Multiple Security Vulnerabilities in samba(7) May Allow Remote Code Execution, Elevation of Privileges, Remote Shell Command Execution, or Denial of Service (DoS)

Category
Security

Release Phase
Resolved

Product
Solaris 9 Operating System
Solaris 10 Operating System
SAMBA

Bug Id
6557101, 6521788

Date of Workaround Release
14-JUN-2007

Date of Resolved Release
24-OCT-2007

Impact

Multiple security vulnerabilities in the Samba (samba(7)) software for Solaris may allow a local or remote user to issue unauthorized Samba operations or to execute arbitrary code or commands with elevated privileges. In addition, it may be possible for a remote authenticated user to cause the Samba service to consume excessive amounts of CPU and memory, resulting in a Denial of Service (DoS) to the system.

These issues are described in the following documents:

CVE-2007-2444 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2444

CVE-2007-2446 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2446

CVE-2007-2447 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2447

CVE-2007-0452 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0452

Contributing Factors

These issues can occur in the following releases:

SPARC Platform

Solaris 9 without patch 114684-08
Solaris 10 without patch 119757-05

x86 Platform

Solaris 9 without patch 114685-08
Solaris 10 without patch 119758-05

with the following versions of Samba software:

Samba 3.0.0 through 3.0.25rc3
Samba 3.0.23d through 3.0.25pre2
3.0.6 through 3.0.23d

Notes:

Solaris 8 does not include the Samba software and is therefore not affected by these issues.
These issues will only impact a system configured as a Samba server.

To determine if a system is configured as a Samba server, the following command can be run to check for processes related to Samba:

    % ps -ef | grep mbd
    root   317     1   0   May 26 ?           0:01 /usr/sfw/sbin/smbd -D
    root   325   317   0   May 26 ?           0:00 /usr/sfw/sbin/smbd -D
    root   314     1   0   May 26 ?           0:27 /usr/sfw/sbin/nmbd -D
    root 28369 17382   0 23:17:46 pts/2       0:00 grep mbd

If the output shows "smbd" or "nmbd" running as a daemon (with the -D parameter), the system is configured as a Samba server.

To determine the version of Samba installed on a system, the following command can be run:

    % /usr/sfw/sbin/smbd -V
    Version  3.0.4

Symptoms

There are no predictable symptoms that would indicate the described vulnerabilities have been exploited to elevate privileges or execute code or shell commands. If these issues have been exploited to cause a denial of service on the host, one or more Samba related processes will be running and will be consuming an unusually large percentage of CPU time or memory. In addition, the host itself may be generally unresponsive.

To determine the CPU usage of the processes running on the system, a command such as the following can be used, which will sort the running process by CPU consumption (in descending order):

    $ prstat -s cpu
    [...]

Memory usage on a system can be monitored with commands such as vmstat(1M).

Workaround

Until patches can be applied, sites which are affected may wish to stop the samba(7) service on affected hosts by running the following command:

    # /etc/init.d/samba stop

followed by checking that smbd(8) or nmbd(8) is not running :

    % ps -ef | grep mbd

Resolution

This issue is addressed in the following releases:

SPARC Platform

Solaris 9 with patch 114684-08 or later
Solaris 10 with patch 119757-05 or later

x86 Platform

Solaris 9 with patch 114685-08 or later
Solaris 10 with patch 119758-05 or later

Modification History
Date: 28-SEP-2007

Updated Synopsis, Impact, Contributing Factors, and Symptoms sections

Date: 11-OCT-2007

Updated Contributing Factors and Resolution sections

Date: 24-OCT-2007

Updated Contributing Factors and Resolution sections
State: Resolved

References

119757-05
119758-05
114684-08
114685-08

Attachments

This solution has no attachment