Update Protection against Samba NetDFS RPC Remote Code Execution Vulnerability
| Check Point Reference: | CPAI-2007-079 | |
| Date Published: | ||
| Severity: | ||
| Source: | FrSIRT/ADV-2007-1805 | |
| Industry Reference(s): | CVE-2007-2446 | |
| Protection Provided by: |
VPN-1
|
|
| Who is Vulnerable? Samba Team Samba 3.x, 3.0.25rc3 and prior | ||
| Vulnerability Description A buffer overflow vulnerability has been reported in Samba. Samba is an open-source implementation of the network services suite SMB/CIFS. Samba implements many protocols and services, including the vulnerable NetDFS Service component which can be accessed through a Remote Procedure Call (RPC) interface. An attacker may exploit the vulnerability to execute arbitrary code on a target system via a specially crafted RPC request. |
||
|
Update/Patch Available Apply patches: Samba |
|
|
Vulnerability Details The vulnerability is due to a boundary error in the Samba NetDFS RPC interface that fails to properly handle specially crafted RPC requests. A remote attacker can exploit this issue by specially crafting a malicious RPC request and sending it to an affected system. Successful exploitation may allow execution of arbitrary code on a target system. |
Protection Overview
By enabling this protection, SmartDefense will detect and block malformed RPC requests sent to the NetDFS RPC interface.
In order for the protection to be activated, update your VPN-1/InterSpect product to the latest SmartDefense update. For information on how to update SmartDefense, go to SBP-2006-05, Protection tab and select the version of your choice.
To configure the defense, select your product from the list below and follow the related protection steps.
Additional Information
The Update released on July 16, 2007 includes the following protections:
MIT Kerberos Multiple Remote Code Execution Vulnerabilities (CPAI-2007-078)
Samba NetDFS RPC Remote Code Execution Vulnerability (CPAI-2007-079)
Security Best Practice: Blocking Skype (SBP-2007-07)
VPN-1 NGX R65 & R62
How Can I Protect My Network?
1. In the SmartDefense tab, click Application Intelligence > MS-RPC > MS-RPC over CIFS, and select Block Samba NETDFS Vulnerability.
2. In the configuration pane, under Settings > Mode, check Active.
3. Install policy on all modules.
How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:
Attack Name: MS-RPC Enforcement Violation
Attack Information: Samba NETDFS vulnerability detected
VPN-1 NGX R61, R60, VPN-1 NG with Application Intelligence R55W
How Can I Protect My Network? Block Samba NETDFS Vulnerability
1. In the SmartDefense tree, click Application Intelligence > MS-RPC > MS-RPC over CIFS.
2. Select the following protection:
3. Install policy on all modules.
How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:
Attack Name: MS-RPC Enforcement Violation
Attack Information: Samba NETDFS vulnerability detected
VPN-1 NG with Application Intelligence R55
How Can I Protect My Network? Block Samba NETDFS Vulnerability
1. In the SmartDefense tree, click Application Intelligence and select MS-RPC > MS-RPC over CIFS.
2. Select the following protection:
3. Install policy on all modules.
How Do I Know if My Network is Under Attack?
Rule #99894 will appear on the SmartView Tracker.
VPN-1 VSX NGX
How Can I Protect My Network? Block Samba NETDFS Vulnerability
1. In the SmartDefense tree, click Application Intelligence and select MS-RPC > MS-RPC over CIFS.
2. Select the following protection:
3. Install policy on all modules.
How Do I Know if My Network is Under Attack?
Rule #99894 will appear on the SmartView Tracker.
InterSpect NGX
How Can I Protect My Network? Block Samba NETDFS Vulnerability
1. In the lefthand menu, click Profiles > Default Protection > SmartDefense. The SmartDefense page opens.
2. In the SmartDefense tree, click Application Intelligence > MS-RPC > MS-RPC over CIFS.
3. Select the following protection:
4. Install security policy.
How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:
Attack Name: MS-RPC Enforcement Violation
Attack Information: Samba NETDFS vulnerability detected
InterSpect 2.0
How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence and select RPC > MS-RPC over CIFS.
2. Select the following protection:
Block Samba NETDFS Vulnerability
3. Install security policy.
How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:
Attack Name: MS-RPC Enforcement Violation
Attack Information: Samba NETDFS vulnerability detected