CVE-2007-5398
Published: 2007-11-16
Priority: P353 critical · CVSS 2.0: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
EPSS: 11.25% (95.4th percentile)
Stack-based buffer overflow in the reply_netbios_packet function in nmbd/nmbd_packets.c in nmbd in Samba 3.0.0 through 3.0.26a, when operating as a WINS server, allows remote attackers to execute arbitrary code via crafted WINS Name Registration requests followed by a WINS Name Query request.
Affected
47 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | samba | < samba 3.0.27-1 (bookworm) | samba 3.0.27-1 (bookworm) |
| samba | samba | — | — |
Detection & IOCs (extracted from sources)
- The trigger is a sequence: several crafted WINS Name Registration requests followed by a WINS Name Query request. Monitor UDP/137 for bursts of Name Registration (or Refresh) packets from one source shortly before a Name Query from that same source. A host legitimately registers several names (the <00>, <03> and <20> suffixes) when it boots, so set the burst threshold from a baseline rather than alerting on any registration/query pair.
- Exploitation is only possible when nmbd runs as a WINS server, i.e. `wins support = yes` in the [global] section of smb.conf (Samba's default is no). Inventory nmbd instances with that setting; only those are in scope.
- Successful exploitation yields arbitrary code execution with root privileges, since nmbd runs as root. Monitor for unexpected child processes, unexpected network connections or privilege-escalation events originating from nmbd.
- Vulnerable upstream versions are 3.0.0 through 3.0.26a; fixed in 3.0.27. Unpatched instances can be found by fingerprinting the Samba version string on NetBIOS/SMB services, with the caveat that distribution packages often backport the fix without changing the upstream version string, so confirm a hit against the vendor advisory before calling it vulnerable.
- Deployments whose nmbd is not acting as a WINS server are not affected.
- The CVE-2007-4572 patches were rolled back in USN-544-2 because of regressions (broken Linux smbfs mounts and NetBIOS failures); the CVE-2007-5398 fix from USN-544-1 remains in place and is unaffected by that rollback.
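The request sequence described above can be matched on the wire. The following is an added example, not code from this page, the Samba project or any of the cited advisories: it parses the NetBIOS Name Service header and question section (RFC 1002 layout) and raises an alert when one source sends several Name Registration or Refresh requests within a short window and then a Name Query. The packet bytes, source addresses, timestamps, threshold and window are constructed for illustration. Because the page does not say what makes the registrations "crafted", the detector matches the request pattern only, not any malformed content.

```python
"""Heuristic detector for the CVE-2007-5398 trigger pattern on UDP/137.

Added example (not from the page or the Samba project). Packet bytes, hosts,
timestamps, threshold and window below are constructed for illustration.
"""
import struct
from collections import defaultdict, deque

OPCODE_QUERY = 0x0
OPCODE_REGISTRATION = 0x5
OPCODE_REFRESH = 0x8            # RFC 1002 also lists 0x9 as an alternate refresh opcode
OPCODE_REFRESH_ALT = 0x9
REGISTRATION_OPCODES = {OPCODE_REGISTRATION, OPCODE_REFRESH, OPCODE_REFRESH_ALT}
HDR = struct.Struct("!HHHHHH")   # TRN_ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT


def encode_netbios_name(name, suffix=0x00):
    """First-level encoding: each nibble of the 16-byte padded name becomes 'A' + nibble."""
    raw = name.upper().encode("ascii").ljust(15, b" ")[:15] + bytes([suffix])
    enc = bytearray()
    for b in raw:
        enc.append(0x41 + (b >> 4))
        enc.append(0x41 + (b & 0x0F))
    return b"\x20" + bytes(enc) + b"\x00"


def build_request(trn_id, opcode, name, suffix=0x00, addr=b"\x0a\x00\x00\x05"):
    """Constructed NBNS request; registrations carry one additional NB record."""
    flags = (opcode << 11) | 0x0100          # RD set, B (broadcast) clear: unicast to a WINS server
    arcount = 1 if opcode in REGISTRATION_OPCODES else 0
    pkt = HDR.pack(trn_id, flags, 1, 0, 0, arcount)
    pkt += encode_netbios_name(name, suffix) + struct.pack("!HH", 0x0020, 0x0001)  # type NB, class IN
    if arcount:
        # RR_NAME pointer to offset 12, type NB, class IN, TTL, RDLENGTH=6, NB_FLAGS, NB_ADDRESS
        pkt += struct.pack("!HHHIH", 0xC00C, 0x0020, 0x0001, 300000, 6) + b"\x00\x00" + addr
    return pkt


def parse_nbns(pkt):
    """Return a dict for an NBNS-shaped packet (header plus first question), else None."""
    if len(pkt) < HDR.size:
        return None
    trn_id, flags, qdcount, _, _, _ = HDR.unpack_from(pkt)
    rec = {"trn_id": trn_id, "response": bool(flags & 0x8000),
           "opcode": (flags >> 11) & 0xF, "name": None, "suffix": None}
    if qdcount:
        off = HDR.size
        # A first-level encoded name is exactly 1 + 32 + 1 bytes, followed by type and class.
        if len(pkt) < off + 34 + 4 or pkt[off] != 32 or pkt[off + 33] != 0:
            return None
        enc = pkt[off + 1:off + 33]
        if any(c < 0x41 or c > 0x50 for c in enc):   # only 'A'..'P' are valid nibble letters
            return None
        raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
        rec["name"] = raw[:15].decode("ascii", "replace").rstrip(" ")
        rec["suffix"] = raw[15]
    return rec


class WinsSequenceDetector:
    """Alert when a source sends >= threshold registrations within `window` seconds
    and then a Name Query. Booting hosts legitimately register several names
    (<00>, <03>, <20> ...), so tune threshold and window to the environment."""

    def __init__(self, threshold=3, window=5.0):
        self.threshold = threshold
        self.window = window
        self.registrations = defaultdict(deque)   # src -> timestamps of recent registrations

    def _prune(self, src, now):
        q = self.registrations[src]
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def observe(self, src, ts, pkt):
        rec = parse_nbns(pkt)
        if rec is None or rec["response"]:
            return None
        q = self._prune(src, ts)
        if rec["opcode"] in REGISTRATION_OPCODES:
            q.append(ts)
        elif rec["opcode"] == OPCODE_QUERY and len(q) >= self.threshold:
            return {"src": src, "registrations": len(q), "query_name": rec["name"], "ts": ts}
        return None


def run_sample():
    """Replay a constructed capture: three registrations then a query from 10.0.0.5,
    plus a lone query from 10.0.0.9. Returns the list of alerts raised."""
    det = WinsSequenceDetector(threshold=3, window=5.0)
    capture = [
        ("10.0.0.5", 100.0, build_request(1, OPCODE_REGISTRATION, "SRV01", 0x00)),
        ("10.0.0.5", 100.2, build_request(2, OPCODE_REGISTRATION, "SRV01", 0x20)),
        ("10.0.0.5", 100.4, build_request(3, OPCODE_REFRESH, "SRV01", 0x03)),
        ("10.0.0.9", 100.5, build_request(4, OPCODE_QUERY, "FILESRV", 0x20)),
        ("10.0.0.5", 101.0, build_request(5, OPCODE_QUERY, "SRV01", 0x20)),
    ]
    return [a for a in (det.observe(*p) for p in capture) if a]


if __name__ == "__main__":
    for alert in run_sample():
        print("ALERT", alert)
```

To run this against live traffic, feed `observe()` the UDP payload, source address and capture timestamp of each packet to port 137; the parser rejects anything that is not NBNS-shaped, so a WINS server's own responses (R bit set) and junk are ignored rather than counted.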
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v2.0) | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| osv | 9.3 | CRITICAL | — |
| vendor_debian | 9.3 | HIGH | — |
| vendor_redhat | 9.3 | CRITICAL | — |
| vendor_ubuntu | 9.3 | CRITICAL | — |
VMware
VMSA-2008-0001: Updated service console patches
vendor_vmware · 2008-01-07 · CVSS 1.2 · indexed under CVE-2007-3108 [LOW]
VMware Security Advisory VMSA-2008-0001, synopsis "Updated service console patches".
CVEs: CVE-2007-3108, CVE-2007-4572, CVE-2007-5116, CVE-2007-5135, CVE-2007-5191, CVE-2007-5360, CVE-2007-5398
Ubuntu
USN-544-1: Samba vulnerabilities
vendor_ubuntu · 2007-11-16 · CVSS 9.3 · indexed under CVE-2007-4572 [CRITICAL]; also covers CVE-2007-5398
Samba developers discovered that nmbd could be made to overrun a buffer
during the processing of GETDC logon server requests. When samba is
configured as a Primary or Backup Domain Controller, a remote attacker
could send malicious logon requests and possibly cause a denial of
service. (CVE-2007-4572)
Alin Rad Pop of Secunia Research discovered that nmbd did not properly
check the length of netbios packets. When samba is configured as a WINS
server, a remote attacker could send multiple crafted requests resulting
in the execution of arbitrary code with root privileges. (CVE-2007-5398)
Instructions: In general, a standard system upgrade is sufficient to effect the
necessary changes.
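The advisory's two preconditions, nmbd configured as a WINS server and a Samba release in the 3.0.0 through 3.0.26a range, can be checked on the host itself. The following is an added example, not code from this page or from the Samba project: it parses the [global] section of smb.conf for `wins support`, extracts the upstream version from a string of the shape `smbd -V` prints ("Version 3.0.26a"), and combines the two into a verdict. The smb.conf fragments and version strings are constructed; "Version 3.0.26a-3ubuntu2" is a made-up shape, not a real package version. Vendor packages often backport fixes without changing the upstream version, so an "exposed" verdict is something to confirm against the distribution's advisory (Debian, for instance, fixed this in 3.0.27-1), not proof on its own.

```python
"""Host-side exposure check for CVE-2007-5398.

Added example (not from the page or the Samba project). The smb.conf text and
version strings are constructed. Boolean parsing follows Samba's documented
smb.conf syntax (yes/true/1/on, case-insensitive); the version comparison treats
the optional trailing letter (3.0.26a) as a patch-level suffix.
"""
import re

FIRST_VULNERABLE = (3, 0, 0, "")
LAST_VULNERABLE = (3, 0, 26, "a")     # fixed upstream in 3.0.27
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]?)")


def parse_smb_conf(text):
    """Return {section: {key: value}}; keys lower-cased with whitespace collapsed.
    Lines whose first non-blank character is '#' or ';' are comments."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][" ".join(key.lower().split())] = value.strip()
    return conf


def is_wins_server(text):
    """Samba's default is `wins support = no`; only an explicit true value turns it on."""
    value = parse_smb_conf(text).get("global", {}).get("wins support", "no")
    return value.lower() in {"yes", "true", "1", "on"}


def parse_version(version_string):
    """Pull the upstream x.y.z[letter] out of strings like 'Version 3.0.26a-3ubuntu2'."""
    m = VERSION_RE.search(version_string)
    if not m:
        raise ValueError("no Samba version in %r" % version_string)
    return int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4)


def is_vulnerable_version(version_string):
    """True for upstream 3.0.0 .. 3.0.26a inclusive (a bare 3.0.26 sorts before 3.0.26a)."""
    return FIRST_VULNERABLE <= parse_version(version_string) <= LAST_VULNERABLE


def assess(smb_conf_text, version_string):
    """'exposed' needs both conditions; otherwise say which one is missing."""
    if not is_wins_server(smb_conf_text):
        return "not a WINS server"
    if not is_vulnerable_version(version_string):
        return "patched version"
    return "exposed"


# Constructed smb.conf fragments for the usage below (not from a real host).
WINS_CONF = """
[global]
   workgroup = EXAMPLE
   ; this nmbd answers WINS registrations and queries
   wins support = Yes
   netbios name = WINS01
[homes]
   browseable = no
"""
MEMBER_CONF = """
[global]
   workgroup = EXAMPLE
   # a WINS client pointing at another server, not a WINS server itself
   wins server = 10.0.0.1
"""

if __name__ == "__main__":
    print(assess(WINS_CONF, "Version 3.0.26a-3ubuntu2"))   # exposed
    print(assess(WINS_CONF, "Version 3.0.27-1"))           # patched version
    print(assess(MEMBER_CONF, "Version 3.0.26a"))          # not a WINS server
```

On a real host, pass the contents of /etc/samba/smb.conf and the output of `smbd -V` to `assess()`; `testparm -s` can be used first to expand includes, since this parser reads a single file only.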
Ubuntu
USN-544-2: Samba regression
vendor_ubuntu · 2007-11-16 · CVSS 9.3 · indexed under CVE-2007-4572 [CRITICAL]
USN-544-1 fixed two vulnerabilities in Samba. Fixes for CVE-2007-5398
are unchanged, but the upstream changes for CVE-2007-4572 introduced a
regression in all releases which caused Linux smbfs mounts to fail.
Additionally, Dapper and Edgy included an incomplete patch which caused
configurations using NetBIOS to fail. A proper fix for these regressions
does not exist at this time, and so the patch addressing CVE-2007-4572
has been removed. This vulnerability is believed to be an unexploitable
denial of service, but a future update will address this issue. We
apologize for the inconvenience.
Original advisory details:
Samba developers discovered that nmbd could be made to overrun
a buffer during the processing of GETDC logon server reques
Red Hat
Samba "reply_netbios_packet()" Buffer Overflow Vulnerability
vendor_redhat · 2007-11-15 · CVSS 9.3 · CVE-2007-5398 [CRITICAL]
Stack-based buffer overflow in the reply_netbios_packet function in nmbd/nmbd_packets.c in nmbd in Samba 3.0.0 through 3.0.26a, when operating as a WINS server, allows remote attackers to execute arbitrary code via crafted WINS Name Registration requests followed by a WINS Name Query request.
Debian
CVE-2007-5398: samba - Stack-based buffer overflow in the reply_netbios_packet function in nmbd/nmbd_pa...
vendor_debian · 2007 · CVSS 9.3 · CVE-2007-5398 [CRITICAL]
Stack-based buffer overflow in the reply_netbios_packet function in nmbd/nmbd_packets.c in nmbd in Samba 3.0.0 through 3.0.26a, when operating as a WINS server, allows remote attackers to execute arbitrary code via crafted WINS Name Registration requests followed by a WINS Name Query request.
Scope: local
bookworm: resolved (fixed in 3.0.27-1)
bullseye: resolved (fixed in 3.0.27-1)
forky: resolved (fixed in 3.0.27-1)
sid: resolved (fixed in 3.0.27-1)
trixie: resolved (fixed in 3.0.27-1)
GHSA
GHSA-2488-7mjj-wx6f: Stack-based buffer overflow in the reply_netbios_packet function in nmbd/nmbd_packets
ghsa_unreviewed · 2022-05-01 · CVE-2007-5398 [HIGH] · CWE-119
Stack-based buffer overflow in the reply_netbios_packet function in nmbd/nmbd_packets.c in nmbd in Samba 3.0.0 through 3.0.26a, when operating as a WINS server, allows remote attackers to execute arbitrary code via crafted WINS Name Registration requests followed by a WINS Name Query request.
OSV
CVE-2007-5398: Stack-based buffer overflow in the reply_netbios_packet function in nmbd/nmbd_packets
osv · 2007-11-16 · CVSS 9.3 · CVE-2007-5398 [CRITICAL]
Stack-based buffer overflow in the reply_netbios_packet function in nmbd/nmbd_packets.c in nmbd in Samba 3.0.0 through 3.0.26a, when operating as a WINS server, allows remote attackers to execute arbitrary code via crafted WINS Name Registration requests followed by a WINS Name Query request.
No detection rules found.
No public exploits indexed.
References
- http://docs.info.apple.com/article.html?artnum=307179
- http://lists.apple.com/archives/security-announce/2007/Dec/msg00002.html
- http://lists.vmware.com/pipermail/security-announce/2008/000002.html
- http://marc.info/?l=bugtraq&m=120524782005154&w=2
- http://secunia.com/advisories/27450
- http://secunia.com/advisories/27679
- http://secunia.com/advisories/27682
- http://secunia.com/advisories/27691
- http://secunia.com/advisories/27701
- http://secunia.com/advisories/27720
- http://secunia.com/advisories/27731
- http://secunia.com/advisories/27742
- http://secunia.com/advisories/27787
- http://secunia.com/advisories/27927
- http://secunia.com/advisories/28136
- http://secunia.com/advisories/28368
- http://secunia.com/advisories/29341
- http://secunia.com/advisories/30484
- http://secunia.com/advisories/30835
- http://secunia.com/secunia_research/2007-90/advisory/
- http://securityreason.com/securityalert/3372
- http://securitytracker.com/id?1018953
- http://slackware.com/security/viewer.php?l=slackware-security&y=2007&m=slackware-security.447739
- http://sunsolve.sun.com/search/document.do?assetkey=1-26-237764-1
- http://us1.samba.org/samba/security/CVE-2007-5398.html
- http://www.debian.org/security/2007/dsa-1409
- http://www.gentoo.org/security/en/glsa/glsa-200711-29.xml
- http://www.mandriva.com/security/advisories?name=MDKSA-2007:224
- http://www.novell.com/linux/security/advisories/2007_65_samba.html
- http://www.redhat.com/support/errata/RHSA-2007-1013.html
- http://www.redhat.com/support/errata/RHSA-2007-1016.html
- http://www.redhat.com/support/errata/RHSA-2007-1017.html
- http://www.securityfocus.com/archive/1/483744/100/0/threaded
- http://www.securityfocus.com/archive/1/485936/100/0/threaded
- http://www.securityfocus.com/archive/1/486859/100/0/threaded
- http://www.securityfocus.com/bid/26455
- http://www.us-cert.gov/cas/techalerts/TA07-352A.html
- http://www.vmware.com/security/advisories/VMSA-2008-0001.html
- http://www.vupen.com/english/advisories/2007/3869
- http://www.vupen.com/english/advisories/2007/4238
- http://www.vupen.com/english/advisories/2008/0064
- http://www.vupen.com/english/advisories/2008/0859/references
- http://www.vupen.com/english/advisories/2008/1712/references
- http://www.vupen.com/english/advisories/2008/1908
- http://www11.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c01475657
- https://exchange.xforce.ibmcloud.com/vulnerabilities/38502
- https://issues.rpath.com/browse/RPL-1894
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10230
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5811
- https://usn.ubuntu.com/544-1/
- https://www.redhat.com/archives/fedora-package-announce/2007-November/msg00472.html
+ 2 more references