Samba Exploit Discovered, Fixed
An anonymous reader submits: "Digital Defense reported a remote root vulnerability in Samba that has existed in Samba source code for over 8 years. If it hadn't been caught from a wild packet capture, who knows how many more years it might have gone on. Fixes for this and at least three other vulnerabilities have been released today. This is a serious threat to many thousands of people. Did you plan to spend your Monday upgrading to Samba 2.2.8a?"
elijahao supplies some more information: "All stable versions are affected (2.x), but the 3.0 series is not. Here is a link to the News page. Check out a mirror near you to get the Source or Security patches from 2.2.7a, 2.2.8, or 2.0.10."
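The story gives the affected range (all 2.x releases, fixed in 2.2.8a, 3.0 unaffected). As an added example that is not part of the Slashdot thread or the Samba project's own tooling, the POSIX shell script below turns that statement into a version check an administrator could run across a fleet: it parses Samba version strings of the form `major.minor.patch[letter]` (the `letter` suffix ordering and the `smbd -V` output format `Version X.Y.Z` are assumptions).

```sh
#!/bin/sh
# Added example: classify a Samba version against the fix described in the story.
# Not from the thread or the Samba project; the version-string layout is assumed.

# Turn "2.2.8a" into a single sortable integer:
#   major*100000000 + minor*1000000 + patch*1000 + ord(suffix letter)
# so that 2.2.8 < 2.2.8a < 2.2.9 and 2.0.10 < 2.2.7a.
samba_version_key() {
    ver=$1
    major=${ver%%.*}
    rest=${ver#"$major"}; rest=${rest#.}
    minor=${rest%%.*}
    rest=${rest#"$minor"}; rest=${rest#.}
    patchnum=${rest%%[!0-9]*}        # leading digits of the third component
    suffix=${rest#"$patchnum"}       # trailing letter(s) such as "a"
    patchnum=${patchnum:-0}
    minor=${minor:-0}
    if [ -n "$suffix" ]; then
        # printf '%d' "'c" yields the character code of c (POSIX)
        ord=$(printf '%d' "'$(printf '%s' "$suffix" | cut -c1)")
    else
        ord=0
    fi
    echo $((major * 100000000 + minor * 1000000 + patchnum * 1000 + ord))
}

# Exit 0 if the version falls in the affected range per the story
# (any 2.x release below 2.2.8a), 1 otherwise.
samba_is_vulnerable() {
    key=$(samba_version_key "$1")
    fixed=$(samba_version_key 2.2.8a)
    major=${1%%.*}
    [ "$major" -eq 2 ] && [ "$key" -lt "$fixed" ]
}

# Classify a list of version strings; prints one line per version.
classify_versions() {
    for v in "$@"; do
        if samba_is_vulnerable "$v"; then
            echo "$v: affected, upgrade to 2.2.8a or apply the vendor security patch"
        else
            echo "$v: not in the affected range"
        fi
    done
}

# Check the locally installed smbd, if any. Assumes `smbd -V` prints
# "Version X.Y.Z" (assumption). Returns 2 when smbd is not installed.
check_local_smbd() {
    command -v smbd >/dev/null 2>&1 || return 2
    v=$(smbd -V 2>/dev/null | sed -n 's/^Version //p' | head -n 1)
    [ -n "$v" ] || return 2
    classify_versions "$v"
}

# Constructed sample input: the versions named in the story.
classify_versions 2.0.10 2.2.7a 2.2.8 2.2.8a 3.0
```

The check is only as good as the version string: a vendor package that backports the security patch to 2.2.7a or 2.0.10 will still report the old version, so treat an "affected" result as a prompt to confirm the package's patch level rather than as proof of exposure.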
I could show you MS bugs that we've known about for more than 8 years :-).

Yes, they crash your MS SMB server. Yes, we've told Microsoft about them.

Microsoft don't always fix bugs if there are no active exploits against them and knowledge of them is limited. I guess they just trust that we don't release exploits.

Jeremy Allison,
Samba Team.
If you put one of your Windows servers on a network I had access to I would be able to show you. I will not release the code publicly (for obvious reasons). Knowledge of these bugs would allow worms/viruses to utterly cripple Microsoft based corporate networks.

If you choose not to believe me without exploit code then that's up to you, but I will not act in an unprofessional way to prove a point.

Jeremy Allison,
Samba Team.
This is why /. rocks.
You see a story about a bug, and the author quickly replies "Ya, I coded this part. I missed this bug."
Jeremy, congrats to you for having guts to stand up and admit fault. This kind of integrity is why open source is such a great movement.
I can only speak for myself, but I'd much prefer the Samba team to pore over the code looking for more bugs like this, than adding catch-up-with-the-gateses features like NT Domain Controller support which are largely irrelevant.
Some of the recent features (BDC support via LDAP, good domain membership via winbind) are the only things that allow people to run a more secure SMB server than Windows. Without those features, we would have to cave in and run something that has them. If samba did not have domain controlling support, we would likely not be running any linux boxen now, whereas most of our servers do at present.
The Unix philosophy is to do one thing, and do it well, and Samba already does this. If we want central authentication, we have a host of packages we can already choose from.
Anything that can *really* compete with AD and NDS? I think not (and yes, we run LDAP, including samba backended on LDAP, and are implementing kerberos).
So if I stuck a box on the net for you and opened up the necessary ports you'll crash it? I'm all for this, I'd like to make a snort rule for this attack.
Everyone is entitled to their own opinion. It's just that yours is stupid.
Not irresponsible, I am just responding to an AC claim that Microsoft has no bugs that are this severe that have not been fixed for this long. I know this to be false. I don't really care if you believe me or not.

Jeremy Allison,
Samba Team.
We had a fix within 1 hour of the problem being reported, and that was mainly due to mail propagation delays from Australia! We had to co-ordinate the release with all the Samba vendors, that's what took the time.
I'm not sure it really matters why the delay occurred - maybe that's something to work on for next time. Even if the fix could not be released immediately, it may have been a good idea to alert people that a problem existed so they could take additional precautions while the coordination efforts were taking place.
No company pays the sort of money needed to do the amount of code auditing a major OSS project gets *for free* by the vendor community
Releasing the source does not guarantee that anybody will actually perform a code audit. Neither does writing proprietary code. I don't claim like you do to know if they do so or not, but companies like Microsoft certainly have the resources to hire people to do audits and security reviews if they want to. This is more than most OSS projects can say.
Maybe you could set up a system so that the people in the community who you say are doing these reviews for free could document what parts of the code they have reviewed. That way we would know what parts have been looked at the most or least, and look at the track record of the people doing the reviews.
I think the thing that interests me the most about this bug is how it was found. Does anyone have more information on what brought this bug to light?
:) I would be curious if it's a configuration problem (although tech support doesn't seem to think so) or a real bug.
In a related subject people here need to lay off the samba developers. They are doing a great job at admitting the problem and taking responsibility for it. Heck just today I discovered a bug with LinkSys Wireless Router/Switches relating to multicast. I called their tech support folks only to get promised a call back after we had covered the basic configuration troubles. It is now almost 6:00pm my time, no call back. No accountability with these people. I wasn't even given the person's contact information nor was I given any time they might call me back.
Compare that with OSS.... I can remember countless occasions being frustrated with a piece of software only to discover I had actually uncovered a bug. One simple e-mail to the author and I had a patch along with the stern instructions to e-mail him back if there were any more problems.
No I am not microsoft/novell/apple bashing, I just feel that OSS comes out with more accountability for their products. Perhaps I would hear back more often from commercial companies if I bought 500 copies of their product a month. But the same goes for about anything that isn't grassroots. Perhaps I just need more money
Zorton
btw: if anyone with a linksys BEFW11S4 switch can broadcast on any multicast IP and not have it lock up let me know
Crackers in the wild may be the primary motivation for fixing bugs by proprietary companies, but don't ascribe the same motivations to Open Source/Free Software developers.

Imagine you were designing a bridge, but got it wrong. The bridge gets built, but you know a certain pattern of cars going across in a certain order could cause it to collapse.

Would you tell the local authority and accept the blame? If you didn't, how could you sleep at night?

Jeremy Allison,
Samba Team.