Bug 1018032 (CVE-2013-4408)

Summary: CVE-2013-4408 samba: Heap-based buffer overflow due to incorrect DCE-RPC fragment length field check
Product: [Other] Security Response Reporter: Huzaifa S. Sidhpurwala <huzaifas>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: aavati, asn, gdeschner, gmollett, jkurik, jrusnack, pfrields, rfortier, sbose, security-response-team, ssaha, vagarwal, vbellur
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-01-06 19:10:54 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1018033, 1018034, 1018035, 1018036, 1018037, 1018038, 1018039, 1018040, 1018041, 1020116, 1039454    
Bug Blocks: 1016554    

Description Huzaifa S. Sidhpurwala 2013-10-11 04:06:20 UTC 
It was found that samba versions 3.4.0 and above was vulnerable to heap-based buffer overflow flaw, in the client processing of DCE-RPC packets. This is due to incorrect checking of the DCE-RPC fragment length in the client code.

The DCE-RPC client code is part of the winbindd authentication and identity mapping daemon, which is commonly configured as part of many server installations (when joined to an Active Directory Domain). A malicious Active Directory Domain Controller or man-in-the-middle attacker impersonating an Active Directory Domain Controller could achieve root-level access by compromising the winbindd process.

As per upstream:

Samba server versions 3.4.0 - 3.4.17 and versions 3.5.0 - 3.5.22 are also vulnerable to a denial of service attack (server crash) due to a similar error in the server code of those versions.

Samba server versions 3.6.0 and above (including all 3.6.x versions, all 4.0.x versions and 4.1.0) are not vulnerable to this problem.

Upstream flaw bug:
https://bugzilla.samba.org/show_bug.cgi?id=10185
Comment 1 Huzaifa S. Sidhpurwala 2013-10-11 04:11:05 UTC 
Acknowledgements:

Red Hat would like to thank the Samba project for reporting this issue.
Upstream acknowledges Stefan Metzmacher and Michael Adam of SerNet as the
original reporters of this issue.
Comment 9 Huzaifa S. Sidhpurwala 2013-12-09 05:51:19 UTC 
Statement:

This issue does not affect the version of samba as shipped with Red Hat Enterprise Linux 5.
Comment 10 Huzaifa S. Sidhpurwala 2013-12-09 05:52:07 UTC 
Public via:

http://www.samba.org/samba/security/CVE-2013-4408
Comment 11 Huzaifa S. Sidhpurwala 2013-12-09 06:58:42 UTC 
Created samba tracking bugs for this issue:

Affects: fedora-all [bug 1039454]
Comment 12 errata-xmlrpc 2013-12-09 23:38:05 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:1805 https://rhn.redhat.com/errata/RHSA-2013-1805.html
Comment 13 errata-xmlrpc 2013-12-10 00:18:33 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2013:1806 https://rhn.redhat.com/errata/RHSA-2013-1806.html
Comment 14 errata-xmlrpc 2014-01-06 18:34:22 UTC 
This issue has been addressed in following products:

  Red Hat Storage 2.1

Via RHSA-2014:0009 https://rhn.redhat.com/errata/RHSA-2014-0009.html