
KB-1795: Does Samba security alert CVE-2010-3069 affect Centrify-Enabled Samba?

Centrify DirectAudit, Centrify DirectControl, Centrify Identity Service, Mac Edition

12 April, 16 at 11:02 AM

Applies to: Centrify-Enabled Samba 3.3.9-4.3.1-145 or lower

Question:
Does the Samba security alert CVE-2010-3069 (below) affect Centrify-Enabled Samba?

All current released versions of Samba are vulnerable to a buffer overrun vulnerability. The sid_parse() function (and related dom_sid_parse() function in the source4 code) do not correctly check their input lengths when reading a binary representation of a Windows SID (Security ID). This allows a malicious client to send a sid that can overflow the stack variable that is being used to store the SID in the Samba smbd server.

A connection to a file share is needed to exploit this vulnerability, either authenticated or unauthenticated (guest connection).

Answer:
CVE-2010-3069 affects all versions of Samba from 3.0 to 3.5, so our current Centrify-Enabled Samba 3.3.9-4.3.1-145 is also affected and needs to be patched. We are currently working to deliver a patched Samba release as soon as possible. An email notification will be sent to all customers as soon as it is available.

To subscribe to further security notices, please click on the forum links below and choose to "Watch" them for updates.

https://www.centrify.com/jiveforums/forum.jspa?forumID=3
https://www.centrify.com/jiveforums/thread.jspa?threadID=474


Centrify Corporation does not take any responsibility for the content or availability of this link; it was provided as a courtesy. Customers should contact the vendor if there are any further questions.
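The alert quoted in the question describes a binary SID parser that trusts the lengths in its input. The following is an added example, not code from Samba or Centrify, showing the kind of length checks such a parser needs before it copies a SID into a fixed-size structure. The function, struct and sample names are hypothetical, and the sample byte strings are constructed; the layout used is the standard binary SID encoding (revision, sub-authority count, 6-byte authority, then 32-bit little-endian sub-authorities).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define MAX_SUB_AUTHS 15  /* a SID carries at most 15 sub-authorities */

struct sid {                      /* hypothetical in-memory form */
    uint8_t  revision;
    uint8_t  num_auths;
    uint8_t  id_auth[6];
    uint32_t sub_auths[MAX_SUB_AUTHS];
};

/* Parse revision(1) count(1) authority(6) count * uint32 (little-endian).
 * Returns true only if the SID fits both the input and the struct. */
bool sid_parse_checked(const uint8_t *in, size_t len, struct sid *out)
{
    if (in == NULL || out == NULL || len < 8)
        return false;             /* fixed 8-byte header must be present */

    uint8_t count = in[1];        /* sender-controlled count byte */
    if (count > MAX_SUB_AUTHS)
        return false;             /* would write past sub_auths[] */
    if (len < 8 + (size_t)count * 4)
        return false;             /* would read past the input buffer */

    out->revision  = in[0];
    out->num_auths = count;
    for (size_t i = 0; i < 6; i++)
        out->id_auth[i] = in[2 + i];
    for (size_t i = 0; i < count; i++) {
        const uint8_t *p = in + 8 + i * 4;
        out->sub_auths[i] = (uint32_t)p[0] | (uint32_t)p[1] << 8 |
                            (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
    }
    return true;
}

/* Constructed sample inputs (not captured traffic). */
/* Well-formed: S-1-5-32-544 */
static const uint8_t sample_ok[] = {1, 2, 0,0,0,0,0,5, 32,0,0,0, 0x20,0x02,0,0};
/* Count byte claims 200 sub-authorities */
static const uint8_t sample_big_count[] = {1, 200, 0,0,0,0,0,5, 0,0,0,0};
/* Count says 2, but only one sub-authority follows */
static const uint8_t sample_truncated[] = {1, 2, 0,0,0,0,0,5, 32,0,0,0};
```
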
