Executive Summary

Summary
Title: Sun Alert 267628 Security Vulnerability in Samba (SAMBA(7)) May Allow Unauthorized Changes to Access Control Lists (ACL)
Information
Name: SUN-267628
First vendor Publication: 2009-09-24
Vendor: Sun
Last vendor Modification: 2009-09-29
Severity (Vendor): N/A
Revision: N/A

Security-Database Scoring CVSS v3

Cvss vector: N/A
Overall CVSS Score: NA
Base Score: NA
Environmental Score: NA
Impact Sub Score: NA
Temporal Score: NA
Exploitability Sub Score: NA
 

Security-Database Scoring CVSS v2

Cvss vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)
Cvss Base Score: 5.8
Attack Range: Network
Cvss Impact Score: 4.9
Attack Complexity: Medium
Cvss Exploit Score: 8.6
Authentication: None Required

Detail

Product: Solaris 9 Operating System, Solaris 10 Operating System, OpenSolaris

An access control security vulnerability in the Samba (samba(7)) smbd(8) server daemon may allow a remote unprivileged user with write access to a file on a Samba server to make unauthorized changes to the file's Access Control List (ACL).

Additional information on this issue can be found in the following document:


State: Resolved
First released: 24-Sep-2009

Original Source

Url : http://blogs.sun.com/security/entry/sun_alert_267628_security_vulnerability

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-264 Permissions, Privileges, and Access Controls

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:10790
 
Oval ID: oval:org.mitre.oval:def:10790
Title: The acl_group_override function in smbd/posix_acls.c in smbd in Samba 3.0.x before 3.0.35, 3.1.x and 3.2.x before 3.2.13, and 3.3.x before 3.3.6, when dos filemode is enabled, allows remote attackers to modify access control lists for files via vectors related to read access to uninitialized memory.
Description: The acl_group_override function in smbd/posix_acls.c in smbd in Samba 3.0.x before 3.0.35, 3.1.x and 3.2.x before 3.2.13, and 3.3.x before 3.3.6, when dos filemode is enabled, allows remote attackers to modify access control lists for files via vectors related to read access to uninitialized memory.
Family: unix Class: vulnerability
Reference(s): CVE-2009-1888
Version: 5
Platform(s): Red Hat Enterprise Linux 4
CentOS Linux 4
Oracle Linux 4
Red Hat Enterprise Linux 5
CentOS Linux 5
Oracle Linux 5
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:13438
 
Oval ID: oval:org.mitre.oval:def:13438
Title: DSA-1823-1 samba -- several
Description: Several vulnerabilities have been discovered in Samba, a SMB/CIFS file, print, and login server. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2009-1886 The smbclient utility contains a format string vulnerability where commands dealing with file names treat user input as format strings to asprintf. CVE-2009-1888 In the smbd daemon, if a user is trying to modify an access control list and is denied permission, this deny may be overridden if the parameter "dos filemode" is set to "yes" in the smb.conf and the user already has write access to the file. The old stable distribution is not affected by these problems. For the stable distribution, these problems have been fixed in version 2:3.2.5-4lenny6. The unstable distribution, which is only affected by CVE-2009-1888, will be fixed soon. We recommend that you upgrade your samba package.
Family: unix Class: patch
Reference(s): DSA-1823-1
CVE-2009-1886
CVE-2009-1888
Version: 7
Platform(s): Debian GNU/Linux 5.0
Product(s): samba
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:13838
 
Oval ID: oval:org.mitre.oval:def:13838
Title: USN-839-1 -- samba vulnerabilities
Description: J. David Hester discovered that Samba incorrectly handled users that lack home directories when the automated [homes] share is enabled. An authenticated user could connect to that share name and gain access to the whole filesystem. Tim Prouty discovered that the smbd daemon in Samba incorrectly handled certain unexpected network replies. A remote attacker could send malicious replies to the server and cause smbd to use all available CPU, leading to a denial of service. Ronald Volgers discovered that the mount.cifs utility, when installed as a setuid program, would not verify user permissions before opening a credentials file. A local user could exploit this to use or read the contents of unauthorized credential files. Reinhard Nißl discovered that the smbclient utility contained format string vulnerabilities in its file name handling. Because of security features in Ubuntu, exploitation of this vulnerability is limited. If a user or automated system were tricked into processing a specially crafted file name, smbclient could be made to crash, possibly leading to a denial of service. This only affected Ubuntu 8.10. Jeremy Allison discovered that the smbd daemon in Samba incorrectly handled permissions to modify access control lists when dos filemode is enabled. A remote attacker could exploit this to modify access control lists. This only affected Ubuntu 8.10 and Ubuntu 9.04.
Family: unix Class: patch
Reference(s): USN-839-1
CVE-2009-2813
CVE-2009-2906
CVE-2009-2948
CVE-2009-1886
CVE-2009-1888
Version: 5
Platform(s): Ubuntu 8.04
Ubuntu 9.04
Ubuntu 6.06
Ubuntu 8.10
Product(s): samba
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:7292
 
Oval ID: oval:org.mitre.oval:def:7292
Title: smbd access control list remote modification vulnerability
Description: The acl_group_override function in smbd/posix_acls.c in smbd in Samba 3.0.x before 3.0.35, 3.1.x and 3.2.x before 3.2.13, and 3.3.x before 3.3.6, when dos filemode is enabled, allows remote attackers to modify access control lists for files via vectors related to read access to uninitialized memory.
Family: unix Class: vulnerability
Reference(s): CVE-2009-1888
Version: 5
Platform(s): VMWare ESX Server 4.0
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:8114
 
