
[linux-security] ALERT: remote root exploit in samba server



Topic
=====
remote root exploit in samba server

Problem Description
===================
A flaw has been found in the main smbd code of Samba which could allow
an external attacker to remotely and anonymously gain super-user (root)
privileges on a server running Samba.

This flaw exists in all previous versions of Samba from 2.0.x to 2.2.7a
inclusive. A buffer overrun condition exists in the SMB/CIFS packet
fragment re-assembly code in smbd which allows an attacker to cause smbd
to overwrite arbitrary areas of memory in its own process address space.
This could allow a skilled attacker to inject binary-specific exploit
code into smbd.

Version 2.2.8 of Samba adds explicit overrun and overflow checks on
fragment re-assembly of SMB/CIFS packets to ensure that only valid
re-assembly is performed by smbd.
  
In addition, the same checks have been added to the re-assembly
functions in the client code, making it safe for use in other
services.

Affected Systems
================
versions of Samba from 2.0.x to 2.2.7a inclusive

Workaround
==========
Block access to TCP ports 139 and 445. Note that at SFU, access to
ports 139 and 445 is blocked from off campus.

Solution
========
Upgrade to Samba version 2.2.8.

Additionally, it is strongly recommended to configure a firewall (ipchains
or iptables) on any Samba server so that only trusted hosts can connect to
the service on ports 139 and 445: the SMB/CIFS protocol implemented by
Samba is exposed to many attacks even without specific security holes.
TCP port 139 and the newer port 445 (used by Windows 2000 and the Samba
3.0 alpha code in particular) should never be exposed to untrusted networks.
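The firewall recommended above, as an added example that is not part of the original alert: a POSIX shell function that generates iptables rules (2.4-series kernels; the ipchains syntax for 2.2 kernels differs) permitting TCP 139 and 445 only from a list of trusted hosts or subnets, and logging and dropping every other SMB/CIFS connection attempt. The chain name SAMBA-IN, the function names and the sample addresses 192.0.2.0/24 and 198.51.100.7 are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original alert: emit iptables rules that
# let only trusted hosts reach smbd on TCP 139 and 445 and drop the rest.
# Assumes iptables on a 2.4 kernel; the ipchains syntax differs.
# The chain name SAMBA-IN and the sample addresses are constructed.
#
# Usage: samba_fw_rules 192.0.2.0/24 198.51.100.7 | sh

# Accept only dotted-quad addresses with an optional /prefix, so that a
# malformed argument can never be spliced into a generated command.
valid_addr() {
    case "$1" in
        ''|*[!0-9./]*) return 1 ;;
    esac
    case "$1" in
        *.*.*.*) return 0 ;;
        *) return 1 ;;
    esac
}

samba_fw_rules() {
    for host in "$@"; do
        if ! valid_addr "$host"; then
            echo "samba_fw_rules: invalid address '$host'" >&2
            return 1
        fi
    done

    # Dedicated chain: create it, or flush it if it already exists, so the
    # function can be re-run to apply an updated trusted-host list.
    echo "iptables -N SAMBA-IN 2>/dev/null || iptables -F SAMBA-IN"

    # Send every SMB/CIFS connection attempt through that chain (delete any
    # earlier jump first so repeated runs do not add duplicate rules).
    for port in 139 445; do
        echo "iptables -D INPUT -p tcp --dport $port -j SAMBA-IN 2>/dev/null"
        echo "iptables -A INPUT -p tcp --dport $port -j SAMBA-IN"
    done

    # Trusted hosts and subnets are accepted; with no arguments the chain
    # blocks all SMB/CIFS access, which matches the Workaround above.
    for host in "$@"; do
        echo "iptables -A SAMBA-IN -s $host -j ACCEPT"
    done

    # Log (rate-limited, so a scan cannot flood syslog) and drop the rest.
    echo "iptables -A SAMBA-IN -m limit --limit 5/min -j LOG --log-prefix 'SMB-DENY: '"
    echo "iptables -A SAMBA-IN -j DROP"
}
```

The function only prints the rules, so the output can be reviewed before it is piped into `sh`; the dedicated chain keeps the Samba rules separate from whatever else is in INPUT and makes the trusted-host list easy to change later. Remember that this does not remove the flaw: hosts that remain allowed through the firewall can still reach the vulnerable code until smbd is upgraded.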

Debian 3.0 (woody)
------------------
upgrade to samba_2.2.3a-12.1_i386.deb,
           smbclient_2.2.3a-12.1_i386.deb,
           samba-common_2.2.3a-12.1_i386.deb,
           libsmbclient_2.2.3a-12.1_i386.deb,
           smbfs_2.2.3a-12.1_i386.deb,
           libpam-smbpass_2.2.3a-12.1_i386.deb,
           libsmbclient-dev_2.2.3a-12.1_i386.deb,
           swat_2.2.3a-12.1_i386.deb,
           winbind_2.2.3a-12.1_i386.deb

Mandrake 8.0, 8.1
-----------------
rpm -Fvh samba-common-2.2.7a-8.1mdk.i586.rpm \
         samba-server-2.2.7a-8.1mdk.i586.rpm \
         samba-client-2.2.7a-8.1mdk.i586.rpm \
         samba-doc-2.2.7a-8.1mdk.i586.rpm \
         samba-swat-2.2.7a-8.1mdk.i586.rpm

Mandrake 8.2, 9.0
-----------------
rpm -Fvh samba-common-2.2.7a-8.1mdk.i586.rpm \
         samba-server-2.2.7a-8.1mdk.i586.rpm \
         samba-client-2.2.7a-8.1mdk.i586.rpm \
         samba-doc-2.2.7a-8.1mdk.i586.rpm \
         samba-swat-2.2.7a-8.1mdk.i586.rpm \
         samba-winbind-2.2.7a-8.1mdk.i586.rpm \
         nss_wins-2.2.7a-8.1mdk.i586.rpm

Information on other Linux distributions will be published as soon
as it becomes available.