Home Page | Skip to Navigation | Skip to Content | Skip to Search | Skip to Footer

Update Protection against Samba receive_smb_raw SMB Packets Parsing Buffer Overflow Vulnerability

Check Point Reference: CPAI-2008-091
Date Published:
Severity:
Source: Secunia Advisory: SA30228
Industry Reference(s): CVE-2008-1105
Protection Provided by: IPS-1
  • IPS-1
  • IPS-1 NGX R65
Who is Vulnerable?
Samba Team Samba 3.0.29 and prior
Vulnerability Description
A buffer overflow vulnerability has been reported in Samba. Samba is an open-source implementation of the network services suite SMB/CIFS (Server Message Block/Common Internet File System). An attacker may exploit this vulnerability to execute arbitrary code on a target system.
Update/Patch Available
Update to version 3.0.30 or apply patch:
Samba
Vulnerability Details
The vulnerability is due to a boundary error in the "receive_smb_raw()" function when Samba parses SMB packets. A remote attacker can exploit this issue by specially crafting a malicious SMB packet and sending it to an affected system. Successful exploitation may allow execution of arbitrary code on a target system.

Protection Overview
By enabling this protection, SmartDefense will detect and block malformed SMB packets sent to the vulnerable service.

In order for the protection to be activated, update your VPN-1/InterSpect product to the latest SmartDefense update. For information on how to update SmartDefense, go to SBP-2006-05, Protection tab and select the version of your choice.

To configure the defense, select your product from the list below and follow the related protection steps.

IPS-1 & IPS-1 NGX R65

How Can I Protect My Network?
1. In the IPS-1 Policy Manager, click on the Protection tab.
2. In the Protection tree, click Network Security > SMB, and select the Samba protection group.
3. Click Samba smbclient raw SMB Alert (IPS-1 NGX R65 only).
4. In the configuration pane, under Settings, check Active.
5. Click on Install Policy.

How Do I Know if My Network is Under Attack?
Upon attack, the following entry will be logged:

Alert Name: smb_samba
Description: smbclient_raw_alert