It was found that samba versions 3.4.0 and above was vulnerable to heap-based buffer overflow flaw, in the client processing of DCE-RPC packets. This is due to incorrect checking of the DCE-RPC fragment length in the client code. The DCE-RPC client code is part of the winbindd authentication and identity mapping daemon, which is commonly configured as part of many server installations (when joined to an Active Directory Domain). A malicious Active Directory Domain Controller or man-in-the-middle attacker impersonating an Active Directory Domain Controller could achieve root-level access by compromising the winbindd process. As per upstream: Samba server versions 3.4.0 - 3.4.17 and versions 3.5.0 - 3.5.22 are also vulnerable to a denial of service attack (server crash) due to a similar error in the server code of those versions. Samba server versions 3.6.0 and above (including all 3.6.x versions, all 4.0.x versions and 4.1.0) are not vulnerable to this problem. Upstream flaw bug: https://bugzilla.samba.org/show_bug.cgi?id=10185
Acknowledgements: Red Hat would like to thank the Samba project for reporting this issue. Upstream acknowledges Stefan Metzmacher and Michael Adam of SerNet as the original reporters of this issue.
Statement: This issue does not affect the version of samba as shipped with Red Hat Enterprise Linux 5.
Public via: http://www.samba.org/samba/security/CVE-2013-4408
Created samba tracking bugs for this issue: Affects: fedora-all [bug 1039454]
This issue has been addressed in following products: Red Hat Enterprise Linux 6 Via RHSA-2013:1805 https://rhn.redhat.com/errata/RHSA-2013-1805.html
This issue has been addressed in following products: Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 Via RHSA-2013:1806 https://rhn.redhat.com/errata/RHSA-2013-1806.html
This issue has been addressed in following products: Red Hat Storage 2.1 Via RHSA-2014:0009 https://rhn.redhat.com/errata/RHSA-2014-0009.html