Bug 1101992 (CVE-2014-0178)

Summary: CVE-2014-0178 samba: Uninitialized memory exposure
Product: [Other] Security Response Reporter: Vasyl Kaigorodov <vkaigoro>
Component: vulnerability Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecified CC: abokovoy, asn, carnil, gdeschner, gmollett, jkurik, jrusnack, mjc, osoukup, sbose, sisharma, ssorce
Target Milestone: --- Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: samba 4.0.18, samba 4.1.8 Doc Type: Bug Fix
Doc Text:
A flaw was found in the way Samba created responses for certain authenticated client requests when a shadow-copy VFS module was enabled. An attacker able to send an authenticated request could use this flaw to disclose limited portions of memory per request.
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-07-18 08:32:47 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1102528, 1105571, 1105572, 1105573, 1105574    
Bug Blocks: 1102108    

Description Vasyl Kaigorodov 2014-05-28 10:11:37 UTC
It was reported that Samba 3.6.6 to 4.1.7 are affected by a vulnerability
that allows an authenticated client to retrieve eight bytes of uninitialized
server memory when a shadow-copy VFS module is enabled.

In preparing a response to an authenticated FSCTL_GET_SHADOW_COPY_DATA
or FSCTL_SRV_ENUMERATE_SNAPSHOTS client request, affected versions of
Samba do not initialize 8 bytes of the 16 byte SRV_SNAPSHOT_ARRAY
response field. The uninitialized buffer is sent back to the client.

A non-default VFS module providing the get_shadow_copy_data_fn() hook
must be explicitly enabled for Samba to process the aforementioned
client requests. Therefore, only configurations with "shadow_copy" or
"shadow_copy2" specified for the "vfs objects" parameter are vulnerable.

To avoid the vulnerability, affected versions can be configured without
"shadow_copy" or "shadow_copy2" specified for the "vfs objects"
parameter. This is the default configuration.
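The advisory ties exposure to one precondition: a share whose effective "vfs objects" setting loads shadow_copy or shadow_copy2. The following is an added defender-side check, not part of this bug report or of Samba: it scans an smb.conf and prints every share that meets that precondition, honouring Samba's rule that a share without its own "vfs objects" line inherits the value from [global]. It assumes [global] precedes the share sections and that the singular "vfs object" synonym is not used; the sample configuration is constructed for illustration.

```shell
#!/bin/sh
# Print the names of shares whose effective "vfs objects" loads shadow_copy or shadow_copy2.
list_shadow_copy_shares() {
    awk '
        function flush() {                      # evaluate the section just finished
            if (sec == "") return
            if (tolower(sec) == "global") { global_vfs = own; return }
            v = (own == "") ? global_vfs : own  # inherit [global] when not set per share
            if (v ~ /(^|[ \t])shadow_copy2?([ \t]|$)/) print sec
        }
        /^[ \t]*[#;]/ { next }                  # comment line
        /^[ \t]*\[/ {                           # new [section]
            flush()
            sec = substr($0, index($0, "[") + 1)
            sec = substr(sec, 1, index(sec, "]") - 1)
            own = ""
            next
        }
        tolower($0) ~ /^[ \t]*vfs[ \t]+objects[ \t]*=/ {
            own = $0; sub(/^[^=]*=[ \t]*/, "", own); sub(/[ \t]*$/, "", own)
        }
        END { flush() }
    ' "$1"
}

# Constructed sample smb.conf (assumption, not from the page) covering three cases:
# a share opting out of the global module list, one inheriting it, and one loading
# shadow_copy directly.
write_sample_conf() {
    cat > "$1" <<'EOF'
[global]
   workgroup = EXAMPLE
   vfs objects = shadow_copy2 acl_xattr

[projects]
   path = /srv/projects
   vfs objects = acl_xattr

[public]
   path = /srv/public

[archive]
   path = /srv/archive
   vfs objects = shadow_copy
EOF
}
```

Run it against `testparm -s` output to check the configuration Samba actually loads rather than the file on disk; for the sample above it reports `public` and `archive`, the two shares to which the mitigation in the description applies.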

Comment 1 Vasyl Kaigorodov 2014-05-28 10:12:25 UTC
External References:

http://www.samba.org/samba/security/CVE-2014-0178

Comment 3 Huzaifa S. Sidhpurwala 2014-05-29 06:57:24 UTC
Statement:

This issue does not affect the version of samba as shipped with Red Hat Enterprise Linux 5 and 6. This issue does not affect the version of samba3x as shipped with Red Hat Enterprise Linux 5. This issue affects the version of samba4 as shipped with Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this issue as having Low security impact; a future update may address this flaw.

Comment 4 Huzaifa S. Sidhpurwala 2014-05-29 06:58:27 UTC
Created samba tracking bugs for this issue:

Affects: fedora-all [bug 1102528]

Comment 9 Martin Prpič 2014-07-08 12:52:49 UTC
IssueDescription:

A flaw was found in the way Samba created responses for certain authenticated client requests when a shadow-copy VFS module was enabled. An attacker able to send an authenticated request could use this flaw to disclose limited portions of memory per request.

Comment 10 errata-xmlrpc 2014-07-09 16:18:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2014:0867 https://rhn.redhat.com/errata/RHSA-2014-0867.html

Comment 12 Stefan Cornelius 2014-08-12 16:49:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2014:1009 https://rhn.redhat.com/errata/RHSA-2014-1009.html