ID CVE-2010-2063
Summary Buffer overflow in the SMB1 packet chaining implementation in the chain_reply function in process.c in smbd in Samba 3.0.x before 3.3.13 allows remote attackers to cause a denial of service (memory corruption and daemon crash) or possibly execute arbitrary code via a crafted field in a packet.
References
Vulnerable Configurations
  • Samba 3.0.0
    cpe:2.3:a:samba:samba:3.0.0
  • Samba 3.0.1
    cpe:2.3:a:samba:samba:3.0.1
  • Samba 3.0.2
    cpe:2.3:a:samba:samba:3.0.2
  • Samba 3.0.2a
    cpe:2.3:a:samba:samba:3.0.2a
  • Samba 3.0.3
    cpe:2.3:a:samba:samba:3.0.3
  • Samba 3.0.4
    cpe:2.3:a:samba:samba:3.0.4
  • Samba 3.0.4 release candidate 1
    cpe:2.3:a:samba:samba:3.0.4:rc1
  • Samba 3.0.5
    cpe:2.3:a:samba:samba:3.0.5
  • Samba 3.0.6
    cpe:2.3:a:samba:samba:3.0.6
  • Samba 3.0.7
    cpe:2.3:a:samba:samba:3.0.7
  • Samba 3.0.8
    cpe:2.3:a:samba:samba:3.0.8
  • Samba 3.0.9
    cpe:2.3:a:samba:samba:3.0.9
  • Samba 3.0.10
    cpe:2.3:a:samba:samba:3.0.10
  • Samba 3.0.11
    cpe:2.3:a:samba:samba:3.0.11
  • Samba 3.0.12
    cpe:2.3:a:samba:samba:3.0.12
  • Samba 3.0.13
    cpe:2.3:a:samba:samba:3.0.13
  • Samba 3.0.14
    cpe:2.3:a:samba:samba:3.0.14
  • Samba 3.0.14a
    cpe:2.3:a:samba:samba:3.0.14a
  • Samba 3.0.15
    cpe:2.3:a:samba:samba:3.0.15
  • Samba 3.0.16
    cpe:2.3:a:samba:samba:3.0.16
  • Samba 3.0.17
    cpe:2.3:a:samba:samba:3.0.17
  • Samba 3.0.18
    cpe:2.3:a:samba:samba:3.0.18
  • Samba 3.0.19
    cpe:2.3:a:samba:samba:3.0.19
  • Samba 3.0.20
    cpe:2.3:a:samba:samba:3.0.20
  • Samba 3.0.20a
    cpe:2.3:a:samba:samba:3.0.20a
  • Samba 3.0.20b
    cpe:2.3:a:samba:samba:3.0.20b
  • Samba 3.0.21
    cpe:2.3:a:samba:samba:3.0.21
  • Samba 3.0.21a
    cpe:2.3:a:samba:samba:3.0.21a
  • Samba 3.0.21b
    cpe:2.3:a:samba:samba:3.0.21b
  • Samba 3.0.21c
    cpe:2.3:a:samba:samba:3.0.21c
  • Samba 3.0.22
    cpe:2.3:a:samba:samba:3.0.22
  • Samba 3.0.23
    cpe:2.3:a:samba:samba:3.0.23
  • Samba 3.0.23a
    cpe:2.3:a:samba:samba:3.0.23a
  • Samba 3.0.23b
    cpe:2.3:a:samba:samba:3.0.23b
  • Samba 3.0.23c
    cpe:2.3:a:samba:samba:3.0.23c
  • Samba 3.0.23d
    cpe:2.3:a:samba:samba:3.0.23d
  • Samba 3.0.24
    cpe:2.3:a:samba:samba:3.0.24
  • Samba 3.0.25
    cpe:2.3:a:samba:samba:3.0.25
  • Samba 3.0.25 pre1
    cpe:2.3:a:samba:samba:3.0.25:pre1
  • Samba 3.0.25 pre2
    cpe:2.3:a:samba:samba:3.0.25:pre2
  • Samba 3.0.25 release candidate 1
    cpe:2.3:a:samba:samba:3.0.25:rc1
  • Samba 3.0.25 release candidate 2
    cpe:2.3:a:samba:samba:3.0.25:rc2
  • Samba 3.0.25 release candidate 3
    cpe:2.3:a:samba:samba:3.0.25:rc3
  • Samba 3.0.25a
    cpe:2.3:a:samba:samba:3.0.25a
  • Samba 3.0.25b
    cpe:2.3:a:samba:samba:3.0.25b
  • Samba 3.0.25c
    cpe:2.3:a:samba:samba:3.0.25c
  • Samba 3.0.26
    cpe:2.3:a:samba:samba:3.0.26
  • Samba 3.0.26a
    cpe:2.3:a:samba:samba:3.0.26a
  • Samba 3.0.27
    cpe:2.3:a:samba:samba:3.0.27
  • Samba 3.0.27a
    cpe:2.3:a:samba:samba:3.0.27a
  • Samba 3.0.28
    cpe:2.3:a:samba:samba:3.0.28
  • Samba 3.0.28a
    cpe:2.3:a:samba:samba:3.0.28a
  • Samba 3.0.29
    cpe:2.3:a:samba:samba:3.0.29
  • Samba 3.0.30
    cpe:2.3:a:samba:samba:3.0.30
  • Samba 3.0.31
    cpe:2.3:a:samba:samba:3.0.31
  • Samba 3.0.32
    cpe:2.3:a:samba:samba:3.0.32
