Bug 1511899 (CVE-2017-14746)

Summary: CVE-2017-14746 samba: Use-after-free in processing SMB1 requests
Product: [Other] Security Response
Reporter: Huzaifa S. Sidhpurwala <huzaifas>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: abokovoy, anoopcs, asn, gdeschner, jarrpa, kabbott, lmohanty, madam, mjc, newman.chuck, sbose, security-response-team, sisharma, ssorce, vdas, yersinia.spiros
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A use-after-free flaw was found in the way samba servers handled certain SMB1 requests. An unauthenticated attacker could send specially-crafted SMB1 requests to cause the server to crash or execute arbitrary code.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-06-08 03:30:57 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1512817, 1514313, 1514314, 1514315, 1514316, 1515692, 1531098
Bug Blocks: 1512469

Description Huzaifa S. Sidhpurwala 2017-11-10 11:53:16 UTC
As per upstream advisory:

All versions of Samba from 4.0.0 onwards are vulnerable to a use after free vulnerability, where a malicious SMB1 request can be used to control the contents of heap memory via a deallocated heap pointer. It is possible this may be used to compromise the SMB server.

Comment 1 Huzaifa S. Sidhpurwala 2017-11-10 11:53:33 UTC
Mitigation:

Prevent SMB1 access to the server by setting the parameter:

"server min protocol = SMB2"

to the [global] section of your smb.conf and restart smbd. This prevents any SMB1 access to the server. Note this could cause older clients to be unable to connect to the server.

Comment 3 Huzaifa S. Sidhpurwala 2017-11-17 03:50:07 UTC
Acknowledgements:

Name: the Samba project
Upstream: Yihan Lian (Qihoo 360 Gear Team), Zhibin Hu (Qihoo 360 Gear Team)

Comment 5 Huzaifa S. Sidhpurwala 2017-11-21 08:59:23 UTC
External References:

https://www.samba.org/samba/security/CVE-2017-14746.html

Comment 6 Huzaifa S. Sidhpurwala 2017-11-21 09:01:27 UTC
Created samba tracking bugs for this issue:

Affects: fedora-all [bug 1515692]

Comment 8 errata-xmlrpc 2017-11-27 04:13:36 UTC
This issue has been addressed in the following products:

  Red Hat Gluster Storage 3.3 for RHEL 6
  Red Hat Gluster Storage 3.3 for RHEL 7

Via RHSA-2017:3261 https://access.redhat.com/errata/RHSA-2017:3261

Comment 9 errata-xmlrpc 2017-11-27 04:39:55 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:3260 https://access.redhat.com/errata/RHSA-2017:3260

Comment 10 errata-xmlrpc 2017-11-29 08:04:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2017:3278 https://access.redhat.com/errata/RHSA-2017:3278