Bug 1191325 (CVE-2015-0240) - CVE-2015-0240 samba: talloc free on uninitialized stack pointer in netlogon server could lead to remote-code execution
Status: CLOSED ERRATA
Alias: CVE-2015-0240
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: ---
Assignee: Red Hat Product Security
Whiteboard: impact=critical,public=20150223,repor...
Keywords: Security
Depends On: 1191338 1191339 1191340 1191341 1191343 1191344 1191387 1191388 1191608 1191879 1191880 1191881 1191882 1191883 1191884 1191885 1191886 1194132
Blocks: 1191352
Reported: 2015-02-11 05:02 UTC by Huzaifa S. Sidhpurwala
Modified: 2016-01-20 21:14 UTC (History)
CC List: 29 users

An uninitialized pointer use flaw was found in the Samba daemon (smbd). A malicious Samba client could send specially crafted netlogon packets that, when processed by smbd, could potentially lead to arbitrary code execution with the privileges of the user running smbd (by default, the root user).
Last Closed: 2015-02-24 07:30:07 UTC


Attachments
Upstream patch against git-master (1.52 KB, patch)
2015-02-11 14:40 UTC, Huzaifa S. Sidhpurwala


External Trackers
Tracker ID | Priority | Status | Summary | Last Updated
Red Hat Product Errata RHSA-2015:0249 | normal | SHIPPED_LIVE | Critical: samba3x security update | 2015-02-23 15:52:03 UTC
Samba Project 11077 | None | None | None | Never
Red Hat Product Errata RHSA-2015:0250 | normal | SHIPPED_LIVE | Critical: samba4 security update | 2015-02-23 15:51:51 UTC
Red Hat Product Errata RHSA-2015:0251 | normal | SHIPPED_LIVE | Critical: samba security update | 2015-02-23 15:51:36 UTC
Red Hat Product Errata RHSA-2015:0252 | normal | SHIPPED_LIVE | Important: samba security update | 2015-02-23 20:28:49 UTC
Red Hat Product Errata RHSA-2015:0253 | normal | SHIPPED_LIVE | Critical: samba3x security update | 2015-02-23 16:23:18 UTC
Red Hat Product Errata RHSA-2015:0254 | normal | SHIPPED_LIVE | Critical: samba security update | 2015-02-23 16:34:06 UTC
Red Hat Product Errata RHSA-2015:0255 | normal | SHIPPED_LIVE | Critical: samba4 security update | 2015-02-23 16:33:40 UTC
Red Hat Product Errata RHSA-2015:0256 | normal | SHIPPED_LIVE | Critical: samba security update | 2015-02-23 18:33:04 UTC
Red Hat Product Errata RHSA-2015:0257 | normal | SHIPPED_LIVE | Critical: samba security update | 2015-02-23 16:46:22 UTC

Description Huzaifa S. Sidhpurwala 2015-02-11 05:02:33 UTC
As per upstream samba advisory:

All versions of Samba from 3.5.0 to 4.2.0rc4 are vulnerable to an unexpected code execution vulnerability in the smbd file server daemon.

A malicious client could send packets that may set up the stack in such a way that the freeing of memory in a subsequent anonymous netlogon packet could allow execution of arbitrary code. This code would execute with root privileges.

Comment 8 Huzaifa S. Sidhpurwala 2015-02-11 14:40:31 UTC
Created attachment 990468 [details]
Upstream patch against git-master

Comment 13 Huzaifa S. Sidhpurwala 2015-02-12 07:46:27 UTC
Acknowledgements:

Red Hat would like to thank the Samba project for reporting this issue. Upstream acknowledges Richard van Eeden of Microsoft Vulnerability Research as the original reporter of this issue.

Comment 14 Huzaifa S. Sidhpurwala 2015-02-12 07:56:32 UTC
Statement:

This issue does not affect the version of the samba package as shipped with Red Hat Enterprise Linux 4 and 5. It does affect the version of samba as shipped with Red Hat Enterprise Linux 6 and 7, as well as the version of samba3x shipped with Red Hat Enterprise Linux 5 and the version of samba4 as shipped with Red Hat Enterprise Linux 6.

Red Hat Product Security has determined that this vulnerability has Important impact on Red Hat Enterprise Linux 7 because the Samba version shipped in this version of the operating system only executes the vulnerable code after a memory allocation failure, making it more difficult to exploit this flaw.

Comment 18 Huzaifa S. Sidhpurwala 2015-02-12 08:36:20 UTC
Mitigation:

On Samba versions 4.0.0 and above, add the line:

rpc_server:netlogon=disabled

to the [global] section of your smb.conf. For Samba versions 3.6.x and earlier, this workaround is not available.
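As an added example (not part of this bug report and not Samba's own code), the following Python script checks whether an smb.conf actually carries the workaround from the comment above: the setting must sit in the [global] section, and it only helps on Samba 4.0.0 and above, so the script also classifies older versions as having no workaround. It assumes the usual smb.conf "[section]" / "key = value" layout and that Samba matches parameter names ignoring case and whitespace; the sample configurations and version strings are constructed for the example. The authoritative check on a live host remains Samba's own testparm, which prints the effective configuration.

```python
"""Check an smb.conf for the CVE-2015-0240 netlogon workaround.

Added example, not Samba's code. Assumptions: smb.conf uses the
[section] / key = value layout, Samba matches parameter names ignoring
case and whitespace, and (per the advisory) the workaround applies only
to Samba 4.0.0 and above.
"""
import re

# Constructed sample configurations (not taken from the bug report).
CONF_MITIGATED = """\
[global]
    workgroup = EXAMPLE
    server string = file server
    rpc_server:netlogon = disabled

[share]
    path = /srv/share
"""

# Setting present, but in the wrong section: Samba will not honour it globally.
CONF_WRONG_SECTION = """\
[global]
    workgroup = EXAMPLE

[share]
    path = /srv/share
    rpc_server:netlogon = disabled
"""

CONF_MISSING = """\
[global]
    workgroup = EXAMPLE
"""


def parse_smb_conf(text):
    """Return {section: {normalized_key: value}}, skipping blank and comment lines."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        # Normalize the parameter name the way Samba does: drop whitespace, fold case.
        key = re.sub(r"\s+", "", key).lower()
        sections[current][key] = value.strip()
    return sections


def parse_version(version):
    """Turn '4.1.17', '4.2.0rc4' or '3.6.23-20.el6' into a comparable (major, minor, patch)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError("unrecognized Samba version: %r" % version)
    return tuple(int(x) for x in m.groups())


def netlogon_disabled(text):
    """True only if [global] sets rpc_server:netlogon = disabled."""
    conf = parse_smb_conf(text)
    value = conf.get("global", {}).get("rpc_server:netlogon", "")
    return value.lower() == "disabled"


def mitigation_status(text, version):
    """Classify a host: 'mitigated', 'not-mitigated' or 'workaround-unavailable'."""
    if parse_version(version) < (4, 0, 0):
        # Samba 3.6.x and earlier: the rpc_server option does not exist, so the
        # only remedy is the vendor update.
        return "workaround-unavailable"
    return "mitigated" if netlogon_disabled(text) else "not-mitigated"


if __name__ == "__main__":
    for label, conf, ver in (
        ("mitigated config, 4.1.17", CONF_MITIGATED, "4.1.17"),
        ("setting in [share], 4.1.17", CONF_WRONG_SECTION, "4.1.17"),
        ("no setting, 4.1.17", CONF_MISSING, "4.1.17"),
        ("no setting, 3.6.23", CONF_MISSING, "3.6.23-20.el6"),
    ):
        print("%-28s -> %s" % (label, mitigation_status(conf, ver)))
```

The [global]-only rule matters: a copy of the line under a share section parses cleanly but does not disable the netlogon RPC server, which is why the check rejects CONF_WRONG_SECTION. To inspect a real host, feed it the output of testparm rather than the raw file, so included files and defaults are already resolved.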

Comment 31 errata-xmlrpc 2015-02-23 10:52:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2015:0251 https://rhn.redhat.com/errata/RHSA-2015-0251.html

Comment 32 errata-xmlrpc 2015-02-23 10:52:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2015:0250 https://rhn.redhat.com/errata/RHSA-2015-0250.html

Comment 33 errata-xmlrpc 2015-02-23 10:52:43 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2015:0249 https://rhn.redhat.com/errata/RHSA-2015-0249.html

Comment 34 errata-xmlrpc 2015-02-23 11:23:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5.6 Long Life
  Red Hat Enterprise Linux 5.9 EUS - Server Only

Via RHSA-2015:0253 https://rhn.redhat.com/errata/RHSA-2015-0253.html

Comment 35 errata-xmlrpc 2015-02-23 11:34:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.4 EUS - Server and Compute Node Only
  Red Hat Enterprise Linux 6.5 EUS - Server and Compute Node Only

Via RHSA-2015:0255 https://rhn.redhat.com/errata/RHSA-2015-0255.html

Comment 36 errata-xmlrpc 2015-02-23 11:34:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.2 AUS
  Red Hat Enterprise Linux 6.4 EUS - Server and Compute Node Only
  Red Hat Enterprise Linux 6.5 EUS - Server and Compute Node Only

Via RHSA-2015:0254 https://rhn.redhat.com/errata/RHSA-2015-0254.html

Comment 37 errata-xmlrpc 2015-02-23 11:47:05 UTC
This issue has been addressed in the following products:

  Red Hat Storage 2.1

Via RHSA-2015:0257 https://rhn.redhat.com/errata/RHSA-2015-0257.html

Comment 38 errata-xmlrpc 2015-02-23 13:33:27 UTC
This issue has been addressed in the following products:

  Red Hat Storage 3 for RHEL 6

Via RHSA-2015:0256 https://rhn.redhat.com/errata/RHSA-2015-0256.html

Comment 39 errata-xmlrpc 2015-02-23 15:29:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:0252 https://rhn.redhat.com/errata/RHSA-2015-0252.html

Comment 40 Huzaifa S. Sidhpurwala 2015-02-24 07:29:41 UTC
This issue has been addressed in Fedora 20 and Fedora 21 via the following security advisories:

https://admin.fedoraproject.org/updates/samba-4.1.17-1.fc20
https://admin.fedoraproject.org/updates/samba-4.1.17-1.fc21