  • Samba 3.0.33
    cpe:2.3:a:samba:samba:3.0.33
  • Samba 3.0.34
    cpe:2.3:a:samba:samba:3.0.34
  • Samba 3.0.35
    cpe:2.3:a:samba:samba:3.0.35
  • Samba 3.0.36
    cpe:2.3:a:samba:samba:3.0.36
  • Samba 3.0.37
    cpe:2.3:a:samba:samba:3.0.37
  • Samba 3.1.0
    cpe:2.3:a:samba:samba:3.1.0
  • Samba 3.2
    cpe:2.3:a:samba:samba:3.2
  • Samba 3.2.0
    cpe:2.3:a:samba:samba:3.2.0
  • Samba 3.2.1
    cpe:2.3:a:samba:samba:3.2.1
  • Samba 3.2.2
    cpe:2.3:a:samba:samba:3.2.2
  • Samba 3.2.3
    cpe:2.3:a:samba:samba:3.2.3
  • Samba 3.2.4
    cpe:2.3:a:samba:samba:3.2.4
  • Samba 3.2.5
    cpe:2.3:a:samba:samba:3.2.5
  • Samba 3.2.6
    cpe:2.3:a:samba:samba:3.2.6
  • Samba 3.2.7
    cpe:2.3:a:samba:samba:3.2.7
  • Samba 3.2.8
    cpe:2.3:a:samba:samba:3.2.8
  • Samba 3.2.9
    cpe:2.3:a:samba:samba:3.2.9
  • Samba 3.2.10
    cpe:2.3:a:samba:samba:3.2.10
  • Samba 3.2.11
    cpe:2.3:a:samba:samba:3.2.11
  • Samba 3.2.12
    cpe:2.3:a:samba:samba:3.2.12
  • Samba 3.2.13
    cpe:2.3:a:samba:samba:3.2.13
  • Samba 3.2.14
    cpe:2.3:a:samba:samba:3.2.14
  • Samba 3.2.15
    cpe:2.3:a:samba:samba:3.2.15
  • Samba 3.3
    cpe:2.3:a:samba:samba:3.3
  • Samba 3.3.0
    cpe:2.3:a:samba:samba:3.3.0
  • Samba 3.3.1
    cpe:2.3:a:samba:samba:3.3.1
  • Samba 3.3.2
    cpe:2.3:a:samba:samba:3.3.2
  • Samba 3.3.3
    cpe:2.3:a:samba:samba:3.3.3
  • Samba 3.3.4
    cpe:2.3:a:samba:samba:3.3.4
  • Samba 3.3.5
    cpe:2.3:a:samba:samba:3.3.5
  • Samba 3.3.6
    cpe:2.3:a:samba:samba:3.3.6
  • Samba 3.3.7
    cpe:2.3:a:samba:samba:3.3.7
  • Samba 3.3.8
    cpe:2.3:a:samba:samba:3.3.8
  • Samba 3.3.9
    cpe:2.3:a:samba:samba:3.3.9
  • Samba 3.3.10
    cpe:2.3:a:samba:samba:3.3.10
  • Samba 3.3.11
    cpe:2.3:a:samba:samba:3.3.11
  • Samba 3.3.12
    cpe:2.3:a:samba:samba:3.3.12
CVSS
Base: 7.5 (as of 18-06-2010 - 08:46)
Impact:
Exploitability:
CWE CWE-119
CAPEC
  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
  • Overflow Binary Resource File
    An attack of this type exploits a buffer overflow vulnerability in the handling of binary resources. Binary resources may include music files like MP3, image files like JPEG files, and any other binary file. These attacks may pass unnoticed to the client machine through normal usage of files, such as a browser loading a seemingly innocent JPEG file. This can allow the attacker access to the execution stack and execute arbitrary code in the target process. This attack pattern is a variant of standard buffer overflow attacks using an unexpected vector (binary files) to wrap its attack and open up a new attack vector. The attacker is required to either directly serve the binary content to the victim, or place it in a locale like a MP3 sharing application, for the victim to download. The attacker then is notified upon the download or otherwise locates the vulnerability opened up by the buffer overflow.
  • Buffer Overflow via Symbolic Links
    This type of attack leverages the use of symbolic links to cause buffer overflows. An attacker can try to create or manipulate a symbolic link file such that its contents result in out of bounds data. When the target software processes the symbolic link file, it could potentially overflow internal buffers with insufficient bounds checking.
