Samba 3.0.0 <= 4.0.7 DoS Vulnerability (CVE-2013-4124)

# Copyright (C) 2021 Greenbone Networks GmbH
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-or-later
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.

CPE = "cpe:/a:samba:samba";

if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.150732");
  script_version("2021-09-29T04:35:02+0000");
  script_tag(name:"last_modification", value:"2021-09-29 04:35:02 +0000 (Wed, 29 Sep 2021)");
  script_tag(name:"creation_date", value:"2021-09-24 10:59:30 +0000 (Fri, 24 Sep 2021)");
  script_tag(name:"cvss_base", value:"5.0");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:N/I:N/A:P");

  script_cve_id("CVE-2013-4124");

  script_tag(name:"qod_type", value:"remote_banner_unreliable");

  script_tag(name:"solution_type", value:"VendorFix");

  script_name("Samba 3.0.0 <= 4.0.7 DoS Vulnerability (CVE-2013-4124)");

  script_category(ACT_GATHER_INFO);
  script_copyright("Copyright (C) 2021 Greenbone Networks GmbH");
  script_family("Denial of Service");
  script_dependencies("smb_nativelanman.nasl", "gb_samba_detect.nasl");
  script_mandatory_keys("samba/smb_or_ssh/detected");

  script_tag(name:"summary", value:"Samba 3.0.x to 4.0.7 are affected by a denial of service attack
  on authenticated or guest connections.");

  script_tag(name:"vuldetect", value:"Checks if a vulnerable version is present on the target host.");

  script_tag(name:"insight", value:"All current released versions of Samba are vulnerable to a denial of
  service on an authenticated or guest connection. A malformed packet
  can cause the smbd server to loop the CPU performing memory
  allocations and preventing any further service.

  A connection to a file share, or a local account is needed to exploit
  this problem, either authenticated or unauthenticated if guest
  connections are allowed.

  This flaw is not exploitable beyond causing the code to loop
  allocating memory, which may cause the machine to exceed memory
  limits.");

  script_tag(name:"affected", value:"Samba versions 3.0.0 through 3.5.21, 3.6.0 through 3.6.16 and
  4.0.0 through 4.0.7.");

  script_tag(name:"solution", value:"Update to version 3.5.22, 3.6.17, 4.0.8 or later.");

  script_xref(name:"URL", value:"https://www.samba.org/samba/security/CVE-2013-4124.html");

  exit(0);
}

include("host_details.inc");
include("version_func.inc");

if (isnull(port = get_app_port(cpe: CPE)))
  exit(0);

if (!infos = get_app_version_and_location(cpe: CPE, port: port, exit_no_version: TRUE))
  exit(0);

version = infos["version"];
location = infos["location"];

if (version_in_range(version: version, test_version: "3.0.0", test_version2: "3.5.21")) {
  report = report_fixed_ver(installed_version: version, fixed_version: "3.5.22", install_path: location);
  security_message(port: port, data: report);
  exit(0);
}

if (version_in_range(version: version, test_version: "3.6.0", test_version2: "3.6.16")) {
  report = report_fixed_ver(installed_version: version, fixed_version: "3.6.17", install_path: location);
  security_message(port: port, data: report);
  exit(0);
}

if (version_in_range(version: version, test_version: "4.0.0", test_version2: "4.0.7")) {
  report = report_fixed_ver(installed_version: version, fixed_version: "4.0.8", install_path: location);
  security_message(port: port, data: report);
  exit(0);
}

exit(99);