<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<title>Samba - Security Announcement Archive</title>
<H2>CVE-2014-3560.html:</H2>
===========================================================
== Subject: Remote code execution in nmbd
== CVE ID#: CVE-2014-3560
== Versions: Samba 4.0.0 to 4.1.10
== Summary: Samba 4.0.0 to 4.1.10 are affected by a
== remote code execution attack on
== unauthenticated nmbd NetBIOS name services.
===========================================================
All current versions of Samba 4.x.x are vulnerable to a remote code
execution vulnerability in the nmbd NetBIOS name services daemon.
A malicious browser can send packets that may overwrite the heap of
the target nmbd NetBIOS name services daemon. It may be possible to
use this to generate a remote code execution vulnerability as the
A patch addressing this defect has been posted to
http://www.samba.org/samba/security/
Additionally, Samba 4.1.11 and 4.0.21 have been issued as security
releases to correct the defect. Patches against older Samba versions
are available at http://samba.org/samba/patches/. Samba vendors and
administrators running affected versions are advised to upgrade or
apply the patch as soon as possible.
Do not run nmbd, the NetBIOS name services daemon.
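An added example (not part of the Samba advisory): a shell check that maps a version string, such as the output of `smbd -V`, onto the affected and fixed ranges stated above and combines it with whether nmbd is running. The function names, the result labels and the `yes`/`no` override argument are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the Samba advisory.
# Ranges taken from the advisory: affected 4.0.0 to 4.1.10,
# fixed in the security releases 4.0.21 and 4.1.11.
# A distribution package may carry the backported patch under an
# "affected" version number, so read "affected" as "confirm with vendor".

classify_samba_version() {
    # Extract the first x.y.z, dropping prefixes such as "Version "
    # and vendor suffixes such as "-Ubuntu".
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^[^0-9]*\([0-9]\{1,\}\.[0-9]\{1,\}\.[0-9]\{1,\}\).*/\1/p')
    if [ -z "$ver" ]; then echo unknown; return 0; fi
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    if [ "$major" -ne 4 ] || [ "$minor" -gt 1 ]; then
        echo outside-range         # not in the advisory's 4.0.x/4.1.x range
    elif [ "$minor" -eq 0 ] && [ "$patch" -le 20 ]; then
        echo affected              # 4.0.0 .. 4.0.20
    elif [ "$minor" -eq 1 ] && [ "$patch" -le 10 ]; then
        echo affected              # 4.1.0 .. 4.1.10
    else
        echo fixed                 # 4.0.21+ or 4.1.11+
    fi
}

# The advisory's workaround is not to run nmbd, so an affected version
# is only reported as "exposed" when nmbd is actually running.
# Second argument (assumption of this example): "yes" or "no" overrides
# the process lookup, e.g. when checking an inventory export.
host_exposure() {
    status=$(classify_samba_version "$1")
    running=${2:-}
    if [ -z "$running" ]; then
        if pgrep -x nmbd >/dev/null 2>&1; then running=yes; else running=no; fi
    fi
    case "$status:$running" in
        affected:yes) echo exposed ;;
        affected:no)  echo affected-but-nmbd-stopped ;;
        *)            echo "$status" ;;
    esac
}

# Usage on a host: sh check.sh "$(smbd -V)"
if [ "$#" -gt 0 ]; then host_exposure "$1"; fi
```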
This problem was found and the fix provided by Volker Lendecke, a
Samba Team member working for SerNet <vl@sernet.de>
https://www.sernet.de.