  • Overflow Variables and Tags
    This type of attack leverages the use of tags or variables from a formatted configuration data to cause buffer overflow. The attacker crafts a malicious HTML page or configuration file that includes oversized strings, thus causing an overflow.
  • Buffer Overflow via Parameter Expansion
    In this attack, the target software is given input that the attacker knows will be modified and expanded in size during processing. This attack relies on the target software failing to anticipate that the expanded data may exceed some internal limit, thereby creating a buffer overflow.
  • Buffer Overflow in an API Call
    This attack targets libraries or shared code modules which are vulnerable to buffer overflow attacks. An attacker who has access to an API may try to embed malicious code in the API function call and exploit a buffer overflow vulnerability in the function's implementation. All clients that make use of the code library thus become vulnerable by association. This has a very broad effect on security across a system, usually affecting more than one software process.
  • Buffer Overflow in Local Command-Line Utilities
    This attack targets command-line utilities available in a number of shells. An attacker can leverage a vulnerability found in a command-line utility to escalate privilege to root.
Access
Vector: NETWORK
Complexity: LOW
Authentication: NONE
Impact
Confidentiality: PARTIAL
Integrity: PARTIAL
Availability: PARTIAL
exploit-db via4
description Samba chain_reply Memory Corruption (Linux x86). CVE-2010-2063. Remote exploit for linux platform
id EDB-ID:16860
last seen 2016-02-02
modified 2010-09-04
published 2010-09-04
reporter metasploit
source https://www.exploit-db.com/download/16860/
title Samba chain_reply Memory Corruption Linux x86
metasploit via4
description This exploits a memory corruption vulnerability present in Samba versions prior to 3.3.13. When handling chained response packets, Samba fails to validate the offset value used when building the next part. By setting this value to a number larger than the destination buffer size, an attacker can corrupt memory. Additionally, setting this value to a value smaller than 'smb_wct' (0x24) will cause the header of the input buffer chunk to be corrupted. After close inspection, it appears that 3.0.x versions of Samba are not exploitable. Since they use an "InputBuffer" size of 0x20441, an attacker cannot cause memory to be corrupted in an exploitable way. It is possible to corrupt the heap header of the "InputBuffer", but it didn't seem possible to get the chunk to be processed again prior to process exit. In order to gain code execution, this exploit attempts to overwrite a "talloc chunk" destructor function pointer. This particular module is capable of exploiting the flaw on x86 Linux systems that do not have the nx memory protection. NOTE: It is possible to make exploitation attempts indefinitely since Samba forks for user sessions in the default configuration.
id MSF:EXPLOIT/LINUX/SAMBA/CHAIN_REPLY
last seen 2018-08-26
modified 2017-07-24
published 2010-07-16
reliability Good
reporter Rapid7
source https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/samba/chain_reply.rb
title Samba chain_reply Memory Corruption (Linux x86)
nessus via4
  • NASL family SuSE Local Security Checks
    NASL id SUSE_CIFS-MOUNT-7072.NASL
    description This update of the Samba server package fixes the following security issues : - A buffer overrun was possible in chain_reply code in 3.3.x and below, which could be used to crash the samba server or potentially execute code. (CVE-2010-2063) - Take extra care that a mount point of mount.cifs does not get changed during mount. (CVE-2010-0787) Also, the following bugs have been fixed : - Honor interface list in net ads dns register. (bnc#606947) - An uninitialized variable read could cause smbd to crash (bso#7254, bnc#605935).
    last seen 2019-02-21
    modified 2012-05-17
    plugin id 49835
    published 2010-10-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=49835
    title SuSE 10 Security Update : Samba (ZYPP Patch Number 7072)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2010-119.NASL
    description A vulnerability has been discovered and corrected in samba : Samba versions 3.0.x, 3.2.x and 3.3.x are affected by a memory corruption vulnerability. Code dealing with the chaining of SMB1 packets did not correctly validate an input field provided by the client, making it possible for a specially crafted packet to crash the server or potentially cause the server to execute arbitrary code (CVE-2010-2063). Packages for 2008.0 and 2009.0 are provided as of the Extended Maintenance Program. Please visit this link to learn more: http://store.mandriva.com/product_info.php?cPath=149&products_id=490 The updated packages have been patched to correct this issue.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 47042
    published 2010-06-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=47042
    title Mandriva Linux Security Advisory : samba (MDVSA-2010:119)
  • NASL family VMware ESX Local Security Checks
    NASL id VMWARE_VMSA-2010-0013_REMOTE.NASL
    description The remote VMware ESX host is missing a security-related patch. It is, therefore, affected by multiple vulnerabilities, including remote code execution vulnerabilities, in several third-party components and libraries : - GNU cpio - GNU cpio on 64-bit - GNU tar - Kerberos 5 - Perl - PostgreSQL - Safe Module for Perl Automagic Methods - Samba smbd
    last seen 2019-02-21
    modified 2018-08-06
    plugin id 89741
    published 2016-03-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=89741
    title VMware ESX Multiple Vulnerabilities (VMSA-2010-0013) (remote check)
