Bug 10926

Summary: samba - Denial of service - CPU loop and memory allocation (CVE-2013-4124)
Product: Mageia Reporter: Oden Eriksson <oe>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: davidwhodgins, luigiwalser, mageia, sysadmin-bugs, tmb
Version: 3Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/562281/
Whiteboard: MGA2TOO has_procedure mga3-32-ok mga3-64-ok mga2-32-ok mga2-64-ok
Source RPM: samba CVE:
Status comment:

Description Oden Eriksson 2013-08-05 16:26:36 CEST 
https://www.samba.org/samba/security/CVE-2013-4124

"
CVE-2013-4124.html:

===========================================================
== Subject:     Denial of service - CPU loop and memory allocation.
==
== CVE ID#:     CVE-2013-4124
==
== Versions:    Samba 3.0.x - 4.0.7 (inclusive)
==
== Summary:     Samba 3.0.x to 4.0.7 are affected by a
==              denial of service attack on authenticated
==		or guest connections.
==
===========================================================

===========
Description
===========

All current released versions of Samba are vulnerable to a denial of
service on an authenticated or guest connection. A malformed packet
can cause the smbd server to loop the CPU performing memory
allocations and preventing any further service.

A connection to a file share, or a local account is needed to exploit
this problem, either authenticated or unauthenticated if guest
connections are allowed.

This flaw is not exploitable beyond causing the code to loop
allocating memory, which may cause the machine to exceed memory
limits.

==================
Patch Availability
==================

A patch addressing this defect has been posted to

  http://www.samba.org/samba/security/

Additionally, Samba 3.5.22, 3.6.17 and 4.0.8 have been issued as
security releases to correct the defect.  Patches against older Samba
versions are available at http://samba.org/samba/patches/. Samba
vendors and administrators running affected versions are advised to
upgrade or apply the patch as soon as possible.

==========
Workaround
==========

None.

=======
Credits
=======

This problem was found by an internal audit of the Samba code by
Jeremy Allison of Google.

"
Comment 1 Oden Eriksson 2013-08-05 16:27:27 CEST 
packages for mga2/mga3 has been patched and submitted. 3.6.17 was submitted to cauldron.
Comment 2 Oden Eriksson 2013-08-05 17:16:58 CEST 
======================================================
Name: CVE-2013-4124
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4124
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130612
Category: 
Reference: CONFIRM:http://ftp.samba.org/pub/samba/patches/security/samba-4.0.7-CVE-2013-4124.patch
Reference: CONFIRM:http://www.samba.org/samba/history/samba-3.5.22.html
Reference: CONFIRM:http://www.samba.org/samba/history/samba-3.6.17.html
Reference: CONFIRM:http://www.samba.org/samba/history/samba-4.0.8.html
Reference: CONFIRM:http://www.samba.org/samba/security/CVE-2013-4124
Reference: CONFIRM:https://bugzilla.redhat.com/show_bug.cgi?id=984401

Integer overflow in the read_nttrans_ea_list function in nttrans.c in
smbd in Samba 3.x before 3.5.22, 3.6.x before 3.6.17, and 4.x before
4.0.8 allows remote attackers to cause a denial of service (memory
consumption) via a malformed packet.
Sander Lepik 2013-08-05 17:35:12 CEST

CC: (none) => mageia
Hardware: i586 => All
Version: 2 => 3
Whiteboard: (none) => MGA2TOO

Comment 3 David Walser 2013-08-05 19:25:32 CEST 
Advisory:
========================

Updated samba packages fix security vulnerability:

Integer overflow in the read_nttrans_ea_list function in nttrans.c in
smbd in Samba 3.x before 3.5.22, 3.6.x before 3.6.17, and 4.x before
4.0.8 allows remote attackers to cause a denial of service (memory
consumption) via a malformed packet (CVE-2013-4124).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4124
http://www.samba.org/samba/security/CVE-2013-4124
========================

