Update Protection against Samba receive_smb_raw SMB Packet Parsing Buffer Overflow Vulnerability

Vulnerability
Protection

Check Point Reference:	CPAI-2008-091
Date Published:
Severity:
Last Updated:
Source:	Secunia Advisory: SA30228
Industry Reference(s):	CVE-2008-1105
Protection Provided by:	VPN-1 NGX R65 NGX R62 NGX R61 NGX R60 VSX NGX R65 IPS-1 IPS-1 IPS-1 NGX R65
Who is Vulnerable? Samba Team Samba 3.0.29 and prior
Vulnerability Description A buffer overflow vulnerability has been reported in Samba. Samba is an open-source implementation of the network services suite SMB/CIFS (Server Message Block/Common Internet File System). An attacker may exploit this vulnerability to execute arbitrary code on a target system.

Update/Patch Available Update to version 3.0.30 or apply patch: Samba
Vulnerability Details The vulnerability is due to a boundary error in the "receive_smb_raw()" function when Samba parses SMB packets. A remote attacker can exploit this issue by specially crafting a malicious SMB packet and sending it to an affected system. Successful exploitation may allow execution of arbitrary code on a target system.

Protection Overview
By enabling this protection, SmartDefense will detect and block malformed SMB packets sent to the vulnerable service.

In order for the protection to be activated, update your VPN-1/InterSpect product to the latest SmartDefense update. For information on how to update SmartDefense, go to SBP-2006-05, Protection tab and select the version of your choice.

To configure the defense, select your product from the list below and follow the related protection steps.

VPN-1 NGX R65 & R62

How Can I Protect My Network?
1. In the SmartDefense tab, click Application Intelligence > MS-RPC > MS-RPC over CIFS > Block Samba SMB Packet Parsing Buffer Overflow.
2. In the configuration pane, under Settings > Mode, check Active.
3. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: MS-RPC Enforcement Violation
Attack Information: Samba SMB packet parsing buffer overflow

VPN-1 NGX R61 & R60

How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > MS-RPC > MS-RPC over CIFS.
2. Select the following protection:

Block Samba SMB Packet Parsing Buffer Overflow

3. Install security policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: MS-RPC Enforcement Violation
Attack Information: Samba SMB packet parsing buffer overflow

VPN-1 VSX NGX R65

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: MS-RPC Enforcement Violation
Attack Information: Samba SMB packet parsing buffer overflow

InterSpect NGX

How Can I Protect My Network?
1. In the left pane, select Profiles > Default Protection and select the SmartDefense page of the profile.
2. In the SmartDefense tree, click Application Intelligence > MS-RPC > MS-RPC over CIFS.
3. Select the following protection:

Block Samba SMB Packet Parsing Buffer Overflow

4. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: MS-RPC Enforcement Violation
Attack Information: Samba SMB packet parsing buffer overflow

IPS-1 & IPS-1 NGX R65

How Can I Protect My Network?
1. In the IPS-1 Policy Manager, click on the Protection tab.
2. In the Protection tree, click Network Security > SMB, and select the Samba protection group.
3. Click Samba smbclient raw SMB Alert (IPS-1 NGX R65 only).
4. In the configuration pane, under Settings, check Active.
5. Click on Install Policy.

How Do I Know if My Network is Under Attack?
Upon attack, the following entry will be logged:

Alert Name: smb_samba
Description: smbclient_raw_alert

Legal Notice for Threat Center Advisories