The SuSE Security Audit Team has reported that a vulnerability in the Samba suite—which provides SMB-based file and printer sharing on many Linux and UNIX systems—can open up a system to a remote attack resulting in complete compromise of the system by giving the attacker "root" privileges.
A News.com story on this vulnerability included a note from the coauthor of Samba, Jeremy Allison, saying that they rushed the release of a new version of Samba because, "We know of one site that may have been compromised by this."
The Samba.org notice on this flaw reports that the newest version of Samba fixes this problem by adding “explicit overrun and overflow checks on fragment re-assembly of SMB/CIFS packets,” which addresses this vulnerability.
A Debian GNU/Linux Security notice, DSA-262-1, says that the threats include:
- “A buffer overflow in the SMB/CIFS packet fragment re-assembly code used by smbd. Since smbd runs as root, an attacker can use this to gain root access to a machine running smbd.
- “The code to write reg files was vulnerable for a chown race, which made it possible for a local user to overwrite system files.”
Mitre vulnerability candidate number CAN-2003-0085 describes the flaw as “a buffer overflowin the SMB/CIFS packet fragment re-assembly code for SMB daemon (smbd) in Samba before 2.2.8 allows remote attackers to execute arbitrary code.”
Mitre vulnerability candidate CAN-2003-0086 is a reg file vulnerability that “allows local users to overwrite arbitrary files via a race condition involving chown” in older Samba versions.
Samba 2.0.x to 2.2.7a all include this vulnerability. CERT Vulnerability Note VU#298233 lists a number of vendor products that are vulnerable to this Samba flaw and states that Openwall GNU/*/Linux, Fujitsu, and Ingrian products are not vulnerable.
Apple’s advisory on this problem says, “Samba is not enabled by default with Mac OS X and Mac OS X Server.” Apple says that it does have plans to issue a patch for version 10.2.4.
Because this flaw can result in root (administrator) access and can be exploited remotely, it needs to be taken very seriously by administrators who have Samba running on their networks.
The Samba team recommends that users immediately upgrade to version 2.2.8. The source code is located at download.samba.org/samba/ftp/ in samba-2.2.8.tar.gz or samba-2.2.8.tar.bz2. When available, binary packages will be posted at download.samba.org/samba/ftp/Binary_Packages/. Alternatively, managers can simply block access to TCP ports 139 and 445.
As the Samba team clearly states, Samba is configured by default to accept connections from any host. This includes the Internet, and there is no good reason to have Samba installed on these systems in its default configuration.
The News.com story on this vulnerability quotes Allison as saying, "You would have to be crazy to run this over the Internet."
The Samba team pointed out that you can protect servers that can be accessed by untrusted hosts by adjusting the “hosts allow” and “hosts deny” options in the smb.conf file to limit access to specific trusted hosts. For example, “Hosts allow = 192.168.9.” would limit SMB connections to systems on the internal network segment with an IP address of 192.168.9.x.
The Samba.org notice on this vulnerability also details a way to block unwanted network interfaces so that Samba will not accept connections from them. In addition, the notice reports that Samba uses ports UDP/137 (nmbd), UDP/138 (nmbd), TCP/139 (smbd), and TCP/445 (smbd), which can be blocked at a firewall to protect servers against these vulnerabilities. In particular, TCP/445 may be wide open on older setups that have been upgraded because that port was added to the Samba protocols recently.
A Red Hat BugTraq notice carries links to patch locations for Red Hat software. The SuSE BugTraq notice lists the vulnerable SuSE products and has links to patches.
This vulnerability was apparently patched quickly once it was discovered, which reflects well on Samba and SuSE. However, the closing quote of the News.com story indicated that the great thing about open source is that everyone can see the code and a flaw of this magnitude can be found. That may be true, but if you are going to point that out, it’s only fair to remind people that this flaw has apparently lain undiscovered since at least Samba release 2.0. When an open source flaw is discovered within days of a program’s release, it’s a shiny gold star for open source—but when a problem lies hidden for a long time, that’s no better than when the same thing happens to proprietary software, such as Microsoft products. In this case, SuSE’s head of security probably shouldn’t have used this particular instance to brag about open source security benefits.
In that spirit of fairness, the Samba development team’s note on the page describing the problem and patch said, “As always, all bugs are our responsibility.” I believe that is something that needs to be part of every bug fix, especially including Microsoft’s Security Bulletins.
Although all bugs are the responsibility of the individual developers, the captains are responsible for everything that happens on their ships, even things that are beyond their direct control. The fact that the Samba team expressed this sentiment is a good indication that they really care about bugs and have a feeling of personal responsibility for any problems encountered by users. Kudos to the Samba team for that.