Bug 1101992 - (CVE-2014-0178) samba: Uninitialized memory exposure
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All, OS: Linux
Priority: low, Severity: low
Assigned To: Red Hat Product Security
impact=low,public=20140528,reported=2...
Keywords: Security
Depends On: 1105571 1102528 1105572 1105573 1105574
Blocks: 1102108
 
Reported: 2014-05-28 06:11 EDT by Vasyl Kaigorodov
Modified: 2015-11-04 01:21 EST (History)
Fixed In Version: samba 4.0.18, samba 4.1.8
Doc Type: Bug Fix
Doc Text:
A flaw was found in the way Samba created responses for certain authenticated client requests when a shadow-copy VFS module was enabled. An attacker able to send an authenticated request could use this flaw to disclose limited portions of memory per each request.
Last Closed: 2014-07-18 04:32:47 EDT
External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2014:0867 normal SHIPPED_LIVE Moderate: samba security update 2014-07-09 16:17:12 EDT
Description Vasyl Kaigorodov 2014-05-28 06:11:37 EDT
It was reported that Samba 3.6.6 to 4.1.7 are affected by a vulnerability
that allows an authenticated client to retrieve eight bytes of uninitialized
server memory when a shadow-copy VFS module is enabled.

In preparing a response to an authenticated FSCTL_GET_SHADOW_COPY_DATA
or FSCTL_SRV_ENUMERATE_SNAPSHOTS client request, affected versions of
Samba do not initialize 8 bytes of the 16 byte SRV_SNAPSHOT_ARRAY
response field. The uninitialized buffer is sent back to the client.

A non-default VFS module providing the get_shadow_copy_data_fn() hook
must be explicitly enabled for Samba to process the aforementioned
client requests. Therefore, only configurations with "shadow_copy" or
"shadow_copy2" specified for the "vfs objects" parameter are vulnerable.

To avoid the vulnerability, affected versions can be configured without
"shadow_copy" or "shadow_copy2" specified for the "vfs objects"
parameter. This is the default configuration.
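The configuration condition described above (a share is only exposed when "shadow_copy" or "shadow_copy2" is in its effective "vfs objects" list) can be checked against an smb.conf. This is an added example, not part of this bug report or of Samba's own code; the sample configuration, share names and paths are constructed for illustration, and the parser assumes a plain smb.conf without "include =" directives.

```python
from typing import Dict, List

# Constructed sample smb.conf: [homes] inherits the global VFS stack, [public]
# overrides it without a shadow-copy module, [projects] enables shadow_copy itself.
SAMPLE_SMB_CONF = """[global]
   vfs objects = acl_xattr shadow_copy2
[homes]
[public]
   path = /srv/public
   vfs objects = acl_xattr
[projects]
   path = /srv/projects
   vfs objects = shadow_copy
"""

# VFS modules providing the get_shadow_copy_data_fn() hook named in the description.
SHADOW_COPY_MODULES = {"shadow_copy", "shadow_copy2"}


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal smb.conf parser -> {section: {key: value}}, keys lower-cased.
    Skips ';' and '#' comment lines; does not follow 'include =' directives."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def vfs_modules_for_share(conf: Dict[str, Dict[str, str]], share: str) -> List[str]:
    """Effective 'vfs objects': the share's own value, else the [global] default."""
    setting = conf.get(share, {}).get("vfs objects")
    if setting is None:
        setting = conf.get("global", {}).get("vfs objects", "")
    return setting.split()


def shares_exposing_shadow_copy(conf: Dict[str, Dict[str, str]]) -> List[str]:
    """Shares whose VFS stack loads shadow_copy or shadow_copy2: only these
    configurations process the FSCTL requests through which the flaw is reached."""
    return [share for share in conf if share != "global"
            and SHADOW_COPY_MODULES & set(vfs_modules_for_share(conf, share))]
```

For the constructed sample, `shares_exposing_shadow_copy(parse_smb_conf(SAMPLE_SMB_CONF))` returns `['homes', 'projects']`; a share that sets an empty `vfs objects =` overrides the global list and is reported as not exposed.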
Comment 1 Vasyl Kaigorodov 2014-05-28 06:12:25 EDT
External References:

http://www.samba.org/samba/security/CVE-2014-0178
Comment 3 Huzaifa S. Sidhpurwala 2014-05-29 02:57:24 EDT
Statement:

This issue does not affect the version of samba as shipped with Red Hat Enterprise Linux 5 and 6. This issue does not affect the version of samba3x as shipped with Red Hat Enterprise Linux 5. This issue affects the version of samba4 as shipped with Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this issue as having Low security impact; a future update may address this flaw.
Comment 4 Huzaifa S. Sidhpurwala 2014-05-29 02:58:27 EDT
Created samba tracking bugs for this issue:

Affects: fedora-all [bug 1102528]
Comment 8 Martin Prpič 2014-07-08 04:29:27 EDT
Acknowledgments:

Red Hat would like to thank the Samba project for reporting this issue. The Samba project acknowledges Christof Schmitt as the original reporter.
Comment 9 Martin Prpič 2014-07-08 08:52:49 EDT
IssueDescription:

A flaw was found in the way Samba created responses for certain authenticated client requests when a shadow-copy VFS module was enabled. An attacker able to send an authenticated request could use this flaw to disclose limited portions of memory per each request.
Comment 10 errata-xmlrpc 2014-07-09 12:18:39 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2014:0867 https://rhn.redhat.com/errata/RHSA-2014-0867.html
Comment 12 Stefan Cornelius 2014-08-12 12:49:16 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2014:1009 https://rhn.redhat.com/errata/RHSA-2014-1009.html