The three vulnerabilities in Samba reported this week should have network administrators scrambling to patch vulnerable servers. Most
distributors have already done their scrambling to pick up and apply the fixes so they could release updated samba packages. Each of the vulnerabilities could lead to root privileges; two of them are remotely exploitable - just the kinds of security holes that give administrators nightmares.
No exploits have yet been reported, but it is probably only a matter of
time; unless they run a completely trusted environment, Samba users need
to patch these holes.
The Samba project provides a free
implementation of the SMB/CIFS protocols that allow file and print sharing
on Windows networks. With Samba, Linux (and other free operating systems)
can participate as either a client or server in a mixed OS environment.
As Microsoft is not known for its ability (or, perhaps more accurately,
willingness) to play well with others, the Samba team has reverse
engineered the protocols and the way they are used by Windows so that
Samba can bridge that gap. Somewhat surprisingly, the project was not
singled out in the latest patent saber rattling by Microsoft; it is probably
just an oversight as Samba is precisely the kind of package that Microsoft
would want to spread patent FUD about.
The vulnerabilities themselves are fairly straightforward bugs, but it is
instructive to look at them; understanding security holes helps avoid
them in future code. The
is the shortest lived of the three, only affecting versions 3.0.23d through
3.0.25pre2, whereas the other two affected all versions from 3.0.0.
to simplify the handling of transitions to and from root privileges in
the smbd server process is the cause. When looking up
System Identifiers (SIDs) in a local list of users and groups,
it may transition to rather than from the root user allowing
a local attacker to perform some operations as root.
reported vulnerability appears to be the most serious as it is remotely
exploitable without requiring authentication with the Samba server. By
sending specifically crafted packets to the server, an attacker could
cause the heap to be overwritten, leading to execution of code provided
by the attacker. The underlying cause, as shown by this
is not checking for NULL as the return value from a memory allocation
report concerns unsanitized user input that is passed to /bin/sh
to be executed. By using shell metacharacters in the data sent, an attacker
could execute code on the server. If the 'username map script'
option has been enabled in smb.conf (it is off by default),
the remote attacker need not be authenticated with the server to execute the
code. In the standard install, a remote user would be required to
authenticate to gain access to the file and print sharing management
features before being able to exploit this vulnerability.
With the exception of the SID lookup botch, these kinds of bugs are not
new and not specific to Samba. Some variant of the user input filtering
problem is the root cause of the majority of web-based security problems
and forgetting to check for NULL in allocations is as old as the C language
itself. It is probably a bit embarrassing to the team, but it is not
surprising that these kinds of problems creep in. Programming securely
is difficult and there are a lot of ways to go wrong. Based on the
timelines, the Samba team responded promptly in getting fixes out and made
sure the word got out. This is the right response in the face of these
to post comments)