CVE-2013-4124
published 2013-08-06

Priority: P3 (44) · CVSS 2.0: 5.0 medium (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Flags: EXPLOIT
EPSS: 69.01% (99.3rd percentile)
Integer overflow in the read_nttrans_ea_list function in nttrans.c in smbd in Samba 3.x before 3.5.22, 3.6.x before 3.6.17, and 4.x before 4.0.8 allows remote attackers to cause a denial of service (memory consumption) via a malformed packet.

Affected

159 ranges · showing 25 (version ranges and fixed-in versions are only present for the Debian row)

Vendor          Product           Version range                    Fixed in
canonical       ubuntu_linux      (4 ranges, versions not shown)   -
debian          samba             < samba 2:3.6.17-1 (bookworm)    samba 2:3.6.17-1 (bookworm)
fedoraproject   fedora            (2 ranges, versions not shown)   -
opensuse        opensuse          (2 ranges, versions not shown)   -
redhat          enterprise_linux  (1 range, version not shown)     -
samba           samba             (15 ranges, versions not shown)  -

Detection & IOCs (extracted from sources)

Port: 445/tcp (SMB)
Command: SMB_COM_NT_TRANSACT (0xA0) with NT_TRANSACT_CREATE (0x01) and a malformed, oversized dataoffset (0xf1000000)
Bytes: \xff\x53\x4d\x42 (SMB protocol magic bytes) with command byte 0xA0 (SMB_NTTRANS)
  • Detect SMB NT_TRANSACT (command 0xA0) packets with a malformed or oversized dataoffset field that causes an integer wrap (e.g. a value near 0xf1000000) and targets the read_nttrans_ea_list code path in smbd.
  • The exploit requires the NT_TRANSACT_CREATE sub-function (0x01) within the SMBNTtrans request; monitor for SMB NT_TRANSACT packets with function code 0x01 carrying anomalously large data offset values.
  • Monitor smbd processes for abnormal memory consumption after receipt of SMB NTTRANS packets; the vulnerability makes the server loop and re-process the EA list, leading to memory exhaustion.
  • The attack vector is the SMBNTtrans reply_nttrans() handler; network sensors should alert on SMB sessions sending NT_TRANSACT requests with EA list data that triggers integer overflow conditions.
  • The vulnerability is only exploitable when the 'ea support' option is explicitly enabled on the target Samba share; it is disabled by default, which significantly limits exposure.
  • EA support is disabled by default ('ea support = no') in the Samba packages shipped with Red Hat Enterprise Linux 5 and 6, so those default configurations are not exploitable.
  • Affected versions are Samba 3.x before 3.5.22, 3.6.x before 3.6.17, and 4.x before 4.0.8; patched upstream commits are available against v4.0.7, v3.6.16, and v3.5.21.

CVSS provenance

nvd: v2.0 5.0 MEDIUM (AV:N/AC:L/Au:N/C:N/I:N/A:P)
osv: 5.0 MEDIUM
vendor_debian: 5.0 LOW
vendor_redhat: 5.0 MEDIUM