  • NASL family VMware ESX Local Security Checks
    NASL id VMWARE_VMSA-2010-0013.NASL
    description a. Service Console update for cpio The service console package cpio is updated to version 2.5-6.RHEL3 for ESX 3.x versions and updated to version 2.6-23.el5_4.1 for ESX 4.x versions. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2005-4268 and CVE-2010-0624 to the issues addressed in the update for ESX 3.x and the names CVE-2007-4476 and CVE-2010-0624 to the issues addressed in the update for ESX 4.x. b. Service Console update for tar The service console package tar is updated to version 1.13.25-16.RHEL3 for ESX 3.x versions and updated to version 1.15.1-23.0.1.el5_4.2 for ESX 4.x versions. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2010-0624 to the issue addressed in the update for ESX 3.x and the names CVE-2007-4476 and CVE-2010-0624 to the issues addressed in the update for ESX 4.x. c. Service Console update for samba The service console packages for samba are updated to version samba-3.0.9-1.3E.17vmw, samba-client-3.0.9-1.3E.17vmw and samba-common-3.0.9-1.3E.17vmw. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2010-2063 to the issue addressed in this update. Note : The issue mentioned above is present in the Samba server (smbd) and is not present in the Samba client or Samba common packages. To determine if your system has Samba server installed do a 'rpm -q samba'. The following lists when the Samba server is installed on the ESX service console : - ESX 4.0, ESX 4.1 The Samba server is not present on ESX 4.0 and ESX 4.1. - ESX 3.5 The Samba server is present if an earlier patch for Samba has been installed. - ESX 3.0.3 The Samba server is present if ESX 3.0.3 was upgraded from an earlier version of ESX 3 and a Samba patch was installed on that version. The Samba server is not needed to operate the service console and can be disabled without loss of functionality to the service console. d. Service Console update for krb5 The service console package krb5 is updated to version 1.2.7-72 for ESX 3.x versions and to version 1.6.1-36.el5_5.4 for ESX 4.x versions. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2010-1321 to the issue addressed in these updates. e. Service Console update for perl The service console package perl is updated to version 5.8.0-101.EL3 for ESX 3.x versions and version 5.8.8-32.el5_5.1 for ESX 4.x versions. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2010-1168 and CVE-2010-1447 to the issues addressed in the update for ESX 3.x and the names CVE-2008-5302, CVE-2008-5303, CVE-2010-1168, and CVE-2010-1447 to the issues addressed in the update for ESX 4.x.
    last seen 2019-02-21
    modified 2018-08-06
    plugin id 49085
    published 2010-09-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=49085
    title VMSA-2010-0013 : VMware ESX third-party updates for Service Console
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20100616_SAMBA_ON_SL3_X.NASL
    description An input sanitization flaw was found in the way Samba parsed client data. A malicious client could send a specially crafted SMB packet to the Samba server, resulting in arbitrary code execution with the privileges of the Samba server (smbd). (CVE-2010-2063) After installing this update, the smb service will be restarted automatically.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 60805
    published 2012-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=60805
    title Scientific Linux Security Update : samba on SL3.x, SL4.x i386/x86_64
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-951-1.NASL
    description Jun Mao discovered that Samba did not correctly validate SMB1 packet contents. An unauthenticated remote attacker could send specially crafted network traffic that could execute arbitrary code as the root user. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 47035
    published 2010-06-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=47035
    title Ubuntu 6.06 LTS / 8.04 LTS / 9.04 : samba vulnerability (USN-951-1)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2010-0488.NASL
    description Updated samba and samba3x packages that fix one security issue are now available for Red Hat Enterprise Linux 3, 4, and 5, and Red Hat Enterprise Linux 4.7, 5.3, and 5.4 Extended Update Support. The Red Hat Security Response Team has rated this update as having critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Samba is a suite of programs used by machines to share files, printers, and other information. An input sanitization flaw was found in the way Samba parsed client data. A malicious client could send a specially crafted SMB packet to the Samba server, resulting in arbitrary code execution with the privileges of the Samba server (smbd). (CVE-2010-2063) Red Hat would like to thank the Samba team for responsibly reporting this issue. Upstream acknowledges Jun Mao as the original reporter. Users of Samba are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue. After installing this update, the smb service will be restarted automatically.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 47034
    published 2010-06-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=47034
    title RHEL 3 / 4 / 5 : samba and samba3x (RHSA-2010:0488)
  • NASL family SuSE Local Security Checks
    NASL id SUSE9_12622.NASL
    description This update of the Samba server package fixes the following security issue : - A buffer overrun was possible in chain_reply code in 3.3.x and below, which could be used to crash the samba server or potentially execute code. (CVE-2010-2063) Also, the following bug has been fixed : - An uninitialized variable read could cause smbd to crash (bso#7254, bnc#605935).
