Note: The red stoplight on this page indicates the highest possible severity level for this category of vulnerabilities.
Every computer that uses the SMB protocol is assigned a NetBIOS name. This name identifies the computer on the network for the purpose of resolving SMB requests.
4/8/03
CAN 2003-0201
There is a buffer overflow condition in the call_trans2open function which could allow an anonymous remote attacker to execute arbitrary code with root privileges by sending data in excess of 1024 bytes. All versions of Samba up to and including Samba 2.2.8 are affected by this vulnerability.
3/18/03
CAN 2003-0085
A buffer overflow in the SMB/CIFS packet fragment re-assembly code could allow a remote attacker to overwrite arbitrary areas of memory, thus gaining the ability to execute commands with root privileges. Samba 2.0 through 2.2.7a are affected by this vulnerability.
11/22/02
CAN 2002-1318
A buffer overflow condition in the processing of encrypted password change requests could potentially allow a remote attacker to execute arbitrary commands on the system. In order to exploit this vulnerability, a client would send an encrypted password, which, when decrypted with the old hashed password, could overflow a buffer on the stack. Samba 2.2.2 through 2.2.6 are affected by this vulnerability. Although there is no known exploit for this vulnerability, it is still a serious problem which should be addressed.
7/3/01
CVE 2001-1162
A vulnerability affects older versions of Samba when configured to log error messages in a file whose name is determined by the NetBIOS name of the client. If this is the case, insufficient checking of the client's NetBIOS name by Samba could allow an attacker to change the path of the log file. In the worst-case scenario, this could lead to remote write access to arbitrary files, which could result in remote root access. In other scenarios, this could lead to privilege elevation by a local attacker, or the opportunity for a remote attacker to perform brute-force password guessing attacks without being logged.
Samba versions prior to 2.0.10 are affected by this vulnerability if the log file name includes the netbios name (represented by %m) in the configuration file. The Samba configuration file is usually located in /etc/smb.conf or /etc/samba/smb.conf. For example, if a Samba server prior to version 2.0.10 is installed, and the /etc/smb.conf file includes the following line:
log file = /var/log/samba/%m.log

then the server is vulnerable.
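As an added example (not part of this advisory page), the version ranges stated in the four entries above and the %m log-file condition for CVE 2001-1162 can be turned into a small audit script; the smb.conf fragment it carries is constructed for illustration:

```python
import re

# Constructed sample smb.conf fragment, not taken from the advisory.
SAMPLE_SMB_CONF = """
[global]
   workgroup = EXAMPLE
   log file = /var/log/samba/%m.log
   max log size = 50
"""

# Affected ranges exactly as the advisory text states them:
# (id, lowest affected, highest bound, bound is inclusive, needs %m in log file)
ADVISORIES = [
    ("CAN-2003-0201", None, "2.2.8", True, False),     # up to and including 2.2.8
    ("CAN-2003-0085", "2.0", "2.2.7a", True, False),   # 2.0 through 2.2.7a
    ("CAN-2002-1318", "2.2.2", "2.2.6", True, False),  # 2.2.2 through 2.2.6
    ("CVE-2001-1162", None, "2.0.10", False, True),    # prior to 2.0.10, only with %m
]

def parse_version(text):
    """Turn '2.2.7a' into a comparable tuple (2, 2, 7, 'a').  A missing
    patch level becomes -1 so that '2.0' sorts before '2.0.0'."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?([a-z]?)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Samba version: {text!r}")
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch) if patch else -1, suffix)

def log_file_uses_client_name(smb_conf):
    """True if any 'log file' directive embeds the client NetBIOS name (%m)."""
    for raw in smb_conf.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0]   # drop smb.conf comments
        key, _, value = line.partition("=")
        if key.strip().lower() == "log file" and "%m" in value:
            return True
    return False

def applicable_advisories(version, smb_conf=""):
    """Return the ids from this page that apply to the given Samba version
    (and, for CVE-2001-1162, to the given smb.conf contents)."""
    v = parse_version(version)
    hits = []
    for cve, low, high, inclusive, needs_client_name in ADVISORIES:
        if low is not None and v < parse_version(low):
            continue
        too_new = v > parse_version(high) if inclusive else v >= parse_version(high)
        if too_new or (needs_client_name and not log_file_uses_client_name(smb_conf)):
            continue
        hits.append(cve)
    return hits
```

Running `applicable_advisories("2.0.7", SAMPLE_SMB_CONF)` reports the two overflows that cover 2.0.x plus the logging issue, while the same version with a `log file` line that omits %m drops CVE-2001-1162 from the list.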
For more information on the SMB/CIFS packet re-assembly buffer overflow, see the Samba 2.2.8 Release Notes and CIAC Bulletin N-055.
For more information on the encrypted password buffer overflow, see the Samba 2.2.7 Release Notes and CIAC Bulletin N-019.
For more information on the logging vulnerability, see the announcement from Samba and the posting to Bugtraq.