SAMBA:CVE-2014-0178

Uninitialized memory exposure.

Published: 2014-06-03
Source: Samba Security, www.samba.org

CVSS2: 3.5 Low

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
Vector: AV:N/AC:M/Au:S/C:P/I:N/A:N

EPSS: 0.006 Low
Percentile: 78.0%

Description

In preparing a response to an authenticated FSCTL_GET_SHADOW_COPY_DATA
or FSCTL_SRV_ENUMERATE_SNAPSHOTS client request, affected versions of
Samba do not initialize 8 bytes of the 16 byte SRV_SNAPSHOT_ARRAY
response field. The uninitialized buffer is sent back to the client.

A non-default VFS module providing the get_shadow_copy_data_fn() hook
must be explicitly enabled for Samba to process the aforementioned
client requests. Therefore, only configurations with “shadow_copy” or
“shadow_copy2” specified for the “vfs objects” parameter are vulnerable.

Patch Availability

Patches addressing this issue have been posted to:

http://www.samba.org/samba/security/

Samba versions 4.0.18 and 4.1.8 will be released with fixes for
this issue. Immediate security releases will not be issued, due to the
low severity of the vulnerability.

Workaround

To avoid the vulnerability, affected versions can be configured without
“shadow_copy” or “shadow_copy2” specified for the “vfs objects”
parameter. This is the default configuration.
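
The exposure condition described above can be checked against a configuration file. The following is an added example, not code from the Samba project or the advisory: it scans smb.conf-style text and reports every section whose "vfs objects" setting lists "shadow_copy" or "shadow_copy2". The function name, the sample configuration and the handling of a ":suffix" on a module token are assumptions made for illustration.

```python
import re

# Modules the advisory names as enabling the affected request handling.
AFFECTED_MODULES = {"shadow_copy", "shadow_copy2"}

def _norm(name):
    # smb.conf ignores case and whitespace in parameter names.
    return re.sub(r"\s+", "", name).lower()

def shadow_copy_shares(conf_text):
    """Return {section: [affected modules]} for smb.conf-style text."""
    # Join lines continued with a trailing backslash.
    text = re.sub(r"\\\r?\n", "", conf_text)
    section, settings = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        # "vfs object" is a synonym of "vfs objects".
        if _norm(key) in ("vfsobjects", "vfsobject"):
            # A later setting in the same section overrides an earlier one.
            settings[section] = re.split(r"[,\s]+", value.strip())
    findings = {}
    for sec, modules in settings.items():
        # Assumption: tolerate a ":suffix" on a module token.
        hits = [m for m in modules if m.split(":")[0].lower() in AFFECTED_MODULES]
        if hits:
            findings[sec] = hits
    return findings

# Constructed sample configuration (not taken from a real system).
SAMPLE_CONF = """\
[global]
   workgroup = EXAMPLE
   ; vfs objects = shadow_copy
[projects]
   path = /srv/projects
   VFS Objects = acl_xattr \\
        shadow_copy2
[scratch]
   path = /srv/scratch
   vfs objects = recycle
"""

if __name__ == "__main__":
    for share, mods in shadow_copy_shares(SAMPLE_CONF).items():
        print(f"[{share}] enables {', '.join(mods)}")
```

A hit in [global] applies to every share that does not set "vfs objects" itself. The check does not follow include directives or look at the installed Samba version, so a hit only matters on a release older than the fixed versions named above.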

Credits

This vulnerability was found and fixed by Christof Schmitt of the Samba
team.