    last seen 2019-02-21
    modified 2012-04-23
    plugin id 47568
    published 2010-07-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=47568
    title SuSE9 Security Update : Samba (YOU Patch Number 12622)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201206-22.NASL
    description The remote host is affected by the vulnerability described in GLSA-201206-22 (Samba: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Samba. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could possibly execute arbitrary code with root privileges, cause a Denial of Service condition, take ownership of shared files, or bypass file permissions. Furthermore, a local attacker may be able to cause a Denial of Service condition or obtain sensitive information in a Samba credentials file. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-07-11
    plugin id 59675
    published 2012-06-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=59675
    title GLSA-201206-22 : Samba: Multiple vulnerabilities
  • NASL family Slackware Local Security Checks
    NASL id SLACKWARE_SSA_2010-169-01.NASL
    description New samba packages are available for Slackware 10.0, 10.1, 10.2, 11.0, 12.0, 12.1, 12.2, and 13.0 to fix a security issue.
    last seen 2019-02-21
    modified 2018-06-27
    plugin id 47047
    published 2010-06-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=47047
    title Slackware 10.0 / 10.1 / 10.2 / 11.0 / 12.0 / 12.1 / 12.2 / 13.0 : samba (SSA:2010-169-01)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2010-0488.NASL
    description Updated samba and samba3x packages that fix one security issue are now available for Red Hat Enterprise Linux 3, 4, and 5, and Red Hat Enterprise Linux 4.7, 5.3, and 5.4 Extended Update Support. The Red Hat Security Response Team has rated this update as having critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Samba is a suite of programs used by machines to share files, printers, and other information. An input sanitization flaw was found in the way Samba parsed client data. A malicious client could send a specially crafted SMB packet to the Samba server, resulting in arbitrary code execution with the privileges of the Samba server (smbd). (CVE-2010-2063) Red Hat would like to thank the Samba team for responsibly reporting this issue. Upstream acknowledges Jun Mao as the original reporter. Users of Samba are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue. After installing this update, the smb service will be restarted automatically.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 47101
    published 2010-06-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=47101
    title CentOS 3 / 4 / 5 : samba / samba3x (CESA-2010:0488)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_CIFS-MOUNT-100613.NASL
    description This update of the Samba server package fixes the following security issues : - A buffer overrun was possible in chain_reply code in 3.3.x and below, which could be used to crash the samba server or potentially execute code. (CVE-2010-2063) - Take extra care that a mount point of mount.cifs does not get changed during mount. (CVE-2010-0787) Also, the following bugs have been fixed : - Honor interface list in net ads dns register. (bnc#606947) - An uninitialized variable read could cause smbd to crash (bso#7254, bnc#605935).
    last seen 2019-02-21
    modified 2013-10-25
    plugin id 50894
    published 2010-12-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=50894
    title SuSE 11 Security Update : (SAT Patch Number 2544)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-2061.NASL
    description Jun Mao discovered that Samba, an implementation of the SMB/CIFS protocol for Unix systems, is not properly handling certain offset values when processing chained SMB1 packets. This enables an unauthenticated attacker to write to an arbitrary memory location resulting in the possibility to execute arbitrary code with root privileges or to perform denial of service attacks by crashing the samba daemon.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 47103
    published 2010-06-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=47103
    title Debian DSA-2061-1 : samba - memory corruption
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2010-0488.NASL
    description From Red Hat Security Advisory 2010:0488 : Updated samba and samba3x packages that fix one security issue are now available for Red Hat Enterprise Linux 3, 4, and 5, and Red Hat Enterprise Linux 4.7, 5.3, and 5.4 Extended Update Support. The Red Hat Security Response Team has rated this update as having critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Samba is a suite of programs used by machines to share files, printers, and other information. An input sanitization flaw was found in the way Samba parsed client data. A malicious client could send a specially crafted SMB packet to the Samba server, resulting in arbitrary code execution with the privileges of the Samba server (smbd). (CVE-2010-2063) Red Hat would like to thank the Samba team for responsibly reporting this issue. Upstream acknowledges Jun Mao as the original reporter. Users of Samba are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue. After installing this update, the smb service will be restarted automatically.
    last seen 2019-02-21
    modified 2018-08-13
    plugin id 68051
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=68051
    title Oracle Linux 3 / 4 / 5 : samba / samba3x (ELSA-2010-0488)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20100616_SAMBA_AND_SAMBA3X_ON_SL5_X.NASL
    description An input sanitization flaw was found in the way Samba parsed client data. A malicious client could send a specially crafted SMB packet to the Samba server, resulting in arbitrary code execution with the privileges of the Samba server (smbd). (CVE-2010-2063) After installing this update, the smb service will be restarted automatically.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 60804
    published 2012-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=60804
    title Scientific Linux Security Update : samba and samba3x on SL5.x i386/x86_64
  • NASL family Misc.
