DescriptionHuzaifa S. Sidhpurwala
2013-10-11 04:06:20 UTC
It was found that samba versions 3.4.0 and above was vulnerable to heap-based buffer overflow flaw, in the client processing of DCE-RPC packets. This is due to incorrect checking of the DCE-RPC fragment length in the client code.
The DCE-RPC client code is part of the winbindd authentication and identity mapping daemon, which is commonly configured as part of many server installations (when joined to an Active Directory Domain). A malicious Active Directory Domain Controller or man-in-the-middle attacker impersonating an Active Directory Domain Controller could achieve root-level access by compromising the winbindd process.
As per upstream:
Samba server versions 3.4.0 - 3.4.17 and versions 3.5.0 - 3.5.22 are also vulnerable to a denial of service attack (server crash) due to a similar error in the server code of those versions.
Samba server versions 3.6.0 and above (including all 3.6.x versions, all 4.0.x versions and 4.1.0) are not vulnerable to this problem.
Upstream flaw bug:
https://bugzilla.samba.org/show_bug.cgi?id=10185
Comment 1Huzaifa S. Sidhpurwala
2013-10-11 04:11:05 UTC
Acknowledgements:
Red Hat would like to thank the Samba project for reporting this issue.
Upstream acknowledges Stefan Metzmacher and Michael Adam of SerNet as the
original reporters of this issue.
Comment 9Huzaifa S. Sidhpurwala
2013-12-09 05:51:19 UTC
Statement:
This issue does not affect the version of samba as shipped with Red Hat Enterprise Linux 5.
Comment 10Huzaifa S. Sidhpurwala
2013-12-09 05:52:07 UTC