Debian DSA-1291-1 : samba - several vulnerabilities

critical Nessus Plugin ID 25228

Synopsis

The remote Debian host is missing a security-related update.

Description

Several issues have been identified in Samba, the SMB/CIFS file- and print-server implementation for GNU/Linux.

- CVE-2007-2444 When translating SIDs to/from names using Samba local list of user and group accounts, a logic error in the smbd daemon's internal security stack may result in a transition to the root user id rather than the non-root user. The user is then able to temporarily issue SMB/CIFS protocol operations as the root user. This window of opportunity may allow the attacker to establish addition means of gaining root access to the server.

- CVE-2007-2446 Various bugs in Samba's NDR parsing can allow a user to send specially crafted MS-RPC requests that will overwrite the heap space with user defined data.

- CVE-2007-2447 Unescaped user input parameters are passed as arguments to /bin/sh allowing for remote command execution.

Solution

Upgrade the samba package.

For the stable distribution (etch), these problems have been fixed in version 3.0.24-6etch1.

For the testing and unstable distributions (lenny and sid, respectively), these problems have been fixed in version 3.0.25-1.

See Also

https://security-tracker.debian.org/tracker/CVE-2007-2444

https://security-tracker.debian.org/tracker/CVE-2007-2446

https://security-tracker.debian.org/tracker/CVE-2007-2447

https://www.debian.org/security/2007/dsa-1291

Plugin Details

Severity: Critical

ID: 25228

File Name: debian_DSA-1291.nasl

Version: 1.19

Type: local

Agent: unix

Published: 5/16/2007

Updated: 1/4/2021

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.4

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 8.3

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:samba, cpe:/o:debian:debian_linux:4.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 5/15/2007

Exploitable With

CANVAS (CANVAS)

Core Impact

Metasploit (Samba "username map script" Command Execution)

Reference Information

CVE: CVE-2007-2444, CVE-2007-2446, CVE-2007-2447

BID: 23972, 23973, 23974

DSA: 1291