    NASL id SAMBA_3_3_13.NASL
    description According to its banner, the version of Samba running on the remote host is a version of 3.x before 3.3.13. Such versions are affected by a memory corruption vulnerability when handling specially crafted SMB1 packets. By exploiting this flaw, a remote, unauthenticated attacker could crash the affected service or potentially execute arbitrary code subject to the privileges of the user running the affected application.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 47036
    published 2010-06-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=47036
    title Samba 3.x < 3.3.13 SMB1 Packet Chaining Memory Corruption
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_0_CIFS-MOUNT-100613.NASL
    description This update of the Samba server package fixes security issues and bugs. The following security issues were fixed: CVE-2010-2063: A buffer overrun was possible in chain_reply code in 3.3.x and below, which could be used to crash the samba server or potentially execute code. CVE-2010-0787: Take extra care that a mount point of mount.cifs isn't changed during mount. Also, the following bugs were fixed: - Honor 'interfaces' list in net ad dns register. (bnc#606947) - An uninitialized variable read could cause an smbd crash; (bso#7254); (bnc#605935).
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 47570
    published 2010-07-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=47570
    title openSUSE Security Update : cifs-mount (openSUSE-SU-2010:0346-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_1_CIFS-MOUNT-100613.NASL
    description This update of the Samba server package fixes security issues and bugs. The following security issues were fixed: CVE-2010-2063: A buffer overrun was possible in chain_reply code in 3.3.x and below, which could be used to crash the samba server or potentially execute code. CVE-2010-0787: Take extra care that a mount point of mount.cifs isn't changed during mount. Also, the following bugs were fixed: - Honor 'interfaces' list in net ad dns register. (bnc#606947) - An uninitialized variable read could cause an smbd crash; (bso#7254); (bnc#605935).
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 47572
    published 2010-07-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=47572
    title openSUSE Security Update : cifs-mount (openSUSE-SU-2010:0346-1)
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_SECUPD2010-005.NASL
    description The remote host is running a version of Mac OS X 10.6 or 10.5 that does not have Security Update 2010-005 applied. This security update contains fixes for the following products : - ATS - CFNetwork - ClamAV - CoreGraphics - libsecurity - PHP - Samba
    last seen 2019-02-21
    modified 2018-07-14
    plugin id 48424
    published 2010-08-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=48424
    title Mac OS X Multiple Vulnerabilities (Security Update 2010-005)
oval via4
  • accepted 2015-04-20T04:00:24.933-04:00
    class vulnerability
    contributors
    • name Sudha Akula
      organization Hewlett-Packard
    • name Sushant Kumar Singh
      organization Hewlett-Packard
    • name Sushant Kumar Singh
      organization Hewlett-Packard
    • name Prashant Kumar
      organization Hewlett-Packard
    • name Mike Cokus
      organization The MITRE Corporation
    description Buffer overflow in the SMB1 packet chaining implementation in the chain_reply function in process.c in smbd in Samba 3.0.x before 3.3.13 allows remote attackers to cause a denial of service (memory corruption and daemon crash) or possibly execute arbitrary code via a crafted field in a packet.
    family unix
    id oval:org.mitre.oval:def:12427
    status accepted
    submitted 2011-01-31T13:53:30.000-05:00
    title CIFS Server (Samba), Remote Execution of Arbitrary Code, Denial of Service (DoS)
    version 44
  • accepted 2010-11-15T04:00:40.449-05:00
    class vulnerability
    contributors
    • name Varun
      organization Hewlett-Packard
    definition_extensions
    • comment VMware ESX Server 3.5.0 is installed
      oval oval:org.mitre.oval:def:5887
    description Buffer overflow in the SMB1 packet chaining implementation in the chain_reply function in process.c in smbd in Samba 3.0.x before 3.3.13 allows remote attackers to cause a denial of service (memory corruption and daemon crash) or possibly execute arbitrary code via a crafted field in a packet.
    family unix
    id oval:org.mitre.oval:def:7115
    status accepted
    submitted 2010-10-01T16:37:39.000-05:00
    title VMware ESX, Service Console update for samba.
    version 5
  • accepted 2013-04-29T04:22:49.617-04:00
    class vulnerability
    contributors
    • name Aharon Chernin
      organization SCAP.com, LLC
    • name Dragos Prisaca
      organization G2, Inc.
    definition_extensions
    • comment The operating system installed on the system is Red Hat Enterprise Linux 3
      oval oval:org.mitre.oval:def:11782
    • comment CentOS Linux 3.x
      oval oval:org.mitre.oval:def:16651
    • comment The operating system installed on the system is Red Hat Enterprise Linux 4
      oval oval:org.mitre.oval:def:11831
    • comment CentOS Linux 4.x
      oval oval:org.mitre.oval:def:16636
    • comment Oracle Linux 4.x
      oval oval:org.mitre.oval:def:15990
    • comment The operating system installed on the system is Red Hat Enterprise Linux 5
      oval oval:org.mitre.oval:def:11414
    • comment The operating system installed on the system is CentOS Linux 5.x
      oval oval:org.mitre.oval:def:15802
    • comment Oracle Linux 5.x
      oval oval:org.mitre.oval:def:15459
    description Buffer overflow in the SMB1 packet chaining implementation in the chain_reply function in process.c in smbd in Samba 3.0.x before 3.3.13 allows remote attackers to cause a denial of service (memory corruption and daemon crash) or possibly execute arbitrary code via a crafted field in a packet.
