GNU Samba up to 3.0.7 Wildcard Character ms_fnmatch denial of service
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 5.3 | $0-$5k | 0.00 |
Summary
A vulnerability described as critical has been identified in GNU Samba up to 3.0.7. Affected is the function ms_fnmatch of the component Wildcard Character Handler. The manipulation results in denial of service.
This vulnerability was named CVE-2004-0930. The attack may be performed from remote. In addition, an exploit is available.
Upgrading the affected component is recommended.
Details
A vulnerability was found in GNU Samba up to 3.0.7 (File Transfer Software). It has been classified as critical. Affected is the function ms_fnmatch of the component Wildcard Character Handler. The manipulation with an unknown input leads to a denial of service vulnerability. CWE is classifying the issue as CWE-404. The product does not release or incorrectly releases a resource before it is made available for re-use. This is going to have an impact on availability. CVE summarizes:
The ms_fnmatch function in Samba 3.0.4 and 3.0.7 and possibly other versions allows remote authenticated users to cause a denial of service (CPU consumption) via a SAMBA request that contains multiple * (wildcard) characters.
The bug was discovered 11/08/2004. The weakness was presented 11/08/2004 by Karol Wiesek with iDEFENSE (Website). The advisory is available at idefense.com. This vulnerability is traded as CVE-2004-0930 since 10/04/2004. It is possible to launch the attack remotely. The exploitation doesn't require any form of authentication. Technical details and a exploit are known. This vulnerability is assigned to T1499 by the MITRE ATT&CK project.
After 2 days, there has been an exploit disclosed. The exploit is shared for download at heise.de. It is declared as proof-of-concept. The vulnerability scanner Nessus provides a plugin with the ID 19204 (Solaris 10 (sparc) : 119757-43 (deprecated)), which helps to determine the existence of the flaw in a target environment. It is assigned to the family Solaris Local Security Checks and running in the context l. The commercial vulnerability scanner Qualys is able to test this issue with plugin 70039 (Samba Remote Wild Card Denial of Service Vulnerability).
Upgrading eliminates this vulnerability. Applying a patch is able to eliminate this problem. The bugfix is ready for download at us4.samba.org. The best possible mitigation is suggested to be upgrading to the latest version. A possible mitigation has been published 4 days after the disclosure of the vulnerability. Attack attempts may be identified with Snort ID 15581. In this case the pattern |FF|SMB2 is used for detection. Furthermore it is possible to detect and prevent this kind of attack with TippingPoint and the filter 31613.
The vulnerability is also documented in the databases at X-Force (17987), Tenable (19204), SecurityFocus (BID 11624†), OSVDB (11555†) and Secunia (SA13139†). Further details are available at us4.samba.org. If you want to get best quality of vulnerability data, you may have to visit VulDB.
Product
Type
Vendor
Name
Version
License
Website
- Vendor: https://www.gnu.org/
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 5.9VulDB Meta Temp Score: 5.3
VulDB Base Score: 5.9
VulDB Temp Score: 5.3
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Class: Denial of serviceCWE: CWE-404
CAPEC: 🔍
ATT&CK: 🔍
Physical: No
Local: No
Remote: Yes
Availability: 🔍
Access: Public
Status: Proof-of-Concept
Download: 🔍
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Nessus ID: 19204
Nessus Name: Solaris 10 (sparc) : 119757-43 (deprecated)
Nessus File: 🔍
Nessus Risk: 🔍
Nessus Family: 🔍
Nessus Context: 🔍
Nessus Port: 🔍
OpenVAS ID: 52304
OpenVAS Name: FreeBSD Ports: samba
OpenVAS File: 🔍
OpenVAS Family: 🔍
Qualys ID: 🔍
Qualys Name: 🔍
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
Reaction Time: 🔍
0-Day Time: 🔍
Exposure Time: 🔍
Exploit Delay Time: 🔍
Patch: us4.samba.org
Snort ID: 15581
Snort Message: NETBIOS Samba wildcard filename matching denial of service attempt
Snort Pattern: 🔍
TippingPoint: 🔍
McAfee IPS: 🔍
McAfee IPS Version: 🔍
PaloAlto IPS: 🔍
Timeline
10/04/2004 🔍11/08/2004 🔍
11/08/2004 🔍
11/08/2004 🔍
11/08/2004 🔍
11/09/2004 🔍
11/09/2004 🔍
11/09/2004 🔍
11/09/2004 🔍
11/12/2004 🔍
11/16/2004 🔍
01/27/2005 🔍
07/14/2005 🔍
07/07/2025 🔍
Sources
Vendor: gnu.orgAdvisory: idefense.com⛔
Researcher: Karol Wiesek
Organization: iDEFENSE
Status: Confirmed
CVE: CVE-2004-0930 (🔍)
GCVE (CVE): GCVE-0-2004-0930
GCVE (VulDB): GCVE-100-978
OVAL: 🔍
X-Force: 17987 - Samba ms_fnmatch denial of service, Medium Risk
SecurityFocus: 11624 - Samba Remote Wild Card Denial Of Service Vulnerability
Secunia: 13139 - Samba Wildcard Filename Matching Denial of Service Vulnerability, Less Critical
OSVDB: 11555 - Samba ms_fnmatch() Function Wildcard Matching Remote DoS
SecuriTeam: securiteam.com
Vulnerability Center: 5791 - DoS in Samba Server 3.0-3.0.7 via Excessive CPU Cycle Consumption, Medium
scip Labs: https://www.scip.ch/en/?labs.20161013
Misc.: 🔍
Entry
Created: 11/09/2004 14:42Updated: 07/07/2025 14:15
Changes: 11/09/2004 14:42 (109), 06/30/2019 09:30 (3), 07/07/2025 14:15 (20)
Complete: 🔍
Cache ID: 216:9AF:103
If you want to get best quality of vulnerability data, you may have to visit VulDB.
No comments yet. Languages: en.
Please log in to comment.