Bug 10926 - samba - Denial of service - CPU loop and memory allocation (CVE-2013-4124)
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: All Linux
Priority: Normal Severity: major
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/562281/
Whiteboard: MGA2TOO has_procedure mga3-32-ok mga3...
Keywords: validated_update
Reported: 2013-08-05 16:26 CEST by Oden Eriksson
Modified: 2013-08-11 14:48 CEST (History)

See Also:
Source RPM: samba
CVE:



Description Oden Eriksson 2013-08-05 16:26:36 CEST
https://www.samba.org/samba/security/CVE-2013-4124

"
CVE-2013-4124.html:

===========================================================
== Subject:     Denial of service - CPU loop and memory allocation.
==
== CVE ID#:     CVE-2013-4124
==
== Versions:    Samba 3.0.x - 4.0.7 (inclusive)
==
== Summary:     Samba 3.0.x to 4.0.7 are affected by a
==              denial of service attack on authenticated
==              or guest connections.
==
===========================================================

===========
Description
===========

All current released versions of Samba are vulnerable to a denial of
service on an authenticated or guest connection. A malformed packet
can cause the smbd server to loop the CPU performing memory
allocations and preventing any further service.

A connection to a file share, or a local account is needed to exploit
this problem, either authenticated or unauthenticated if guest
connections are allowed.

This flaw is not exploitable beyond causing the code to loop
allocating memory, which may cause the machine to exceed memory
limits.

==================
Patch Availability
==================

A patch addressing this defect has been posted to

  http://www.samba.org/samba/security/

Additionally, Samba 3.5.22, 3.6.17 and 4.0.8 have been issued as
security releases to correct the defect.  Patches against older Samba
versions are available at http://samba.org/samba/patches/. Samba
vendors and administrators running affected versions are advised to
upgrade or apply the patch as soon as possible.

==========
Workaround
==========

None.

=======
Credits
=======

This problem was found by an internal audit of the Samba code by
Jeremy Allison of Google.

"
Comment 1 Oden Eriksson 2013-08-05 16:27:27 CEST
Packages for mga2/mga3 have been patched and submitted. 3.6.17 was submitted to cauldron.
Comment 2 Oden Eriksson 2013-08-05 17:16:58 CEST
======================================================
Name: CVE-2013-4124
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4124
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130612
Category: 
Reference: CONFIRM:http://ftp.samba.org/pub/samba/patches/security/samba-4.0.7-CVE-2013-4124.patch
Reference: CONFIRM:http://www.samba.org/samba/history/samba-3.5.22.html
Reference: CONFIRM:http://www.samba.org/samba/history/samba-3.6.17.html
Reference: CONFIRM:http://www.samba.org/samba/history/samba-4.0.8.html
Reference: CONFIRM:http://www.samba.org/samba/security/CVE-2013-4124
Reference: CONFIRM:https://bugzilla.redhat.com/show_bug.cgi?id=984401

Integer overflow in the read_nttrans_ea_list function in nttrans.c in
smbd in Samba 3.x before 3.5.22, 3.6.x before 3.6.17, and 4.x before
4.0.8 allows remote attackers to cause a denial of service (memory
consumption) via a malformed packet.
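As an added illustration of the check this bug class needs (my own C, not Samba's code and not the CVE-2013-4124 patch): a bounds-checked walk over a NextEntryOffset-chained EA list in the FILE_FULL_EA_INFORMATION layout, which rejects an entry that runs past the buffer or a next offset that fails to advance, and compares against the space remaining so the offset arithmetic can never wrap. It generalises beyond the one function named in the CVE to any chained-offset list; the sample lists are constructed.

```c
#include <stdint.h>
#include <stddef.h>
/* One entry of a NextEntryOffset-chained EA list (FILE_FULL_EA_INFORMATION
 * layout): u32 next offset, u8 flags, u8 name length, u16 value length,
 * then the NUL-terminated name and the value. */
#define EA_HDR_LEN 8

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Walk the list, validating every step before trusting it. Returns the
 * entry count, or -1 if the list is malformed: a header or entry runs past
 * the buffer, or the next offset fails to advance past the current entry
 * (zero is the legitimate terminator). Every comparison is against the
 * space remaining, so the offset arithmetic can never wrap or spin. */
int validate_ea_list(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    int count = 0;
    for (;;) {
        if (len - off < EA_HDR_LEN)
            return -1;                          /* header truncated */
        uint32_t next = le32(buf + off);
        size_t entry_len = EA_HDR_LEN + buf[off + 5] + 1 +
            ((size_t)buf[off + 6] | ((size_t)buf[off + 7] << 8));
        if (entry_len > len - off)
            return -1;                          /* entry runs past buffer */
        count++;
        if (next == 0)
            return count;                       /* last entry */
        if (next < entry_len || next > len - off)
            return -1;                          /* would overlap, loop or wrap */
        off += next;                            /* safe: off + next <= len */
    }
}

/* Constructed sample lists (not captured traffic). */
static const uint8_t WELLFORMED[] = {
    12,0,0,0, 0, 1, 2,0, 'A',0, 'x','y',        /* entry 1, next = 12   */
    0,0,0,0,  0, 2, 0,0, 'B','C',0 };           /* entry 2, terminator  */
static const uint8_t NONADVANCING[] = {
    4,0,0,0,  0, 1, 2,0, 'A',0, 'x','y',        /* next = 4 < entry length */
    0,0,0,0,  0, 2, 0,0, 'B','C',0 };
static const uint8_t OVERSIZED[] = {
    0,0,0,0,  0, 200, 0,0, 'A',0 };             /* claims a 200-byte name */
int check_wellformed(void)   { return validate_ea_list(WELLFORMED, sizeof WELLFORMED); }
int check_nonadvancing(void) { return validate_ea_list(NONADVANCING, sizeof NONADVANCING); }
int check_oversized(void)    { return validate_ea_list(OVERSIZED, sizeof OVERSIZED); }
```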
Comment 3 David Walser 2013-08-05 19:25:32 CEST
Advisory:
========================

Updated samba packages fix security vulnerability:

Integer overflow in the read_nttrans_ea_list function in nttrans.c in
smbd in Samba 3.x before 3.5.22, 3.6.x before 3.6.17, and 4.x before
4.0.8 allows remote attackers to cause a denial of service (memory
consumption) via a malformed packet (CVE-2013-4124).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4124
http://www.samba.org/samba/security/CVE-2013-4124
========================

Updated packages in core/updates_testing:
========================
samba-server-3.6.5-2.3.mga2
samba-client-3.6.5-2.3.mga2
samba-common-3.6.5-2.3.mga2
samba-doc-3.6.5-2.3.mga2
samba-swat-3.6.5-2.3.mga2
samba-winbind-3.6.5-2.3.mga2
nss_wins-3.6.5-2.3.mga2
libsmbclient0-3.6.5-2.3.mga2
libsmbclient0-devel-3.6.5-2.3.mga2
libsmbclient0-static-devel-3.6.5-2.3.mga2
libnetapi0-3.6.5-2.3.mga2
libnetapi-devel-3.6.5-2.3.mga2
libsmbsharemodes0-3.6.5-2.3.mga2
libsmbsharemodes-devel-3.6.5-2.3.mga2
libwbclient0-3.6.5-2.3.mga2
libwbclient-devel-3.6.5-2.3.mga2
samba-virusfilter-clamav-3.6.5-2.3.mga2
samba-virusfilter-fsecure-3.6.5-2.3.mga2
samba-virusfilter-sophos-3.6.5-2.3.mga2
samba-domainjoin-gui-3.6.5-2.3.mga2
samba-server-3.6.15-1.1.mga3
samba-client-3.6.15-1.1.mga3
samba-common-3.6.15-1.1.mga3
samba-doc-3.6.15-1.1.mga3
samba-swat-3.6.15-1.1.mga3
samba-winbind-3.6.15-1.1.mga3
nss_wins-3.6.15-1.1.mga3
libsmbclient0-3.6.15-1.1.mga3
libsmbclient0-devel-3.6.15-1.1.mga3
libsmbclient0-static-devel-3.6.15-1.1.mga3
libnetapi0-3.6.15-1.1.mga3
libnetapi-devel-3.6.15-1.1.mga3
libsmbsharemodes0-3.6.15-1.1.mga3
libsmbsharemodes-devel-3.6.15-1.1.mga3
libwbclient0-3.6.15-1.1.mga3
libwbclient-devel-3.6.15-1.1.mga3
samba-virusfilter-clamav-3.6.15-1.1.mga3
samba-virusfilter-fsecure-3.6.15-1.1.mga3
samba-virusfilter-sophos-3.6.15-1.1.mga3
samba-domainjoin-gui-3.6.15-1.1.mga3

from SRPMS:
samba-3.6.5-2.3.mga2.src.rpm
samba-3.6.15-1.1.mga3.src.rpm
Comment 4 Dave Hodgins 2013-08-06 03:47:49 CEST
Advisory 10926.adv uploaded to svn.
Comment 5 David Walser 2013-08-06 20:11:57 CEST
Mandriva has issued an advisory for this today (August 6):
http://www.mandriva.com/en/support/security/advisories/mbs1/MDVSA-2013:207/
Comment 6 claire robinson 2013-08-08 21:23:39 CEST
PoC is still private: https://bugzilla.samba.org/show_bug.cgi?id=10010
Comment 7 claire robinson 2013-08-09 11:15:24 CEST
Testing mga3 32 & 64

Procedure: https://bugs.mageia.org/show_bug.cgi?id=8907#c2
Comment 8 claire robinson 2013-08-09 17:38:31 CEST
Testing complete mga3 32 & 64

Samba is always a pain to test for some reason. It's necessary to reboot between connecting one way and connecting the other or it gives an error, and MCC isn't much use for connecting to shares.

Samba and swat OK though, tested as far as mounting a share in each direction and reconfiguring each through swat.
Comment 9 Dave Hodgins 2013-08-11 02:37:30 CEST
Testing complete mga2 32 & 64. Used mcc, which created an fstab entry like
//x2v/homes /mnt/homes cifs credentials=/etc/samba/auth.x2v.dave,noauto 0 0

I'm surprised the password is kept in clear text, in the file, but at least
it's only readable by root.

Could someone from the sysadmin team push 10926.adv to updates.
Comment 10 Thomas Backlund 2013-08-11 14:48:15 CEST
Update pushed:
http://advisories.mageia.org/MGASA-2013-0246.html
