Bug 1101992 (CVE-2014-0178) - CVE-2014-0178 samba: Uninitialized memory exposure
Summary: CVE-2014-0178 samba: Uninitialized memory exposure
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2014-0178
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1102528 1105571 1105572 1105573 1105574
Blocks: 1102108
Reported: 2014-05-28 10:11 UTC by Vasyl Kaigorodov
Modified: 2021-06-02 06:10 UTC (History)

Fixed In Version: samba 4.0.18, samba 4.1.8
Doc Type: Bug Fix
Doc Text:
A flaw was found in the way Samba created responses for certain authenticated client requests when a shadow-copy VFS module was enabled. An attacker able to send an authenticated request could use this flaw to disclose limited portions of memory per request.
Clone Of:
Environment:
Last Closed: 2014-07-18 08:32:47 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2014:0867 0 normal SHIPPED_LIVE Moderate: samba security update 2014-07-09 20:17:12 UTC

Description Vasyl Kaigorodov 2014-05-28 10:11:37 UTC
It was reported that Samba 3.6.6 to 4.1.7 are affected by a vulnerability
that allows an authenticated client to retrieve eight bytes of uninitialized
server memory when a shadow-copy VFS module is enabled.

In preparing a response to an authenticated FSCTL_GET_SHADOW_COPY_DATA
or FSCTL_SRV_ENUMERATE_SNAPSHOTS client request, affected versions of
Samba do not initialize 8 bytes of the 16 byte SRV_SNAPSHOT_ARRAY
response field. The uninitialized buffer is sent back to the client.

A non-default VFS module providing the get_shadow_copy_data_fn() hook
must be explicitly enabled for Samba to process the aforementioned
client requests. Therefore, only configurations with "shadow_copy" or
"shadow_copy2" specified for the "vfs objects" parameter are vulnerable.

To avoid the vulnerability, affected versions can be configured without
"shadow_copy" or "shadow_copy2" specified for the "vfs objects"
parameter. This is the default configuration.
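The defect class described above, as an added illustration that is not Samba's own code: a fixed-size reply is built by writing only some of its bytes, so the rest go out on the wire holding whatever the buffer already contained. The 16-byte layout (two 4-byte counts followed by 8 bytes the unpatched builder never writes) is an assumption chosen to mirror the 8-of-16 figure in the report, not the real SRV_SNAPSHOT_ARRAY format. The check pre-fills the buffer with a marker byte standing in for stale data, which is how such a leak can be caught in a regression test even though real uninitialized contents are nondeterministic.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical 16-byte reply: assumption for this example, not the real
 * SRV_SNAPSHOT_ARRAY wire layout. */
#define RESP_LEN 16

static void put_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v);
    p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16);
    p[3] = (uint8_t)(v >> 24);
}

typedef void (*builder_fn)(uint8_t out[RESP_LEN], uint32_t volumes, uint32_t labels);

/* Defect pattern: only 8 of the 16 bytes are written; the remaining 8 keep
 * whatever the buffer already held and are sent to the client unchanged. */
void build_reply_unpatched(uint8_t out[RESP_LEN], uint32_t volumes, uint32_t labels)
{
    put_le32(out, volumes);
    put_le32(out + 4, labels);
    /* out[8..15] deliberately left untouched to reproduce the defect */
}

/* Fixed pattern: zero the whole reply first, then fill the fields that carry
 * data, so every byte that leaves the server has a defined value. */
void build_reply_patched(uint8_t out[RESP_LEN], uint32_t volumes, uint32_t labels)
{
    memset(out, 0, RESP_LEN);
    put_le32(out, volumes);
    put_le32(out + 4, labels);
}

/* Regression check: fill the buffer with a marker byte (constructed stand-in
 * for stale memory), run a builder, and count trailing bytes that still show
 * the marker. A non-zero count means stale contents reached the reply. */
int count_stale_bytes(builder_fn build)
{
    uint8_t buf[RESP_LEN];
    memset(buf, 0xA5, sizeof buf);
    build(buf, 1, 2);
    int stale = 0;
    for (int i = 8; i < RESP_LEN; i++) {
        if (buf[i] == 0xA5) {
            stale++;
        }
    }
    return stale;
}

int main(void)
{
    printf("unpatched builder leaks %d stale bytes\n",
           count_stale_bytes(build_reply_unpatched));
    printf("patched builder leaks %d stale bytes\n",
           count_stale_bytes(build_reply_patched));
    return 0;
}
```

The marker-fill technique generalizes: any routine that serializes a struct or buffer onto the network can be wrapped this way, and a non-zero stale count flags a field the code forgot to set. Zeroing the whole reply up front (or using a compound literal / `= {0}` initializer for a struct) is the simplest durable fix, because it does not depend on every future field addition remembering to initialize itself.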

Comment 1 Vasyl Kaigorodov 2014-05-28 10:12:25 UTC
External References:

http://www.samba.org/samba/security/CVE-2014-0178

Comment 3 Huzaifa S. Sidhpurwala 2014-05-29 06:57:24 UTC
Statement:

This issue does not affect the version of samba as shipped with Red Hat Enterprise Linux 5 and 6. This issue does not affect the version of samba3x as shipped with Red Hat Enterprise Linux 5. This issue affects the version of samba4 as shipped with Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this issue as having Low security impact; a future update may address this flaw.

Comment 4 Huzaifa S. Sidhpurwala 2014-05-29 06:58:27 UTC
Created samba tracking bugs for this issue:

Affects: fedora-all [bug 1102528]

Comment 9 Martin Prpič 2014-07-08 12:52:49 UTC
IssueDescription:

A flaw was found in the way Samba created responses for certain authenticated client requests when a shadow-copy VFS module was enabled. An attacker able to send an authenticated request could use this flaw to disclose limited portions of memory per request.

Comment 10 errata-xmlrpc 2014-07-09 16:18:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2014:0867 https://rhn.redhat.com/errata/RHSA-2014-0867.html

Comment 12 Stefan Cornelius 2014-08-12 16:49:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2014:1009 https://rhn.redhat.com/errata/RHSA-2014-1009.html
