SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   VMware ESXi Vendors:   VMware
(VMware Issues Fix for ESX Server) Samba Buffer Overflow in receive_smb_raw() Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1020574
SecurityTracker URL:  http://securitytracker.com/id/1020574
CVE Reference:   CVE-2008-1105   (Links to External Site)
Date:  Jul 29 2008
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 2.5.4, 2.5.5, 3.0.1, 3.0.2, 3.5
Description:   A vulnerability was reported in Samba. A remote user can execute arbitrary code on the target system. VMware ESX Server is affected.

A remote server can send a specially crafted SMB packet to a connected client to trigger a heap overflow in receive_smb_raw() and execute arbitrary code on the target client system.

A remote user can also send a specially crafted print request to a target nmbd server to execute arbitrary code on the target server. The code will run with the privileges of the target service.

The vulnerability resides in 'lib/util_sock.c'.

The vendor was notified on May 15, 2008.

Alin Rad Pop of Secunia Research reported this vulnerability.

The original advisory is available at:

http://secunia.com/secunia_research/2008-20/advisory/
Impact:   A remote user can execute arbitrary code on the target system.
Solution:   VMware has issued a fix for VMware ESX Server 3.5 (patch ESX350-200806218-UG), which is affected by this vulnerability.

ESX 2.5.4, 2.5.5, 3.0.1, and 3.0.2 are affected and an update is pending.

The VMware advisory will be available at:

http://www.vmware.com/security/advisories/
Cause:   Boundary error

Message History:   This archive entry is a follow-up to the message listed below.
May 28 2008 Samba Buffer Overflow in receive_smb_raw() Lets Remote Users Execute Arbitrary Code


 Source Message Contents
Subject:  [Security-announce] VMSA-2008-00011 Updated ESX service console


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID:       VMSA-2008-00011
Synopsis:          Updated ESX service console packages for Samba
                   and vmnix
Issue date:        2008-07-28
Updated on:        2008-07-28 (initial release of advisory)
CVE numbers:       CVE-2007-5001 CVE-2007-6151 CVE-2007-6206
                   CVE-2008-0007 CVE-2008-1367 CVE-2008-1375
                   CVE-2008-1669 CVE-2006-4814 CVE-2008-1105
- -------------------------------------------------------------------

1. Summary:

   Updated ESX packages address several security issues.

2. Relevant releases:

   VMware ESX 3.5 without patches ESX350-200806201-UG (vmnix) and
   ESX350-200806218-UG (samba)

3. Problem description:

I   Service Console rpm updates

 a.  Security Update to Service Console Kernel

   This fix upgrades service console kernel version to 2.4.21-57.EL.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)
   has assigned the names CVE-2007-5001, CVE-2007-6151, CVE-2007-6206,
   CVE-2008-0007, CVE-2008-1367, CVE-2008-1375, CVE-2006-4814, and
   CVE-2008-1669 to the security issues fixed in kernel-2.4.21-57.EL.

   VMware         Product   Running  Replace with/
   Product        Version   on       Apply Patch
   =============  ========  =======  =================
   VirtualCenter  any       Windows  not applicable

   hosted         any       any      not applicable

   ESXi           3.5       ESXi     not applicable

   ESX            3.5       ESX      patch ESX350-200806201-UG
   ESX            3.0.2     ESX      affected, no update planned
   ESX            3.0.1     ESX      affected, no update planned
   ESX            2.5.5     ESX      not applicable
   ESX            2.5.4     ESX      not applicable

 b.  Samba Security Update

   This fix upgrades the service console rpm samba to version
   3.0.9-1.3E.15vmw

   The Common Vulnerabilities and Exposures project (cve.mitre.org)
   has assigned the name CVE-2008-1105 to this issue.

   VMware         Product   Running  Replace with/
   Product        Version   on       Apply Patch
   =============  ========  =======  =================
   VirtualCenter  any       Windows  not applicable

   hosted         any       any      not applicable

   ESXi           3.5       ESXi     not applicable

   ESX            3.5       ESX      patch ESX350-200806218-UG
   ESX            3.0.2     ESX      affected, patch pending
   ESX            3.0.1     ESX      affected, patch pending
   ESX            2.5.5     ESX      affected, patch pending
   ESX            2.5.4     ESX      affected, patch pending

4. Solution:

Please review the Patch notes for your product and version and verify the
md5sum of your downloaded file.

   ESX 3.5 (Samba)
   http://download3.vmware.com/software/esx/ESX350-200806218-UG
   md5sum: dfad21860ba24a6322b36041c0bc2a07
   http://kb.vmware.com/kb/1005931

   ESX 3.5 (vmnix)
   http://download3.vmware.com/software/esx/ESX350-200806201-UG
   md5sum: 2888192905a6763a069914fcd258d329
   http://kb.vmware.com/kb/1005894

5. References:

  CVE numbers
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5001
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6151
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6206
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0007
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1367
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1375
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1669
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4814
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1105

- -------------------------------------------------------------------
6. Change log:

2008-07-28  VMSA-2008-0011    Initial release

- ---------------------------------------------------------------------
7. Contact:

E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

  * security-announce at lists.vmware.com
  * bugtraq at securityfocus.com
  * full-disclosure at lists.grok.org.uk

E-mail:  security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055

VMware Security Center
http://www.vmware.com/security

VMware security response policy
http://www.vmware.com/support/policies/security_response.html

General support life cycle policy
http://www.vmware.com/support/policies/eos.html

VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html

Copyright 2008 VMware Inc.  All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFIjm47S2KysvBH1xkRCBHHAJsFM/IF/oaAFats+cKnYkGy/zhsLACeNb2u
YZDiKbwIR5cgq7po71RoI9k=
=y2cT
-----END PGP SIGNATURE-----
_______________________________________________
Security-announce mailing list
Security-announce@lists.vmware.com
http://lists.vmware.com/mailman/listinfo/security-announce


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC