Debian DSA-1908-1 : samba - several vulnerabilities

2010-02-24T00:00:00
ID DEBIAN_DSA-1908.NASL
Type nessus
Reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
Modified 2020-08-02T00:00:00

Description

Several vulnerabilities have been discovered in samba, an implementation of the SMB/CIFS protocol for Unix systems, providing support for cross-platform file and printer sharing with other operating systems and more. The Common Vulnerabilities and Exposures project identifies the following problems :

  • CVE-2009-2948 The mount.cifs utility is missing proper checks for file permissions when used in verbose mode. This allows local users to partly disclose the content of arbitrary files by specifying the file as credentials file and attempting to mount a samba share.

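  • CVE-2009-2906 A reply to an oplock break notification which samba doesn't expect could lead to the service getting stuck in an infinite loop. An attacker can use this to perform denial of service attacks via a specially crafted SMB request.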

                                        
                                            #%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Debian Security Advisory DSA-1908. The text 
# itself is copyright (C) Software in the Public Interest, Inc.
#

include("compat.inc");

# Registration pass: when the scanner evaluates the plugin with `description`
# set, this block only declares metadata and then exits (see the exit(0) at
# the end), so none of the package checks further down run in this pass.
if (description)
{
  script_id(44773);
  script_version("1.14");
  script_cvs_date("Date: 2019/08/02 13:32:22");

  # One plugin covers three separate CVEs. A finding from this plugin means
  # "package older than the fixed version", not that a specific CVE was
  # confirmed on the host.
  script_cve_id("CVE-2009-2813", "CVE-2009-2906", "CVE-2009-2948");
  script_bugtraq_id(36363, 36572, 36573);
  script_xref(name:"DSA", value:"1908");

  script_name(english:"Debian DSA-1908-1 : samba - several vulnerabilities");
  script_summary(english:"Checks dpkg output for the updated package");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Debian host is missing a security-related update."
  );
  # Advisory text, reproduced from DSA-1908. The three issues differ in
  # attacker position and impact (local file disclosure via mount.cifs,
  # denial of service via a crafted SMB request, file-system access through
  # a [homes]/explicit share), which matters when prioritising remediation.
  script_set_attribute(
    attribute:"description", 
    value:
"Several vulnerabilities have been discovered in samba, an
implementation of the SMB/CIFS protocol for Unix systems, providing
support for cross-platform file and printer sharing with other
operating systems and more. The Common Vulnerabilities and Exposures
project identifies the following problems :

  - CVE-2009-2948
    The mount.cifs utility is missing proper checks for file
    permissions when used in verbose mode. This allows local
    users to partly disclose the content of arbitrary files
    by specifying the file as credentials file and
    attempting to mount a samba share.

  - CVE-2009-2906
    A reply to an oplock break notification which samba
    doesn't expect could lead to the service getting stuck
    in an infinite loop. An attacker can use this to perform
    denial of service attacks via a specially crafted SMB
    request.

  - CVE-2009-2813
    A lack of error handling in case no home directory was
    configured/specified for the user could lead to file
    disclosure. In case the automated [homes] share is
    enabled or an explicit share is created with that
    username, samba fails to enforce sharing restrictions
    which results in an attacker being able to access the
    file system from the root directory."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2009-2948"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2009-2906"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2009-2813"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.debian.org/security/2009/dsa-1908"
  );
  # The solution text is the advisory's wording at publication time: a fixed
  # version is named for lenny only, and etch is described as not yet fixed.
  script_set_attribute(
    attribute:"solution", 
    value:
"Upgrade the samba packages.

For the oldstable distribution (etch), this problem will be fixed
soon.

For the stable distribution (lenny), this problem has been fixed in
version 2:3.2.5-4lenny7."
  );
  # CVSS v2 base vector: network access, medium access complexity, single
  # authentication, partial impact on confidentiality, integrity and
  # availability. Only one vector is recorded for all three CVEs.
  # NOTE(review): presumably the highest-scoring of the three - confirm the
  # per-CVE scores when triaging.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:S/C:P/I:P/A:P");
  # CVSS v2 temporal vector: exploitability unproven, official fix
  # available, report confidence confirmed.
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  # CWE-264 (Permissions, Privileges, and Access Controls) is the only CWE
  # recorded, although the description above also includes an infinite-loop
  # denial of service.
  script_cwe_id(264);

  # "local" plugin type: the result comes from package data gathered on the
  # host, not from probing the SMB service over the network.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:samba");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:5.0");

  script_set_attribute(attribute:"patch_publication_date", value:"2009/10/14");
  script_set_attribute(attribute:"plugin_publication_date", value:"2010/02/24");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Debian Local Security Checks");

  # The plugin needs local checks enabled plus the Debian release and the
  # dpkg package list in the knowledge base.
  # NOTE(review): presumably these keys are populated by the
  # ssh_get_info.nasl dependency over an authenticated session - confirm.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  # Metadata only: leave before the host checks below.
  exit(0);
}


include("audit.inc");
include("debian_package.inc");


# Preconditions for a local package check. Each key is read from the scanner
# knowledge base in turn; when one is missing, audit() is called with the
# matching reason code instead of comparing package versions. Without an
# authenticated scan that filled these keys, this plugin cannot say anything
# about the host's samba packages.
if (!get_kb_item("Host/local_checks_enabled"))
{
  audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
}
if (!get_kb_item("Host/Debian/release"))
{
  audit(AUDIT_OS_NOT, "Debian");
}
if (!get_kb_item("Host/Debian/dpkg-l"))
{
  audit(AUDIT_PACKAGE_LIST_MISSING);
}


# Compare every binary package built from the samba source against the fixed
# version named in DSA-1908 for lenny. `flag` counts the deb_check() calls
# that returned true.
#
# Scope caveats for whoever reads the result:
#  - Only release "5.0" (lenny) is passed to deb_check(); the advisory text
#    says the etch fix was still pending, and no etch version is checked
#    here. NOTE(review): presumably deb_check() returns false for hosts on
#    another release, so "not affected" on etch would not mean patched -
#    confirm against debian_package.inc.
#  - This is a package-version comparison; it does not look at whether smbd
#    is running or whether a [homes] share is configured.
samba_fixed_ver = "2:3.2.5-4lenny7";
samba_pkgs = make_list(
  "libpam-smbpass",
  "libsmbclient",
  "libsmbclient-dev",
  "libwbclient0",
  "samba",
  "samba-common",
  "samba-dbg",
  "samba-doc",
  "samba-doc-pdf",
  "samba-tools",
  "smbclient",
  "smbfs",
  "swat",
  "winbind"
);

flag = 0;
foreach samba_pkg (samba_pkgs)
{
  if (deb_check(release:"5.0", prefix:samba_pkg, reference:samba_fixed_ver))
  {
    flag++;
  }
}

# Reporting. With no package flagged, the host is audited as not affected.
# Otherwise a warning-level finding is raised on port 0; when
# report_verbosity is above 0 the finding carries the text returned by
# deb_report_get() as extra output.
if (!flag) audit(AUDIT_HOST_NOT, "affected");
else
{
  if (report_verbosity > 0)
  {
    security_warning(port:0, extra:deb_report_get());
  }
  else
  {
    security_warning(0);
  }
  exit(0);
}