Summary: | CVE-2014-3560 samba: remote code execution in nmbd
---|---
Product: | [Other] Security Response
Component: | vulnerability
Reporter: | Vincent Danen <vdanen>
Assignee: | Red Hat Product Security <security-response-team>
Status: | CLOSED ERRATA
Severity: | high
Priority: | high
Version: | unspecified
CC: | aavati, abokovoy, asn, bressers, gdeschner, jlayton, jrusnack, jsmith.fedora, nlevinki, rfortier, rhs-bugs, sbose, shaines, smohan, ssaha, ssorce, vbellur
Keywords: | Security
Hardware: | All
OS: | Linux
Fixed In Version: | samba 4.1.11, samba 4.0.21
Doc Type: | Bug Fix
Doc Text: | A heap-based buffer overflow flaw was found in Samba's NetBIOS message block daemon (nmbd). An attacker on the local network could use this flaw to send specially crafted packets that, when processed by nmbd, could possibly lead to arbitrary code execution with root privileges.
Last Closed: | 2014-08-05 20:13:14 UTC
Bug Depends On: | 1126011, 1126012, 1126013, 1126014, 1126015, 1126022, 1126023
Bug Blocks: | 1126016

Description
Vincent Danen
2014-08-01 15:16:57 UTC

Created samba tracking bugs for this issue:

Affects: fedora-all [bug 1126015]

We are rating this issue as Important. To exploit this issue the following conditions must be met:

- nmbd must be running on the target host and listening to the network.
- An attacker must have local network access.
- An attacker must be able to run a fake SMB master on the network.

If a host is running nmbd on the public internet, this cannot be exploited by network traffic from a different subnet.

This issue was introduced via the following upstream commit:

https://git.samba.org/?p=samba.git;a=commitdiff;h=d25370fb477dd733fae6c1ee1a67e32a78236779

Note that the commit linked in comment 6 introduced the same bug in both unstrcpy() and nstrcpy() macros. Only unstrcpy() was corrected by patches linked in comment 0. The nstrcpy() bug has no security impact, as that macro is not used anywhere in the Samba source code.

(In reply to Tomas Hoger from comment #7)
> Note that the commit linked in comment 6 introduced the same bug in both
> unstrcpy() and nstrcpy() macros. Only unstrcpy() was corrected by patches
> linked in comment 0. The nstrcpy() bug has no security impact, as that
> macro is not used anywhere in the Samba source code.

nstrcpy() was removed upstream via:

https://git.samba.org/?p=samba.git;a=commitdiff;h=fb9d8c402614556d7a36f9e9efb72b3f4afe838a

IssueDescription:

A heap-based buffer overflow flaw was found in Samba's NetBIOS message block daemon (nmbd). An attacker on the local network could use this flaw to send specially crafted packets that, when processed by nmbd, could possibly lead to arbitrary code execution with root privileges.

This issue has been addressed in following products:

Red Hat Enterprise Linux 6

Via RHSA-2014:1009 https://rhn.redhat.com/errata/RHSA-2014-1009.html

This issue has been addressed in following products:

Red Hat Enterprise Linux 7

Via RHSA-2014:1008 https://rhn.redhat.com/errata/RHSA-2014-1008.html
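
The comments above locate the defect in the unstrcpy() and nstrcpy() copy macros but do not show it. The following is an added example, not Samba's code and not part of this bug report: it illustrates the general class of copy-macro bug in which the bound is the size of the wrong type, next to a form that takes the bound from the destination. All type names, sizes and macro names are hypothetical.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical types and sizes for illustration; not Samba's definitions. */
typedef char short_name_t[16];
typedef char long_name_t[256];

/* strlcpy-style copy: writes at most dstsize bytes, always NUL-terminates. */
static size_t bounded_copy(char *dst, const char *src, size_t dstsize)
{
    size_t n = strlen(src);
    if (dstsize != 0) {
        size_t k = n < dstsize - 1 ? n : dstsize - 1;
        memcpy(dst, src, k);
        dst[k] = '\0';
    }
    return n;
}

/* Defective pattern: the bound names a type, and it is the wrong, larger one. */
#define SHORT_COPY_WEAK(d, s) \
    bounded_copy((d), (s) ? (s) : "", sizeof(long_name_t))

/* Hardened: the bound comes from the destination object; the negative array
 * size breaks the build if d is a pointer or an array of another size. */
#define SHORT_COPY(d, s) \
    ((void)sizeof(char[sizeof(d) == sizeof(short_name_t) ? 1 : -1]), \
     bounded_copy((d), (s) ? (s) : "", sizeof(d)))

/* The 16-byte slot has 240 owned bytes behind it, so excess is counted. */
struct probe { short_name_t slot; char guard[240]; };

/* Returns how many bytes past the slot a copy modified (src must not hold 'Z'). */
size_t spill(const char *src, int hardened)
{
    struct probe p;
    size_t i, spilled = 0;
    memset(&p, 'Z', sizeof(p));
    if (hardened)
        SHORT_COPY(p.slot, src);
    else
        SHORT_COPY_WEAK((char *)&p, src);   /* whole struct acts as the arena */
    for (i = 0; i < sizeof(p.guard); i++)
        spilled += (p.guard[i] != 'Z');
    return spilled;
}
```

In a real heap layout the bytes counted here would belong to a neighbouring allocation or to allocator metadata rather than to a guard array.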