Privacy and Legal Notice

CIAC INFORMATION BULLETIN

S-301: Samba Security and Bug Fix Update

[Red Hat RHSA-2008:0290-7]

May 30, 2008 12:00 GMT
[REVISED 5 Jun 2008]
[REVISED 27 Jun 2008]
PROBLEM: A heap-based buffer overflow flaw was found in the way Samba clients handle over-sized packets. If a client connected to a malicious Samba server, it was possible to execute arbitrary code as the Samba client user.
PLATFORM: Red Hat Enterprise Linux (v. 5 server)
Red Hat Enterprise Linux Desktop (v. 5 client)
Debian GNU/Linux 4.0 (etch)
HP-UX running HP CIFS Server vA.02.01.*, vA.2.03.*, prior to vA.02.03.04 running on HP-UX B.11.11, B.11.23, and B.11.31
DAMAGE: Execute arbitrary code.
SOLUTION: Upgrade to the appropriate verison.
VULNERABILITY
ASSESSMENT:		 The risk is MEDIUM. A malicious Samba server could run arbitrary code on a Samba client as the Samba client user. Alternately, a malicious client could run arbitrary code on a Samba server with the permissions of the Samba server.
CVSS 2 BASE SCORE:
   TEMPORAL SCORE:
   VECTOR:		 5.5
4.3
(AV:N/AC:L/Au:S/C:P/I:P/A:N/E:POC/RL:OF/RC:C)
LINKS:  
  CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/s-301.shtml
  ORIGINAL BULLETIN: https://rhn.redhat.com/errata/RHSA-2008-0290.html
  ADDITIONAL LINKS: http://www.debian.org/security/2008/dsa-1590
Visit Hewlett-Packard Subscription Service for:
HPSBUX02316 SSRT071495 rev. 1
  CVE: CVE-2008-1105 
REVISION HISTORY:
06/05/2008 - revised S-301 to add a link to Debian Security Advisory DSA-1590-1
             for Debian GNU/Linux 4.0 (etch).
06/27/2008 - revised S-232 to add a link to Hewlett-Packard's Subscription Service
             for: HPSBUX02341 SSRT080075 rev. 1 for HP-UX running HP CIFS Server 
			 vA.02.01.*, vA.2.03.*, prior to vA.02.03.04 running on HP-UX B.11.11, 
			 B.11.23, and B.11.31.






[***** Start Red Hat  RHSA-2008:0290-7 *****]

Critical: samba security and bug fix update

Advisory: RHSA-2008:0290-7
Type: Security Advisory
Severity: Critical
Issued on: 2008-05-28
Last updated on: 2008-05-28
Affected Products: Red Hat Enterprise Linux (v. 5 server)
Red Hat Enterprise Linux Desktop (v. 5 client)
OVAL: com.redhat.rhsa-20080290.xml
CVEs (cve.mitre.org): CVE-2008-1105

Details

Updated samba packages that fix a security issue and two bugs are now
available for Red Hat Enterprise Linux 5.

This update has been rated as having critical security impact by the Red
Hat Security Response Team.

Samba is a suite of programs used by machines to share files, printers, and
other information.

A heap-based buffer overflow flaw was found in the way Samba clients handle
over-sized packets. If a client connected to a malicious Samba server, it
was possible to execute arbitrary code as the Samba client user. It was
also possible for a remote user to send a specially crafted print request
to a Samba server that could result in the server executing the vulnerable
client code, resulting in arbitrary code execution with the permissions of
the Samba server. (CVE-2008-1105)

Red Hat would like to thank Alin Rad Pop of Secunia Research for
responsibly disclosing this issue.

This update also addresses two issues which prevented Samba from joining
certain Windows domains with tightened security policies, and prevented
certain signed SMB content from working as expected:

* when some Windows® 2000-based domain controllers were set to use
mandatory signing, Samba clients would drop the connection because of an
error when generating signatures. This presented as a "Server packet had
invalid SMB signature" error to the Samba client. This update corrects the
signature generation error.

* Samba servers using the "net ads join" command to connect to a Windows
Server® 2003-based domain would fail with "failed to get schannel session
key from server" and "NT_STATUS_ACCESS_DENIED" errors. This update
correctly binds to the NETLOGON share, allowing Samba servers to connect to
the domain properly.

Users of Samba are advised to upgrade to these updated packages, which
contain a backported patch to resolve these issues.


Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

Updated packages

Red Hat Enterprise Linux (v. 5 server)
SRPMS:
samba-3.0.28-1.el5_2.1.src.rpm     c8744eed3b3769a88d42ea5e40b6f913
 
IA-32:
samba-3.0.28-1.el5_2.1.i386.rpm     ff885e0c6bb806e4c776dc11637033f9
samba-client-3.0.28-1.el5_2.1.i386.rpm     d0c0753383c698e8a867e962a1dc6eac
samba-common-3.0.28-1.el5_2.1.i386.rpm     aad625501297c2215fc2e92ac7de3883
samba-swat-3.0.28-1.el5_2.1.i386.rpm     3ed5051cf26776579da9171c1ea06422
 
IA-64:
samba-3.0.28-1.el5_2.1.ia64.rpm     bffc7c59bf4b4d95c93d8133e1a809c0
samba-client-3.0.28-1.el5_2.1.ia64.rpm     c4409b5b9c1019f3da1ba632c251f8de
samba-common-3.0.28-1.el5_2.1.ia64.rpm     d52867fd43964687848e71fffe1ba56f
samba-swat-3.0.28-1.el5_2.1.ia64.rpm     dd4acaae5a4b7536732296d0f878f07d
 
PPC:
samba-3.0.28-1.el5_2.1.ppc.rpm     a192b606484547a9ea07c0625dbe00c0
samba-client-3.0.28-1.el5_2.1.ppc.rpm     f57a6af5082cf952d1813cb169c199dc
samba-common-3.0.28-1.el5_2.1.ppc.rpm     b367994c453c9e020473572efa594ab6
samba-common-3.0.28-1.el5_2.1.ppc64.rpm     b02df5a8353e945211b1f3c77a3ecd4c
samba-swat-3.0.28-1.el5_2.1.ppc.rpm     776e8cd67a4bdc85d64614c53badfcbd
 
s390x:
samba-3.0.28-1.el5_2.1.s390x.rpm     71dca4f7a4313504bac85b43fcfd201d
samba-client-3.0.28-1.el5_2.1.s390x.rpm     edde80529204f370233bd8b83fdde688
samba-common-3.0.28-1.el5_2.1.s390.rpm     62fe1fcdc613f81d778559c66f817733
samba-common-3.0.28-1.el5_2.1.s390x.rpm     bdcd4149da834ae6f4380c0baaa94924
samba-swat-3.0.28-1.el5_2.1.s390x.rpm     20a9a28c2428a1dc12d992992a2b5ba8
 
x86_64:
samba-3.0.28-1.el5_2.1.x86_64.rpm     28b93c0ca44a2d5bf4715e376cb029a4
samba-client-3.0.28-1.el5_2.1.x86_64.rpm     b352852eab120e68a912d2b6c7719cb2
samba-common-3.0.28-1.el5_2.1.i386.rpm     aad625501297c2215fc2e92ac7de3883
samba-common-3.0.28-1.el5_2.1.x86_64.rpm     490e730fe6ec48a1799bb50c983684e0
samba-swat-3.0.28-1.el5_2.1.x86_64.rpm     f7150764465b0f724cbce295d1d06e4b
 
Red Hat Enterprise Linux Desktop (v. 5 client)
SRPMS:
samba-3.0.28-1.el5_2.1.src.rpm     c8744eed3b3769a88d42ea5e40b6f913
 
IA-32:
samba-3.0.28-1.el5_2.1.i386.rpm     ff885e0c6bb806e4c776dc11637033f9
samba-client-3.0.28-1.el5_2.1.i386.rpm     d0c0753383c698e8a867e962a1dc6eac
samba-common-3.0.28-1.el5_2.1.i386.rpm     aad625501297c2215fc2e92ac7de3883
samba-swat-3.0.28-1.el5_2.1.i386.rpm     3ed5051cf26776579da9171c1ea06422
 
x86_64:
samba-3.0.28-1.el5_2.1.x86_64.rpm     28b93c0ca44a2d5bf4715e376cb029a4
samba-client-3.0.28-1.el5_2.1.x86_64.rpm     b352852eab120e68a912d2b6c7719cb2
samba-common-3.0.28-1.el5_2.1.i386.rpm     aad625501297c2215fc2e92ac7de3883
samba-common-3.0.28-1.el5_2.1.x86_64.rpm     490e730fe6ec48a1799bb50c983684e0
samba-swat-3.0.28-1.el5_2.1.x86_64.rpm     f7150764465b0f724cbce295d1d06e4b
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

444637 - Join fails with stricter w2k3 security options set
446724 - CVE-2008-1105 Samba client buffer overflow
447380 - Signing issue: "Server packet had invalid SMB signature" with some Win2K servers


References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1105
http://www.redhat.com/security/updates/classification/#critical

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/


[***** End Red Hat  RHSA-2008:0290-7 *****]
CIAC wishes to acknowledge the contributions of Red Hat for the information contained in this bulletin.
DOE-CIRC can be contacted at: 
    Voice:          +1 866-941-2472 (7 x 24)
    E-mail:          doecirc@doecirc.energy.gov
    World Wide Web:  http://www.doecirc.energy.gov/