    family unix
    id oval:org.mitre.oval:def:9859
    status accepted
    submitted 2010-07-09T03:56:16-04:00
    title Buffer overflow in the SMB1 packet chaining implementation in the chain_reply function in process.c in smbd in Samba 3.0.x before 3.3.13 allows remote attackers to cause a denial of service (memory corruption and daemon crash) or possibly execute arbitrary code via a crafted field in a packet.
    version 24
packetstorm via4
data source https://packetstormsecurity.com/files/download/91907/chain_reply.rb.txt
id PACKETSTORM:91907
last seen 2016-12-05
published 2010-07-17
reporter jduck
source https://packetstormsecurity.com/files/91907/Samba-chain_reply-Memory-Corruption-Linux-x86.html
title Samba chain_reply Memory Corruption (Linux x86)
redhat via4
advisories
bugzilla
id 601419
title CVE-2010-2063 samba: memory corruption vulnerability
oval
OR
  • AND
    • comment Red Hat Enterprise Linux 3 is installed
      oval oval:com.redhat.rhsa:tst:20060015001
    • OR
      • AND
        • comment samba is earlier than 0:3.0.9-1.3E.17
          oval oval:com.redhat.rhsa:tst:20100488002
        • comment samba is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20070060003
      • AND
        • comment samba-client is earlier than 0:3.0.9-1.3E.17
          oval oval:com.redhat.rhsa:tst:20100488008
        • comment samba-client is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20070060007
      • AND
        • comment samba-common is earlier than 0:3.0.9-1.3E.17
          oval oval:com.redhat.rhsa:tst:20100488006
        • comment samba-common is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20070060009
      • AND
        • comment samba-swat is earlier than 0:3.0.9-1.3E.17
          oval oval:com.redhat.rhsa:tst:20100488004
        • comment samba-swat is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20070060005
  • AND
    • comment Red Hat Enterprise Linux 4 is installed
      oval oval:com.redhat.rhsa:tst:20060016001
    • OR
      • AND
        • comment samba is earlier than 0:3.0.33-0.19.el4_8.1
          oval oval:com.redhat.rhsa:tst:20100488011
        • comment samba is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20070060003
      • AND
        • comment samba-client is earlier than 0:3.0.33-0.19.el4_8.1
          oval oval:com.redhat.rhsa:tst:20100488013
        • comment samba-client is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20070060007
      • AND
        • comment samba-common is earlier than 0:3.0.33-0.19.el4_8.1
          oval oval:com.redhat.rhsa:tst:20100488014
        • comment samba-common is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20070060009
      • AND
        • comment samba-swat is earlier than 0:3.0.33-0.19.el4_8.1
          oval oval:com.redhat.rhsa:tst:20100488012
        • comment samba-swat is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20070060005
  • AND
    • comment Red Hat Enterprise Linux 5 is installed
      oval oval:com.redhat.rhsa:tst:20070055001
    • OR
      • AND
        • comment libsmbclient is earlier than 0:3.0.33-3.29.el5_5
          oval oval:com.redhat.rhsa:tst:20100488022
        • comment libsmbclient is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20100488023
      • AND
        • comment libsmbclient-devel is earlier than 0:3.0.33-3.29.el5_5
          oval oval:com.redhat.rhsa:tst:20100488024
        • comment libsmbclient-devel is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20100488025
      • AND
        • comment samba is earlier than 0:3.0.33-3.29.el5_5
          oval oval:com.redhat.rhsa:tst:20100488016
        • comment samba is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20070061003
      • AND
        • comment samba-client is earlier than 0:3.0.33-3.29.el5_5
          oval oval:com.redhat.rhsa:tst:20100488018
        • comment samba-client is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20070061009
      • AND
        • comment samba-common is earlier than 0:3.0.33-3.29.el5_5
          oval oval:com.redhat.rhsa:tst:20100488020
        • comment samba-common is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20070061005
      • AND
        • comment samba-swat is earlier than 0:3.0.33-3.29.el5_5
          oval oval:com.redhat.rhsa:tst:20100488026
        • comment samba-swat is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20070061007
      • AND
        • comment libtalloc is earlier than 0:1.2.0-52.el5_5
          oval oval:com.redhat.rhsa:tst:20100488048
        • comment libtalloc is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20100488049
