CVE-2004-0807
CVSS 5.0
Published: 2004-09-13 00:00:00
Last revised: 2016-10-17 22:49:10

[Original] Samba 3.0.6 and earlier allows remote attackers to cause a denial of service (infinite loop and memory exhaustion) via certain malformed requests that cause new processes to be spawned and enter an infinite loop.


[CNNVD] Samba Multiple ASN.1 and MailSlot Parsing Module Remote Denial of Service Vulnerabilities (CNNVD-200409-027)

        
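        Samba is a suite of programs that implements the SMB (Server Messages Block) protocol to provide cross-platform file sharing and print sharing services.
        smbd does not correctly handle several kinds of malformed requests; a remote attacker can exploit this vulnerability to make the service consume large amounts of resources, resulting in a denial of service.
        An unauthenticated attacker can send malformed requests; each request spawns a new process, and each new process enters an infinite loop, which can crash the service. The attack needs only a small amount of bandwidth: each request is only 358 bytes, and more than 4000 requests can crash a RedHat Fedora Core 1 machine with 512M RAM and 512 SWAP.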
        

- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/o:conectiva:linux:10.0  Conectiva Linux 10.0
cpe:/a:sgi:samba:3.0::irix
cpe:/o:suse:suse_linux:9.0::x86_64
cpe:/a:samba:samba:3.0.4  Samba 3.0.4
cpe:/a:samba:samba:3.0.3  Samba 3.0.3
cpe:/a:samba:samba:3.0.2  Samba 3.0.2
cpe:/a:samba:samba:3.0.1  Samba 3.0.1
cpe:/a:samba:samba:3.0.0  Samba 3.0.0
cpe:/a:sgi:samba:3.0.4::irix
cpe:/a:sgi:samba:3.0.3::irix
cpe:/a:sgi:samba:3.0.2::irix
cpe:/a:sgi:samba:3.0.1::irix
cpe:/o:conectiva:linux:9.0  Conectiva Linux 9.0
cpe:/o:mandrakesoft:mandrake_linux:10.0::amd64
cpe:/a:samba:samba:3.0.6  Samba 3.0.6
cpe:/a:samba:samba:3.0.5  Samba 3.0.5
cpe:/a:samba:samba:3.0.4:rc1  Samba 3.0.4 release candidate 1
cpe:/o:suse:suse_linux:8.1  SuSE SuSE Linux 8.1
cpe:/o:suse:suse_linux:9.0  SuSE SuSE Linux 9.0
cpe:/a:samba:samba:3.0.2a  Samba 3.0.2a
cpe:/a:sgi:samba:3.0.6::irix
cpe:/a:sgi:samba:3.0.5::irix
cpe:/o:suse:suse_linux:8::enterprise_server
cpe:/o:suse:suse_linux:9.0::enterprise_server
cpe:/o:mandrakesoft:mandrake_linux:10.0  MandrakeSoft Mandrake Linux 10.0
cpe:/o:suse:suse_linux:8.2  SuSE SuSE Linux 8.2
cpe:/o:suse:suse_linux:9.1  SuSE SuSE Linux 9.1

- OVAL (technical details for detection)

oval:org.mitre.oval:def:11141  Samba 3.0.6 and earlier allows remote attackers to cause a denial of service (infinite loop and memory exhaustion) via certain malformed req...
*OVAL describes in detail how to detect this vulnerability; more technical details on detecting it can be found in the relevant OVAL definition.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0807
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0807
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200409-027
(official data source) CNNVD

- Other links and resources

http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000873
(VENDOR_ADVISORY)  CONECTIVA  CLA-2004:873
http://marc.info/?l=bugtraq&m=109509335230495&w=2
(UNKNOWN)  BUGTRAQ  20040913 Samba 3.0 DoS Vulberabilities (CAN-2004-0807 & CAN-2004-0808)
http://marc.info/?l=bugtraq&m=109526231623307&w=2
(UNKNOWN)  BUGTRAQ  20040915 [OpenPKG-SA-2004.040] OpenPKG Security Advisory (samba)
http://www.gentoo.org/security/en/glsa/glsa-200409-16.xml
(VENDOR_ADVISORY)  GENTOO  GLSA-200409-16
http://www.idefense.com/application/poi/display?id=139&type=vulnerabilities
(VENDOR_ADVISORY)  IDEFENSE  20040913 Samba 3.x SMBD Remote Denial of Service Vulnerability
http://www.redhat.com/support/errata/RHSA-2004-467.html
(VENDOR_ADVISORY)  REDHAT  RHSA-2004:467
http://www.trustix.net/errata/2004/0046/
(VENDOR_ADVISORY)  TRUSTIX  2004-0046

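- Vulnerability information

Samba Multiple ASN.1 and MailSlot Parsing Module Remote Denial of Service Vulnerabilities
Medium severity  Design error
2004-09-13 00:00:00 2005-10-20 00:00:00
Remote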
        
        

- Advisories and patches

        Vendor patches:
        MandrakeSoft
        ------------
        MandrakeSoft has released a security advisory (MDKSA-2004:092) and corresponding patches for this issue:
        MDKSA-2004:092: Updated samba packages fix multiple vulnerabilities
        Link:
        http://www.linux-mandrake.com/en/security/2004/2004-092.php

        Patch download:
        Updated Packages:
        Mandrakelinux 10.0:
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/10.0/RPMS/libsmbclient0-3.0.6-4.1.100mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/10.0/RPMS/libsmbclient0-devel-3.0.6-4.1.100mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/10.0/RPMS/libsmbclient0-static-devel-3.0.6-4.1.100mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/10.0/RPMS/nss_wins-3.0.6-4.1.100mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/10.0/RPMS/samba-client-3.0.6-4.1.100mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/10.0/RPMS/samba-common-3.0.6-4.1.100mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/10.0/RPMS/samba-doc-3.0.6-4.1.100mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/10.0/RPMS/samba-passdb-mysql-3.0.6-4.1.100mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/10.0/RPMS/samba-passdb-pgsql-3.0.6-4.1.100mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/10.0/RPMS/samba-passdb-xml-3.0.6-4.1.100mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/10.0/RPMS/samba-server-3.0.6-4.1.100mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/10.0/RPMS/samba-swat-3.0.6-4.1.100mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/10.0/RPMS/samba-winbind-3.0.6-4.1.100mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/10.0/SRPMS/samba-3.0.6-4.1.100mdk.src.rpm
        Mandrakelinux 10.0/AMD64:
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/amd64/10.0/RPMS/lib64smbclient0-3.0.6-4.1.100mdk.amd64.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/amd64/10.0/RPMS/lib64smbclient0-devel-3.0.6-4.1.100mdk.amd64.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/amd64/10.0/RPMS/lib64smbclient0-static-devel-3.0.6-4.1.100mdk.amd64.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/amd64/10.0/RPMS/nss_wins-3.0.6-4.1.100mdk.amd64.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/amd64/10.0/RPMS/samba-client-3.0.6-4.1.100mdk.amd64.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/amd64/10.0/RPMS/samba-common-3.0.6-4.1.100mdk.amd64.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/amd64/10.0/RPMS/samba-doc-3.0.6-4.1.100mdk.amd64.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/amd64/10.0/RPMS/samba-passdb-mysql-3.0.6-4.1.100mdk.amd64.rpm
        The updated packages above can also be downloaded from any of the mirror FTP servers listed at the following address:
        
        http://www.mandrakesecure.net/en/ftp.php

        Samba
        -----
        The vendor has released an upgrade patch that fixes this security issue; download it from the vendor's home page:
        Samba Patch patch-3.0.5-3.0.6.diffs.gz
        
        http://us4.samba.org/samba/ftp/patches/security/patch-3.0.5-3.0.6.diffs.gz

- Vulnerability information (F34334)

samba30x.txt (PacketStormID:F34334)
2004-09-13 00:00:00
 
advisory,denial of service
CVE-2004-0807,CVE-2004-0808

Samba 3.0.x is susceptible to multiple denial of service bugs that can remotely crash the daemons nmbd and smbd.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Subject:	Samba 3.0.x Denial of Service Flaw

Summary:	(i) A DoS bug in smbd may allow an
		unauthenticated user to cause smbd to
		spawn new processes each one entering
		an infinite loop.  After sending a sufficient
		amount of packets it is possible to exhaust
		the memory resources on the server.

		(ii) A DoS bug in nmbd may allow an attacker
		to remotely crash the nmbd daemon.

Affected
Versions:	Defect (i) affects Samba 3.0.x prior to and
		including v3.0.6.

		Defect (ii) affects Samba 3.0.x prior to
		and including v3.0.6.

Patch
Availability:	The patch file for Samba 3.0.5 addressing both
		bugs (samba-3.0.5-DoS.patch) can be downloaded
		from
		http://download.samba.org/samba/ftp/patches/security/


Description
- -----------

CAN-2004-0807: A defect in smbd's ASN.1 parsing allows an
attacker to send a specially crafted packet during the
authentication request which will send the newly spawned
smbd process into an infinite loop.  Given enough of these
packets, it is possible to exhaust the available memory
on the server.

CAN-2004-0808: A defect in nmbd's process of mailslot packets
can allow an attacker to anonymously crash nmbd.


Protecting Unpatched Servers
- ----------------------------

The Samba Team always encourages users to run the latest stable
release as a defense against attacks.  However, under certain
circumstances it may not be possible to immediately upgrade
important installations.  In such cases, administrators should
read the "Server Security" documentation found at
http://www.samba.org/samba/docs/server_security.html.


Credits
- --------

Both security issues were reported to Samba developers by
iDEFENSE (http://www.idefense.com/).  The defect discovery
was anonymously reported to iDEFENSE via their Vulnerability
Contributor Program (http://www.idefense.com/poi/teams/vcp.jsp).


- --
Our Code, Our Bugs, Our Responsibility.


				-- The Samba Team


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFBRYrsIR7qMdg1EfYRAs0vAKDWgtClvlXUp0K8vcXCpBX4Rxs8/QCeLn42
a36LLoki3iL2l5veoMUAXso=
=LT1R
-----END PGP SIGNATURE-----
    

- Vulnerability information

9916
Samba ASN.1 Parsing Function Malformed Request DoS
Remote / Network Access Denial of Service
Loss of Availability
Exploit Unknown

- Vulnerability description

Samba contains a flaw that may allow a remote denial of service. The issue is triggered when an attacker sends specially crafted packets to the smbd daemon during the ASN.1 parsing routine causing many processes to spawn resulting in a loss of availability for the platform.

- Timeline

2004-09-13 2004-09-02
Unknown Unknown

- Solution

Upgrade to version 3.0.7 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related references

- Vulnerability author

- Vulnerability information

Samba Multiple ASN.1 and MailSlot Parsing Remote Denial Of Service Vulnerabilities
Design Error 11156
Yes No
2004-09-13 12:00:00 2009-07-12 07:06:00
The discovery of these issues is credited to an anonymous source.

- Affected software versions

SuSE SUSE Linux Enterprise Server 8
+ Linux kernel 2.4.21
+ Linux kernel 2.4.19
SGI samba_irix 3.0.7
SGI samba_irix 3.0.6
SGI samba_irix 3.0.5
SGI samba_irix 3.0.4
SGI samba_irix 3.0.3
SGI samba_irix 3.0.2
SGI samba_irix 3.0.1
SGI samba_irix 3.0
Samba Samba 3.0.6
+ Mandriva Linux Mandrake 10.0 AMD64
+ Mandriva Linux Mandrake 10.0
+ Turbolinux Appliance Server 1.0 Workgroup Edition
+ Turbolinux Appliance Server 1.0 Hosting Edition
+ Turbolinux Appliance Server Hosting Edition 1.0
+ Turbolinux Appliance Server Workgroup Edition 1.0
+ Turbolinux Home
+ Turbolinux Turbolinux Desktop 10.0
+ Turbolinux Turbolinux Server 10.0
+ Turbolinux Turbolinux Server 8.0
+ Turbolinux Turbolinux Workstation 8.0
Samba Samba 3.0.5
Samba Samba 3.0.4 -r1
Samba Samba 3.0.4
+ OpenPKG OpenPKG 2.1
+ S.u.S.E. Linux Personal 9.1
+ Slackware Linux 10.0
Samba Samba 3.0.3
Samba Samba 3.0.2 a
Samba Samba 3.0.2
Samba Samba 3.0.1
Samba Samba 3.0
+ Apple Mac OS X 10.3.2
+ Apple Mac OS X 10.3.1
+ Apple Mac OS X 10.3
+ Apple Mac OS X Server 10.3.2
+ Apple Mac OS X Server 10.3.1
+ Apple Mac OS X Server 10.3
S.u.S.E. Linux Personal 9.1
S.u.S.E. Linux Personal 9.0 x86_64
S.u.S.E. Linux Personal 9.0
S.u.S.E. Linux Personal 8.2
S.u.S.E. Linux Enterprise Server 9
S.u.S.E. Linux 8.1
Mandriva Linux Mandrake 10.0 AMD64
Mandriva Linux Mandrake 10.0
Conectiva Linux 10.0
Conectiva Linux 9.0

- Vulnerability discussion

Samba is reportedly affected by multiple remote denial of service vulnerabilities. These issues are due to a failure to properly parse ASN.1 and MailSlot packets.

An attacker may leverage these issues to cause the affected Samba server to become inaccessible, and to crash the NetBIOS name server, effectively denying service to legitimate users.

- Exploit

Although an exploit is known to exist, it is not currently in public circulation.

- Solution

SuSE has released advisory SUSE-SA:2004:034 mainly to address the vulnerability described in BID 11196. However, in the addendum of this advisory, it is reported that fixes for the issues described in this BID are now available on the SuSE update FTP server for download. Customers are advised to see the referenced advisory for further information regarding obtaining and applying appropriate updates.

Gentoo Linux has released advisory GLSA 200409-16 dealing with these issues. They have advised that all Samba 3.x users should upgrade to the latest version:
emerge sync
emerge -pv ">=net-fs/samba-3.0.7"
emerge ">=net-fs/samba-3.0.7"
For more information, please see the referenced Gentoo advisory.

Mandrakelinux has released advisory MDKSA-2004:092 along with fixes to address these issues. Please see the referenced advisory for further information.

Trustix Linux has released advisory TSL-2004-0046 along with fixes dealing with this issue. Please see the referenced advisory for more information.

OpenPKG has released an advisory (OpenPKG-SA-2004.040) dealing with this issue. Please see the referenced advisory for more information.

The vendor has released a patch that resolves these issues.

RedHat has released an advisory (RHSA-2004:467-04) to address these issues in Red Hat Enterprise Linux. Please see the advisory in Web references for more information.

Conectiva Linux has released advisory CLA-2004:873 along with fixes to address this issue. Please see the referenced advisory for further information.

SGI has released security advisory 20041201-01-P along with a patch dealing with this issue. It should be noted that the released patch only fixes samba_irix version 3.0.7. All users running the affected application, which is not installed by default, are advised to apply the patch.


Samba Samba 3.0.2 a

Samba Samba 3.0.4

Samba Samba 3.0.5

Samba Samba 3.0.6

SGI samba_irix 3.0.7

- Related references

 

 
