was found in the way Samba assigned group IDs under certain conditions. If the 'winbind nss info' parameter in smb.conf is set to either 'sfu' or 'rfc2307', Samba users are incorrectly assigned the group ID of 0. (CVE-2007-4138) Red Hat would like to thank Alin Rad Pop of Secunia Research, Rick King, and the Samba developers for responsibly disclosing these issues. All Samba users are advised to upgrade to these updated packages, which contain a backported patch to correct these issues.
    last seen 2019-02-21
    modified 2018-11-16
    plugin id 28246
    published 2007-11-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=28246
    title RHEL 5 : samba (RHSA-2007:1017)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2007-1016.NASL
    description Updated samba packages that fix several security issues are now available for Red Hat Enterprise Linux 4. This update has been rated as having critical security impact by the Red Hat Security Response Team. Samba is a suite of programs used by machines to share files, printers, and other information. A buffer overflow flaw was found in the way Samba creates NetBIOS replies. If a Samba server is configured to run as a WINS server, a remote unauthenticated user could cause the Samba server to crash or execute arbitrary code. (CVE-2007-5398) A heap-based buffer overflow flaw was found in the way Samba authenticates users. A remote unauthenticated user could trigger this flaw to cause the Samba server to crash. Careful analysis of this flaw has determined that arbitrary code execution is not possible, and under most circumstances will not result in a crash of the Samba server. (CVE-2007-4572) A flaw was found in the way Samba assigned group IDs under certain conditions. If the 'winbind nss info' parameter in smb.conf is set to either 'sfu' or 'rfc2307', Samba users are incorrectly assigned the group ID of 0. (CVE-2007-4138) Red Hat would like to thank Alin Rad Pop of Secunia Research, Rick King, and the Samba developers for responsibly disclosing these issues. All Samba users are advised to upgrade to these updated packages, which contain a backported patch to correct these issues.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 67059
    published 2013-06-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=67059
    title CentOS 4 : samba (CESA-2007:1016)
  • NASL family VMware ESX Local Security Checks
    NASL id VMWARE_VMSA-2008-0001.NASL
    description I Service Console package security updates a. OpenPegasus PAM Authentication Buffer Overflow Alexander Sotirov from VMware Security Research discovered a buffer overflow vulnerability in the OpenPegasus Management server. This flaw could be exploited by a malicious remote user on the service console network to gain root access to the service console. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2007-5360 to this issue. b. Updated Samba package An issue where attackers on the service console management network can cause a stack-based buffer overflow in the reply_netbios_packet function of nmbd in Samba. On systems where Samba is being used as a WINS server, exploiting this vulnerability can allow remote attackers to execute arbitrary code via crafted WINS Name Registration requests followed by a WINS Name Query request. An issue where attackers on the service console management network can exploit a vulnerability that occurs when Samba is configured as a Primary or Backup Domain controller. The vulnerability allows remote attackers to have an unknown impact via crafted GETDC mailslot requests, related to handling of GETDC logon server requests. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2007-5398 and CVE-2007-4572 to these issues. Note: By default Samba is not configured as a WINS server or a domain controller and ESX is not vulnerable unless the administrator has changed the default configuration. This vulnerability can be exploited remotely only if the attacker has access to the service console network. Security best practices provided by VMware recommend that the service console be isolated from the VM network. Please see http://www.vmware.com/resources/techresources/726 for more information on VMware security best practices. c. Updated util-linux package The patch addresses an issue where the mount and umount utilities in util-linux call the setuid and setgid functions in the wrong order and do not check the return values, which could allow attackers to gain elevated privileges via helper application such as mount.nfs. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2007-5191 to this issue. d. Updated Perl package The update addresses an issue where the regular expression engine in Perl can be used to issue a specially crafted regular expression that allows the attacker to run arbitrary code with the permissions level of the current Perl user. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2007-5116 to this issue. e. Updated OpenSSL package A flaw in the SSL_get_shared_ciphers() function could allow an attacker to cause a buffer overflow problem by sending ciphers to applications that use the function. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2007-3108, and CVE-2007-5135 to these issues.
    last seen 2019-02-21
    modified 2018-08-06
    plugin id 40372
    published 2009-07-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=40372
    title VMSA-2008-0001 : Moderate OpenPegasus PAM Authentication Buffer Overflow and updated service console packages
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2007-1034.NASL
    description Updated samba packages that fix a security issue are now available for Red Hat Enterprise Linux 4.5 Extended Update Support. This update has been rated as having critical security impact by the Red Hat Security Response Team. Samba is a suite of programs used by machines to share files, printers, and other information. A buffer overflow flaw was found in the way Samba creates NetBIOS replies. If a Samba server is configured to run as a WINS server, a remote unauthenticated user could cause the Samba server to crash, or execute arbitrary code. (CVE-2007-5398) Red Hat would like to thank Alin Rad Pop of Secunia Research for responsibly disclosing this issue. Users of Samba should upgrade to these updated packages, which contain a backported patch to correct this issue.
    last seen 2019-02-21
    modified 2014-05-02
    plugin id 63844
    published 2013-01-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=63844
    title RHEL 4 : samba (RHSA-2007:1034)
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_SECUPD2007-009.NASL
    description The remote host is running a version of Mac OS X 10.5 or 10.4 that does not have Security Update 2007-009 applied. This update contains several security fixes for a large number of programs.
    last seen 2019-02-21
    modified 2018-07-14
    plugin id 29723
    published 2007-12-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=29723
    title Mac OS X Multiple Vulnerabilities (Security Update 2007-009)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20071115_SAMBA_ON_SL5_X.NASL
    description A buffer overflow flaw was found in the way Samba creates NetBIOS replies. If a Samba server is configured to run as a WINS server, a remote unauthenticated user could cause the Samba server to crash or execute arbitrary code. (CVE-2007-5398) A heap based buffer overflow flaw was found in the way Samba authenticates users. A remote unauthenticated user could trigger this flaw to cause the Samba server to crash. Careful analysis of this flaw has determined that arbitrary code execution is not possible, and under most circumstances will not result in a crash of the Samba server. (CVE-2007-4572) A flaw was found in the way Samba assigned group IDs under certain conditions. If the 'winbind nss info' parameter in smb.conf is set to either 'sfu' or 'rfc2307', Samba users are incorrectly assigned the group ID of 0. (CVE-2007-4138)
    last seen 2019-02-21
    modified 2019-01-07
    plugin id 60309
    published 2012-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=60309
    title Scientific Linux Security Update : samba on SL5.x, SL4.x, SL3.x i386/x86_64
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2007-1016.NASL
    description From Red Hat Security Advisory 2007:1016 : Updated samba packages that fix several security issues are now available for Red Hat Enterprise Linux 4. This update has been rated as having critical security impact by the Red Hat Security Response Team. Samba is a suite of programs used by machines to share files, printers, and other information. A buffer overflow flaw was found in the way Samba creates NetBIOS replies. If a Samba server is configured to run as a WINS server, a remote unauthenticated user could cause the Samba server to crash or execute arbitrary code. (CVE-2007-5398) A heap-based buffer overflow flaw was found in the way Samba authenticates users. A remote unauthenticated user could trigger this flaw to cause the Samba server to crash. Careful analysis of this flaw has determined that arbitrary code execution is not possible, and under most circumstances will not result in a crash of the Samba server. (CVE-2007-4572) A flaw was found in the way Samba assigned group IDs under certain conditions. If the 'winbind nss info' parameter in smb.conf is set to either 'sfu' or 'rfc2307', Samba users are incorrectly assigned the group ID of 0. (CVE-2007-4138) Red Hat would like to thank Alin Rad Pop of Secunia Research, Rick King, and the Samba developers for responsibly disclosing these issues. All Samba users are advised to upgrade to these updated packages, which contain a backported patch to correct these issues.
    last seen 2019-02-21
    modified 2018-07-18
    plugin id 67597
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=67597
    title Oracle Linux 4 : samba (ELSA-2007-1016)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2007-1016.NASL
    description Updated samba packages that fix several security issues are now available for Red Hat Enterprise Linux 4. This update has been rated as having critical security impact by the Red Hat Security Response Team. Samba is a suite of programs used by machines to share files, printers, and other information. A buffer overflow flaw was found in the way Samba creates NetBIOS replies. If a Samba server is configured to run as a WINS server, a remote unauthenticated user could cause the Samba server to crash or execute arbitrary code. (CVE-2007-5398) A heap-based buffer overflow flaw was found in the way Samba authenticates users. A remote unauthenticated user could trigger this flaw to cause the Samba server to crash. Careful analysis of this flaw has determined that arbitrary code execution is not possible, and under most circumstances will not result in a crash of the Samba server. (CVE-2007-4572) A flaw was found in the way Samba assigned group IDs under certain conditions. If the 'winbind nss info' parameter in smb.conf is set to either 'sfu' or 'rfc2307', Samba users are incorrectly assigned the group ID of 0. (CVE-2007-4138) Red Hat would like to thank Alin Rad Pop of Secunia Research, Rick King, and the Samba developers for responsibly disclosing these issues. All Samba users are advised to upgrade to these updated packages, which contain a backported patch to correct these issues.
    last seen 2019-02-21
    modified 2018-11-16
    plugin id 28245
    published 2007-11-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=28245
    title RHEL 4 : samba (RHSA-2007:1016)
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS9_X86_114685.NASL
    description SunOS 5.9_x86: Samba Patch. Date this patch was last updated by Sun : Dec/22/10
    last seen 2018-09-01
    modified 2016-12-09
    plugin id 13609
    published 2004-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=13609
    title Solaris 9 (x86) : 114685-17
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS9_114684.NASL
    description SunOS 5.9: Samba Patch. Date this patch was last updated by Sun : Dec/22/10
    last seen 2018-09-02
    modified 2016-12-09
    plugin id 13559
    published 2004-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=13559
    title Solaris 9 (sparc) : 114684-17
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-544-1.NASL
    description Samba developers discovered that nmbd could be made to overrun a buffer during the processing of GETDC logon server requests. When samba is configured as a Primary or Backup Domain Controller, a remote attacker could send malicious logon requests and possibly cause a denial of service. (CVE-2007-4572) Alin Rad Pop of Secunia Research discovered that nmbd did not properly check the length of netbios packets. When samba is configured as a WINS server, a remote attacker could send multiple crafted requests resulting in the execution of arbitrary code with root privileges. (CVE-2007-5398). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 28251
    published 2007-11-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=28251
    title Ubuntu 6.06 LTS / 6.10 / 7.04 / 7.10 : samba vulnerabilities (USN-544-1)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-544-2.NASL
    description USN-544-1 fixed two vulnerabilities in Samba. Fixes for CVE-2007-5398 are unchanged, but the upstream changes for CVE-2007-4572 introduced a regression in all releases which caused Linux smbfs mounts to fail. Additionally, Dapper and Edgy included an incomplete patch which caused configurations using NetBIOS to fail. A proper fix for these regressions does not exist at this time, and so the patch addressing CVE-2007-4572 has been removed. This vulnerability is believed to be an unexploitable denial of service, but a future update will address this issue. We apologize for the inconvenience. Samba developers discovered that nmbd could be made to overrun a buffer during the processing of GETDC logon server requests. When samba is configured as a Primary or Backup Domain Controller, a remote attacker could send malicious logon requests and possibly cause a denial of service. (CVE-2007-4572) Alin Rad Pop of Secunia Research discovered that nmbd did not properly check the length of netbios packets. When samba is configured as a WINS server, a remote attacker could send multiple crafted requests resulting in the execution of arbitrary code with root privileges. (CVE-2007-5398). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 28288
    published 2007-11-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=28288
    title Ubuntu 6.06 LTS / 6.10 / 7.04 / 7.10 : samba regression (USN-544-2)
  • NASL family Slackware Local Security Checks
    NASL id SLACKWARE_SSA_2007-320-01.NASL
    description New samba packages are available for Slackware 10.0, 10.1, 10.2, 11.0, 12.0, and -current to fix security issues.
    last seen 2019-02-21
    modified 2018-06-27
    plugin id 28277
    published 2007-11-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=28277
    title Slackware 10.0 / 10.1 / 10.2 / 11.0 / 12.0 / current : samba (SSA:2007-320-01)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2007-1013.NASL
    description Updated samba packages that fix several security issues are now available for Red Hat Enterprise Linux 2.1 and 3. This update has been rated as having critical security impact by the Red Hat Security Response Team. Samba is a suite of programs used by machines to share files, printers, and other information. A buffer overflow flaw was found in the way Samba creates NetBIOS replies. If a Samba server is configured to run as a WINS server, a remote unauthenticated user could cause the Samba server to crash or execute arbitrary code. (CVE-2007-5398) A heap-based buffer overflow flaw was found in the way Samba authenticates users. A remote unauthenticated user could trigger this flaw to cause the Samba server to crash. Careful analysis of this flaw has determined that arbitrary code execution is not possible, and under most circumstances will not result in a crash of the Samba server. (CVE-2007-4572) Red Hat would like to thank Alin Rad Pop of Secunia Research, and the Samba developers for responsibly disclosing these issues. Users of Samba are advised to upgrade to these updated packages, which contain backported patches to resolve these issues.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 37627
    published 2009-04-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=37627
    title CentOS 3 : samba (CESA-2007:1013)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_CIFS-MOUNT-4719.NASL
    description This update fixes two buffer overflows in nmbd (CVE-2007-4572 / CVE-2007-5398). Remote attackers could potentially exploit them to execute arbitrary code. The updated packages additionally contain fixes for numerous other defects. Please refer to the package changelog for details.
    last seen 2019-02-21
    modified 2012-05-17
    plugin id 29391
    published 2007-12-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=29391
    title SuSE 10 Security Update : Samba (ZYPP Patch Number 4719)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200711-29.NASL
    description The remote host is affected by the vulnerability described in GLSA-200711-29 (Samba: Execution of arbitrary code) Two vulnerabilities have been reported in nmbd. Alin Rad Pop (Secunia Research) discovered a boundary checking error in the reply_netbios_packet() function which could lead to a stack-based buffer overflow (CVE-2007-5398). The Samba developers discovered a boundary error when processing GETDC logon requests also leading to a buffer overflow (CVE-2007-4572). Impact : To exploit the first vulnerability, a remote unauthenticated attacker could send specially crafted WINS 'Name Registration' requests followed by a WINS 'Name Query' request. This might lead to execution of arbitrary code with elevated privileges. Note that this vulnerability is exploitable only when WINS server support is enabled in Samba. The second vulnerability could be exploited by sending specially crafted 'GETDC' mailslot requests, but requires Samba to be configured as a Primary or Backup Domain Controller. It is not believed to be exploitable to execute arbitrary code. Workaround : To work around the first vulnerability, disable WINS support in Samba by setting 'wins support = no' in the 'global' section of your smb.conf and restart Samba.
    last seen 2019-02-21
    modified 2018-08-10
    plugin id 28318
    published 2007-11-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=28318
    title GLSA-200711-29 : Samba: Execution of arbitrary code
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2007-1013.NASL
    description Updated samba packages that fix several security issues are now available for Red Hat Enterprise Linux 2.1 and 3. This update has been rated as having critical security impact by the Red Hat Security Response Team. Samba is a suite of programs used by machines to share files, printers, and other information. A buffer overflow flaw was found in the way Samba creates NetBIOS replies. If a Samba server is configured to run as a WINS server, a remote unauthenticated user could cause the Samba server to crash or execute arbitrary code. (CVE-2007-5398) A heap-based buffer overflow flaw was found in the way Samba authenticates users. A remote unauthenticated user could trigger this flaw to cause the Samba server to crash. Careful analysis of this flaw has determined that arbitrary code execution is not possible, and under most circumstances will not result in a crash of the Samba server. (CVE-2007-4572) Red Hat would like to thank Alin Rad Pop of Secunia Research, and the Samba developers for responsibly disclosing these issues. Users of Samba are advised to upgrade to these updated packages, which contain backported patches to resolve these issues.
    last seen 2019-02-21
    modified 2018-11-16
    plugin id 28244
    published 2007-11-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=28244
    title RHEL 2.1 / 3 : samba (RHSA-2007:1013)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2007-224.NASL
    description The samba developers discovered that nmbd could be made to overrun a buffer during the processing of GETDC logon server requests. If samba is configured as a Primary or Backup Domain Controller, this could be used by a remote attacker to send malicious logon requests and possibly cause a denial of service (CVE-2007-4572). As well, Alin Rad Pop of Secunia Research found that nmbd did not properly check the length of netbios packets. If samba is configured as a WINS server, this could be used by a remote attacker able to send multiple crafted requests to nmbd, resulting in the execution of arbitrary code with root privileges (CVE-2007-5398). Update : This update corrects all known regressions with previous Samba updates due to the security fixes to correct CVE-2007-4572.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 28274
    published 2007-11-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=28274
    title Mandrake Linux Security Advisory : samba (MDKSA-2007:224-3)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_A63B15F997FF11DC9E480016179B2DD5.NASL
    description The Samba Team reports : Secunia Research reported a vulnerability that allows for the execution of arbitrary code in nmbd. This defect may only be exploited when the 'wins support' parameter has been enabled in smb.conf. Samba developers have discovered what is believed to be a non-exploitable buffer overrun in nmbd during the processing of GETDC logon server requests. This code is only used when the Samba server is configured as a Primary or Backup Domain Controller.
    last seen 2019-02-21
    modified 2018-12-19
    plugin id 28317
    published 2007-11-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=28317
    title FreeBSD : samba -- multiple vulnerabilities (a63b15f9-97ff-11dc-9e48-0016179b2dd5)
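Every advisory above makes the same precondition explicit: nmbd is only reachable for CVE-2007-5398 when smb.conf sets 'wins support' in [global]. The following is an added example, not code from the page, the Samba project or the FreeBSD port, that checks a configuration for that precondition. It assumes Samba's documented parameter handling: keys are case-insensitive and ignore internal whitespace, booleans are yes/true/1 or no/false/0, 'wins support' is a global-only parameter that Samba ignores (with a warning) inside a share section, and its default is no. It distinguishes the server-side 'wins support' from the client-side 'wins server', and lists 'include =' targets instead of following them. The sample configurations are constructed for illustration.

```python
"""Added example (not from the page, the Samba project or FreeBSD): report
whether an smb.conf turns on the WINS server role that CVE-2007-5398 needs.
Assumptions (from Samba's documented parameter handling): keys are
case-insensitive and ignore internal whitespace, booleans are yes/true/1 or
no/false/0, 'wins support' is global-only (ignored with a warning in a share
section) and defaults to no.  'include =' lines are listed, not followed."""
import re

_TRUE = {"yes", "true", "1"}
_FALSE = {"no", "false", "0"}


def _norm_key(key: str) -> str:
    """'WINS Support' -> 'winssupport', matching Samba's parameter lookup."""
    return re.sub(r"\s+", "", key).lower()


def parse_smb_conf(text: str) -> dict:
    """Return {section_name: {normalised_key: value}}; section names lowercased.
    Only whole-line comments (';' or '#') are stripped: smb.conf has no
    inline comments, so text after a value would be part of the value."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # a parameter before the first section header is not valid
        key, _, value = line.partition("=")
        sections[current][_norm_key(key)] = value.strip()
    return sections


def wins_server_enabled(text: str) -> bool:
    """True only when [global] sets 'wins support' to a true value.
    'wins server = <ip>' is the client-side setting and does not count."""
    value = parse_smb_conf(text).get("global", {}).get("winssupport", "no").lower()
    if value in _TRUE:
        return True
    if value in _FALSE:
        return False
    raise ValueError(f"unrecognised boolean for 'wins support': {value!r}")


def includes(text: str) -> list:
    """'include =' targets found in any section; they must be checked too."""
    return [v for sec in parse_smb_conf(text).values()
            for k, v in sec.items() if k == "include"]


# Constructed sample configurations (not taken from any real host).
EXPOSED = """
[global]
   workgroup = EXAMPLE
   ; nmbd becomes a WINS server: the CVE-2007-5398 precondition
   WINS Support = Yes
"""
CLIENT_ONLY = """
[global]
   workgroup = EXAMPLE
   # points at another WINS server; this nmbd is not one
   wins server = 192.0.2.10
"""
MISPLACED = """
[global]
   workgroup = EXAMPLE
   include = /etc/samba/smb.conf.%m
[homes]
   # global parameter in a share section: Samba ignores it
   wins support = yes
"""

if __name__ == "__main__":
    for name, conf in (("EXPOSED", EXPOSED), ("CLIENT_ONLY", CLIENT_ONLY), ("MISPLACED", MISPLACED)):
        print(f"{name}: wins support={wins_server_enabled(conf)} includes={includes(conf)}")
```

Run it against the real file with `wins_server_enabled(open("/etc/samba/smb.conf").read())`, then repeat for every path returned by `includes()`; a value the parser rejects (for example a trailing comment glued onto the value) is the same malformed boolean Samba itself refuses to load.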
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1409.NASL
    description This update fixes all currently known regressions introduced with the previous two revisions of DSA-1409. The original text is reproduced below : Several local/remote vulnerabilities have been discovered in samba, a LanManager-like file and printer server for Unix. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2007-5398 Alin Rad Pop of Secunia Research discovered that nmbd did not properly check the length of netbios packets. When samba is configured as a WINS server, a remote attacker could send multiple crafted requests resulting in the execution of arbitrary code with root privileges. - CVE-2007-4572 Samba developers discovered that nmbd could be made to overrun a buffer during the processing of GETDC logon server requests. When samba is configured as a Primary or Backup Domain Controller, a remote attacker could send malicious logon requests and possibly cause a denial of service.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 28298
    published 2007-11-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=28298
    title Debian DSA-1409-3 : samba - several vulnerabilities
  • NASL family Misc.
    NASL id SAMBA_3_0_27.NASL
    description According to its banner, the version of the Samba server on the remote host contains a boundary error in the 'reply_netbios_packet()' function in 'nmbd/nmbd_packets.c' when sending NetBIOS replies. Provided the server is configured to run as a WINS server, a remote attacker can exploit this issue by sending multiple specially crafted WINS 'Name Registration' requests followed by a WINS 'Name Query' request, leading to a stack-based buffer overflow. This could also allow for the execution of arbitrary code. There is also a stack buffer overflow in nmbd's logon request processing code that can be triggered by means of specially crafted GETDC mailslot requests when the affected server is configured as a Primary or Backup Domain Controller. Note that the Samba security team currently does not believe this particular issue can be exploited to execute arbitrary code remotely.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 28228
    published 2007-11-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=28228
    title Samba < 3.0.27 Multiple Vulnerabilities
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2007-1013.NASL
    description From Red Hat Security Advisory 2007:1013 : Updated samba packages that fix several security issues are now available for Red Hat Enterprise Linux 2.1 and 3. This update has been rated as having critical security impact by the Red Hat Security Response Team. Samba is a suite of programs used by machines to share files, printers, and other information. A buffer overflow flaw was found in the way Samba creates NetBIOS replies. If a Samba server is configured to run as a WINS server, a remote unauthenticated user could cause the Samba server to crash or execute arbitrary code. (CVE-2007-5398) A heap-based buffer overflow flaw was found in the way Samba authenticates users. A remote unauthenticated user could trigger this flaw to cause the Samba server to crash. Careful analysis of this flaw has determined that arbitrary code execution is not possible, and under most circumstances will not result in a crash of the Samba server. (CVE-2007-4572) Red Hat would like to thank Alin Rad Pop of Secunia Research, and the Samba developers for responsibly disclosing these issues. Users of Samba are advised to upgrade to these updated packages, which contain backported patches to resolve these issues.
    last seen 2019-02-21
    modified 2018-07-18
    plugin id 67596
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=67596
    title Oracle Linux 3 : samba (ELSA-2007-1013)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2007-3402.NASL
    description Security Fixes : - CVE-2007-4572 - CVE-2007-5398 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-10-21
    plugin id 28229
    published 2007-11-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=28229
    title Fedora 7 : samba-3.0.27-0.fc7 (2007-3402)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_CIFS-MOUNT-4740.NASL
    description This update fixes two buffer overflows in nmbd (CVE-2007-4572, CVE-2007-5398). Remote attackers could potentially exploit them to execute arbitrary code. The updated packages additionally contain fixes for numerous other defects. Please refer to the package changelog for details.
    last seen 2019-02-21
    modified 2014-06-13
    plugin id 28370
    published 2007-11-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=28370
    title openSUSE 10 Security Update : cifs-mount (cifs-mount-4740)
oval via4
  • accepted 2013-04-29T04:03:46.255-04:00
    class vulnerability
    contributors
    • name Aharon Chernin
      organization SCAP.com, LLC
    • name Dragos Prisaca
      organization G2, Inc.
    definition_extensions
    • comment The operating system installed on the system is Red Hat Enterprise Linux 3
      oval oval:org.mitre.oval:def:11782
    • comment CentOS Linux 3.x
      oval oval:org.mitre.oval:def:16651
    • comment The operating system installed on the system is Red Hat Enterprise Linux 4
      oval oval:org.mitre.oval:def:11831
    • comment CentOS Linux 4.x
      oval oval:org.mitre.oval:def:16636
    • comment Oracle Linux 4.x
      oval oval:org.mitre.oval:def:15990
    • comment The operating system installed on the system is Red Hat Enterprise Linux 5
      oval oval:org.mitre.oval:def:11414
    • comment The operating system installed on the system is CentOS Linux 5.x
      oval oval:org.mitre.oval:def:15802
    • comment Oracle Linux 5.x
      oval oval:org.mitre.oval:def:15459
    description Stack-based buffer overflow in the reply_netbios_packet function in nmbd/nmbd_packets.c in nmbd in Samba 3.0.0 through 3.0.26a, when operating as a WINS server, allows remote attackers to execute arbitrary code via crafted WINS Name Registration requests followed by a WINS Name Query request.
    family unix
    id oval:org.mitre.oval:def:10230
    status accepted
    submitted 2010-07-09T03:56:16-04:00
    title Stack-based buffer overflow in the reply_netbios_packet function in nmbd/nmbd_packets.c in nmbd in Samba 3.0.0 through 3.0.26a, when operating as a WINS server, allows remote attackers to execute arbitrary code via crafted WINS Name Registration requests followed by a WINS Name Query request.
    version 24
  • accepted 2015-04-20T04:02:27.981-04:00
    class vulnerability
    contributors
    • name Pai Peng
      organization Hewlett-Packard
    • name Sushant Kumar Singh
      organization Hewlett-Packard
    • name Prashant Kumar
      organization Hewlett-Packard
    • name Mike Cokus
      organization The MITRE Corporation
    description Stack-based buffer overflow in the reply_netbios_packet function in nmbd/nmbd_packets.c in nmbd in Samba 3.0.0 through 3.0.26a, when operating as a WINS server, allows remote attackers to execute arbitrary code via crafted WINS Name Registration requests followed by a WINS Name Query request.
    family unix
    id oval:org.mitre.oval:def:5811
    status accepted
    submitted 2008-06-30T13:13:25.000-04:00
    title HP-UX running HP CIFS Server (Samba), Remote Execution of Arbitrary Code
    version 41
redhat via4
advisories
  • bugzilla
    id 358831
    title Buffer Overflow Vulnerability
    oval
    AND
    • comment Red Hat Enterprise Linux 3 is installed
      oval oval:com.redhat.rhba:tst:20070026001
    • OR
      • AND
        • comment samba is earlier than 0:3.0.9-1.3E.14.1
          oval oval:com.redhat.rhsa:tst:20071013002
        • comment samba is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20070060003
      • AND
        • comment samba-client is earlier than 0:3.0.9-1.3E.14.1
          oval oval:com.redhat.rhsa:tst:20071013006
        • comment samba-client is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20070060007
      • AND
        • comment samba-common is earlier than 0:3.0.9-1.3E.14.1
          oval oval:com.redhat.rhsa:tst:20071013008
        • comment samba-common is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20070060009
      • AND
        • comment samba-swat is earlier than 0:3.0.9-1.3E.14.1
          oval oval:com.redhat.rhsa:tst:20071013004
        • comment samba-swat is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20070060005
    rhsa
    id RHSA-2007:1013
    released 2007-11-15
    severity Critical
    title RHSA-2007:1013: samba security update (Critical)
  • bugzilla
    id 358831
    title Buffer Overflow Vulnerability
    oval
    AND
    • comment Red Hat Enterprise Linux 4 is installed
      oval oval:com.redhat.rhba:tst:20070304001
    • OR
      • AND
        • comment samba is earlier than 0:3.0.25b-1.el4_6.2
          oval oval:com.redhat.rhsa:tst:20071016002
        • comment samba is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20070060003
      • AND
        • comment samba-client is earlier than 0:3.0.25b-1.el4_6.2
          oval oval:com.redhat.rhsa:tst:20071016008
        • comment samba-client is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20070060007
      • AND
        • comment samba-common is earlier than 0:3.0.25b-1.el4_6.2
          oval oval:com.redhat.rhsa:tst:20071016004
        • comment samba-common is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20070060009
      • AND
        • comment samba-swat is earlier than 0:3.0.25b-1.el4_6.2
          oval oval:com.redhat.rhsa:tst:20071016006
        • comment samba-swat is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20070060005
    rhsa
    id RHSA-2007:1016
    released 2007-11-15
    severity Critical
    title RHSA-2007:1016: samba security update (Critical)
  • bugzilla
    id 358831
    title Buffer Overflow Vulnerability
    oval
    AND
    • comment Red Hat Enterprise Linux 5 is installed
      oval oval:com.redhat.rhba:tst:20070331001
    • OR
      • AND
        • comment samba is earlier than 0:3.0.25b-1.el5_1.2
          oval oval:com.redhat.rhsa:tst:20071017002
        • comment samba is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20070061003
      • AND
        • comment samba-client is earlier than 0:3.0.25b-1.el5_1.2
          oval oval:com.redhat.rhsa:tst:20071017004
        • comment samba-client is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20070061009
      • AND
        • comment samba-common is earlier than 0:3.0.25b-1.el5_1.2
          oval oval:com.redhat.rhsa:tst:20071017006
        • comment samba-common is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20070061005
      • AND
        • comment samba-swat is earlier than 0:3.0.25b-1.el5_1.2
          oval oval:com.redhat.rhsa:tst:20071017008
        • comment samba-swat is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20070061007
    rhsa
    id RHSA-2007:1017
    released 2007-11-15
    severity Critical
    title RHSA-2007:1017: samba security update (Critical)
rpms
  • samba-0:3.0.9-1.3E.14.1
  • samba-client-0:3.0.9-1.3E.14.1
  • samba-common-0:3.0.9-1.3E.14.1
  • samba-swat-0:3.0.9-1.3E.14.1
  • samba-0:3.0.25b-1.el4_6.2
  • samba-client-0:3.0.25b-1.el4_6.2
  • samba-common-0:3.0.25b-1.el4_6.2
  • samba-swat-0:3.0.25b-1.el4_6.2
  • samba-0:3.0.25b-1.el5_1.2
  • samba-client-0:3.0.25b-1.el5_1.2
  • samba-common-0:3.0.25b-1.el5_1.2
  • samba-swat-0:3.0.25b-1.el5_1.2
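The page offers two ways to decide whether a host is still exposed: the Tenable SAMBA_3_0_27 plugin matches the version banner against the upstream range 3.0.0 through 3.0.26a, and the Red Hat OVAL criteria compare installed package EVRs against the fixed builds (0:3.0.9-1.3E.14.1 for RHEL 3, 0:3.0.25b-1.el4_6.2 for RHEL 4, 0:3.0.25b-1.el5_1.2 for RHEL 5). The following is an added example, not code from the page, Tenable, Red Hat or the Samba project, that implements both checks over one comparator. It assumes rpm's rpmvercmp rules (digit runs compare numerically, a digit segment sorts after a letter segment, and on a tie the string with more segments is newer) and omits tilde/caret ordering, which none of the versions here use. The point a practitioner should take from it is the disagreement between the two checks: a patched RHEL 5 host still reports banner 3.0.25b, inside the affected range, so the banner check alone is a false positive and the package check is the one to trust. Inputs are constructed, not captured from a real host.

```python
"""Added example (not from the page, Samba, Tenable or Red Hat): decide whether
a host is still exposed to CVE-2007-5398 from the Samba version banner (as the
SAMBA_3_0_27 plugin does) or from installed RPM EVRs (as the Red Hat OVAL
criteria do).  Assumed: rpm's rpmvercmp segment rules; tilde/caret ordering is
omitted.  Fixed EVRs are those listed in the RHSA-2007:1013/1016/1017 criteria."""
import re

_SEG = re.compile(r"[0-9]+|[A-Za-z]+")


def rpmvercmp(a: str, b: str) -> int:
    """-1, 0 or 1 as a is older than, equal to or newer than b."""
    if a == b:
        return 0
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)
            if xi != yi:
                return 1 if xi > yi else -1
        elif x.isdigit():
            return 1          # a numeric segment sorts after an alphabetic one
        elif y.isdigit():
            return -1
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def parse_evr(evr: str):
    """'0:3.0.25b-1.el5_1.2' -> (0, '3.0.25b', '1.el5_1.2').
    A missing epoch, or the '(none)' that rpm prints for %{EPOCH}, counts as 0."""
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        if e not in ("", "(none)"):
            epoch = int(e)
    version, _, release = evr.partition("-")
    return epoch, version, release


def evr_cmp(a: str, b: str) -> int:
    """Epoch first, then version, then release, each with rpmvercmp."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


# Fixed versions from the Red Hat OVAL criteria on this page.
FIXED = {
    "rhel3": "0:3.0.9-1.3E.14.1",
    "rhel4": "0:3.0.25b-1.el4_6.2",
    "rhel5": "0:3.0.25b-1.el5_1.2",
}
PACKAGES = ("samba", "samba-client", "samba-common", "samba-swat")


def vulnerable_rpms(os_id: str, installed: dict) -> list:
    """installed maps package name -> EVR string.  Returns the samba packages
    whose EVR is still below the fixed one; an empty list means patched."""
    fixed = FIXED[os_id]
    return [p for p in PACKAGES if p in installed and evr_cmp(installed[p], fixed) < 0]


def banner_in_affected_range(banner: str) -> bool:
    """Upstream range from the CVE text: Samba 3.0.0 through 3.0.26a inclusive.
    Treat a hit as a hint only: vendor backports (RHEL's fixed 3.0.9 and
    3.0.25b builds) keep the old version string after the fix is applied."""
    m = re.search(r"Samba\s+([0-9][0-9A-Za-z.]*)", banner)
    if not m:
        return False
    v = m.group(1)
    return rpmvercmp(v, "3.0.0") >= 0 and rpmvercmp(v, "3.0.26a") <= 0


if __name__ == "__main__":
    # Constructed inputs, not from a real host: one package still one release short.
    host = {"samba": "(none):3.0.25b-1.el5_1.1", "samba-common": "0:3.0.25b-1.el5_1.2"}
    print("rhel5 packages still vulnerable:", vulnerable_rpms("rhel5", host))
    for b in ("Samba 3.0.26a", "Samba 3.0.27", "Samba 3.0.25b"):
        print(b, "-> banner in affected range:", banner_in_affected_range(b))
```

To feed it real data, `rpm -q --qf '%{NAME} %{EPOCH}:%{VERSION}-%{RELEASE}\n' samba samba-client samba-common samba-swat` prints one line per package in exactly the form `parse_evr` accepts. The OVAL definitions additionally require each package to be signed with the Red Hat key; that signature check is outside this example.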
refmap via4
apple APPLE-SA-2007-12-17
bid 26455
bugtraq
  • 20071115 Secunia Research: Samba "reply_netbios_packet()" Buffer Overflow Vulnerability
  • 20080108 VMSA-2008-0001 Moderate OpenPegasus PAM Authentication Buffer Overflow and updated service console packages
  • 20080123 UPDATED VMSA-2008-0001.1 Moderate OpenPegasus PAM Authentication Buffer Overflow and updated service console packages
cert TA07-352A
confirm
debian DSA-1409
fedora FEDORA-2007-3402
gentoo GLSA-200711-29
hp
  • HPSBUX02316
  • HPSBUX02341
  • SSRT071495
  • SSRT080075
mandriva MDKSA-2007:224
misc http://secunia.com/secunia_research/2007-90/advisory/
mlist [Security-announce] 20080107 VMSA-2008-0001 Moderate OpenPegasus PAM Authentication Buffer Overflow and updated service console packages
sectrack 1018953
secunia
  • 27450
  • 27679
  • 27682
  • 27691
  • 27701
  • 27720
  • 27731
  • 27742
  • 27787
  • 27927
  • 28136
  • 28368
  • 29341
  • 30484
  • 30835
slackware SSA:2007-320-01
sreason 3372
sunalert 237764
suse SUSE-SA:2007:065
ubuntu USN-544-1
vupen
  • ADV-2007-3869
  • ADV-2007-4238
  • ADV-2008-0064
  • ADV-2008-0859
  • ADV-2008-1712
  • ADV-2008-1908
xf samba-replynetbiospacket-bo(38502)
Last major update 07-03-2011 - 22:00
Published 16-11-2007 - 13:46
Last modified 30-10-2018 - 12:25