Samba command injection vulnerability

Overview

Samba fails to properly filter input to /bin/sh. This vulnerability may allow a remote, authenticated attacker to execute arbitrary code on a Samba server.

Description

Samba provides file and print services for Microsoft Windows, Unix, Linux, and OS X clients. Samba can also act as a Primary Domain Controller (PDC) or as a Domain Member. Samba runs on most Unix-like systems.

Samba versions prior to 3.0.24 pass unchecked user input from RPC messages to /bin/sh when calling externals scripts that are listed in the Samba configuration file. An attacker may be able to exploit this vulnerability by sending specially crafted RPC messages to a vulnerable server.

This vulnerability occurred as a result of failing to comply with recommndation STR02-C of the CERT C Programming Language Secure Coding Standard.

---

Impact

A remote, unauthenticated attacker may be able to execute arbitrary commands.

---

Solution

Apply a patch or upgrade
These vulnerabilities are addressed in Samba version 3.0.25. In addition, patches are available to address this vulnerability in Samba version 3.0.24. Refer to the Samba Security Releases website for more information.

---

Do not load external shell scripts

From the CVE-2007-2447 entry on the Samba security page:

This defect may be alleviated by removing all defined external script invocations (username map script, add printer command, etc…) from smb.conf.

Restrict access

Limiting access to the Samba server to trusted hosts may mitigate this vulnerability.

---

Vendor Information

268336

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Apple Computer, Inc. Affected

Notified: May 14, 2007 Updated: July 30, 2007

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Debian GNU/Linux __ Affected

Notified: May 14, 2007 Updated: July 30, 2007

Status

Affected

Vendor Statement

These problems have been fixed in Debian GNU/Linux 4.0 with version 3.0.24-6etch1 via Debian Security Advisory 1291 as in

<<http://www.debian.org/security/2007/dsa-1291&gt;&gt;

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Gentoo Linux Affected

Notified: May 14, 2007 Updated: May 16, 2007

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Red Hat, Inc. __ Affected

Notified: May 14, 2007 Updated: May 15, 2007

Status

Affected

Vendor Statement

This issue affected the Samba package as shipped with Red Hat Enterprise Linux 2.1, 4, 4, and 5. Updated packages to correct this issue are available along with our advisories at the URLs below and via Red Hat Network.

<http://rhn.redhat.com/errata/RHSA-2007-0354.html&gt;

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Samba __ Affected

Updated: May 14, 2007

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

See <http://samba.org/samba/security/CVE-2007-2447.html&gt; for more details.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23268336 Feedback>).

Slackware Linux Inc. Affected

Notified: May 14, 2007 Updated: May 16, 2007

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Sun Microsystems, Inc. Affected

Notified: May 14, 2007 Updated: May 15, 2007

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Ubuntu __ Affected

Notified: May 14, 2007 Updated: May 16, 2007

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

See <http://www.ubuntu.com/usn/usn-460-1&gt; for more details.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23268336 Feedback>).

Novell, Inc. Not Affected

Notified: May 14, 2007 Updated: June 01, 2007

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Conectiva Inc. Unknown

Notified: May 14, 2007 Updated: May 14, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Cray Inc. Unknown

Notified: May 14, 2007 Updated: May 14, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

EMC, Inc. (formerly Data General Corporation) Unknown

Notified: May 14, 2007 Updated: May 14, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Engarde Secure Linux Unknown

Notified: May 14, 2007 Updated: May 14, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

F5 Networks, Inc. Unknown

Notified: May 14, 2007 Updated: May 14, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Fedora Project Unknown

Notified: May 14, 2007 Updated: May 14, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

FreeBSD, Inc. Unknown

Notified: May 14, 2007 Updated: May 14, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Fujitsu Unknown

Notified: May 14, 2007 Updated: May 14, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Hewlett-Packard Company Unknown

Notified: May 14, 2007 Updated: May 14, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Hitachi Unknown

Notified: May 14, 2007 Updated: May 14, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

IBM Corporation Unknown

Notified: May 14, 2007 Updated: May 14, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

IBM Corporation (zseries) Unknown

Notified: May 14, 2007 Updated: May 14, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

IBM eServer Unknown

Notified: May 14, 2007 Updated: May 14, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Immunix Communications, Inc. Unknown

Notified: May 14, 2007 Updated: May 14, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Ingrian Networks, Inc. Unknown

Notified: May 14, 2007 Updated: May 14, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Juniper Networks, Inc. Unknown

Notified: May 14, 2007 Updated: May 14, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Mandriva, Inc. Unknown

Notified: May 14, 2007 Updated: May 14, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Microsoft Corporation Unknown

Notified: May 14, 2007 Updated: May 14, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

MontaVista Software, Inc. Unknown

Notified: May 14, 2007 Updated: May 14, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

NEC Corporation Unknown

Notified: May 14, 2007 Updated: May 14, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

NetBSD Unknown

Notified: May 14, 2007 Updated: May 14, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Nokia Unknown

Notified: May 14, 2007 Updated: May 14, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

OpenBSD Unknown

Notified: May 14, 2007 Updated: May 14, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Openwall GNU/*/Linux Unknown

Notified: May 14, 2007 Updated: May 14, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

QNX, Software Systems, Inc. Unknown

Notified: May 14, 2007 Updated: May 14, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

SUSE Linux Unknown

Notified: May 14, 2007 Updated: May 14, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Silicon Graphics, Inc. Unknown

Notified: May 14, 2007 Updated: May 14, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Sony Corporation Unknown

Notified: May 14, 2007 Updated: May 14, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

The SCO Group Unknown

Notified: May 14, 2007 Updated: May 14, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Trustix Secure Linux Unknown

Notified: May 14, 2007 Updated: May 14, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Turbolinux Unknown

Notified: May 14, 2007 Updated: May 14, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Unisys Unknown

Notified: May 14, 2007 Updated: May 14, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Wind River Systems, Inc. Unknown

Notified: May 14, 2007 Updated: May 14, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

View all 42 vendors __View less vendors __

CVSS Metrics

Group	Score	Vector
Base
Temporal
Environmental

References

• <http://samba.org/samba/history/security.html&gt;
• <http://us4.samba.org/samba/ftp/patches/security/samba-3.0.24-CVE-2007-2447.patch&gt;
• <http://www.samba.org>
• <http://secunia.com/advisories/25232/&gt;
• <http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=534&gt;
• <http://sunsolve.sun.com/search/document.do?assetkey=1-26-102964-1&gt;
• <http://docs.info.apple.com/article.html?artnum=306172&gt;

Acknowledgements

Thanks to Joshua J. Drake, iDefense Labs, and the Samba team for information that was used in this report.

This document was written by Ryan Giobbi.

Other Information

CVE IDs:	CVE-2007-2447
Severity Metric:	7.44 Date Public: