CVE-2007-5398
Published 2007-11-16

Priority: P353 · critical · CVSS 2.0: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
EPSS: 11.25% (95.4th percentile)
Stack-based buffer overflow in the reply_netbios_packet function in nmbd/nmbd_packets.c in nmbd in Samba 3.0.0 through 3.0.26a, when operating as a WINS server, allows remote attackers to execute arbitrary code via crafted WINS Name Registration requests followed by a WINS Name Query request.

Affected

47 ranges · showing 25

Vendor   Product   Version range                  Fixed in
debian   samba     < samba 3.0.27-1 (bookworm)    samba 3.0.27-1 (bookworm)
samba    samba     (no range listed)              (no fix listed)

Detection & IOCs (extracted from sources)

path: nmbd/nmbd_packets.c
process: nmbd
  • Trigger condition requires multiple crafted WINS Name Registration requests followed by a WINS Name Query request — monitor for anomalous sequences of WINS registration packets from a single source preceding a Name Query on port 137/UDP.
  • Exploitation only possible when Samba nmbd is configured as a WINS server; alert on nmbd processes running with wins support = yes in smb.conf.
  • Successful exploitation results in arbitrary code execution with root privileges — monitor for unexpected child processes or privilege escalation events spawned from nmbd.
  • Vulnerable Samba versions are 3.0.0 through 3.0.26a; fixed in 3.0.27. Detect unpatched instances by fingerprinting Samba version strings on NetBIOS/SMB services.
  • The vulnerability is only exploitable when nmbd is configured as a WINS server. Deployments not acting as a WINS server are not affected.
  • CVE-2007-4572 patches were rolled back in USN-544-2 due to regressions (broken Linux smbfs mounts and NetBIOS failures); CVE-2007-5398 fixes remain in place and are unaffected by this rollback.
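The first detection bullet describes a packet sequence (several Name Registration requests from one source, then a Name Query) rather than a signature. The following is an added example, not code from the page or from Samba, that decodes the NBNS opcode from the UDP/137 payload per RFC 1002 and flags sources that complete that sequence; the packet tuples, IP addresses, threshold and the `build_nbns_header` helper are constructed for the demonstration.

```python
import struct
from collections import defaultdict

# NBNS opcodes from RFC 1002 (section 4.2.1.1): OPCODE occupies bits 11-14 of the
# flags word and bit 15 is the response flag.
OPCODE_QUERY = 0x0
OPCODE_REGISTRATION = 0x5
NBNS_PORT = 137

def nbns_opcode(payload: bytes):
    """Return (is_response, opcode) from a NetBIOS Name Service header."""
    if len(payload) < 12:
        raise ValueError("truncated NBNS header")
    _trn_id, flags = struct.unpack("!HH", payload[:4])
    return bool(flags & 0x8000), (flags >> 11) & 0xF

def build_nbns_header(opcode: int, trn_id: int = 0x1234, response: bool = False) -> bytes:
    """Constructed 12-byte NBNS header for the sample traffic below (no name records appended)."""
    flags = (int(response) << 15) | ((opcode & 0xF) << 11)
    return struct.pack("!HHHHHH", trn_id, flags, 1, 0, 0, 0)

def flag_registration_burst(packets, min_registrations=3):
    """packets: iterable of (src_ip, dst_port, udp_payload). Returns [(src_ip, count)]
    for every source that sent at least min_registrations Name Registration requests
    and then a Name Query request, the sequence the CVE-2007-5398 trigger requires."""
    pending = defaultdict(int)
    alerts = []
    for src, port, payload in packets:
        if port != NBNS_PORT:
            continue
        try:
            is_response, op = nbns_opcode(payload)
        except ValueError:
            continue  # malformed or truncated header: not a request we can classify
        if is_response:
            continue  # only client requests matter for this sequence
        if op == OPCODE_REGISTRATION:
            pending[src] += 1
        elif op == OPCODE_QUERY:
            if pending[src] >= min_registrations:
                alerts.append((src, pending[src]))
            pending[src] = 0  # a query closes the sequence either way

    return alerts

# Constructed sample traffic: 10.0.0.5 registers three names then queries; 10.0.0.9 only queries.
SAMPLE = (
    [("10.0.0.5", 137, build_nbns_header(OPCODE_REGISTRATION, trn_id=i)) for i in range(3)]
    + [("10.0.0.5", 137, build_nbns_header(OPCODE_QUERY))]
    + [("10.0.0.9", 137, build_nbns_header(OPCODE_QUERY))]
)

if __name__ == "__main__":
    print(flag_registration_burst(SAMPLE))  # [('10.0.0.5', 3)]
```

This is a sequence heuristic only: it does not inspect the name records themselves, so legitimate hosts that register several names at boot and then query will also match, and the threshold needs tuning against baseline WINS traffic.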

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v2.0      9.3     CRITICAL   AV:N/AC:M/Au:N/C:C/I:C/A:C
osv                       9.3     CRITICAL
vendor_debian             9.3     HIGH
vendor_redhat             9.3     CRITICAL
vendor_ubuntu             9.3     CRITICAL