Samba Fixes Critical Vulnerability

Thursday, April 12, 2012 @ 05:04 PM gHale

Samba developers patched a critical security vulnerability that affects all versions of the open source, cross-platform file sharing solution from Samba 3.0.x up to version 3.6.3, which was released in January.

The hole allows an attacker to gain complete access to a Samba server from an unauthenticated connection. The GPLv3 licensed Samba works on Unix and Linux systems with the ability to share files with Windows systems by implementing the SMB, SMB2 and CIFS protocols.

Security researcher Brian Gorenc and an unnamed colleague, working for the Zero Day Initiative, discovered the vulnerability. The flaw, located in the code generator for Samba’s remote procedure call (RPC) interface, makes it possible for clients on the network to force the Samba server to execute arbitrary code. This attack can work over an unauthenticated connection, granting the attacker root user privileges and thus complete access to the Samba server.

Because the problem was in the Perl-based DCE/RPC compiler that Samba uses to generate code for handling remote requests, it was presumably very hard to detect with automated code auditing methods, which let it stay hidden for such a long time.

Due to the seriousness of the exploit, all users of Samba should update their installations as soon as possible, officials said. As a temporary workaround, the developers suggest using the hosts allow parameter in the smb.conf file to restrict access to the server to trusted users only. They do point out, however, that “this can be used to help mitigate the problem caused by this bug but it is by no means a real fix, as client addresses can be easily faked.”

The Samba project posted patches for Samba 3.6.3/.4, 3.5.13/.14 and 3.4.15/.16. Red Hat has already released patches for RHEL5 and RHEL6.
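For administrators triaging hosts, the following added example (not Samba project code and not part of the original article) checks a version string against the affected range above and reports whether the interim hosts allow restriction is set in the [global] section of smb.conf. Assumptions: the function names are hypothetical, the sample configuration is constructed, and the patch list "3.6.3/.4, 3.5.13/.14 and 3.4.15/.16" is read as last-affected/first-fixed pairs.

```python
import re

# First fixed release per branch. Assumption: the article's patch list
# "3.6.3/.4, 3.5.13/.14 and 3.4.15/.16" means last-affected/first-fixed pairs.
FIRST_FIXED = {(3, 6): 4, (3, 5): 14, (3, 4): 16}

def is_affected(version_text):
    """True if an upstream Samba version is in the article's range (3.0.x to 3.6.3)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version_text)
    if not m:
        raise ValueError("no version number in %r" % version_text)
    major, minor, patch = map(int, m.groups())
    if major != 3 or minor > 6:
        return False  # outside the 3.0.x-3.6.x releases the article covers
    fixed = FIRST_FIXED.get((major, minor))
    # Branches with no listed patch (3.0-3.3) are treated as affected throughout.
    return fixed is None or patch < fixed

def global_hosts_allow(conf_text):
    """Return the [global] 'hosts allow' value from smb.conf text, or None if unset."""
    section, value = None, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            key, _, val = line.partition("=")
            # Parameter names ignore case and whitespace; "allow hosts" is a synonym.
            if "".join(key.split()).lower() in ("hostsallow", "allowhosts"):
                value = val.strip()  # last occurrence wins
    return value or None

def triage(version_text, conf_text):
    """Combine both checks into a one-line finding for a host."""
    if not is_affected(version_text):
        return "not in affected range"
    allow = global_hosts_allow(conf_text)
    if allow is None:
        return "AFFECTED, no hosts allow restriction: patch now"
    return "AFFECTED, interim hosts allow = %s: still patch" % allow

# Constructed sample input, not taken from a real server.
SAMPLE_CONF = """[global]
   workgroup = EXAMPLE
   ; hosts allow = 10.0.0.
   Hosts Allow = 192.168.10. 127.
"""
```

Distribution packages with backported fixes, such as the RHEL5 and RHEL6 updates, keep the upstream version number, so confirm a flagged host against the vendor's package advisory before treating it as unpatched.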
