Slashdot Mirror

← Back to Stories (view on slashdot.org)

Samba Exploit Discovered, Fixed

Posted by timothy on from the lickety-split-sortof dept.

An anonymous reader submits: "Digital Defense reported a remote root vulnerability in Samba that has existed in Samba source code for over 8 years. If it hadn't been caught from a wild packet capture, who knows how many more years it might have gone on. Fixes for this, and at least three other vulnerabilities have been fixed today. This is a serious threat to many thousands of people.. Did you plan to spend your Monday upgrading to Samba 2.2.8a?" elijahao supplies some more information: "All stable versions are affected (2.x), but the 3.0 series is not. Here is a link to the News page. Check out a mirror near you to get the Source or Security patches from 2.2.7a, 2.2.8, or 2.0.10."

11 of 221 comments (clear)

  1. Already fixed in FreeBSD ports by dnaumov · · Score: 4, Informative

    A FreeBSD Security Advisory has been issued and the samba port has been updated to the fixed version:

    samba 2.2.8a
    Update 2.2.8 -> 2.2.8a.
    Submitted by: dwcjr (MAINTAINER)
    I already updated my installation 4 hours ago, the FreeBSD folk are fast :)

    This is what is fixed by the update:

    (1) Sebastian Krahmer of the SuSE Security Team identified
    vulnerabilities that could lead to arbitrary code execution as root,
    as well as a race condition that could allow overwriting of system
    files. (This vulnerability was previously fixed in Samba 2.2.8.)

    (2) Digital Defense, Inc. reports: ``This vulnerability, if exploited
    correctly, leads to an anonymous user gaining root access on a Samba
    serving system. All versions of Samba up to and including Samba 2.2.8
    are vulnerable. Alpha versions of Samba 3.0 and above are *NOT*
    vulnerable.''

    1. Re:Already fixed in FreeBSD ports by CoJoNEs · · Score: 2, Informative

      since this is distro/OS whoring time
      Debian also has this fixed. I just checked right now, but according to the timestamps on the servers it looks like it took place around 11:00 today.

    2. Re:Already fixed in FreeBSD ports by Anonymous Coward · · Score: 1, Informative

      Slackware-9.0 ChangeLog Notice.

      The following additions have been made to The ChangeLog.txt

      New Entry: Mon Apr 7 14:26:53 PDT 2003
      New Entry: patches/packages/samba-2.2.8a-i386-1.tgz Upgraded to samba-2.2.8a.
      New Entry: From the samba-2.2.8a WHATSNEW.txt
      New Entry:
      New Entry:
      New Entry: *IMPORTANT: Security bugfix for Samba*
      New Entry:
      New Entry:
      New Entry: Digital Defense, Inc. has alerted the Samba Team to a serious
      New Entry: vulnerability in all stable versions of Samba currently shipping.
      New Entry: The Common Vulnerabilities and Exposures (CVE) project has assigned
      New Entry: the ID CAN-2003-0201 to this defect.
      New Entry:
      New Entry: This vulnerability, if exploited correctly, leads to an anonymous
      New Entry: user gaining root access on a Samba serving system. All versions
      New Entry: of Samba up to and including Samba 2.2.8 are vulnerable. An active
      New Entry: exploit of the bug has been reported in the wild. Alpha versions of
      New Entry: Samba 3.0 and above are *NOT* vulnerable.
      New Entry:
      New Entry: (* Security fix *)

      If for some reason you no longer wish to be notified of Entries to the ChangeLog Please send an email To: mrgoblin@userlocal.com
      Subject: "unsubscribe slacklog"
      and the subscribed email address in the body of the message.

      Thank you

      mRgOBLIN

  2. Re:8 Years?? by Jeremy+Allison+-+Sam · · Score: 4, Informative

    Well security problems like this tend to come in pairs
    (I'm just hoping not in threes :-).

    Once one gets discovered then people look for others in
    the same project.

    The first one was found by a SuSE audit, and we went through
    and fixed all related code. This one was found 'in the wild'
    so to speak. I'm not sure how long the cracker community
    has known about this one.

    I'm to blame as both were in code I wrote a long time ago :-(.

    Jeremy Allison,
    Samba Team.

  3. Re:Raining Open Source bugs? by questionlp · · Score: 3, Informative

    I think it's better that these bugs are found, publicized and patched in a professional manner (like Samba, Sendmail, etc.) then see a company sit on an exploit for a while and state that their products are unbreakable (Oracle) or secure (Microsoft)... even if it's a bug a day. So long as it's fixed, people are notified about it.

    As far as people patching them, that's another topic altogether.

    Almost every software has bugs... be it disclosed or not disclosed.

  4. Re:Don't worry guys! by Jeremy+Allison+-+Sam · · Score: 4, Informative

    Actually I have been thinking about this very fact w.r.t.
    these recent vulnerabilities.

    The problem was that the written code *worked*, as in if
    it was given well-formed SMB packets it behaved correctly,
    even though it was in a little used part of the code.

    Because it worked 'out of the box' as it were, with
    Windows clients there was little reason to examine it.

    It's code that has a problem that gets looked at first.

    I'm not trying to absolve myself of blame, after all, I
    wrote the buggy code, but there was a reason that no one
    needed to look at it for 8 years or so.

    Jeremy Allison,
    Samba Team.

  5. You guys make me sick by Anonymous Coward · · Score: 1, Informative

    If this had been a bug for a MS product, you'd be slamming MS hard. But now all I see is a mountain of whiny, hypocritical comments when it is in the non-MS camp.

  6. Re:Mac OS X? by Jeremy+Allison+-+Sam · · Score: 3, Informative

    Yes, Apple are working on this. I ported the fix to
    their codebase this morning and mailed it to them.

    Jeremy Allison,
    Samba Team.

  7. Re:Feature? by Jeremy+Allison+-+Sam · · Score: 2, Informative

    No, we're not keeping them secret. Microsoft know, we
    told them. The flaws are in their code. If you had access
    to Microsoft source code and could fix them, I'd tell you.

    But you don't, that's the problem. All you could do is
    create mischief with the knowledge. I don't see why I have
    any professional obligations to help you with that.

    Jeremy Allison,
    Samba Team.

  8. Not being connected to the Internet isn't security by LightStruk · · Score: 2, Informative
    would anyone connect a Samba server directly to the internet anyway? This is only an exploit of stupidity, of which there are many.
    You're really missing the point. Many universities (like the one I attend) use Samba to provide network file serving to the campus, and those servers definitely aren't connected directly to the internet. The NetBios ports are blocked at the firewall anyway, to protect students on campus with blank Administrator passwords.
    The problem is that there are 20,000 different people with access to these servers, both administrative and student, and you really can't trust all of them not to try to r00t your b0>.
  9. Re:Feature? by Jeremy+Allison+-+Sam · · Score: 2, Informative

    There is *never* a good reason to release exploit code (IMHO).

    It only allows those with no talent (the script kiddies)
    to cause trouble for people trying to maintain systems.

    Inform the vendor, if the vendor does nothing, tell the
    world it is broken, demo your exploit to some journalists
    if you like.

    But releasing exploit code is the programming equivalent
    to leaving a pile of fully loaded weapons outside a school.

    Jeremy Allison,
    Samba Team.