Slashdot Mirror

← Back to Stories (view on slashdot.org)

Security Flaws In Linux SMBFS

Posted by timothy on from the or-would-you-rather-wait-for-service-pack-n dept.

An anonymous reader points out this SecurityFocus alert, which starts "The Linux kernel is reported susceptible to multiple remote vulnerabilities in the SMBFS network file system. These vulnerabilities may lead to the execution of attacker-supplied machine code, information disclosure of kernel memory, or kernel crashes, denying service to legitimate users. Versions of the kernel in both the 2.4, and the 2.6 series are reported susceptible to various issues."

36 of 347 comments (clear)

  1. It's a FEATURE by kesuki · · Score: 5, Funny

    you haven't emulated SMB unless you allow remote execution of code ;)

    --
    https://www.gnu.org/philosophy/free-sw.html
  2. history of linux exploits by wrinkledshirt · · Score: 3, Interesting

    Does anybody know of some website or source that's been tracking these kinds of linux exploits, including the date and nature of both the exploits and the fixes?

    --

    --------
    Bleah! Heh heh heh... BLEAH BLEAH!!! Ha ha ha ha...

    1. Re:history of linux exploits by Short+Circuit · · Score: 5, Informative

      Secunia...they also have a free service where they'll email you about vulnerabilities and fixes. And I've never received spam from them. (But that may be due to my GMail account.)

      --
      tasks(723) drafts(105) languages(484) examples(29106)
    2. Re:history of linux exploits by MarsLander · · Score: 4, Informative

      The Linux Weekly News security page would be a good place to start. If you then went back and looked through the security pages of the weekly editions, you'd probably have a pretty complete database.

      http://lwn.net/security

    3. Re:history of linux exploits by Anonymous Coward · · Score: 5, Informative

      Linux advisories
      http://www.linuxsecurity.com/advisorie s/index.html

      Open Source Vunerability Database (not just for Open source software, but the database itself is open source)
      http://www.osvdb.org/

      That is probably the best and it offers vendor contact information, detailed analysis and RSS plugins.

      Secunia Security and Virus information
      http://secunia.com/

      Security Focus:
      http://www.securityfocus.com/

      So on and so forth.

  3. this is NOT samba (smbd) by CRC'99 · · Score: 5, Informative

    It should be clarified, that this is NOT to do with the smbd process aka Samba Project - but the kernel module smbfs.o

    --
    Sendmail is like emacs: A nice operating system, but missing an editor and a MTA.
  4. yeah ... by nanodude · · Score: 3, Funny

    well ... windows file sharing is just that ... a security flaw

  5. MS Technology by Punboy · · Score: 4, Informative

    I'd like to point out that is a MS originated technology that only got put in Linux for compatibility with MS systems. Most Linux-only users use NFS, which does not have these security holes. Most 'secure' network environments don't even use SMB on windows machines due to security holes in the Windows implementation. My 2 cents, don't use it, its buggy and slow and suchs. On the other hand, many people need to use it in their home networks to share files between windows machines and Linux machines. My suggestion for those users is to set up a firewall which blocks SMB from the outside. And don't make samba shares on your firewall box.

    --
    If you like what I've said here, and want to read more, go to http://www.krillrblog.com
    1. Re:MS Technology by nacks1 · · Score: 5, Insightful

      "Most Linux-only users use NFS, which does not have these security holes."

      Yeah... it NFS just has plenty of holes of its own. I would be the first to say that I think that SMBFS is crap, but NFS isn't the network filesystem that we should be holding up as a good system to emulate.

    2. Re:MS Technology by CAIMLAS · · Score: 3, Interesting

      First off, as someone else said, this doesn't have anything to do with Samba, but smbfs.o, from the kernel. You don't need smbfs.o to use samba, I believe, and I can't recall ever including it in a kernel (or cifsfs), even ones that were to be used as a samba fileserver.

      Second, NFS is just as "full of holes" as SMB/CIFS. I'd even wager that its inherrent security model is worse. From my experience, it's also significantly less stable, and does not scale well at all, let alone dynamically on a large network.

      On a network where everyone is a peer, SMB/CIFS seems like the better option to me.

      --
      ~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
    3. Re:MS Technology by geg81 · · Score: 4, Informative

      Most Linux-only users use NFS, which does not have these security holes.

      Are you kidding? From a security point of view, past versions of NFS have been an absolute disaster, far worse than SMB. You can run NFS only if you have complete trust in your network infrastructure and every single machine on it. Sun's engineers must have been on drugs when designing it.

      NFSv4 may fix some of those problems, but it hasn't been widely deployed yet, and it is far more complex than it has a right to be given its limited functionality. All network file systems for Linux currently have major problems of one kind or another (they are one of incompatible, immature, insecure, etc.).

  6. And before this goes off the front page... by Short+Circuit · · Score: 4, Interesting

    Major distributions will have patches available. Possibly even the main kernel tree.

