Rule Category

SERVER-SAMBA -- Snort has detected traffic exploiting vulnerabilities in Samba servers.

Alert Message

SERVER-SAMBA Samba write andx command memory leak attempt

Rule Explanation

This vulnerability lies in the Samba server's failure to check that the data length an SMB client declares it is going to send is within the correct range. The client can therefore send more data than declared and cause the Samba server to leak sections of its memory into the content of the file the client is writing. The client cannot choose which section of memory is leaked, though. Even though the affected commands belong to deprecated parts of the SMB protocol, the vulnerable functions are still present in the code, so an authenticated SMB client that uses these commands is able to exploit this vulnerability.

What To Look For

This event is generated when a specially crafted SMB packet designed to exploit a memory leak in the Samba server is detected. The memory leak occurs via a file write operation on a Samba share.
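As an added illustration of the range check described in the rule explanation (this is example code, not the Snort rule itself and not Samba's own code), the block below builds a constructed SMB1 WRITE_ANDX request whose DataLength overstates the bytes actually sent, and a checker compares the declared length against what the packet really carries, which is the condition a detection would flag. The field layout follows MS-CIFS/MS-SMB; the NetBIOS session header is omitted and every header value is a constructed sample.

```python
import struct

SMB_COM_WRITE_ANDX = 0x2F
SMB_HEADER_LEN = 32  # fixed SMB1 header, starting at the \xffSMB magic


def build_write_andx(data, declared_len=None):
    """Constructed SMB1 WRITE_ANDX request (NetBIOS session header omitted).
    declared_len lets the sender lie about DataLength; None tells the truth."""
    declared = len(data) if declared_len is None else declared_len
    # Command, Status, Flags, Flags2, PIDHigh, SecurityFeatures, Reserved,
    # TID, PIDLow, UID, MID -- sample values, all constructed
    header = b"\xffSMB" + struct.pack("<BIBHH8sHHHHH", SMB_COM_WRITE_ANDX, 0,
                                      0x18, 0xC807, 0, b"\0" * 8, 0, 1, 1234, 100, 1)
    word_count = 14
    # DataOffset is counted from the start of the SMB header; one pad byte precedes data
    data_offset = SMB_HEADER_LEN + 1 + 2 * word_count + 2 + 1
    params = struct.pack("<BBHHIIHHHHHI",
                         0xFF, 0, 0,          # AndXCommand (none), AndXReserved, AndXOffset
                         0x4000,              # FID (constructed)
                         0, 0xFFFFFFFF,       # Offset, Timeout
                         0, 0,                # WriteMode, Remaining
                         declared >> 16,      # DataLengthHigh
                         declared & 0xFFFF,   # DataLength
                         data_offset,         # DataOffset
                         0)                   # OffsetHigh
    body = b"\0" + data                       # pad byte + the bytes really sent
    return header + bytes([word_count]) + params + struct.pack("<H", len(body)) + body


def check_write_andx(smb):
    """The range check from the explanation above: is the declared DataLength
    larger than the number of bytes actually present after DataOffset?"""
    if len(smb) < SMB_HEADER_LEN + 1 or smb[:4] != b"\xffSMB":
        raise ValueError("not an SMB1 message")
    if smb[4] != SMB_COM_WRITE_ANDX:
        return {"write_andx": False}
    word_count = smb[SMB_HEADER_LEN]
    params = smb[SMB_HEADER_LEN + 1:SMB_HEADER_LEN + 1 + 2 * word_count]
    if word_count not in (12, 14) or len(params) != 2 * word_count:
        raise ValueError("malformed WRITE_ANDX parameter block")
    high, low, data_offset = struct.unpack_from("<HHH", params, 18)
    declared = (high << 16) | low
    available = len(smb) - data_offset        # bytes the packet really carries
    return {"write_andx": True, "declared": declared, "available": max(available, 0),
            "suspicious": data_offset > len(smb) or declared > available}
```

A request whose declared length matches the carried bytes passes; one that declares 4096 bytes while carrying 16 is reported as suspicious, which is the shape of traffic this rule is meant to catch.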

Known Usage

No public information

False Positives

No known false positives

Contributors

Cisco Talos Intelligence Group

Rule Groups

No rule groups

CVE

None

Additional Links

Rule Vulnerability

No information provided

CVE Additional Information

This product uses data from the NVD API but is not endorsed or certified by the NVD.

None

MITRE ATT&CK Framework

Tactic: Collection

Technique: Data from Network Shared Drive

For reference, see the MITRE ATT&CK vulnerability types here: https://attack.mitre.org