

Critical Vulnerabilities in Samba

May 16, 2007

This article was contributed by Jake Edge.

The three vulnerabilities in Samba reported this week should have network administrators scrambling to patch vulnerable servers. Most distributors have already done their scrambling to pick up and apply the fixes so they could release updated samba packages. Each of the vulnerabilities could lead to root privileges; two of them are remotely exploitable - just the kinds of security holes that give administrators nightmares. No exploits have yet been reported, but it is probably only a matter of time; unless they run a completely trusted environment, Samba users need to patch these holes.

The Samba project provides a free implementation of the SMB/CIFS protocols that allow file and print sharing on Windows networks. With Samba, Linux (and other free operating systems) can participate as either a client or server in a mixed OS environment. As Microsoft is not known for its ability (or, perhaps more accurately, willingness) to play well with others, the Samba team has reverse engineered the protocols and the way they are used by Windows so that Samba can bridge that gap. Somewhat surprisingly, the project was not singled out in the latest patent saber rattling by Microsoft; it is probably just an oversight as Samba is precisely the kind of package that Microsoft would want to spread patent FUD about.

The vulnerabilities themselves are fairly straightforward bugs, but it is instructive to look at them; understanding security holes helps avoid them in future code. The first is the shortest lived of the three, affecting only versions 3.0.23d through 3.0.25pre2, whereas the other two affect all versions from 3.0.0. The cause is an attempt to simplify the handling of transitions to and from root privileges in the smbd server process. When looking up System Identifiers (SIDs) in a local list of users and groups, it may transition to, rather than from, the root user, allowing a local attacker to perform some operations as root.

The second reported vulnerability appears to be the most serious, as it is remotely exploitable without requiring authentication with the Samba server. By sending specifically crafted packets to the server, an attacker could cause the heap to be overwritten, leading to execution of code provided by the attacker. The underlying cause, as shown by this patch, is a missing check for a NULL return value from a memory allocation routine.
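The pattern behind the second bug is an allocation whose result is used without being checked. The following is an added example, not Samba's code or its fix: a hypothetical routine that copies a length-prefixed field out of a received packet, with the allocator passed in so that an allocation failure can be exercised in a test. The 16-bit little-endian length prefix is a format chosen for the example.

```c
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

typedef void *(*alloc_fn)(size_t);

/* Result codes returned instead of ever writing through a NULL buffer. */
enum { FIELD_OK = 0, FIELD_EBOUNDS = -1, FIELD_ENOMEM = -2 };

/* Copy the length-prefixed field at offset OFF of PKT into a freshly
 * allocated NUL-terminated string. Both the length taken from the packet
 * and the allocator's return value are validated before any memory is
 * touched; the caller owns *OUT on FIELD_OK and must free() it. */
int copy_field(const uint8_t *pkt, size_t pkt_len, size_t off,
               alloc_fn alloc, char **out)
{
    *out = NULL;
    if (pkt_len < 2 || off > pkt_len - 2)
        return FIELD_EBOUNDS;                   /* no room for the prefix */
    size_t field_len = (size_t)pkt[off] | ((size_t)pkt[off + 1] << 8);
    if (field_len > pkt_len - off - 2)
        return FIELD_EBOUNDS;                   /* length exceeds the packet */
    char *buf = alloc(field_len + 1);
    if (buf == NULL)
        return FIELD_ENOMEM;                    /* the check the article says was missing */
    memcpy(buf, pkt + off + 2, field_len);
    buf[field_len] = '\0';
    *out = buf;
    return FIELD_OK;
}

/* Allocator that always fails, used to simulate memory exhaustion. */
static void *failing_alloc(size_t n) { (void)n; return NULL; }
```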

The final report concerns unsanitized user input that is passed to /bin/sh to be executed. By using shell metacharacters in the data sent, an attacker could execute code on the server. If the 'username map script' option has been enabled in smb.conf (it is off by default), the remote attacker need not be authenticated with the server to execute the code. In the standard install, a remote user would be required to authenticate to gain access to the file and print sharing management features before being able to exploit this vulnerability.
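The third bug is the classic case of building a command string from untrusted input and handing it to /bin/sh. As an added example (not Samba's code and not its actual fix), the routine below runs a hypothetical user-mapping script with the supplied name as a separate argv element via execv, so no shell parses it, and additionally refuses names outside a conservative allow-list before any process is started.

```c
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Allow-list for names passed to the script: ASCII letters, digits and a
 * few punctuation characters seen in account names. Every shell
 * metacharacter falls outside the list. A leading '-' is refused so the
 * name cannot be mistaken for an option by the script. Returns 1 if safe. */
int username_is_safe(const char *name)
{
    size_t len = strlen(name);
    if (len == 0 || len > 64 || name[0] == '-')
        return 0;
    for (size_t i = 0; i < len; i++) {
        char c = name[i];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || c == '.' || c == '_' ||
                 c == '-' || c == '@';
        if (!ok)
            return 0;
    }
    return 1;
}

/* Run SCRIPT with NAME as its only argument. Because the name travels as
 * an argv element rather than inside a command string, /bin/sh never sees
 * it. Returns the script's exit status, or -1 if the name was rejected or
 * the process could not be started or did not exit normally. */
int run_user_script(const char *script, const char *name)
{
    if (!username_is_safe(name))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *argv[] = { (char *)script, (char *)name, NULL };
        execv(script, argv);
        _exit(127);                 /* exec failed; never reached otherwise */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

The allow-list is the part an administrator can tune; the execv-with-argv structure is what removes the shell from the picture regardless of what the list admits.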

With the exception of the SID lookup botch, these kinds of bugs are not new and not specific to Samba. Some variant of the user input filtering problem is the root cause of the majority of web-based security problems and forgetting to check for NULL in allocations is as old as the C language itself. It is probably a bit embarrassing to the team, but it is not surprising that these kinds of problems creep in. Programming securely is difficult and there are a lot of ways to go wrong. Based on the timelines, the Samba team responded promptly in getting fixes out and made sure the word got out. This is the right response in the face of these inevitable bugs.


New vulnerabilities

bind: denial of service

Package(s): bind
CVE #(s): CVE-2007-2241
Created: May 10, 2007
Updated: June 8, 2007
Description: ISC BIND 9.4.0 is vulnerable to a denial of service attack. If recursion is enabled, a remote attacker can use a special sequence of queries to cause the daemon to exit.
Fedora FEDORA-2007-0300 bind 2007-06-08
OpenPKG OpenPKG-SA-2007.014 bind 2007-05-18
Mandriva MDKSA-2007:100 bind 2007-05-09


samba: several vulnerabilities

Package(s): samba
CVE #(s): CVE-2007-2444, CVE-2007-2446, CVE-2007-2447
Created: May 14, 2007
Updated: June 5, 2007
Description: Three vulnerabilities have been fixed in Samba 3.0.25:
Debian DSA-1291-4 samba 2007-06-04
Debian-Testing DTSA-41-1 samba 2007-05-31
Mandriva MDKSA-2007:104-1 samba 2007-05-23
Ubuntu USN-460-2 samba 2007-05-22
SuSE SUSE-SA:2007:031 samba 2007-05-21
Fedora FEDORA-2007-518 samba 2007-05-21
Debian DSA-1291-3 samba 2007-05-20
OpenPKG OpenPKG-SA-2007.012 samba 2007-05-18
Trustix TSLSA-2007-0017 samba 2007-05-17
Debian DSA-1291-2 samba 2007-05-15
Ubuntu USN-460-1 samba 2007-05-16
Foresight FLEA-2007-0017-1 samba 2007-05-15
Gentoo 200705-15 samba 2007-05-15
Debian DSA-1291-1 samba 2007-05-15
Slackware SSA:2007-134-01 samba 2007-05-15
rPath rPSA-2007-0098-1 samba 2007-05-15
Mandriva MDKSA-2007:104 samba 2007-05-14
Fedora FEDORA-2007-506 samba 2007-05-14
Fedora FEDORA-2007-507 samba 2007-05-14
Red Hat RHSA-2007:0354-01 samba 2007-05-14


squirrelmail: missing input sanitizing

Package(s): squirrelmail
CVE #(s): CVE-2007-1262
Created: May 14, 2007
Updated: June 15, 2007
Description: It was discovered that the webmail package SquirrelMail performs insufficient sanitizing inside the HTML filter, which allows the injection of arbitrary web script code during the display of HTML email messages.
rPath rPSA-2007-0123-1 squirrelmail 2007-06-14
Mandriva MDKSA-2007:106 squirrelmail 2007-05-19
Red Hat RHSA-2007:0358-01 squirrelmail 2007-05-17
Fedora FEDORA-2007-505 squirrelmail 2007-05-14
Debian DSA-1290-1 squirrelmail 2007-05-13


Page editor: Jonathan Corbet

Copyright © 2007, Eklektix, Inc.