    --
    tasks(723) drafts(105) languages(484) examples(29106)
    1. Re:And before this goes off the front page... by Alan+Hicks · · Score: 5, Informative
      <spamvertisement>
      This is old news. The 2.4.28 kernel was released with fixes for this though a 2.6.10 kernel hasn't yet been put out. I'm not sure who all has patched, but for Slackware users, you can get a 2.4.28 kernel package from SlackSec.
      </spamvertisement>
      --
      Slackware, what else when it must be secure, stable, and easy?
  7. I'm glad this hit slashdot by Anthony+Liguori · · Score: 5, Informative

    I'll say this once, this is absolutely correct. We've known about this for a long time. SMBFS is deprecated. This is why CifsFS was written. CifsFS is a standard part of 2.6 and is available as patches for 2.4 from samba.org. CifsFS is faster, works with newer versions of Windows better, and is much more secure. More importantly, SMBFS is not being maintained. Critical bug fixes get made but that's only because it's in the kernel. Please don't use it unless you have to. Steve French is the author of CifsFS and has done a fantastic job with it.

    1. Re:I'm glad this hit slashdot by Anonymous Coward · · Score: 4, Funny

      CifsFS

      This message was brought to you by the department of redundancy department.

    2. Re:I'm glad this hit slashdot by waferhead · · Score: 3, Insightful

      This (parent)notice should be added to the headline as a public service.

    3. Re:I'm glad this hit slashdot by Dr.Dubious+DDQ · · Score: 3, Informative

      The only downside that I have seen to using CIFS is that - at least on Slackware - mount.cifs doesn't seem to be included by default.

      It's trivial to obtain, but kind of difficult to mount CIFS filesystems without it...

      Note also that the old SMBFS is subject to the annoying 2GB file size limit, while CIFS is not, if you still need an excuse to switch. As far as I can tell, you can use CIFS for any server where you would previously have been using SMBFS, so you ought to be able to just switch without any hassles.

      --
      Hacker Public Radio is our Friend
    4. Re:I'm glad this hit slashdot by C3ntaur · · Score: 3, Informative

      I don't know about other distros, but when I tried to use CIFS to mount in Fedora Core 2 instead of SMBFS, I got a bunch of kernel errors. AFAIK, it's still an open bug: bugzilla.redhat.com.

      --
      Loading...
  8. The link doesnt actually tell you anything by Laeraun · · Score: 5, Informative

    This page gives a much better overview of what it is.

    More information also here

  9. Don't worry! by Tezkah · · Score: 5, Funny

    SP2 users are unaffected.

  10. Re:But... by flossie · · Score: 4, Informative
    Come on, I really want to know whether this allows someone to take over my machine. Besides, as an M$ hater, I want to be able to tell people 'hey, the linux kernel exploit *doesn't* allow root'. Unless, of course, it does. Does it?

    Probably not. Quote:

    While any of these vulnerabilities can be easily used as remote denial of service exploits against Linux systems, it is unclear if it is possible for a skilled local or remote attacker to use any of the possible bufferoverflows for arbitrary code execution in kernel space.

    SecurityFocus have this down as a "Design Error". Is that in the design of the implementation, or the design of the protocol? Can we start blaming Microsoft for bugs in Linux now?

    --
    flossie

    Write now. Defend liberty

  11. Timeline... by AcornWeb · · Score: 3, Interesting

    Now, I'm definitely not a Microsoft fan (see my sig), but does it strike anyone else as a little scary that it took 2 months to get this fixed properly? I mean isn't that one of the main benefits of open source is that it gets fixed faster?

    --
    Your Windows PC is my other computer.
  12. Does this apply to FreeBSD? by HenryKoren · · Score: 3, Interesting

    Just wondering if the SMBFS kernel option in EreeBSD has the same vulnerability

    $FreeBSD: src/sys/fs/smbfs/smbfs.h,v 1.8 2003/02/08 05:48:04 tjr

    --
    To blog is sublime
  13. Now... by bogaboga · · Score: 3, Insightful
    ...Linux zealots are going to run in defense of the [Linux] kernel. Come on guys, anything created by man will always have defects.

    Cb..

  14. NOT Originally MS Technology by kmb · · Score: 5, Informative

    Microsoft did NOT in fact invent/originate SMB. IBM did.

  15. Re:Wow, A Flaw by cbiltcliffe · · Score: 3, Informative

    It wasn't developed by Microsoft. It was originally an IBM protocol, which was....are you ready?....extended by Microsoft to get what we know today as SMB.

    --
    "City hall" in German is "Rathaus" Kinda explains a few things......
  16. Really a two-part turnaround by Cerlyn · · Score: 3, Informative

    Looking at their schedule, it is unclear what actually happened. Note that on 25 September 2004 they made their initial contact, but on 22 October 2004 they say they sent a second round of vulnerabilities in, followed by a set of patches on 27 October. The developers would then have to take all these patches, compare it to anything they may have come up with in the meantime, and make sure they didn't break anything else.

