Bug 1191325 (CVE-2015-0240)

Summary: CVE-2015-0240 samba: talloc free on uninitialized stack pointer in netlogon server could lead to remote-code execution
Product: [Other] Security Response Reporter: Huzaifa S. Sidhpurwala <huzaifas>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: urgent Docs Contact:
Priority: urgent    
Version: unspecifiedCC: aavati, asn, bressers, dsafford, fweimer, gdeschner, herrmann, ira, jrivera, madam, nlevinki, pgurusid, rcyriac, rfortier, rhack, rjoseph, rkratky, rlowe, rmonk, sbhaloth, sbose, sdenham, security-response-team, smohan, snagar, ssaha, vagarwal, vbellur, wmealing
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
An uninitialized pointer use flaw was found in the Samba daemon (smbd). A malicious Samba client could send specially crafted netlogon packets that, when processed by smbd, could potentially lead to arbitrary code execution with the privileges of the user running smbd (by default, the root user).
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-02-24 07:30:07 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1191338, 1191339, 1191340, 1191341, 1191343, 1191344, 1191387, 1191388, 1191608, 1191879, 1191880, 1191881, 1191882, 1191883, 1191884, 1191885, 1191886, 1194132    
Bug Blocks: 1191352    
Attachments:
Description Flags
Upstream patch against git-master none

Description Huzaifa S. Sidhpurwala 2015-02-11 05:02:33 UTC
As per upstream samba advisory:

All versions of Samba from 3.5.0 to 4.2.0rc4 are vulnerable to an unexpected code execution vulnerability in the smbd file server daemon.

A malicious client could send packets that may set up the stack in such a way that the freeing of memory in a subsequent anonymous netlogon packet could allow execution of arbitrary code. This code would execute with root privileges.

Comment 8 Huzaifa S. Sidhpurwala 2015-02-11 14:40:31 UTC
Created attachment 990468 [details]
Upstream patch against git-master

Comment 13 Huzaifa S. Sidhpurwala 2015-02-12 07:46:27 UTC
Acknowledgements:

Red Hat would like to thank the Samba project for reporting this issue. Upstream acknowledges Richard van Eeden of Microsoft Vulnerability Research as the original reporter of this issue.

Comment 14 Huzaifa S. Sidhpurwala 2015-02-12 07:56:32 UTC
Statement:

This issue does not affect the version of samba package as shipped with Red Hat Enterprise Linux 4 and 5. It does affect the version of samba as shipped with Red Hat Enterprise Linux 6 and 7, as well as the version of samba3x shipped with Red Hat Enterprise Linux 5 and the version of samba4 as shipped with Red Hat Enterprise Linux 6.

Red Hat Product Security has determined that this vulnerability has Important impact on Red Hat Enterprise Linux 7 because the Samba version shipped in this version of the operating system only executes the vulnerable code after a memory allocation failure, making it more difficult to exploit this flaw.

Comment 18 Huzaifa S. Sidhpurwala 2015-02-12 08:36:20 UTC
Mitigation:

On Samba versions 4.0.0 and above, add the line:

rpc_server:netlogon=disabled

to the [global] section of your smb.conf. For Samba versions 3.6.x and
earlier, this workaround is not available.

Comment 31 errata-xmlrpc 2015-02-23 10:52:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2015:0251 https://rhn.redhat.com/errata/RHSA-2015-0251.html

Comment 32 errata-xmlrpc 2015-02-23 10:52:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2015:0250 https://rhn.redhat.com/errata/RHSA-2015-0250.html

Comment 33 errata-xmlrpc 2015-02-23 10:52:43 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2015:0249 https://rhn.redhat.com/errata/RHSA-2015-0249.html

Comment 34 errata-xmlrpc 2015-02-23 11:23:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5.6 Long Life
  Red Hat Enterprise Linux 5.9 EUS - Server Only

Via RHSA-2015:0253 https://rhn.redhat.com/errata/RHSA-2015-0253.html

Comment 35 errata-xmlrpc 2015-02-23 11:34:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.4 EUS - Server and Compute Node Only
  Red Hat Enterprise Linux 6.5 EUS - Server and Compute Node Only

Via RHSA-2015:0255 https://rhn.redhat.com/errata/RHSA-2015-0255.html

Comment 36 errata-xmlrpc 2015-02-23 11:34:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.2 AUS
  Red Hat Enterprise Linux 6.4 EUS - Server and Compute Node Only
  Red Hat Enterprise Linux 6.5 EUS - Server and Compute Node Only

Via RHSA-2015:0254 https://rhn.redhat.com/errata/RHSA-2015-0254.html

Comment 37 errata-xmlrpc 2015-02-23 11:47:05 UTC
This issue has been addressed in the following products:

  Red Hat Storage 2.1

Via RHSA-2015:0257 https://rhn.redhat.com/errata/RHSA-2015-0257.html

Comment 38 errata-xmlrpc 2015-02-23 13:33:27 UTC
This issue has been addressed in the following products:

  Red Hat Storage 3 for RHEL 6

Via RHSA-2015:0256 https://rhn.redhat.com/errata/RHSA-2015-0256.html

Comment 39 errata-xmlrpc 2015-02-23 15:29:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:0252 https://rhn.redhat.com/errata/RHSA-2015-0252.html

Comment 40 Huzaifa S. Sidhpurwala 2015-02-24 07:29:41 UTC
This issue has been addressed in Fedora 20 and Fedora 21 via the following security advisories:

https://admin.fedoraproject.org/updates/samba-4.1.17-1.fc20
https://admin.fedoraproject.org/updates/samba-4.1.17-1.fc21