Oval ID: oval:org.mitre.oval:def:8114
Title: DSA-1823 samba -- several vulnerabilities
Description: Several vulnerabilities have been discovered in Samba, a SMB/CIFS file, print, and login server. The Common Vulnerabilities and Exposures project identifies the following problems: The smbclient utility contains a format string vulnerability where commands dealing with file names treat user input as format strings to asprintf. In the smbd daemon, if a user is trying to modify an access control list (ACL) and is denied permission, this deny may be overridden if the parameter "dos filemode" is set to "yes" in the smb.conf and the user already has write access to the file. The old stable distribution (etch) is not affected by these problems.
Family: unix Class: patch
Reference(s): DSA-1823
CVE-2009-1886
CVE-2009-1888
Version: 5
Platform(s): Debian GNU/Linux 5.0
Product(s): samba
Definition Synopsis:

CPE : Common Platform Enumeration

Type Description Count
Application 161
Os 4
Os 2

OpenVAS Exploits

Date Description
2011-08-09 Name : CentOS Update for samba CESA-2009:1529 centos4 i386
File : nvt/gb_CESA-2009_1529_samba_centos4_i386.nasl
2011-08-09 Name : CentOS Update for samba CESA-2009:1529 centos5 i386
File : nvt/gb_CESA-2009_1529_samba_centos5_i386.nasl
2009-12-10 Name : Mandriva Security Advisory MDVSA-2009:320 (samba)
File : nvt/mdksa_2009_320.nasl
2009-11-17 Name : RedHat Security Advisory RHSA-2009:1585
File : nvt/RHSA_2009_1585.nasl
2009-11-11 Name : RedHat Security Advisory RHSA-2009:1529
File : nvt/RHSA_2009_1529.nasl
2009-11-11 Name : CentOS Security Advisory CESA-2009:1529 (samba)
File : nvt/ovcesa2009_1529.nasl
2009-10-13 Name : SLES10: Security update for Samba
File : nvt/sles10_cifs-mount1.nasl
2009-10-11 Name : SLES11: Security update for Samba
File : nvt/sles11_cifs-mount.nasl
2009-10-06 Name : Ubuntu USN-839-1 (samba)
File : nvt/ubuntu_839_1.nasl
2009-08-17 Name : Mandrake Security Advisory MDVSA-2009:196 (samba)
File : nvt/mdksa_2009_196.nasl
2009-07-29 Name : SuSE Security Advisory SUSE-SA:2009:037 (dhcp-client)
File : nvt/suse_sa_2009_037.nasl
2009-06-30 Name : Debian Security Advisory DSA 1823-1 (samba)
File : nvt/deb_1823_1.nasl
2009-06-30 Name : Samba Format String Vulnerability
File : nvt/secpod_samba_sec_bypass_vuln.nasl
2009-06-30 Name : Ubuntu USN-792-1 (openssl)
File : nvt/ubuntu_792_1.nasl
0000-00-00 Name : Slackware Advisory SSA:2009-177-01 samba
File : nvt/esoft_slk_ssa_2009_177_01.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
55411 Samba smbd/posix_acls.c acl_group_override Function Remote Access Control Lis...

Nessus® Vulnerability Scanner

Date Description
2016-03-08 Name : The remote VMware ESX host is missing a security-related patch.
File : vmware_VMSA-2010-0006_remote.nasl - Type : ACT_GATHER_INFO
2013-07-12 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2009-1529.nasl - Type : ACT_GATHER_INFO
2013-01-24 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2009-1585.nasl - Type : ACT_GATHER_INFO
2012-08-01 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20091027_samba_on_SL3_x.nasl - Type : ACT_GATHER_INFO
2010-04-02 Name : The remote VMware ESX host is missing one or more security-related patches.
File : vmware_VMSA-2010-0006.nasl - Type : ACT_GATHER_INFO
2009-12-07 Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2009-320.nasl - Type : ACT_GATHER_INFO
2009-10-28 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2009-1529.nasl - Type : ACT_GATHER_INFO
2009-10-28 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2009-1529.nasl - Type : ACT_GATHER_INFO
2009-10-02 Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-839-1.nasl - Type : ACT_GATHER_INFO
2009-09-24 Name : The remote SuSE 11 host is missing one or more security updates.
File : suse_11_cifs-mount-090629.nasl - Type : ACT_GATHER_INFO
2009-09-24 Name : The remote SuSE 10 host is missing a security-related patch.
File : suse_cifs-mount-6343.nasl - Type : ACT_GATHER_INFO
2009-08-10 Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2009-196.nasl - Type : ACT_GATHER_INFO
2009-07-21 Name : The remote openSUSE host is missing a security update.
File : suse_11_0_cifs-mount-090624.nasl - Type : ACT_GATHER_INFO
2009-07-21 Name : The remote openSUSE host is missing a security update.
File : suse_11_1_cifs-mount-090624.nasl - Type : ACT_GATHER_INFO
2009-06-30 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-1823.nasl - Type : ACT_GATHER_INFO
2009-06-28 Name : The remote Slackware host is missing a security update.
File : Slackware_SSA_2009-177-01.nasl - Type : ACT_GATHER_INFO
2009-06-24 Name : The remote Samba server may be affected by a security bypass vulnerability.
File : samba_acl_security_bypass.nasl - Type : ACT_GATHER_INFO
2005-07-14 Name : The remote host is missing Sun Security Patch number 119757-43
File : solaris10_119757.nasl - Type : ACT_GATHER_INFO
2005-07-14 Name : The remote host is missing Sun Security Patch number 119758-43
File : solaris10_x86_119758.nasl - Type : ACT_GATHER_INFO
2004-07-12 Name : The remote host is missing Sun Security Patch number 114684-17
File : solaris9_114684.nasl - Type : ACT_GATHER_INFO
2004-07-12 Name : The remote host is missing Sun Security Patch number 114685-17
File : solaris9_x86_114685.nasl - Type : ACT_GATHER_INFO