Updated packages in core/updates_testing:
========================
samba-server-3.6.5-2.3.mga2
samba-client-3.6.5-2.3.mga2
samba-common-3.6.5-2.3.mga2
samba-doc-3.6.5-2.3.mga2
samba-swat-3.6.5-2.3.mga2
samba-winbind-3.6.5-2.3.mga2
nss_wins-3.6.5-2.3.mga2
libsmbclient0-3.6.5-2.3.mga2
libsmbclient0-devel-3.6.5-2.3.mga2
libsmbclient0-static-devel-3.6.5-2.3.mga2
libnetapi0-3.6.5-2.3.mga2
libnetapi-devel-3.6.5-2.3.mga2
libsmbsharemodes0-3.6.5-2.3.mga2
libsmbsharemodes-devel-3.6.5-2.3.mga2
libwbclient0-3.6.5-2.3.mga2
libwbclient-devel-3.6.5-2.3.mga2
samba-virusfilter-clamav-3.6.5-2.3.mga2
samba-virusfilter-fsecure-3.6.5-2.3.mga2
samba-virusfilter-sophos-3.6.5-2.3.mga2
samba-domainjoin-gui-3.6.5-2.3.mga2
samba-server-3.6.15-1.1.mga3
samba-client-3.6.15-1.1.mga3
samba-common-3.6.15-1.1.mga3
samba-doc-3.6.15-1.1.mga3
samba-swat-3.6.15-1.1.mga3
samba-winbind-3.6.15-1.1.mga3
nss_wins-3.6.15-1.1.mga3
libsmbclient0-3.6.15-1.1.mga3
libsmbclient0-devel-3.6.15-1.1.mga3
libsmbclient0-static-devel-3.6.15-1.1.mga3
libnetapi0-3.6.15-1.1.mga3
libnetapi-devel-3.6.15-1.1.mga3
libsmbsharemodes0-3.6.15-1.1.mga3
libsmbsharemodes-devel-3.6.15-1.1.mga3
libwbclient0-3.6.15-1.1.mga3
libwbclient-devel-3.6.15-1.1.mga3
samba-virusfilter-clamav-3.6.15-1.1.mga3
samba-virusfilter-fsecure-3.6.15-1.1.mga3
samba-virusfilter-sophos-3.6.15-1.1.mga3
samba-domainjoin-gui-3.6.15-1.1.mga3

from SRPMS:
samba-3.6.5-2.3.mga2.src.rpm
samba-3.6.15-1.1.mga3.src.rpm

CC: (none) => luigiwalser
Assignee: bugsquad => qa-bugs

David Walser 2013-08-05 19:25:46 CEST

Summary: CVE-2013-4124: samba - Denial of service - CPU loop and memory allocation. => samba - Denial of service - CPU loop and memory allocation (CVE-2013-4124)

Comment 4 Dave Hodgins 2013-08-06 03:47:49 CEST 
Advisory 10926.adv uploaded to svn.

CC: (none) => davidwhodgins

Comment 5 David Walser 2013-08-06 20:11:57 CEST 
Mandriva has issued an advisory for this today (August 6):
http://www.mandriva.com/en/support/security/advisories/mbs1/MDVSA-2013:207/

URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4124 => http://lwn.net/Vulnerabilities/562281/

David Walser 2013-08-08 19:18:23 CEST

Severity: normal => major

Comment 6 claire robinson 2013-08-08 21:23:39 CEST 
PoC is still private: https://bugzilla.samba.org/show_bug.cgi?id=10010
claire robinson 2013-08-09 10:59:29 CEST

Source RPM: (none) => samba

Comment 7 claire robinson 2013-08-09 11:15:24 CEST 
Testing mga3 32 & 64

Procedure: https://bugs.mageia.org/show_bug.cgi?id=8907#c2

Whiteboard: MGA2TOO => MGA2TOO has_procedure

Comment 8 claire robinson 2013-08-09 17:38:31 CEST 
Testing complete mga3 32 & 64

Samba is always a pain to test for some reason. It's necessary to reboot between connecting one way and connecting the other or it gives an error and MCC isn't much use to connected to shares.

Samba and swat OK though, tested as far as mounting a share in each direction and reconfiguring each through swat.

Whiteboard: MGA2TOO has_procedure => MGA2TOO has_procedure mga3-32-ok mga3-64-ok

Comment 9 Dave Hodgins 2013-08-11 02:37:30 CEST 
Testing complete mga2 32 & 64. Used mcc, which created an fstab entry like
//x2v/homes /mnt/homes cifs credentials=/etc/samba/auth.x2v.dave,noauto 0 0

I'm surprised the password is kept in clear text, in the file, but at least
it's only readable by root.

Could someone from the sysadmin team push 10926.adv to updates.

Keywords: (none) => validated_update
Whiteboard: MGA2TOO has_procedure mga3-32-ok mga3-64-ok => MGA2TOO has_procedure mga3-32-ok mga3-64-ok mga2-32-ok mga2-64-ok
CC: (none) => sysadmin-bugs

Comment 10 Thomas Backlund 2013-08-11 14:48:15 CEST 
Update pushed:
http://advisories.mageia.org/MGASA-2013-0246.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED