It was reported that Samba 3.6.6 to 4.1.7 are affected by a vulnerability that allows an authenticated client to retrieve eight bytes of uninitialized server memory when a shadow-copy VFS module is enabled. In preparing a response to an authenticated FSCTL_GET_SHADOW_COPY_DATA or FSCTL_SRV_ENUMERATE_SNAPSHOTS client request, affected versions of Samba do not initialize 8 bytes of the 16 byte SRV_SNAPSHOT_ARRAY response field. The uninitialized buffer is sent back to the client. A non-default VFS module providing the get_shadow_copy_data_fn() hook must be explicitly enabled for Samba to process the aforementioned client requests. Therefore, only configurations with "shadow_copy" or "shadow_copy2" specified for the "vfs objects" parameter are vulnerable. To avoid the vulnerability, affected versions can be configured without "shadow_copy" or "shadow_copy2" specified for the "vfs objects" parameter. This is the default configuration.
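The following C snippet is an added illustration of the bug class described above; it is not Samba's code and does not reproduce the real SRV_SNAPSHOT_ARRAY layout. It assumes a 16-byte response header of which only the first two 32-bit fields are written, mirrors the "fill fields, never clear the rest" mistake beside the hardened form, and uses a caller-supplied buffer pre-filled with a marker byte to stand in for a recycled heap chunk so the leak is deterministic and measurable:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed illustrative layout: a 16-byte response header. Fields at offsets
 * 0 and 4 are filled in; the builder under test may or may not touch 8..15. */
#define SNAPSHOT_HDR_LEN 16
#define SNAPSHOT_HDR_TAIL 8   /* bytes 8..15: the part the vulnerable path forgets */

/* Little-endian 32-bit store, in the spirit of Samba's SIVAL macro. */
static void put_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v);
    p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16);
    p[3] = (uint8_t)(v >> 24);
}

/* Vulnerable pattern: only the fields the code knows about are written.
 * Whatever the allocation held before is sent to the client as-is. */
void build_snapshot_hdr_vulnerable(uint8_t *out, uint32_t num_volumes)
{
    put_le32(out + 0, num_volumes);   /* number of snapshots */
    put_le32(out + 4, num_volumes);   /* number returned */
    /* bytes 8..15 deliberately left untouched */
}

/* Hardened pattern: clear the whole response before filling any field, so a
 * field the code does not populate can never carry stale memory. */
void build_snapshot_hdr_fixed(uint8_t *out, uint32_t num_volumes)
{
    memset(out, 0, SNAPSHOT_HDR_LEN);
    put_le32(out + 0, num_volumes);
    put_le32(out + 4, num_volumes);
}

/* Client-side check: how many bytes of the tail still carry the marker the
 * buffer held before the builder ran. A nonzero result means stale server
 * memory reached the wire. */
size_t count_stale_bytes(const uint8_t *resp, uint8_t marker)
{
    size_t stale = 0;
    for (size_t i = SNAPSHOT_HDR_LEN - SNAPSHOT_HDR_TAIL; i < SNAPSHOT_HDR_LEN; i++) {
        if (resp[i] == marker) {
            stale++;
        }
    }
    return stale;
}

/* Simulate a recycled heap chunk (constructed input: the whole buffer is
 * pre-filled with 'marker'), run a builder over it, and report how many
 * marker bytes survive in the tail. 'marker' must be nonzero so that a
 * zeroed tail is not mistaken for a leak. */
size_t leaked_bytes(void (*builder)(uint8_t *, uint32_t), uint8_t marker)
{
    uint8_t buf[SNAPSHOT_HDR_LEN];
    memset(buf, marker, sizeof buf);
    builder(buf, 1);
    return count_stale_bytes(buf, marker);
}

int main(void)
{
    printf("vulnerable builder leaks %zu of %d tail bytes\n",
           leaked_bytes(build_snapshot_hdr_vulnerable, 0xA5), SNAPSHOT_HDR_TAIL);
    printf("fixed builder leaks %zu of %d tail bytes\n",
           leaked_bytes(build_snapshot_hdr_fixed, 0xA5), SNAPSHOT_HDR_TAIL);
    return 0;
}
```

The pre-filled marker is what makes the demonstration repeatable: with a real malloc() the tail contents depend on allocator history, which is exactly why such leaks are easy to miss in testing and why the hardened builder clears the entire response up front instead of relying on every field being written.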
External References: http://www.samba.org/samba/security/CVE-2014-0178
Upstream commits: http://git.samba.org/?p=samba.git;a=commitdiff;h=30e724cbff1ecd90e5a676831902d1e41ec1b347 http://git.samba.org/?p=samba.git;a=commitdiff;h=eb50fb8f3bf670bd7d1cf8fd4368ef4a73083696
Statement: This issue does not affect the version of samba as shipped with Red Hat Enterprise Linux 5 and 6. This issue does not affect the version of samba3x as shipped with Red Hat Enterprise Linux 5. This issue affects the version of samba4 as shipped with Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this issue as having Low security impact, a future update may address this flaw.
Created samba tracking bugs for this issue: Affects: fedora-all [bug 1102528]
IssueDescription: A flaw was found in the way Samba created responses for certain authenticated client requests when a shadow-copy VFS module was enabled. An attacker able to send an authenticated request could use this flaw to disclose a limited portion of server memory with each request.
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2014:0867 https://rhn.redhat.com/errata/RHSA-2014-0867.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2014:1009 https://rhn.redhat.com/errata/RHSA-2014-1009.html