Bug 59883 (CVE-2004-0808)

Summary: VUL-0: CVE-2004-0808: Denial of Service Vulnerabilities in Samba 3.0.x
Product: [Novell Products] SUSE Security Incidents
Reporter: Lars Müller <lmuelle>
Component: Incidents
Assignee: Lars Müller <lmuelle>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Blocker
Priority: P3 - Medium
CC: aj, patch-request, security-team
Version: unspecified
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: CVE-2004-0808: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Bug Depends on:
Bug Blocks: 58773
Attachments: patch for the asn1 issue
             patch for nmbd

Description Lars Müller 2004-09-09 18:22:48 UTC
From: "Gerald (Jerry) Carter" <jerry@samba.org>
Subject: [Samba-pkg-sec] Denial of Service Vulnerabilities in Samba 3.0.x
To: samba-pkg-sec@samba.org
Cc:
Date: Wed, 08 Sep 2004 18:24:34 -0500


(we just sent this out to vendor-sec.  Still not public
information)

----------------------------------------------------------

Subject:        Samba 3.0.x Denial of Service Flaw

Summary:        (i) A DoS bug in smbd may allow an
                unauthenticated user to cause smbd to
                spawn new processes each one entering
                an infinite loop.  After sending a sufficient
                amount of packets it is possible to exhaust
                the memory resources on the server.

                (ii) A DoS bug in nmbd may allow an attacker
                to remotely crash the nmbd daemon.

Affected
Versions:       Defect (i) affects Samba 3.0.x prior to and
                including v3.0.6.

                Defect (ii) affects Samba 3.0.x prior to
                and including v3.0.6.


Description
-----------

A defect in smbd's ASN.1 parsing allows an attacker to send
a specially crafted packet during the authentication request
which will send the newly spawned smbd process into an infinite
loop.  Given enough of these packets, it is possible to exhaust
the available memory on the server.

A defect in nmbd's process of mailslot packets can allow
an attacker to anonymously crash nmbd.


Release Plans
-------------

Separate patches for v3.0.5 and v3.0.6 to address both
bugs will be made available shortly.  Plans are to release
Samba 3.0.7 at 6am (GMT-6) on Monday, September 13 along
with a separate security announcement.

Due to some other fairly visible bugs in Samba 3.0.6, we have
decided that releasing 3.0.6 + security fixes as 3.0.7
would not be very useful to Samba administrators.  Therefore,
Samba 3.0.7 will include the security fixes plus any essential
fixes for Samba 3.0.6.  The security announcement will include
a link to security patches for Samba 3.0.5 for those sites
that have not yet upgraded to the latest release.


Credits
--------

Both security issues were reported to Samba developers by
iDEFENSE (http://www.idefense.com/).  The defect discovery
was anonymously reported to iDEFENSE via their Vulnerability
Contributor Program (http://www.idefense.com/poi/teams/vcp.jsp).


--
Our Code, Our Bugs, Our Responsibility.


                                -- The Samba Team
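The advisory above names only the class of defect in smbd: an ASN.1 parsing loop that a crafted packet can keep from advancing. As an added illustration that is not Samba code, here is a DER tag/length walker written so that every iteration either consumes bytes or returns an error; the function names and sample buffers are constructed.

```c
/* Added illustration, not Samba code: a DER tag/length walker that cannot be
 * kept looping by malformed input. Function names and samples are constructed. */
#include <stddef.h>
#include <stdint.h>

/* Decode one DER tag and length at buf[*pos]; 0 on success, -1 on error. */
static int der_read_header(const uint8_t *buf, size_t len, size_t *pos,
                           uint8_t *tag, size_t *vlen)
{
    size_t p = *pos;
    if (len - p < 2) return -1;             /* need tag and first length byte */
    *tag = buf[p++];
    uint8_t b = buf[p++];
    if (b < 0x80) {
        *vlen = b;                          /* short form */
    } else {
        size_t n = b & 0x7f;                /* long form: n length bytes */
        /* reject indefinite length (0x80), oversized and truncated lengths */
        if (n == 0 || n > sizeof(size_t) || n > len - p) return -1;
        size_t v = 0;
        for (size_t i = 0; i < n; i++) v = (v << 8) | buf[p++];
        *vlen = v;
    }
    if (*vlen > len - p) return -1;         /* value runs past the buffer */
    *pos = p;
    return 0;
}

/* Count top-level elements; returns the count or -1 for malformed data.
 * Each iteration consumes at least two bytes or exits, so it terminates. */
int der_count_elements(const uint8_t *buf, size_t len)
{
    size_t pos = 0;
    int count = 0;
    while (pos < len) {
        uint8_t tag; size_t vlen; size_t before = pos;
        if (der_read_header(buf, len, &pos, &tag, &vlen) != 0) return -1;
        pos += vlen;
        if (pos <= before) return -1;       /* belt and braces: must advance */
        count++;
    }
    return count;
}

/* Constructed samples: INTEGER 5 + empty OCTET STRING; indefinite length;
 * OCTET STRING claiming 5 bytes but carrying 1. */
const uint8_t der_two_elements[] = { 0x02, 0x01, 0x05, 0x04, 0x00 };
const uint8_t der_indefinite[]   = { 0x30, 0x80 };
const uint8_t der_truncated[]    = { 0x04, 0x05, 0x01 };
```

The two malformed samples are the kind of input a non-advancing loop would spin on; here they return -1 immediately.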
Comment 1 Lars Müller 2004-09-09 18:27:21 UTC
This bug blocks the current Samba fixes.

I'll have patches till the end of the week and prepare patches and new patchinfo
files.

As this bug will go public on Monday, 2004-09-13, 6am (GMT-6) we should create a
timetable for how to proceed with this bug.
Comment 2 Harald Mueller-Ney 2004-09-09 18:29:16 UTC
These bugs only hit Samba3? So I would reject only the patches for:

9.1 and SLES9, but we will release all updates together??
Comment 3 Lars Müller 2004-09-09 18:35:05 UTC
Andreas: This is also important for 9.2 as we have to update Samba to version
3.0.7 as announced already some days before.

As soon as this bug is fixed for SLES I'll move it to SL 9.2.
Comment 4 Lars Müller 2004-09-09 18:40:42 UTC
At comment #2: This is only Samba 3.  Therefore we could still work on the Samba
2 updates as already available for SLES 8. 
Comment 5 Andreas Jaeger 2004-09-09 20:47:52 UTC
Ok, do an update for 9.2.
Comment 6 Lars Müller 2004-09-11 02:05:28 UTC
My bug and I'm working on the patches ...
Comment 7 Lars Müller 2004-09-11 02:06:37 UTC
More details:

Patches for SLES 9/ 9.1 will be integrated soon.

3.0.7 will be in STABLE Monday, 2004-09-13.
Comment 8 Lars Müller 2004-09-11 23:57:07 UTC
CAN-2004-0807 for the smbd DoS
CAN-2004-0808 for the nmbd DoS
Comment 9 Lars Müller 2004-09-12 04:36:05 UTC
Package update done for SLES 9/ 9.1.  Patchinfo files for both products written
and submitted.

Still have to update stable to 3.0.7.
Comment 10 Thomas Biege 2004-09-13 15:23:33 UTC
Great! :) 
Comment 11 Sebastian Krahmer 2004-09-13 17:52:08 UTC
Unfortunately there came a new issue on vendor-sec last weekend:

Date: Fri, 10 Sep 2004 12:31:08 -0500
From: "Gerald (Jerry) Carter" <jerry@samba.org>
To: vendor-sec@lst.de
Cc: security@samba.org, vendor-disclosure@idefense.com
Subject: [vendor-sec] Update on Samba 3.0.x DoS issues (CAN-2004-0807 & CAN-2004-0808)
----------------------------------------


Folks,

Sorry for the confusion.  I had two confirmations yesterday that
the smbd patch for CAN-2004-0807 was incorrect.  However, both
cases were actually problems with the test cases and not the fix.

So as it stands right now, the original patches for nmbd and
smbd are *correct*.  I'm reattaching them here to avoid confusion.

We will still do the public release of Samba 3.0.7 and
the security announcement on Monday, Sept 13, but I need to
push the time from 6am to 7am (GMT-6).

Thanks for everyone's help and again, my apologies for the
confusion yesterday.
Comment 12 Sebastian Krahmer 2004-09-13 17:56:08 UTC
Created attachment 23351 [details]
patch for the asn1 issue

...
Comment 13 Sebastian Krahmer 2004-09-13 17:56:39 UTC
Created attachment 23352 [details]
patch for nmbd

...
Comment 14 Lars Müller 2004-09-13 18:14:50 UTC
Those are the patches we already have in the SLES 9/ 9.1 tree.  I've checked it.
No changes as Jerry wrote.  Just some extra confusion.
Comment 15 Sebastian Krahmer 2004-09-13 18:19:11 UTC
Ah, ok. So we don't need to trigger any action again.
Excellent.
Thanks.
Comment 16 Marcus Meissner 2004-09-13 22:57:36 UTC
packages have been approved.
Comment 17 Lars Müller 2004-09-13 23:17:00 UTC
And 3.0.7 is on the way to stable.
Comment 18 Thomas Biege 2009-10-13 19:49:46 UTC
CVE-2004-0808: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)