__________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                      Samba Buffer Overrun Vulnerabilities

July 23, 2004 18:00 GMT                                           Number O-186
[REVISED 26 Jul 2004]
[REVISED 27 Jul 2004]
[REVISED  5 Aug 2004]
[REVISED  6 Aug 2004]
[REVISED 26 Oct 2004]
[REVISED 07 Jan 2005]
______________________________________________________________________________
PROBLEM:       Buffer overrun vulnerabilities were found in Samba's 
               v3.0.0-3.0.4 and v2.2.x-2.2.9 regarding basic HTTP 
               authentication in the Samba Web Administration Tool (SWAT) 
               and the code which supports the "mangling method = hash"
               smb.conf option. 
SOFTWARE:      Samba 3.0.0 - 3.0.4 
               Samba 2.2.x - 2.2.9 
               Solaris 9 (SPARC and x86 Platforms)
DAMAGE:        Attackers could possibly execute arbitrary code. 
SOLUTION:      Upgrade to Samba 3.0.5 or 2.2.10. 
______________________________________________________________________________
VULNERABILITY  The risk is LOW. At this time, CIAC has only identified code 
ASSESSMENT:    that could cause a denial-of-service attack. If we receive 
               confirmation of code allowing other vulnerabilities, we may 
               upgrade the risk level. 
______________________________________________________________________________
LINKS: 
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/o-186.shtml 
 ORIGINAL BULLETIN:  http://us1.samba.org/samba/samba.html 
 ADDITIONAL LINKS:   Red Hat RHSA-2004:259-23 
                       http://rhn.redhat.com/errata/RHSA-2004-259.html 
                     Red Hat RHSA-2004:404-04
                       http://rhn.redhat.com/errata/RHSA-2004-404.html
                     Visit Hewlett-Packard Subscription Service for:
                       HPSBUX01062 SSRT4782 rev. 1
                     SGI Security Advisories 
                       20040702-01-U for Samba & 20040703-01-U for PHP
                       http://www.sgi.com/support/security/advisories.html
                     Sun Security Alert ID: 57664
                     http://www.sunsolve.sun.com/search/printfriendly.do?
                       assetkey=1-26-57664-1
 CVE/CAN:            http://www.cve.mitre.org/cgi-bin/cvename.cgi?name= 
                     CAN-2004-0600 CAN-2004-0686 
______________________________________________________________________________
REVISION HISTORY:
07/26/2004 - added a link to Red Hat RHSA-2004:404-04 for Red Hat Enterprise 
             Linux AS, ES, WS, Advanced Workstation for the Itanium Processor
             (v. 2.1). 
07/27/2004 - added a link to Hewlett-Packard HSPBUX01062 SSRT4782 for HP-UX 
             B.11.00, B.11.11, B.11.22, B.11.23.
08/05/2004 - add a link to SGI Security Advisories 20040702-01-U for Samba and 
             20040703-01-U for PHP.
08/06/2004 - Hewlett Packard has released a patch for CIFS Server 2.2j 
             version A.01.11.02 for HP-UX B.11.00, B.11.11, and B.11.23.  
             See their advisory HPSBUX01062 / SSRT4782, rev. 1 for more 
             information.
10/26/2004 - added link to Sun Alert ID: 57664,that provides patches for this 
             vulnerability on Solaris 9.
01/07/2005 - Sun Security Alert 57664 is revised to include Solaris 9 patches 
             addressing these vulnerabilities.
			 
			 

[******  Start Samba's Release Information ******]

Samba News
(22nd Jul, 2004) Security Release - Samba 2.2.10 and 3.0.5 Available for 
Download 

Two potential buffer overruns have been discovered in Samba >= 3.0.2 
CAN-2004-0600,CAN-2004-0686). One of these issues, CAN-2004-0686, also 
affects Samba 2.2.x. Samba administrators are encouraged to review the 
3.0.5 and 2.2.10 release notes and upgrade any affected servers. 
Samba 3.0.5 and 2.2.10 are identical to the previous release in each 
respective series with the exception of fixing these issues. 
Samba 3.0.5rc1 has been removed from the download area on Samba.org and 
3.0.6rc2 will be available later this week.


The 3.0.5 and 2.2.10 releases are available for download including the 
gpg signatures of the uncompressed tarballs. Binary packages for various 
platforms will be available following the initial release. 


[******  End Samba's Release Information ******]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Samba and Red Hat, Inc.  for the 
information contained in this bulletin.
_______________________________________________________________________________


CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
   Anonymous FTP:       ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

O-176: Adobe Acrobat and Adobe Reader Filename Handler Buffer Overflow
O-177: Multiple Vulnerabilities in ISC DHCP 3
O-178: Vulnerability in Task Scheduler Could Allow Code Execution
O-179: Microsoft Update for IIS 4.0 (841373)
O-180: Microsoft Utility Manager Vulnerability
O-181: Microsoft Vulnerability in POSIX Could Allow Code Execution
O-182: Microsoft Vulnerability in HTML Help Could Allow Code Execution
O-183: Microsoft Vulnerability in Windows Shell Could Allow Remote Code Execution
O-184: PHP memory_limit and strip_tags Vulnerabilities
O-185: Sun Java System Web Server Cross-site Scripting Vulnerabilitiy