
Security

Brief items

The Samba Vulnerability

[This article was contributed by Tom Owen]

Samba.org's announcement of 2.2.8 last week had an eerie familiarity. Here is a release prompted by a buffer overflow in a major open source server component. A fortnight ago it was sendmail; this time it is Samba, the free SMB/CIFS server. The vulnerability was spotted by the reliably hard-nosed security team at SuSE. Samba team members say there is a risk of remote root compromise, and all sites are urged to plan an urgent upgrade. The LWN vulnerability entry has links to the distributions' patches and to the new version 2.2.8, which contains the fix.

The vulnerability dates back to 2.0.x, which is over four years old, and is present in every release from 2.0.x through 2.2.7a. 2.0 is the Samba version which introduced domain logon for Windows NT clients, so if your server has been updated at any time since 1999, or acts as a domain controller for NT clients, it is vulnerable.

The vulnerability is described as a buffer overflow in smbd's message fragment assembly code. Any exploit would send crafted SMB fragments to TCP port 139. Also fixed in the new release is a locally exploitable race condition.

Even in a tightly-run site this vulnerability is a serious threat, since anyone who can reach the SMB port from the local network can potentially get root. What gets plain scary is that there are sites which expose SMB to the Internet. That can never be the right thing to do, whether the server is Samba or Windows; the problem is not the servers but the protocol. The Microsoft Network Neighbourhood browser is easy to use, but the price is that anyone can connect to a server and list users, servers and shares: perfect background for social engineering, and an easy route to find any share which, by error or design, has less than perfect security settings. Access is easier to lock down with Samba than with Windows, but it is best simply not to expose SMB to the net at all.

The announcement goes into detail on the precautions any Samba site should be taking. They have little to do with this particular vulnerability, since they do not protect against an attack from inside the network, but every site ought to be taking them anyway.

The first step is to make sure that the ports for SMB and WINS are blocked at the Internet gateway. This risk is so well understood that many cheap routers include a standardised filter set (typically called something like NETBIOS) to block ports 137, 138 and 139 (137 and 138 are UDP, 139 is TCP). This is good as far as it goes, but Microsoft is moving away from these ports. More recent Microsoft servers offer SMB directly over TCP on port 445, so this is one more port to block. Samba 2.2 doesn't use 445, but the upcoming 3.0 will.

Samba's daemons are not normally run from inetd and so cannot be protected by TCP wrappers. The announcement shows how to use smb.conf directives to get similar control:

One of the simplest fixes in this case is to use the 'hosts allow' and 'hosts deny' options in the Samba smb.conf configuration file to only allow access to your server from a specific range of hosts. An example might be:
        hosts allow = 127.0.0.1 192.168.2.0/24 192.168.3.0/24
        hosts deny = 0.0.0.0/0
The above will only allow SMB connections from 'localhost' (your own computer) and from the two private networks 192.168.2 and 192.168.3. All other connections will be refused as soon as the client sends its first packet. The refusal will be marked as a 'not listening on called name' error.
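Whether a given client would actually get through those two directives is worth checking before relying on them. The script below is an added example, not Samba's own code: it reads the hosts allow and hosts deny values out of a [global] section and applies the decision order Samba's access check uses (it is derived from TCP wrappers): the allow list is consulted first, then the deny list, a client on neither list is admitted, and loopback is admitted unless it is explicitly denied and not allowed. Only the IP forms are handled (single address, trailing-dot prefix such as 192.168.2., CIDR, and address/netmask); hostnames, netgroups and the EXCEPT keyword are not. The sample smb.conf is constructed from the directives quoted above.

```python
"""Evaluate Samba 'hosts allow' / 'hosts deny' for a client address.

Added example, not Samba code.  Mirrors the documented precedence rules
for the IP-address entry forms only.
"""
import ipaddress

# Constructed sample configuration using the announcement's directives.
SAMPLE_SMB_CONF = """
[global]
   workgroup = EXAMPLE
   ; refuse everything that is not explicitly allowed
   hosts allow = 127.0.0.1 192.168.2.0/24 192.168.3.0/24
   hosts deny = 0.0.0.0/0

[homes]
   browseable = no
"""

def parse_global(conf_text):
    """Return the key/value pairs of the [global] section, keys lower-cased."""
    section, values = None, {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            key, _, value = line.partition("=")
            values[" ".join(key.lower().split())] = value.strip()
    return values

def host_list(values, *names):
    """Split a hosts allow/deny value into entries; the synonym names are accepted."""
    for name in names:
        if name in values:
            return values[name].replace(",", " ").split()
    return []

def entry_matches(entry, addr):
    """Test one smb.conf host entry against one client IPv4 address."""
    if entry.upper() == "ALL":
        return True
    if entry.endswith("."):                       # prefix form, e.g. 192.168.2.
        return str(addr).startswith(entry)
    try:                                          # CIDR, addr/netmask or single address
        return addr in ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return False                              # hostname etc.: not handled here

def list_matches(entries, addr):
    return any(entry_matches(e, addr) for e in entries)

def client_allowed(allow, deny, client_ip):
    """Samba's decision order for a client address given both lists."""
    addr = ipaddress.ip_address(client_ip)
    if addr.is_loopback:
        # loopback is accepted unless explicitly denied and not allowed
        if list_matches(deny, addr) and not list_matches(allow, addr):
            return False
        return True
    if not allow and not deny:                    # neither list: everyone
        return True
    if not deny:                                  # allow list only: those hosts only
        return list_matches(allow, addr)
    if not allow:                                 # deny list only: everyone else
        return not list_matches(deny, addr)
    if list_matches(allow, addr):                 # both: allow wins
        return True
    return not list_matches(deny, addr)           # both: unlisted hosts get in

def check_conf(conf_text, client_ip):
    """Apply the [global] hosts allow/deny of conf_text to client_ip."""
    g = parse_global(conf_text)
    allow = host_list(g, "hosts allow", "allow hosts")
    deny = host_list(g, "hosts deny", "deny hosts")
    return client_allowed(allow, deny, client_ip)

if __name__ == "__main__":
    for ip in ("127.0.0.1", "192.168.2.10", "192.168.4.1", "203.0.113.9"):
        print(ip, "allowed" if check_conf(SAMPLE_SMB_CONF, ip) else "denied")
```

Samba ships the authoritative version of this check: testparm smb.conf hostname ip reports whether that host is allowed under the loaded configuration, and it should be preferred on a real server. The case to remember is the last branch: when both lists are present, a client on neither is admitted, so a deny list that is narrower than 0.0.0.0/0 leaves holes as soon as an allow list is added next to it.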

It seems rash to put a file server on your Internet gateway, but a lot of home and small business hosts are set up that way. These sites can control their exposure with 'interfaces =' and 'bind interfaces only = yes', but a cheap basic filtering router is probably a better plan.

Samba servers have one extra risk not shared by Windows servers. The Samba Web Administration Tool (SWAT) runs under inetd, normally via TCP wrappers. Care is needed in inetd.conf and hosts.allow to restrict access to SWAT to the local network and keep it off the Internet; since SWAT authenticates with the root password over plain HTTP, there are also instructions on how to offer it over SSL.

One way this Samba vulnerability stands out from the sendmail one earlier this month is that it is a bit of a surprise: despite Samba's long history and wide use, it has shown few vulnerabilities which are not a consequence of the SMB protocol. The other is that malicious exploits appear to have been tested or used before the announcement. SuSE saw anomalous crashes on one of its public servers, and analysis of the logs was enough to persuade the Samba team to bring the 2.2.8 release forward: a truly alarming response. Site administrators should act soon, first to make sure that their SMB is not visible on the Internet, and then to upgrade Samba to 2.2.8.
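The cheapest way to know whether the gateway filter really hides SMB is to ask from outside. The script below is an added example, not part of Samba or of any distribution's advisory: on port 139 it sends an RFC 1002 NetBIOS Session Request for the generic called name *SMBSERVER and decodes the reply, and on port 445 (direct-hosted SMB, which has no NetBIOS session layer) it only tests whether the port accepts a connection. The target is whatever address you pass on the command line and the file name smbprobe.py is hypothetical; the error-code names are the ones RFC 1002 defines, so the 'not listening on called name' refusal that hosts deny produces is reported under that name.

```python
"""Check whether a host answers SMB on TCP 139 (NetBIOS session) or 445.

Added example, not Samba project code.  Run it from OUTSIDE the
perimeter against your own public address to confirm the gateway filter.
"""
import socket
import struct
import sys

SESSION_REQUEST, POSITIVE_RESPONSE, NEGATIVE_RESPONSE = 0x81, 0x82, 0x83

# RFC 1002 section 4.3.4: error codes carried in a negative session response
NEG_ERRORS = {
    0x80: "not listening on called name",
    0x81: "not listening for calling name",
    0x82: "called name not present",
    0x83: "called name present, but insufficient resources",
    0x8F: "unspecified error",
}

def encode_netbios_name(name, suffix=0x20):
    """RFC 1001 first-level encoding: 15 space-padded chars plus a suffix
    byte, each nibble added to 'A', as a 34-byte label (length, 32 chars, 0)."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    chars = bytearray()
    for b in raw:
        chars += bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)])
    return bytes([32]) + bytes(chars) + b"\x00"

def build_session_request(called="*SMBSERVER", calling="PROBE"):
    """Session Request: type 0x81, flags, 16-bit length, called and calling names."""
    body = encode_netbios_name(called, 0x20) + encode_netbios_name(calling, 0x00)
    return struct.pack("!BBH", SESSION_REQUEST, 0, len(body)) + body

def parse_session_response(data):
    """Map a session-service reply to (status, detail)."""
    if len(data) < 4:
        return ("malformed", "short reply")
    kind = data[0]
    if kind == POSITIVE_RESPONSE:
        return ("open", "positive session response")
    if kind == NEGATIVE_RESPONSE:
        code = data[4] if len(data) > 4 else None
        return ("refused", NEG_ERRORS.get(code, "unknown error code %r" % code))
    return ("unknown", "message type 0x%02x" % kind)

def probe_139(host, timeout=3.0):
    """'open' and 'refused' both prove smbd is reachable; only 'closed' means filtered."""
    try:
        with socket.create_connection((host, 139), timeout=timeout) as s:
            s.sendall(build_session_request())
            return parse_session_response(s.recv(64))
    except OSError as e:
        return ("closed", str(e))

def probe_445(host, timeout=3.0):
    """Direct-hosted SMB: a bare TCP connect is enough to show exposure."""
    try:
        with socket.create_connection((host, 445), timeout=timeout):
            return ("open", "TCP connection accepted")
    except OSError as e:
        return ("closed", str(e))

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: smbprobe.py <host>   (run from outside your perimeter)")
    for port, fn in ((139, probe_139), (445, probe_445)):
        status, detail = fn(sys.argv[1])
        print("%s/tcp %-8s %s" % (port, status, detail))
```

Read the result strictly. A positive response means SMB is open to the world. A negative response, including the hosts deny refusal, still means smbd itself accepted the TCP connection and answered, so the gateway filter is not doing its job; hosts deny is a policy inside smbd, not a substitute for the filter. Only a refused connection or a timeout ('closed') shows the port is actually blocked from that vantage point.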

(Thanks to Jeremy Allison for assistance with this article).

Comments (2 posted)

March CRYPTO-GRAM newsletter

Bruce Schneier's CRYPTO-GRAM newsletter for March is out. It looks at Practical Cryptography (a new book he co-authored with Niels Ferguson), the defeat of the SSL patent, and the SSL vulnerability. "By now it should be obvious that hackers don't steal credit card numbers one by one across the network; they steal them in bulk -- by the thousands or even millions -- by breaking into poorly protected networks. Many smaller e-commerce sites don't use SSL to protect their credit card transactions, and even there this kind of attack simply doesn't happen."

Full Story (comments: 3)

New vulnerabilities

kernel - ptrace-related vulnerability

Package(s):kernel CVE #(s):CAN-2003-0127
Created:March 17, 2003 Updated:June 30, 2003
Description: Versions 2.2.x and 2.4.x of the Linux kernel contain a vulnerability in ptrace() which may be exploited by a local user to obtain root access. This announcement contains the details and a patch for 2.4.20. For 2.2 users, 2.2.25 has been released which contains the fix.
Alerts:
Debian DSA-336-2 kernel-source-2.2.20 2003-06-29
Debian DSA-336-1 kernel-source-2.2.20 2003-06-29
Debian DSA-332-1 kernel-source-2.4.17 2003-06-27
Red Hat RHSA-2003:098-03 kernel 2003-06-02
SCO Group CSSA-2003-020.0 kernel 2003-05-09
Mandrake MDKSA-2003:038-1 kernel 2003-04-09
Red Hat RHSA-2003:135-00 kernel 2003-04-08
Conectiva CLA-2003:618 kernel 2003-04-07
Debian DSA-276-1 kernel-patch-2.4.17-s390 2003-04-03
Mandrake MDKSA-2003:039 kernel22 2003-03-27
Mandrake MDKSA-2003:038 kernel 2003-03-27
Debian DSA-270-1 kernel 2003-03-27
SuSE SuSE-SA:2003:021 kernel 2003-03-25
Gentoo 200303-17 kernel 2003-03-21
Sorcerer SORCERER2003-03-19 kernel 2003-03-20
Red Hat RHSA-2003:088-01 kernel 2003-03-20
EnGarde ESA-20030318-009 kernel 2003-03-18
Trustix 2003-0007 kernel 2003-03-18
Red Hat RHSA-2003:098-00 kernel 2003-03-17

Comments (none posted)

lprold - buffer overflow in lprm

Package(s):lprold lpd CVE #(s):CAN-2003-0144
Created:March 13, 2003 Updated:May 28, 2003
Description: The lprm command of the printing package lprold contains a buffer overflow. This buffer overflow can be exploited by a local user, if the printer system is set up correctly, to gain root privileges.
Alerts:
Mandrake MDKSA-2003:059 lpr 2003-05-21
Debian DSA-267-2 lpr 2003-04-15
Debian DSA-275-1 lpr-ppd 2003-04-02
Debian DSA-267-1 lpr 2003-03-24
SuSE SuSE-SA:2003:0014 lprold 2003-03-13

Comments (none posted)

lxr - input validation error

Package(s):lxr CVE #(s):
Created:March 19, 2003 Updated:March 19, 2003
Description: lxr fails to properly sanitize incoming filenames, with the result that an attacker can read arbitrary files on the system.
Alerts:
Debian DSA-264-1 lxr 2003-03-19

Comments (none posted)

man - code execution vulnerability

Package(s):man CVE #(s):CAN-2003-0124
Created:March 19, 2003 Updated:May 7, 2003
Description: Versions of man prior to 1.51 contain a code execution vulnerability which can be exploited by a carefully crafted man file. See this advisory for the details.
Alerts:
Mandrake MDKSA-2003:054 man 2003-05-06
Red Hat RHSA-2003:133-01 man 2001-03-05
Conectiva CLA-2003:620 man 2003-04-07
Gentoo 200303-13 man 2003-03-18

Comments (none posted)

mysql - configuration file vulnerability

Package(s):mysql mysqld CVE #(s):CAN-2003-0150
Created:March 18, 2003 Updated:May 16, 2003
Description: According to a report on BugTraq, a vulnerability exists in version 3.23.55 and earlier versions of the MySQL server. If the MySQL server is launched by root, as it is often done by system startup scripts, any database users with the "FILE" privilege can write a configuration file (usually my.cnf) that causes the MySQL server to run under an arbitrary user id, including the user id of the super-user, on the next restart.
Alerts:
Debian DSA-303-1 mysql 2003-05-15
Mandrake MDKSA-2003:057 MySQL 2003-05-14
Red Hat RHSA-2003:093-02 MySQL 2002-03-05
Red Hat RHSA-2003:093-01 MySQL 2003-04-29
EnGarde ESA-20030324-012 MySQL 2003-03-24
Gentoo 200303-14 mysql 2003-03-18
OpenPKG OpenPKG-SA-2003.022 mysql 2003-03-18
Trustix 2003-0009 mysql 2003-03-18

Comments (none posted)

NetPBM: math overflow errors

Package(s):NetPBM CVE #(s):CAN-2003-0146
Created:March 17, 2003 Updated:May 27, 2003
Description: Al Viro and Alan Cox discovered several arithmetic overflow errors in NetPBM, a set of graphics conversion tools. These programs are not installed setuid root, but they are often used to prepare data received from elsewhere for further processing. These vulnerabilities may allow remote attackers to cause a denial of service or execute arbitrary code.
Alerts:
Conectiva CLA-2003:656 netpbm 2003-05-27
Red Hat RHSA-2003:060-01 NetPBM 2003-04-03
Mandrake MDKSA-2003:036 netpbm 2003-03-25
Debian DSA-263-1 netpbm-free 2003-03-17

Comments (none posted)

openssl: local and remote extraction of RSA private key

Package(s):openssl, apache, mod_ssl CVE #(s):CAN-2003-0147
Created:March 18, 2003 Updated:May 22, 2003
Description: David Brumley and Dan Boneh of Stanford University have researched and documented a timing attack on OpenSSL which allows local and remote attackers to extract the RSA private key of a server. The OpenSSL RSA implementation is generally vulnerable to this type of attack unless RSA blinding has been turned on. See this paper (PDF format) for additional details.

Typically, RSA blinding is not enabled by OpenSSL-based applications, mainly because it is not obvious how to do so when using OpenSSL to provide SSL/TLS. This problem affects almost all applications using OpenSSL; they have to be rebuilt against the fixed OpenSSL version (where RSA blinding is now enabled by default) or have to enable RSA blinding explicitly themselves.

The performance impact of RSA blinding appears to be small (a few percent only) and the RSA functionality is still fully compatible. The Common Vulnerabilities and Exposures (CVE) project assigned the id CAN-2003-0147 to the problem.
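What blinding changes is easiest to see in code. The following is an added example in Python, not OpenSSL's implementation: it builds a toy key from two 30-bit primes (constructed here, far too small for real use; P, Q and E are the example's own names) and performs the private-key operation both ways. The unblinded form raises the attacker-supplied ciphertext c to d directly, so its running time depends on a value the attacker chose, which is what the timing attack measures. The blinded form multiplies c by r^e for a fresh random r before exponentiating and divides r out afterwards, so the exponentiated operand is unrelated to anything the attacker controls while the result is unchanged.

```python
"""RSA private-key operation with and without blinding.

Added example, not OpenSSL code.  Toy parameters; the arithmetic is the
same as in a real implementation, and blinded_operand() exposes the value
that actually gets exponentiated so the difference can be checked.
"""
import math
import secrets

# Constructed toy key: p and q are well-known primes, e = 65537.
P, Q, E = 1_000_000_007, 998_244_353, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))          # modular inverse, Python 3.8+

def encrypt(m, e=E, n=N):
    return pow(m, e, n)

def decrypt_unblinded(c, d=D, n=N):
    """c^d mod n: the attacker's ciphertext is the operand being exponentiated."""
    return pow(c, d, n)

def blinded_operand(c, r, e=E, n=N):
    """The value raised to d under blinding: c * r^e (mod n)."""
    return (c * pow(r, e, n)) % n

def fresh_blinding_factor(n=N):
    """Random r with 2 <= r < n and gcd(r, n) == 1, so r has an inverse mod n."""
    while True:
        r = secrets.randbelow(n - 2) + 2
        if math.gcd(r, n) == 1:
            return r

def decrypt_blinded(c, d=D, e=E, n=N):
    """Blinded private-key operation, as RSA_blinding_on() makes OpenSSL do.

    (c * r^e)^d = c^d * r^(e*d) = c^d * r  (mod n), so multiplying by r^-1
    afterwards recovers c^d while the exponentiation never sees c itself.
    """
    r = fresh_blinding_factor(n)
    m_blind = pow(blinded_operand(c, r, e, n), d, n)
    return (m_blind * pow(r, -1, n)) % n

if __name__ == "__main__":
    m = 123456789
    c = encrypt(m)
    print("unblinded:", decrypt_unblinded(c) == m)
    print("blinded:  ", decrypt_blinded(c) == m)
    print("operand differs per r:", blinded_operand(c, 3) != blinded_operand(c, 5))
```

In OpenSSL the equivalent switch is RSA_blinding_on(rsa, NULL) on the key; the fixed releases listed below turn it on by default. The cost is one extra modular exponentiation with the public exponent per private-key operation plus the inversion of r, which is where the "few percent" above comes from.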

Alerts:
Slackware ssa:2003-141-05 mod_ssl 2003-05-22
Debian DSA-288-1 openssl 2003-04-17
Conectiva CLA-2003:625 openssl 2003-04-10
SuSE SuSE-SA:2003:024 openssl 2003-04-04
Red Hat RHSA-2003:101-01 OpenSSL 2003-04-01
Immunix IMNX-2003-7+-001-01 openssl, openssh, mod_ssl 2003-03-26
Trustix 2003-0013 openssl 2003-03-26
Mandrake MDKSA-2003:035 openssl 2003-03-25
Gentoo 200303-24 stunnel 2003-03-25
Gentoo 200303-23 mod_ssl 2003-03-25
Gentoo 200303-20 openssl 2003-03-24
SCO Group CSSA-2003-014.0 openssl 2003-03-21
Sorcerer SORCERER2003-03-21-0 openssl 2003-03-21
OpenPKG OpenPKG-SA-2003.026 openssl 2003-03-20
EnGarde ESA-20030320-010 openssl 2003-03-20
Gentoo 200303-15 openssl 2003-03-20
Trustix 2003-0010 openssl 2003-03-18
OpenPKG OpenPKG-SA-2003.020 apache (option "with_mod_ssl" only) 2003-03-18
OpenPKG OpenPKG-SA-2003.019 openssl 2003-03-18

Comments (none posted)

rxvt - vulnerabilities in the handling of escape sequences

Package(s):rxvt CVE #(s):CAN-2003-0022 CAN-2003-0023 CAN-2003-0066
Created:March 17, 2003 Updated:March 26, 2003
Description: Rxvt is a colour VT102 terminal emulator for the X Window System. A number of issues have been found in the escape sequence handling of rxvt. These could potentially be exploited if an attacker can cause carefully crafted escape sequences to be displayed on an rxvt terminal being used by the victim.

One of the features which most terminal emulators support is the ability for the shell to set the title of the window using an escape sequence. Certain xterm variants, including rxvt, also provide an escape sequence for reporting the current window title. This essentially takes the current title and places it on the command line as if the user had typed it. Since it is not possible to embed a carriage return in the window title itself, the attacker would have to convince the victim to hit enter for the title to be processed as a command, although the attacker can perform a number of actions to increase the likelihood of this happening.

The "screen dump" feature in rxvt 2.7.8 allows attackers to overwrite arbitrary files via a certain character escape sequence when it is echoed to a user's terminal, e.g. when the user views a file containing the malicious sequence.

The menuBar feature in rxvt 2.7.8 allows attackers to modify menu options and execute arbitrary commands via a certain character escape sequence that inserts the commands into the menu.

Users of Rxvt are advised to upgrade to these errata packages which contain a patch to disable the title reporting functionality and patches to correct the other issues.

Alerts:
Mandrake MDKSA-2003:034 rxvt 2003-03-25
Gentoo 200303-16 rxvt 2003-03-20
Red Hat RHSA-2003:054-00 rxvt 2003-03-17

Comments (none posted)

samba - exploitable buffer overruns

Package(s):samba CVE #(s):CAN-2003-0085 CAN-2003-0086
Created:March 17, 2003 Updated:April 4, 2003
Description: The SuSE security audit team, in particular Sebastian Krahmer, has found a flaw in the main smbd code of Samba which could allow an external attacker to remotely and anonymously gain superuser (root) privileges on a host running a Samba server.

This flaw exists in all previous versions of Samba from 2.0.x to 2.2.7a inclusive. This is a serious problem and all sites should either upgrade to Samba 2.2.8 immediately or prohibit access to TCP ports 139 and 445. Advice from Andrew Tridgell, the leader of the Samba Team, on how to protect an unpatched Samba server is quoted in the Samba article above.

The SMB/CIFS protocol implemented by Samba is vulnerable to many attacks, even without specific security holes. The TCP ports 139 and the new port 445 (used by Win2k and the Samba 3.0 alpha code in particular) should never be exposed to untrusted networks.

See this article for more information. Samba-TNG users should update to version 0.3.1.

Alerts:
Conectiva CLA-2003:615 samba 2003-04-04
Immunix IMNX-2003-7+-003-01 samba 2003-03-31
Red Hat RHSA-2003:095-03 smb 2003-04-01
Red Hat RHSA-2003:095-02 samba 2003-03-25
SuSE SuSE-SA:2003:016 samba 2003-03-19
Trustix 2003-0011 samba 2003-03-18
Red Hat RHSA-2003:095-01 samba 2003-03-17
OpenPKG OpenPKG-SA-2003.021 samba 2003-03-18
Sorcerer SORCERER2003-03-17 samba 2003-03-17
Gentoo 200303-11 samba 2003-03-17
Slackware sl-1047827401 samba 2003-03-16
Mandrake MDKSA-2003:032 samba 2003-03-15
Debian DSA-262-1 samba 2003-03-15

Comments (none posted)

Resources

LinuxSecurity.com newsletters

The Linux Advisory Watch and Linux Security Week newsletters from LinuxSecurity.com are available.

Comments (none posted)

Events

2003 IEEE Symposium on Security and Privacy

The schedule for the 2003 IEEE Symposium on Security and Privacy (May 11 to 14, Oakland, California) has been posted.

Full Story (comments: none)

Page editor: Jonathan Corbet


Copyright © 2003, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds