nessus
This script is Copyright (C) 2012-2021 Tenable Network Security, Inc.
SUSE_11_LDAPSMB-120415.NASL
History: Apr 17, 2012 - 12:00 a.m.

SuSE 11.2 Security Update : Samba (SAT Patch Number 6145)

www.tenable.com

The following issues have been fixed in Samba:

  • PIDL-based autogenerated code uses client-supplied size values, which allows attackers to write beyond the allocated array size. (CVE-2012-1182)

  • Ensure AndX offsets are increasing strictly monotonically in pre-3.4 versions. (CVE-2012-0870)

  • Fix memory leak in parent smbd on connection. (CVE-2012-0817)

Also the following non-security bugs have been fixed:

  • s3-winbindd: Only use SamLogonEx when we can get unencrypted session keys; (bso#8599).

  • Correctly handle DENY ACEs when privileges apply; (bso#8797).

  • s3:smb2_server: fix a logic error, we should sign non guest sessions; (bso#8749).

  • Allow vfs_aio_pthread to build as a static module; (bso#8723).

  • s3:dbwrap_ctdb: return the number of records in db_ctdb_traverse() for persistent dbs; (bso#8527).

  • s3: segfault in dom_sid_compare (bso#8567).

  • Honor SeTakeOwnershipPrivilege when client asks for SEC_STD_WRITE_OWNER; (bso#8768).

  • s3-winbindd: Close netlogon connection if the status returned by the NetrSamLogonEx call is timeout in the pam_auth_crap path; (bso#8771).

  • s3-winbindd: set the can_do_validation6 also for trusted domain; (bso#8599).

  • Fix problem when calculating the share security mask, take privileges into account for the connecting user; (bso#8784).

  • Fix crash in dcerpc_lsa_lookup_sids_noalloc() with over 1000 groups; (bso#8807); (bnc#751454).

  • Add SERVERID_UNIQUE_ID_NOT_TO_VERIFY; (bso#8760); (bnc#741854).

  • s3-printing: fix crash in printer_list_set_printer(); (bso#8762); (bnc#746825).

  • s3:winbindd fix a return code check; (bso#8406).

  • s3: Add rmdir operation to streams_depot; (bso#8733).

  • s3:smbd:smb2: fix an assignment-instead-of-check bug in conn_snum_used(); (bso#8738).

  • s3:auth: fill the sids array of the info3 in wbcAuthUserInfo_to_netr_SamInfo3(); (bso#8739).

  • Do not map POSIX execute permission to Windows FILE_READ_ATTRIBUTES; (bso#8631); (bnc#732572).

  • Remove all precompiled idl output to ensure any pidl changes take effect; (bnc#757080).

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from SuSE 11 update information. The text itself is
# copyright (C) Novell, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(58767);
  script_version("1.8");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/19");

  script_cve_id("CVE-2012-0817", "CVE-2012-0870", "CVE-2012-1182");

  script_name(english:"SuSE 11.2 Security Update : Samba (SAT Patch Number 6145)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote SuSE 11 host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"The following issues have been fixed in Samba :

  - PIDL based autogenerated code uses client supplied size
    values which allows attackers to write beyond the
    allocated array size. (CVE-2012-1182)

  - Ensure AndX offsets are increasing strictly
    monotonically in pre-3.4 versions. (CVE-2012-0870)

  - Fix memory leak in parent smbd on connection Also the
    following non-security bugs have been fixed :.
    (CVE-2012-0817)

  - s3-winbindd: Only use SamLogonEx when we can get
    unencrypted session keys; (bso#8599).

  - Correctly handle DENY ACEs when privileges apply;
    (bso#8797).

  - s3:smb2_server: fix a logic error, we should sign non
    guest sessions; (bso8749).

  - Allow vfs_aio_pthread to build as a static module;
    (bso#8723).

  - s3:dbwrap_ctdb: return the number of records in
    db_ctdb_traverse() for persistent dbs; (#bso8527).

  - s3: segfault in dom_sid_compare(bso#8567).

  - Honor SeTakeOwnershiPrivilege when client asks for
    SEC_STD_WRITE_OWNER; (bso#8768).

  - s3-winbindd: Close netlogon connection if the status
    returned by the NetrSamLogonEx call is timeout in the
    pam_auth_crap path; (bso#8771).

  - s3-winbindd: set the can_do_validation6 also for trusted
    domain; (bso#8599).

  - Fix problem when calculating the share security mask,
    take priviliges into account for the connecting user;
    (bso#8784).

  - Fix crash in dcerpc_lsa_lookup_sids_noalloc() with over
    1000 groups; (bso#8807);. (bnc#751454)

  - Add SERVERID_UNIQUE_ID_NOT_TO_VERIFY; (bso#8760);.
    (bnc#741854)

  - s3-printing: fix crash in printer_list_set_printer();
    (bso#8762);. (bnc#746825)

  - s3:winbindd fix a return code check; (bso#8406).

  - s3: Add rmdir operation to streams_depot; (bso#8733).

  - s3:smbd:smb2: fix an assignment-instead-of-check bug
    conn_snum_used(); (bso#8738).

  - s3:auth: fill the sids array of the info3 in
    wbcAuthUserInfo_to_netr_SamInfo3(); (bso#8739).

  - Do not map POSIX execute permission to Windows
    FILE_READ_ATTRIBUTES; (bso#8631);. (bnc#732572)

  - Remove all precompiled idl output to ensure any pidl
    changes take effect;. (bnc#757080)"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=732395"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=732572"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=741854"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=743986"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=746825"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=747934"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=751454"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=752797"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=757080"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://support.novell.com/security/cve/CVE-2012-0817.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://support.novell.com/security/cve/CVE-2012-0870.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://support.novell.com/security/cve/CVE-2012-1182.html"
  );
  script_set_attribute(attribute:"solution", value:"Apply SAT patch number 6145.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Samba SetInformationPolicy AuditEventsInfo Heap Overflow');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:ldapsmb");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:libldb1");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:libldb1-32bit");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:libsmbclient0");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:libsmbclient0-32bit");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:libtalloc2");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:libtalloc2-32bit");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:libtdb1");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:libtdb1-32bit");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:libtevent0");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:libtevent0-32bit");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:libwbclient0");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:libwbclient0-32bit");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:samba");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:samba-32bit");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:samba-client");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:samba-client-32bit");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:samba-doc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:samba-krb-printing");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:samba-winbind");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:samba-winbind-32bit");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:11");

  script_set_attribute(attribute:"patch_publication_date", value:"2012/04/15");
  script_set_attribute(attribute:"plugin_publication_date", value:"2012/04/17");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2012-2021 Tenable Network Security, Inc.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release !~ "^(SLED|SLES)11") audit(AUDIT_OS_NOT, "SuSE 11");
if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SuSE 11", cpu);

pl = get_kb_item("Host/SuSE/patchlevel");
if (isnull(pl) || int(pl) != 2) audit(AUDIT_OS_NOT, "SuSE 11.2");