      • AND
        • comment libtalloc-devel is earlier than 0:1.2.0-52.el5_5
          oval oval:com.redhat.rhsa:tst:20100488032
        • comment libtalloc-devel is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20100488033
      • AND
        • comment libtdb is earlier than 0:1.1.2-52.el5_5
          oval oval:com.redhat.rhsa:tst:20100488050
        • comment libtdb is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20100488051
      • AND
        • comment libtdb-devel is earlier than 0:1.1.2-52.el5_5
          oval oval:com.redhat.rhsa:tst:20100488036
        • comment libtdb-devel is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20100488037
      • AND
        • comment samba3x is earlier than 0:3.3.8-0.52.el5_5
          oval oval:com.redhat.rhsa:tst:20100488028
        • comment samba3x is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20100488029
      • AND
        • comment samba3x-client is earlier than 0:3.3.8-0.52.el5_5
          oval oval:com.redhat.rhsa:tst:20100488042
        • comment samba3x-client is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20100488043
      • AND
        • comment samba3x-common is earlier than 0:3.3.8-0.52.el5_5
          oval oval:com.redhat.rhsa:tst:20100488030
        • comment samba3x-common is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20100488031
      • AND
        • comment samba3x-doc is earlier than 0:3.3.8-0.52.el5_5
          oval oval:com.redhat.rhsa:tst:20100488034
        • comment samba3x-doc is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20100488035
      • AND
        • comment samba3x-domainjoin-gui is earlier than 0:3.3.8-0.52.el5_5
          oval oval:com.redhat.rhsa:tst:20100488040
        • comment samba3x-domainjoin-gui is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20100488041
      • AND
        • comment samba3x-swat is earlier than 0:3.3.8-0.52.el5_5
          oval oval:com.redhat.rhsa:tst:20100488044
        • comment samba3x-swat is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20100488045
      • AND
        • comment samba3x-winbind is earlier than 0:3.3.8-0.52.el5_5
          oval oval:com.redhat.rhsa:tst:20100488052
        • comment samba3x-winbind is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20100488053
      • AND
        • comment samba3x-winbind-devel is earlier than 0:3.3.8-0.52.el5_5
          oval oval:com.redhat.rhsa:tst:20100488046
        • comment samba3x-winbind-devel is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20100488047
      • AND
        • comment tdb-tools is earlier than 0:1.1.2-52.el5_5
          oval oval:com.redhat.rhsa:tst:20100488038
        • comment tdb-tools is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20100488039
rhsa
id RHSA-2010:0488
released 2010-06-16
severity Critical
title RHSA-2010:0488: samba and samba3x security update (Critical)
rpms
  • samba-0:3.0.9-1.3E.17
  • samba-client-0:3.0.9-1.3E.17
  • samba-common-0:3.0.9-1.3E.17
  • samba-swat-0:3.0.9-1.3E.17
  • samba-0:3.0.33-0.19.el4_8.1
  • samba-client-0:3.0.33-0.19.el4_8.1
  • samba-common-0:3.0.33-0.19.el4_8.1
  • samba-swat-0:3.0.33-0.19.el4_8.1
  • libsmbclient-0:3.0.33-3.29.el5_5
  • libsmbclient-devel-0:3.0.33-3.29.el5_5
  • samba-0:3.0.33-3.29.el5_5
  • samba-client-0:3.0.33-3.29.el5_5
  • samba-common-0:3.0.33-3.29.el5_5
  • samba-swat-0:3.0.33-3.29.el5_5
  • libtalloc-0:1.2.0-52.el5_5
  • libtalloc-devel-0:1.2.0-52.el5_5
  • libtdb-0:1.1.2-52.el5_5
  • libtdb-devel-0:1.1.2-52.el5_5
  • samba3x-0:3.3.8-0.52.el5_5
  • samba3x-client-0:3.3.8-0.52.el5_5
  • samba3x-common-0:3.3.8-0.52.el5_5
  • samba3x-doc-0:3.3.8-0.52.el5_5
  • samba3x-domainjoin-gui-0:3.3.8-0.52.el5_5
  • samba3x-swat-0:3.3.8-0.52.el5_5
  • samba3x-winbind-0:3.3.8-0.52.el5_5
  • samba3x-winbind-devel-0:3.3.8-0.52.el5_5
  • tdb-tools-0:1.1.2-52.el5_5
refmap via4
apple APPLE-SA-2010-08-24-1
bid 40884
confirm
debian DSA-2061
hp
  • HPSBUX02609
  • HPSBUX02657
  • SSRT100147
  • SSRT100460
idefense 20100616 Samba 3.3.12 Memory Corruption Vulnerability
mandriva MDVSA-2010:119
mlist [samba-announce] 20100616 Samba 3.3.13 Security Release Available for Download
osvdb 65518
sectrack 1024107
secunia
  • 40145
  • 40210
  • 40221
  • 40293
  • 42319
slackware SSA:2010-169-01
suse SUSE-SR:2010:014
ubuntu USN-951-1
vupen
  • ADV-2010-1486
  • ADV-2010-1504
  • ADV-2010-1505
  • ADV-2010-1507
  • ADV-2010-1517
  • ADV-2010-3063
xf samba-smb1-code-execution(59481)
Last major update 26-08-2011 - 23:40
Published 17-06-2010 - 12:30
Last modified 30-10-2018 - 12:25