Samba contains a flaw that may allow a remote denial of service. The issue is triggered when an attacker sends a malformed UDP packet and will result in loss of availability for Samba's nmbd daemon. The process_logon_packet function does not properly validate that the packet is appropriately sized to contain the number of structures it claims, when processing a SAM_UAS_CHANGE request. If the packet claims a large number of structures and a smaller number are contained in the packet, nmbd will reference memory outside of the packet, possibly causing the daemon to crash.

Upgrade to version 3.0.7 or higher, as it has been reported to fix this vulnerability. If an upgrade is not a possibility, apply the samba-3.0.5-DoS.patch. Additionally, removing the line "domain logons = yes" from the smb.conf file for the server will prevent exploitation.

• Security Tracker: 1011222
• Secunia Advisory ID: 12516 12517 12518 12631 12829
• CVE ID: 2004-0808 (see also: NVD)
• Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2004-09/0108.html
• Other Advisory URL: http://distro.conectiva.com.br/atualizacoes/index.php?id=a&anuncio=000873
  http://security.gentoo.org/glsa/glsa-200409-16.xml
  http://www.idefense.com/application/poi/display?id=138&type=vulnerabilities&flashstatus=true
• Vendor Specific Solution URL: http://download.samba.org/samba/ftp/patches/security/
  http://us3.samba.org/samba/news/releases/#3.0.7
• Vendor Specific Advisory URL: http://us3.samba.org/samba/history/3.0_DOS_sept04_announce.txt
• RedHat RHSA: RHSA-2004:467
• Keyword: UDP Port 138

• Anonymous - iDefense Labs VCP