    The public disclosure occured 17 November 2004, about 20 days later, after about a week's worth of testing time as 2.4.28-rc3. Personally, I would not have liked them to have announced on the first set of vulnerabilities if there was some knowledge between October and November that more issues were being found. Otherwise everyone and their kin would be combing the code looking for any issues missed in smbfs.

  17. Re:Everyone makes mistakes by 13Echo · · Score: 4, Insightful

    The difference is that this is a POTENTIAL exploit. Not something that's been known for a long time but ignored to the point of mass-exploitation.

  18. smbfs -> cifs is easy by xant · · Score: 4, Informative
    I had one Linux server mounting smbfs shares from fstab on my network, running Ubuntu. The default kernel is 2.6.x and mount.cifs is included, so I found it extremely easy to convert.

    1. I was using the credentials option (-o credentials=/some/sekrit/file) and I discovered that cifs does not like spaces in this file, so I took out the spaces.
    2. I was also using the badly-named fmask and dmask options (they are not masks). Cifs has renamed these to dir_mode and file_mode, and deprecated the old usage. I renamed dmask to dir_mode and fmask to file_mode.
    3. file_mode and dir_mode expect to see a leading 0 to be interpeted as octal. I made this change.
    4. Finally I changed smbfs to cifs.

    After these minor changes that took me all of 3 minutes to make, I no longer have smbfs anywhere on this network.
    --
    It's rare that you're presented with a knob whose only two positions are Make History and Flee Your Glorious Destiny.
  19. Re:But... by EvilAlien · · Score: 3, Insightful
    You don't need root, you just need local access so you can exploit all those vulnerabilities that get ignored because they aren't remotely exploitable.

    I don't know how many times I've heard clueless admins tell me that they aren't patching for something because its only exploitable locally...

    --
    perl -e 'print $i=pack(c5, (41*2), sqrt(7056), (unpack(c,H)-2), oct(115), 10)'
  20. Re:Everyone makes mistakes by DogDude · · Score: 3, Informative

    it's the only place that has millions of dollars at it's disposal and highly paid programmers.

    But Linux is supposed to better because it has armies and armies of passionate volunteers.

    --
    I don't respond to AC's.
  21. Re:Confused... by Jimithing+DMB · · Score: 3, Informative
    Pardon my ignorance.... What is the smbfs doing in kernel space? Shouldn't that be the domain of Samba?

    Filesystems by necessity have to be implemented to some extent in the kernel because they have to hook the VFS layer. However, you make a very good point that it does seem to be a big risk to implement the entirety of smbfs in kernel space.

    Recent Linux kernels (I think 2.4 onward) have a mechanism for doing what are called user space filesystems. Basically, the kernel only knows enough to talk to a daemon which implements the filesystem and exposes it to the kernel. In this manner there is a very well defined interface between the kernel and user code which hopefully is bug free.

    In some ways this is sort of a partial microkernel design. With that comes the inherent loss of speed having to do the context switches between kernel and user mode. In the normal filesystem case you have a context switch from user to kernel mode, the file is accessed, and then back to user mode. In the case of a filesystem implemented in user mode you have to switch from user mode to kernel mode, then to user mode in the FS daemon then back to kernel mode then back to user mode in the process trying to access the file. And that is the best case. Throw in a scheduler without the knowledge of which process is waiting for what and messaging between two user space processes through the kernel can be extremely costly!

    In this case, yes, I think I probably would have recoded smbfs to use the user mode filesystem handler. But the code was already written years ago to live entirely in kernel space before there was really any sort of well defined standard for a user space file system. Given that this is as far as I can remember the only major bug in it one might say that it hasn't really been that bad having it in kernel space.

    So the tradeoff becomes do you want to have it in user space (where it would still vulnerable to DoS in this case) and sacrifice some speed or do you want it to run in the kernel at full speed?

  22. Re:Irony isn't something you dewrinkle clothes wit by ClosedSource · · Score: 3, Insightful

    You seem to be reaching here. If implementing the protocol safely is beyond the ability of Linux developers, then they shouldn't do it.

    More likely the truth is that smart developers for Linux and smart developers for MS make mistakes and will continue to do so. My only complaint is that there shouldn't be a double-standard.

  23. Re:But... by Q2Serpent · · Score: 3, Funny

    more than root

    ...God?

  24. Re:But... by Netsnipe · · Score: 3, Funny
    remove from the LAN/WAN, dissect then reinstall. Its the only safe way.
    No. I say we take off and nuke the entire site from orbit. It's the only way to be sure.
    --
    -- "I can't tell the future, I just work there." -- The Doctor
  25. Re:OSS is quick to please by chrish · · Score: 3, Informative

    Jeeze, if you're going to the trouble of posting a link to xscreensaver, you might want to use the right one so you get an up-to-date version (4.18 is current).

    --
    - chrish