__________________________________________________________

                     The U.S. Department of Energy
                 Computer Incident Advisory Capability

                         INFORMATION BULLETIN

                        Updated Samba Packages
                  [Red Hat Advisory: RHSA-2004:670-10]

December 17, 2004 18:00 GMT                                   Number P-070
[REVISED 21 Dec 2004]
[REVISED 19 Jan 2005]
[REVISED 04 Feb 2005]
[REVISED 31 Mar 2005]
[REVISED 21 Apr 2005]
[REVISED 14 Jun 2005]
[REVISED 12 Jan 2006]
______________________________________________________________________________
PROBLEM:       There are integer overflow issues in Samba versions prior
               to 3.0.10.

PLATFORM:      Red Hat Enterprise Linux AS, ES, and WS (all v.2.1 and v.3)
               Red Hat Desktop (v.3)
               Red Hat Linux Advanced Workstation 2.1 for the Itanium
               Processor
               SGI ProPack 3 Service Pack 3 for SGI Altix family of systems
               HP-UX B.11.00, B.11.11, B.11.22, and B.11.23
               Solaris 9, running as Samba(7) server
               Debian GNU/Linux 3.0 (woody)
               SPARC Platform
                 Solaris 9
                 Solaris 10 without patch 119757-01
               x86 Platform
                 Solaris 9
                 Solaris 10 without patch 119758-01

DAMAGE:        An authenticated remote user could execute arbitrary code.

SOLUTION:      Upgrade to Red Hat's latest packages, or to Samba 3.0.10.
______________________________________________________________________________
VULNERABILITY  The risk is HIGH. A remote user might be able to gain root
ASSESSMENT:    access.
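A version check that an administrator could run over `rpm -q` output to decide whether a host is still exposed, written for this bulletin and not part of CIAC's or Red Hat's text. It encodes the two fix thresholds the bulletin gives (upstream 3.0.10, and Red Hat's backported samba-3.0.9-1.3E.1 for Red Hat Enterprise Linux 3) so that a naive "version below 3.0.10" test does not wrongly flag the patched Red Hat build; the simplified rpm-style comparison and the sample query output are assumptions constructed for the example.

```python
import re

# Fix thresholds as stated in the bulletin: upstream Samba 3.0.10, and Red Hat's
# backported fix for Red Hat Enterprise Linux 3, shipped as samba-3.0.9-1.3E.1.
UPSTREAM_FIXED = "3.0.10"
RHEL3_FIXED = ("3.0.9", "1.3E.1")

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")


def rpmvercmp(a, b):
    """Simplified rpm-style comparison (assumption, not rpm's own code): split
    into numeric and alphabetic runs, compare numeric runs as integers and
    alphabetic runs as strings, rank a numeric run above an alphabetic one,
    and treat the longer string as newer when all shared runs are equal."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def is_vulnerable(version, release="", rhel3=False):
    """True if a Samba build is still exposed to CAN-2004-1154. Upstream:
    anything before 3.0.10. On RHEL 3 the fix is backported, so the 3.0.9
    build with release 1.3E.1 or later is already fixed there."""
    if rpmvercmp(version, UPSTREAM_FIXED) >= 0:
        return False
    if rhel3 and rpmvercmp(version, RHEL3_FIXED[0]) == 0:
        return rpmvercmp(release, RHEL3_FIXED[1]) < 0
    return True


def scan_rpm_query(output, rhel3=True):
    r"""Parse lines of `rpm -q --qf '%{NAME} %{VERSION} %{RELEASE}\n' samba`
    and return [(name, version, release, vulnerable), ...]."""
    results = []
    for line in output.splitlines():
        if line.strip():
            name, version, release = line.split()
            results.append((name, version, release,
                            is_vulnerable(version, release, rhel3)))
    return results


# Constructed sample output, not from a real host: a hypothetical pre-errata
# RHEL 3 build, the errata build named in the bulletin, and upstream 3.0.10.
SAMPLE_QUERY = "samba 3.0.9 1.3E\nsamba 3.0.9 1.3E.1\nsamba 3.0.10 1\n"

if __name__ == "__main__":
    for name, ver, rel, vuln in scan_rpm_query(SAMPLE_QUERY):
        print(f"{name}-{ver}-{rel}: {'VULNERABLE' if vuln else 'fixed'}")
```

Run against real `rpm -q` output only with `rhel3=True` on Red Hat Enterprise Linux 3 hosts; other vendors' backports are not covered by the thresholds above.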
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/p-070.shtml

 ORIGINAL BULLETIN:  https://rhn.redhat.com/errata/RHSA-2004-670.html

 ADDITIONAL LINKS:   https://rhn.redhat.com/errata/RHSA-2004-681.html
                     SGI Advanced Linux Environment security update #21
                     Number: 20050101-01-U
                     ftp://patches.sgi.com/support/free/security/advisories/20050101-01-U.asc
                     Visit Hewlett Packard Subscription Service for:
                     HP Security Bulletin HPSBUX01115, SSRT4885
                     Sun Security Alert ID: 101643
                     (formerly Sun Alert ID: 57730)
                     http://www.sunsolve.sun.com/search/printfriendly.do?assetkey=1-26-57730-1
                     Debian Security Advisory DSA-701-2
                     http://www.debian.org/security/2005/dsa-701
                     HPSBUX01115 SSRT4885 rev.2
                     http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=c00590641

 CVE/CAN:            http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1154
______________________________________________________________________________
REVISION HISTORY:
 12/21/2004 - added link to Red Hat Updated Samba Packages available through
              Security Advisory RHSA-2004:681-03.
 01/19/2005 - added link to updated packages available in SGI security
              advisory Number 20050101-01-U, for SGI ProPack 3 Service Pack 3
              for SGI Altix family of systems.
 02/04/2005 - added reference to Hewlett Packard Security Bulletin
              HPSBUX01115, SSRT4885 that provides patches for this
              vulnerability in HP-UX B.11.00, B.11.11, B.11.22, and B.11.23.
              Also, a link is added to Sun Security Alert 57730 that provides
              information on updating a Solaris 9 system running as a
              Samba(7) server.
 03/31/2005 - added link to Debian Security Advisory DSA-701-1 that provides
              updated packages addressing this vulnerability.
 04/21/2005 - revised bulletin to note that Debian re-released its Advisory
              DSA-701 in order to fix a problem with the update.
 06/14/2005 - added a link to Sun Alert ID: 101643 which replaces Sun Alert
              ID: 57730.
 01/12/2006 - added a link to HPSBUX01115 SSRT4885 rev.2 - HP-UX CIFS Server

[***** Start Red Hat Advisory: RHSA-2004:670-10 *****]

Updated samba packages fix security issue

Advisory: RHSA-2004:670-10
Last updated on: 2004-12-16

Affected Products:
  Red Hat Desktop (v. 3)
  Red Hat Enterprise Linux AS (v. 3)
  Red Hat Enterprise Linux ES (v. 3)
  Red Hat Enterprise Linux WS (v. 3)

CVEs (cve.mitre.org): CAN-2004-1154

Security Advisory Details:

Updated samba packages that fix an integer overflow vulnerability are now
available for Red Hat Enterprise Linux 3.

Samba provides file and printer sharing services to SMB/CIFS clients.

Greg MacManus of iDEFENSE Labs has discovered an integer overflow bug in
Samba versions prior to 3.0.10. An authenticated remote user could exploit
this bug which may lead to arbitrary code execution on the Samba server.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2004-1154 to this issue.

Users of Samba should upgrade to these updated packages, which contain
backported security patches, and are not vulnerable to these issues.

Updated packages:

Red Hat Desktop (v. 3)
-----------------------------------------------------------------------------
SRPMS: samba-3.0.9-1.3E.1.src.rpm
(The unlinked packages above are only available from the Red Hat Network)

Solution

Before applying this update, make sure that all previously-released errata
relevant to your system have been applied.

Use Red Hat Network to download and update your packages.
To launch the Red Hat Update Agent, use the following command:

    up2date

For information on how to install packages manually, refer to the following
Web page for the System Administration or Customization guide specific to
your system:

    http://www.redhat.com/docs/manuals/enterprise/

Bugs fixed: (see bugzilla for more information)

142472 - CAN-2004-1154 Samba authenticated remote root

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1154

-----------------------------------------------------------------------------
The listed packages are GPG signed by Red Hat, Inc. for security. Our key is
available at:

    http://www.redhat.com/solutions/security/news/publickey/#key

You can verify each package and see who signed it with the following command:

    rpm --checksig -v filename

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:

    md5sum filename

The Red Hat security contact is security@redhat.com. More contact details at
http://www.redhat.com/solutions/security/news/contact.html

Copyright © 2002 Red Hat, Inc. All rights reserved.

[***** End Red Hat Advisory: RHSA-2004:670-10 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Red Hat, Inc. for the
information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.
CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report incidents.
Your agency's team will coordinate with CIAC. The Forum of Incident Response
and Security Teams (FIRST) is a world-wide organization. A list of FIRST
member organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring
by the United States Government or the University of California. The views
and opinions of authors expressed herein do not necessarily state or reflect
those of the United States Government or the University of California, and
shall not be used for advertising or product endorsement purposes.