The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of Samba: buffer overflow of chain_reply

Summary of the vulnerability

An unauthenticated attacker can send a malicious SMB query to trigger a buffer overflow in Samba, leading to a denial of service or to code execution.
Impacted software: Debian, HP-UX, Mandriva Linux, NLD, OES, OpenSolaris, openSUSE, Solaris, RHEL, Samba, Slackware, SLES, ESX.
Severity of this computer vulnerability: 3/4.
Creation date: 16/06/2010.
References for this announcement: BID-40884, c02627925, c02787667, CERTA-2002-AVI-268, CERTA-2010-AVI-266, CERTA-2011-AVI-174, CVE-2010-2063, DSA-2061-1, HPSBUX02609, HPSBUX02657, MDVSA-2010:119, RHSA-2010:0488-01, SSA:2010-169-01, SSRT100147, SSRT100460, SUSE-SA:2010:025, SUSE-SR:2010:014, VIGILANCE-VUL-9712, VMSA-2010-0013, VMSA-2010-0013.1, VMSA-2010-0013.2, VMSA-2010-0013.3.

Description of the vulnerability 

The SMB protocol can fragment long messages across several packets ("chained packets").

The chain_reply() function of the source/smbd/process.c file manages these sequences of packets. However, if a packet indicates an invalid offset, a buffer overflow occurs.

An unauthenticated attacker can therefore send a malicious SMB query to trigger a buffer overflow in Samba, leading to a denial of service or to code execution.
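
The flaw described above is an offset read from the packet and used without being checked against the length actually received. The C code below is an added example, not Samba's chain_reply() code or its patch: it walks the chained (AndX) command blocks of one SMB1 message and rejects any word count, byte count or next-block offset that falls outside the buffer. The name count_chained_commands, the forward-only offset rule and the shortened sample message are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>

#define SMB_HDR_LEN 32    /* fixed SMB1 header; command code is byte 4 */
#define ANDX_NONE   0xFF  /* AndXCommand value that ends a chain */

/* SMB1 commands whose parameter words begin with the AndX fields. */
static int is_andx(uint8_t cmd)
{
    return cmd == 0x24 || cmd == 0x2D || cmd == 0x2E || cmd == 0x2F ||
           cmd == 0x73 || cmd == 0x74 || cmd == 0x75 || cmd == 0xA2;
}

/* Hypothetical helper: count the command blocks in one received SMB1
 * message. Returns -1 if any length or offset read from the packet
 * points outside the len bytes actually received. */
int count_chained_commands(const uint8_t *buf, size_t len)
{
    size_t off = SMB_HDR_LEN;
    uint8_t cmd;
    int n = 0;

    if (buf == NULL || len < SMB_HDR_LEN + 3)
        return -1;
    cmd = buf[4];
    for (;;) {
        if (off >= len)                      /* WordCount byte present? */
            return -1;
        size_t wct = buf[off];
        size_t bcc_at = off + 1 + 2 * wct;   /* ByteCount follows the words */
        if (bcc_at + 2 > len)
            return -1;
        size_t end = bcc_at + 2 + (size_t)(buf[bcc_at] | (buf[bcc_at + 1] << 8));
        if (end > len)                       /* block data must fit */
            return -1;
        n++;
        if (!is_andx(cmd) || wct < 2 || buf[off + 1] == ANDX_NONE)
            return n;                        /* last block of the chain */
        size_t next = (size_t)(buf[off + 3] | (buf[off + 4] << 8));
        if (next < end)                      /* forward only: no overlap, no loop */
            return -1;
        cmd = buf[off + 1];
        off = next;                          /* range-checked at loop top */
    }
}

int main(void)
{   /* Constructed sample: SESSION_SETUP_ANDX chained to TREE_CONNECT_ANDX. */
    uint8_t msg[42] = {0xFF, 'S', 'M', 'B', 0x73};
    msg[32] = 2; msg[33] = 0x75; msg[35] = 39;
    return count_chained_commands(msg, sizeof msg) == 2 ? 0 : 1;
}
```
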

This computer threat impacts software or systems such as Debian, HP-UX, Mandriva Linux, NLD, OES, OpenSolaris, openSUSE, Solaris, RHEL, Samba, Slackware, SLES, ESX.

Our Vigil@nce team determined that the severity of this computer vulnerability alert is important.

The trust level is "confirmed by the editor", with an origin of "intranet client".

A proof of concept or an attack tool is available, so your teams have to process this alert. An attacker with technician-level skills can exploit this cybersecurity weakness.

Solutions for this threat 

Samba: version 3.3.13.
Version 3.3.13 is corrected:
  http://www.samba.org/samba/download/

Samba: patch for chain_reply.
A patch is available in information sources.

Debian: new samba packages.
New packages are available:
  samba-*_3.2.5-4lenny12

HP-UX: CIFS Server version A.02.03.06/A.02.04.02.
The version A.02.03.06/A.02.04.02 is corrected:
  http://software.hp.com/

HP-UX: CIFS Server versions A.02.03.06, A.02.04.04 and A.03.01.01.
Versions A.02.03.06, A.02.04.04 and A.03.01.01 are corrected:
  http://software.hp.com/

Mandriva: new samba packages.
New packages are available:
  Mandriva Linux 2008.0: samba-3.0.37-0.4mdv2008.0
  Mandriva Linux 2009.0: samba-3.3.12-0.3mdv2009.0
  Mandriva Linux 2009.1: samba-3.3.12-0.3mdv2009.1
  Corporate 4.0: samba-3.0.37-0.4.20060mlcs
  Mandriva Enterprise Server 5: samba-3.3.12-0.3mdvmes5.1

RHEL 3, 4, 5: new samba packages.
New packages are available:
Red Hat Enterprise Linux version 3:
  samba-3.0.9-1.3E.17
Red Hat Enterprise Linux version 4:
  samba-3.0.33-0.19.el4_8.1
Red Hat Enterprise Linux version 5:
  samba-3.0.33-3.29.el5_5
  samba3x-3.3.8-0.52.el5_5

Slackware: new samba packages.
New packages are available:
Slackware 10.0:
ftp://ftp.slackware.com/pub/slackware/slackware-10.0/patches/packages/samba-3.0.37-i486-2_slack10.0.tgz
Slackware 10.1:
ftp://ftp.slackware.com/pub/slackware/slackware-10.1/patches/packages/samba-3.0.37-i486-2_slack10.1.tgz
Slackware 10.2:
ftp://ftp.slackware.com/pub/slackware/slackware-10.2/patches/packages/samba-3.0.37-i486-2_slack10.2.tgz
Slackware 11.0:
ftp://ftp.slackware.com/pub/slackware/slackware-11.0/patches/packages/samba-3.0.37-i486-2_slack11.0.tgz
Slackware 12.0:
ftp://ftp.slackware.com/pub/slackware/slackware-12.0/patches/packages/samba-3.0.37-i486-2_slack12.0.tgz
Slackware 12.1:
ftp://ftp.slackware.com/pub/slackware/slackware-12.1/patches/packages/samba-3.0.37-i486-2_slack12.1.tgz
Slackware 12.2:
ftp://ftp.slackware.com/pub/slackware/slackware-12.2/patches/packages/samba-3.2.15-i486-2_slack12.2.tgz
Slackware 13.0:
ftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/samba-3.2.15-i486-2_slack13.0.txz

Solaris: patch for Samba.
A patch is available:
OpenSolaris:
  snv_111b + 6961961
Solaris 10:
  SPARC: 119757-18
  X86: 119758-18
Solaris 9:
  SPARC: 114684-16
  X86: 114685-16

SUSE: new packages (02/08/2010).
New packages are available, as indicated in information sources.

SUSE: new samba packages.
New packages are available, as indicated in information sources.

VMware ESX: patch for Service Console.
A patch is available:
ESX 3.0.3:
  http://download3.vmware.com/software/vi/ESX303-201102401-SG.zip
  http://kb.vmware.com/kb/1031234
ESX 3.5:
  http://download3.vmware.com/software/vi/ESX350-201008405-SG.zip
  http://download3.vmware.com/software/vi/ESX350-201008407-SG.zip
  http://download3.vmware.com/software/vi/ESX350-201008410-SG.zip
  http://download3.vmware.com/software/vi/ESX350-201008411-SG.zip
  http://download3.vmware.com/software/vi/ESX350-201008412-SG.zip
ESX 4.0:
  http://bit.ly/adhjEu
ESX 4.1:
  http://bit.ly/a3Ffw8