Samba: Execution of Arbitrary Code — GLSA 200711-29

Key Vulnerability Information

Affected Package: net-fs/samba on all architectures
Affected Versions: = 3.0.27a
Release Date: November 20, 2007
Latest Revision: December 05, 2007: 03
Severity: High
Exploitability: Remote

Description

The Samba package contains two buffer overflow vulnerabilities:

1. A boundary checking error in the function in (CVE-2007-5398).
2. A boundary error when processing logon requests (CVE-2007-4572).

Impact

First vulnerability: A remote unauthenticated attacker could send specially crafted WINS "Name Registration" requests followed by a WINS "Name Query" request, leading to the execution of arbitrary code with elevated privileges. This is exploitable only if WINS server support is enabled in Samba.

Second vulnerability: A specially crafted "GETDC" mailslot request could exploit the vulnerability, but it requires Samba to be configured as a Primary or Backup Domain Controller and is believed not exploitable to execute arbitrary code.

Workaround

To prevent the first vulnerability: Disable WINS support in Samba by setting in the "global" section of and restart Samba.

Resolution

All Samba users should upgrade to the latest version:

The first vulnerability (CVE-2007-5398) was already fixed in Samba 3.0.26a-r2.

References

CVE-2007-4572
CVE-2007-5398
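
A check for the two configuration preconditions described under Impact and Workaround, as an added example that is not part of the original advisory: it reads the "global" section of a Samba configuration and reports whether WINS server support or a domain controller role is enabled. The parameters `wins support` and `domain logons` are real smb.conf parameters that this page does not name; treating `domain logons = yes` as the sign of a Primary or Backup Domain Controller is an assumption of the example, and the sample configuration is constructed.

```python
import re

TRUE_VALUES = {"yes", "true", "on", "1"}  # boolean spellings smb.conf accepts

def parse_global(text):
    """Return the [global] parameters of an smb.conf as {normalised_name: value}.
    Files pulled in through 'include' are not followed."""
    params, section, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):          # trailing backslash continues the line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":  # blank line or comment
            continue
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section == "global" and "=" in line:
            name, value = line.split("=", 1)
            # smb.conf ignores case and whitespace in parameter names
            params[re.sub(r"\s+", "", name).lower()] = value.strip()
    return params

def audit(text):
    """List which preconditions named in the advisory are present."""
    g = parse_global(text)
    enabled = lambda key: g.get(key, "no").lower() in TRUE_VALUES
    findings = []
    if enabled("winssupport"):
        findings.append("WINS server support enabled: precondition for CVE-2007-5398")
    if enabled("domainlogons"):  # assumption: marks a PDC or BDC role
        findings.append("domain controller role: precondition for CVE-2007-4572")
    return findings

SAMPLE = """\
; constructed sample configuration, not taken from any real host
[global]
   workgroup = EXAMPLE
   WINS Support = Yes
   domain logons = no
[homes]
   wins support = no
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE) or ["no precondition from the advisory found"]:
        print(finding)
```

A finding means only that the configuration precondition is met; whether the host is vulnerable still depends on the installed Samba version.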