Author: jerry
Date: 2007-11-16 14:21:54 +0000 (Fri, 16 Nov 2007)
New Revision: 1154
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba-web&rev=1154 Log: Swap CVE-2007-{4572,5398} Modified: trunk/security/CVE-2007-4572.html trunk/security/CVE-2007-5398.html Changeset: Modified: trunk/security/CVE-2007-4572.html =================================================================== --- trunk/security/CVE-2007-4572.html 2007-11-15 23:33:50 UTC (rev 1153) +++ trunk/security/CVE-2007-4572.html 2007-11-16 14:21:54 UTC (rev 1154) @@ -8,25 +8,25 @@ <body> - <H2>CVE-2007-5398 - Remote Code Execution in Samba's nmbd</H2> + <H2>CVE-2007-4572 - GETDC mailslot processing buffer overrun in nmbd</H2> + <p> <pre> ========================================================== == -== Subject: Remote code execution in Samba's WINS -== server daemon (nmbd) when processing name -== registration followed name query requests. +== Subject: Stack buffer overflow in nmbd's logon +== request processing. == -== CVE ID#: CVE-2007-5398 +== CVE ID#: CVE-2007-4572 == == Versions: Samba 3.0.0 - 3.0.26a (inclusive) == -== Summary: When nmbd has been configured as a WINS -== server, a client can send a series of name -== registration request followed by a specific -== name query request packet and execute -== arbitrary code. +== Summary: Processing of specially crafted GETDC +== mailslot requests can result in a buffer +== overrun in nmbd. It is not believed that +== that this issues can be exploited to +== result in remote code execution. == ========================================================== 
@@ -34,10 +34,11 @@ Description =========== -Secunia Research reported a vulnerability that allows for -the execution of arbitrary code in nmbd. This defect may -only be exploited when the "wins support" parameter has -been enabled in smb.conf. +Samba developers have discovered what is believed to be +a non-exploitable buffer over in nmbd during the processing +of GETDC logon server requests. This code is only used +when the Samba server is configured as a Primary or Backup +Domain Controller. ================== @@ -56,24 +57,26 @@ Workaround ========== -Samba administrators may avoid this security issue by -disabling the "wins support" feature in the hosts smb.conf -file. +Samba administrators may avoid this security issue by disabling +both the "domain logons" and the "domain master" options in in +the server's smb.conf file. Note that this will disable all +domain controller features as well. ======= Credits ======= -This vulnerability was reported to Samba developers by -Alin Rad Pop, Secunia Research. +This vulnerability was discovered by Samba developers during +an internal code audit. The time line is as follows: -* Oct 30, 2007: Initial report to [EMAIL PROTECTED] -* Oct 30, 2007: First response from Samba developers confirming - the bug along with a proposed patch. -* Nov 15, 2007: Public security advisory to be made available. +* Sep 13, 2007: Initial report to [EMAIL PROTECTED] including + proposed patch. +* Sep 14, 2007: Patch review by members of the Josh Bressers + (RedHat Security Team) and Simo Sorce (Samba/RedHat developer) +* Nov 15, 2007: Public security advisory made available. ========================================================== Modified: trunk/security/CVE-2007-5398.html =================================================================== --- trunk/security/CVE-2007-5398.html 2007-11-15 23:33:50 UTC (rev 1153) +++ trunk/security/CVE-2007-5398.html 2007-11-16 14:21:54 UTC (rev 1154) 
@@ -8,25 +8,25 @@ <body> - <H2>CVE-2007-4572 - GETDC mailslot processing buffer overrun in nmbd</H2> + <H2>CVE-2007-5398 - Remote Code Execution in Samba's nmbd</H2> - <p> <pre> ========================================================== == -== Subject: Stack buffer overflow in nmbd's logon -== request processing. +== Subject: Remote code execution in Samba's WINS +== server daemon (nmbd) when processing name +== registration followed name query requests. == -== CVE ID#: CVE-2007-4572 +== CVE ID#: CVE-2007-5398 == == Versions: Samba 3.0.0 - 3.0.26a (inclusive) == -== Summary: Processing of specially crafted GETDC -== mailslot requests can result in a buffer -== overrun in nmbd. It is not believed that -== that this issues can be exploited to -== result in remote code execution. +== Summary: When nmbd has been configured as a WINS +== server, a client can send a series of name +== registration request followed by a specific +== name query request packet and execute +== arbitrary code. == ========================================================== @@ -34,11 +34,10 @@ Description =========== -Samba developers have discovered what is believed to be -a non-exploitable buffer over in nmbd during the processing -of GETDC logon server requests. This code is only used -when the Samba server is configured as a Primary or Backup -Domain Controller. +Secunia Research reported a vulnerability that allows for +the execution of arbitrary code in nmbd. This defect may +only be exploited when the "wins support" parameter has +been enabled in smb.conf. ================== 
@@ -57,26 +56,24 @@ Workaround ========== -Samba administrators may avoid this security issue by disabling -both the "domain logons" and the "domain master" options in in -the server's smb.conf file. Note that this will disable all -domain controller features as well. +Samba administrators may avoid this security issue by +disabling the "wins support" feature in the hosts smb.conf +file. ======= Credits ======= -This vulnerability was discovered by Samba developers during -an internal code audit. +This vulnerability was reported to Samba developers by +Alin Rad Pop, Secunia Research. The time line is as follows: -* Sep 13, 2007: Initial report to [EMAIL PROTECTED] including - proposed patch. -* Sep 14, 2007: Patch review by members of the Josh Bressers - (RedHat Security Team) and Simo Sorce (Samba/RedHat developer) -* Nov 15, 2007: Public security advisory made available. +* Oct 30, 2007: Initial report to [EMAIL PROTECTED] +* Oct 30, 2007: First response from Samba developers confirming + the bug along with a proposed patch. +* Nov 15, 2007: Public security advisory to be made available. ==========================================================
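Review bot: In the first hunk of trunk/security/CVE-2007-4572.html (@@ -8,25 +8,25 @@), the added `+ <p>` line before `<pre>` has no matching `</p>`; the corresponding hunk in CVE-2007-5398.html removes that same stray `<p>`, so this commit only relocates the unclosed tag rather than fixing it. Either drop the `<p>` line here as well or close it after the `</pre>`. The swapped-in Summary also has a doubled word and a number mismatch: "It is not believed that that this issues can be exploited" should read "It is not believed that this issue can be exploited".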
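Review bot: In the Description hunk of CVE-2007-4572.html (@@ -34,10 +34,11 @@), "a non-exploitable buffer over in nmbd" is missing a word; the Summary in the same file calls it a buffer overrun, so this line should say "buffer overrun in nmbd" (or "buffer overflow", to match the Subject line "Stack buffer overflow in nmbd's logon request processing"). Pick one term and use it in the Subject, Summary and Description.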
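Review bot: In the Workaround/Credits hunk of CVE-2007-4572.html (@@ -56,24 +57,26 @@), "the "domain master" options in in the server's smb.conf file" has a duplicated "in", and the Credits line "Patch review by members of the Josh Bressers (RedHat Security Team) and Simo Sorce (Samba/RedHat developer)" has a leftover "members of the" that makes the sentence ungrammatical; "Patch review by Josh Bressers (RedHat Security Team) and Simo Sorce (Samba/RedHat developer)" reads correctly.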
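Review bot: In the first hunk of trunk/security/CVE-2007-5398.html (@@ -8,25 +8,25 @@), the Subject and Summary both drop the preposition: "name registration followed name query requests" and "a series of name registration request followed by a specific name query request" should be "name registration requests followed by a name query request" in both places, so that the two descriptions of the trigger agree. Removing the unclosed `- <p>` line here is correct; see the note on the CVE-2007-4572.html hunk, which reintroduces it.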
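Review bot: In the Workaround/Credits hunk of CVE-2007-5398.html (@@ -57,26 +56,24 @@), "the hosts smb.conf file" should be "the host's smb.conf file", and the final timeline entry "Nov 15, 2007: Public security advisory to be made available." is still in the future tense although this revision is dated Nov 16 and the matching CVE-2007-4572.html hunk already says "Public security advisory made available."; the two advisories should use the same wording.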