flag = 0;
if (rpm_check(release:"SLED11", sp:2, cpu:"i586", reference:"libldb1-3.6.3-0.22.1")) flag++;
if (rpm_check(release:"SLED11", sp:2, cpu:"i586", reference:"libsmbclient0-3.6.3-0.22.1")) flag++;
if (rpm_check(release:"SLED11", sp:2, cpu:"i586", reference:"libtalloc2-3.6.3-0.22.1")) flag++;
if (rpm_check(release:"SLED11", sp:2, cpu:"i586", reference:"libtdb1-3.6.3-0.22.1")) flag++;
if (rpm_check(release:"SLED11", sp:2, cpu:"i586", reference:"libtevent0-3.6.3-0.22.1")) flag++;
if (rpm_check(release:"SLED11", sp:2, cpu:"i586", reference:"libwbclient0-3.6.3-0.22.1")) flag++;
if (rpm_check(release:"SLED11", sp:2, cpu:"i586", reference:"samba-3.6.3-0.22.1")) flag++;
if (rpm_check(release:"SLED11", sp:2, cpu:"i586", reference:"samba-client-3.6.3-0.22.1")) flag++;
if (rpm_check(release:"SLED11", sp:2, cpu:"i586", reference:"samba-doc-3.6.3-0.22.1")) flag++;
if (rpm_check(release:"SLED11", sp:2, cpu:"i586", reference:"samba-krb-printing-3.6.3-0.22.1")) flag++;
if (rpm_check(release:"SLED11", sp:2, cpu:"i586", reference:"samba-winbind-3.6.3-0.22.1")) flag++;
if (rpm_check(release:"SLED11", sp:2, cpu:"x86_64", reference:"libldb1-3.6.3-0.22.1")) flag++;
if (rpm_check(release:"SLED11", sp:2, cpu:"x86_64", reference:"libldb1-32bit-3.6.3-0.22.1")) flag++;
if (rpm_check(release:"SLED11", sp:2, cpu:"x86_64", reference:"libsmbclient0-3.6.3-0.22.1")) flag++;
if (rpm_check(release:"SLED11", sp:2, cpu:"x86_64", reference:"libsmbclient0-32bit-3.6.3-0.22.1")) flag++;
if (rpm_check(release:"SLED11", sp:2, cpu:"x86_64", reference:"libtalloc2-3.6.3-0.22.1")) flag++;
if (rpm_check(release:"SLED11", sp:2, cpu:"x86_64", reference:"libtalloc2-32bit-3.6.3-0.22.1")) flag++;
if (rpm_check(release:"SLED11", sp:2, cpu:"x86_64", reference:"libtdb1-3.6.3-0.22.1")) flag++;
if (rpm_check(release:"SLED11", sp:2, cpu:"x86_64", reference:"libtdb1-32bit-3.6.3-0.22.1")) flag++;
if (rpm_check(release:"SLED11", sp:2, cpu:"x86_64", reference:"libtevent0-3.6.3-0.22.1")) flag++;
if (rpm_check(release:"SLED11", sp:2, cpu:"x86_64", reference:"libtevent0-32bit-3.6.3-0.22.1")) flag++;
if (rpm_check(release:"SLED11", sp:2, cpu:"x86_64", reference:"libwbclient0-3.6.3-0.22.1")) flag++;
if (rpm_check(release:"SLED11", sp:2, cpu:"x86_64", reference:"libwbclient0-32bit-3.6.3-0.22.1")) flag++;
if (rpm_check(release:"SLED11", sp:2, cpu:"x86_64", reference:"samba-3.6.3-0.22.1")) flag++;
if (rpm_check(release:"SLED11", sp:2, cpu:"x86_64", reference:"samba-32bit-3.6.3-0.22.1")) flag++;
if (rpm_check(release:"SLED11", sp:2, cpu:"x86_64", reference:"samba-client-3.6.3-0.22.1")) flag++;
if (rpm_check(release:"SLED11", sp:2, cpu:"x86_64", reference:"samba-client-32bit-3.6.3-0.22.1")) flag++;
if (rpm_check(release:"SLED11", sp:2, cpu:"x86_64", reference:"samba-doc-3.6.3-0.22.1")) flag++;
if (rpm_check(release:"SLED11", sp:2, cpu:"x86_64", reference:"samba-krb-printing-3.6.3-0.22.1")) flag++;
if (rpm_check(release:"SLED11", sp:2, cpu:"x86_64", reference:"samba-winbind-3.6.3-0.22.1")) flag++;
if (rpm_check(release:"SLED11", sp:2, cpu:"x86_64", reference:"samba-winbind-32bit-3.6.3-0.22.1")) flag++;
if (rpm_check(release:"SLES11", sp:2, reference:"ldapsmb-1.34b-12.22.1")) flag++;
