3.3
CWE-20

CVE-2014-0244: Input Validation

First published: Wed May 14 2014

Created attachment 895515: Strace of nmbd when the problem is triggered

Description of problem:
I'm running samba3x (samba3x-3.6.6-0.139.el5_10) as a simple NT domain controller on a CentOS 5.10, and found sometimes the nmbd process stuck (eating 100% CPU, and not responding anymore to any request, making any domain login impossible). The only solution was to kill -9 this process and restart it. It was occurring randomly, so was quite hard to troubleshoot, but after a few hours, I've finally identified what's causing it (well at least, I know a simple request from a client is enough to trigger it).

I'll attach:
- a strace of the process at the time the problem occurs. In this file the last line (recvfrom(12, 0xbfcff9c8, 576, 0, 0xbfcffc08, 0xbfcff988) = -1 EAGAIN (Resource temporarily unavailable)) is repeated indefinitely as long as the process isn't killed, producing several GB per hour in the strace file. I've truncated it to the interesting part
- a pcap of the packet crashing nmbd (which you can replay with tcpreplay to reproduce the issue)

Version-Release number of selected component (if applicable):

How reproducible:
100% with the attached pcap

Steps to Reproduce:
1. You need a client with IP 192.168.7.50 and MAC 6c:62:6d:b0:25:42
2. The server running nmbd with IP 192.168.7.1 and MAC 52:54:00:7C:31:C4 (if you have different values you'll have to tweak the pcap with tcprewrite)
3. The netbios name of the samba server should be SAS (it's contained in the pcap and needs to match the netbios name of the server in order to trigger the issue)
4. Run nmbd (I'm running it with daemontools with /usr/sbin/nmbd -F -S but that probably doesn't matter)
5. Replay the attached pcap with tcpreplay -i eth0 nmbd_dos.pcap

Actual results:
nmbd will go into a loop, taking 100% of a core, and won't respond to any further requests, making it impossible to log in on the domain

Expected results:
nmbd should continue working as normal

Additional info:
Marking this a security issue as it makes it very easy to DoS a domain controller

Credit: secalert@redhat.com
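
A triage check for the symptom the report describes, as an added example that is not part of the original report or of Samba: it scans strace output for a long unbroken run of recvfrom calls failing with EAGAIN on one descriptor, with no select or other syscall in between. The function name, the run threshold and every sample line except the recvfrom line quoted in the report are assumptions constructed for illustration.

```python
import re

# A failed non-blocking receive as strace prints it; group 1 is the descriptor.
EAGAIN_RECV = re.compile(r"\brecvfrom\((\d+),.*\)\s*=\s*-1 EAGAIN\b")

# The line quoted in the report.
REPORTED = ("recvfrom(12, 0xbfcff9c8, 576, 0, 0xbfcffc08, 0xbfcff988) "
            "= -1 EAGAIN (Resource temporarily unavailable)")

# Constructed sample of a healthy event loop: wait, read one datagram, drain.
HEALTHY = [
    "select(13, [9 10 11 12], NULL, NULL, {10, 0}) = 1 (in [12], left {9, 0})",
    'recvfrom(12, "\\200\\1"..., 576, 0, {sa_family=AF_INET}, [16]) = 68',
    REPORTED,
]


def spin_runs(lines, min_run=1000):
    """Return (first_line, run_length, fd) for each run of at least min_run
    consecutive EAGAIN recvfrom calls on the same descriptor. min_run is an
    assumed threshold; a healthy loop produces runs of length 1."""
    runs, fd, start, length = [], None, 0, 0
    for n, line in enumerate(lines, 1):
        m = EAGAIN_RECV.search(line)
        cur = m.group(1) if m else None
        if cur is not None and cur == fd:
            length += 1
            continue
        if fd is not None and length >= min_run:
            runs.append((start, length, int(fd)))
        fd, start, length = cur, n, (1 if cur is not None else 0)
    if fd is not None and length >= min_run:
        runs.append((start, length, int(fd)))
    return runs


def sample_trace(spin=5000):
    """Constructed trace: three healthy iterations, one more datagram read,
    then the EAGAIN line repeating without returning to select."""
    return HEALTHY * 3 + HEALTHY[:2] + [REPORTED] * spin


if __name__ == "__main__":
    for first, count, fd in spin_runs(sample_trace()):
        print(f"busy loop: fd {fd}, {count} EAGAIN recvfrom calls from line {first}")
```

Because the report notes the strace file grows by several GB per hour, pass an open file object as `lines` so the trace is streamed rather than loaded into memory.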

Affected Software | Affected Version | How to fix
Samba Samba | =4.1.0 |
Samba Samba | =4.1.1 |
Samba Samba | =4.1.2 |
Samba Samba | =4.1.3 |
Samba Samba | =4.1.4 |
Samba Samba | =4.1.5 |
Samba Samba | =4.1.6 |
Samba Samba | =4.1.7 |
Samba Samba | =4.1.8 |
Samba Samba | =4.0.0 |
Samba Samba | =4.0.1 |
Samba Samba | =4.0.2 |
Samba Samba | =4.0.3 |
Samba Samba | =4.0.4 |
Samba Samba | =4.0.5 |
Samba Samba | =4.0.6 |
Samba Samba | =4.0.7 |
Samba Samba | =4.0.8 |
Samba Samba | =4.0.9 |
Samba Samba | =4.0.10 |
Samba Samba | =4.0.11 |
Samba Samba | =4.0.12 |
Samba Samba | =4.0.13 |
Samba Samba | =4.0.14 |
Samba Samba | =4.0.15 |
Samba Samba | =4.0.16 |
Samba Samba | =4.0.17 |
Samba Samba | =4.0.18 |
Samba Samba | =3.6.0 |
Samba Samba | =3.6.1 |
Samba Samba | =3.6.2 |
Samba Samba | =3.6.3 |
Samba Samba | =3.6.4 |
Samba Samba | =3.6.5 |
Samba Samba | =3.6.6 |
Samba Samba | =3.6.7 |
Samba Samba | =3.6.8 |
Samba Samba | =3.6.9 |
Samba Samba | =3.6.10 |
Samba Samba | =3.6.11 |
Samba Samba | =3.6.12 |
Samba Samba | =3.6.13 |
Samba Samba | =3.6.14 |
Samba Samba | =3.6.15 |
Samba Samba | =3.6.16 |
Samba Samba | =3.6.17 |
Samba Samba | =3.6.18 |
Samba Samba | =3.6.19 |
Samba Samba | =3.6.20 |
Samba Samba | =3.6.21 |
Samba Samba | =3.6.22 |
Samba Samba | =3.6.23 |