if (rpm_check(release:"SLES11", sp:2, reference:"libldb1-3.6.3-0.22.1")) flag++;
if (rpm_check(release:"SLES11", sp:2, reference:"libsmbclient0-3.6.3-0.22.1")) flag++;
if (rpm_check(release:"SLES11", sp:2, reference:"libtalloc2-3.6.3-0.22.1")) flag++;
if (rpm_check(release:"SLES11", sp:2, reference:"libtdb1-3.6.3-0.22.1")) flag++;
if (rpm_check(release:"SLES11", sp:2, reference:"libtevent0-3.6.3-0.22.1")) flag++;
if (rpm_check(release:"SLES11", sp:2, reference:"libwbclient0-3.6.3-0.22.1")) flag++;
if (rpm_check(release:"SLES11", sp:2, reference:"samba-3.6.3-0.22.1")) flag++;
if (rpm_check(release:"SLES11", sp:2, reference:"samba-client-3.6.3-0.22.1")) flag++;
if (rpm_check(release:"SLES11", sp:2, reference:"samba-doc-3.6.3-0.22.1")) flag++;
if (rpm_check(release:"SLES11", sp:2, reference:"samba-krb-printing-3.6.3-0.22.1")) flag++;
if (rpm_check(release:"SLES11", sp:2, reference:"samba-winbind-3.6.3-0.22.1")) flag++;
if (rpm_check(release:"SLES11", sp:2, cpu:"s390x", reference:"libsmbclient0-32bit-3.6.3-0.22.1")) flag++;
if (rpm_check(release:"SLES11", sp:2, cpu:"s390x", reference:"libtalloc2-32bit-3.6.3-0.22.1")) flag++;
if (rpm_check(release:"SLES11", sp:2, cpu:"s390x", reference:"libtdb1-32bit-3.6.3-0.22.1")) flag++;
if (rpm_check(release:"SLES11", sp:2, cpu:"s390x", reference:"libwbclient0-32bit-3.6.3-0.22.1")) flag++;
if (rpm_check(release:"SLES11", sp:2, cpu:"s390x", reference:"samba-32bit-3.6.3-0.22.1")) flag++;
if (rpm_check(release:"SLES11", sp:2, cpu:"s390x", reference:"samba-client-32bit-3.6.3-0.22.1")) flag++;
if (rpm_check(release:"SLES11", sp:2, cpu:"s390x", reference:"samba-winbind-32bit-3.6.3-0.22.1")) flag++;
if (rpm_check(release:"SLES11", sp:2, cpu:"x86_64", reference:"libsmbclient0-32bit-3.6.3-0.22.1")) flag++;
if (rpm_check(release:"SLES11", sp:2, cpu:"x86_64", reference:"libtalloc2-32bit-3.6.3-0.22.1")) flag++;
if (rpm_check(release:"SLES11", sp:2, cpu:"x86_64", reference:"libtdb1-32bit-3.6.3-0.22.1")) flag++;
if (rpm_check(release:"SLES11", sp:2, cpu:"x86_64", reference:"libwbclient0-32bit-3.6.3-0.22.1")) flag++;
if (rpm_check(release:"SLES11", sp:2, cpu:"x86_64", reference:"samba-32bit-3.6.3-0.22.1")) flag++;
if (rpm_check(release:"SLES11", sp:2, cpu:"x86_64", reference:"samba-client-32bit-3.6.3-0.22.1")) flag++;
if (rpm_check(release:"SLES11", sp:2, cpu:"x86_64", reference:"samba-winbind-32bit-3.6.3-0.22.1")) flag++;


if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");

| Vendor | Product | Version | CPE |
|---|---|---|---|
| novell | suse_linux | 11 | p-cpe:/a:novell:suse_linux:11:ldapsmb |
| novell | suse_linux | 11 | p-cpe:/a:novell:suse_linux:11:libldb1 |
| novell | suse_linux | 11 | p-cpe:/a:novell:suse_linux:11:libldb1-32bit |
| novell | suse_linux | 11 | p-cpe:/a:novell:suse_linux:11:libsmbclient0 |
| novell | suse_linux | 11 | p-cpe:/a:novell:suse_linux:11:libsmbclient0-32bit |
| novell | suse_linux | 11 | p-cpe:/a:novell:suse_linux:11:libtalloc2 |
| novell | suse_linux | 11 | p-cpe:/a:novell:suse_linux:11:libtalloc2-32bit |
| novell | suse_linux | 11 | p-cpe:/a:novell:suse_linux:11:libtdb1 |
| novell | suse_linux | 11 | p-cpe:/a:novell:suse_linux:11:libtdb1-32bit |
| novell | suse_linux | 11 | p-cpe:/a:novell:suse_linux:11:libtevent0 |