Samba has released security updates for a denial-of-service flaw in its print spooler and for a flaw that lets any authenticated user on a Samba Active Directory domain controller reset other users' passwords, administrators' included. Samba 4 users should update now.
Key takeaways:
- Samba versions 4.0.0 and up have two vulnerabilities, CVE-2018-1050 and CVE-2018-1057, that have just been fixed by security patches. Samba users should update their instances immediately.
- The first lets a remote attacker crash the print spooler and take printing offline, but only where the spooler runs as an external daemon. The second lets any authenticated user on a Samba Active Directory domain controller reset other users' passwords, including administrators'.
Open source server platform Samba has issued patches for two vulnerabilities: one that could be used to launch a denial-of-service attack against printing, and one that lets any authenticated user change other users' and administrators' passwords.
Samba is a free, open source interoperability suite that provides Windows-compatible file and print services on Unix and Linux machines. Businesses that run Unix/Linux and Windows side by side frequently use Samba to link the two, so any weakness in Samba's security or stability is a risk to both environments.
The vulnerabilities in question, CVE-2018-1050 and CVE-2018-1057, both warrant attention from anyone running Samba, although they apply to different deployments, as described below. If your business has a Samba deployment, install the applicable security updates as soon as possible.
What the Samba vulnerabilities can do
The first vulnerability, CVE-2018-1050, affects Samba 4.0.0 and later, but only installations that run the Remote Procedure Call (RPC) spooler service (spoolss) as an external daemon, that is, with rpc_server:spoolss = external in smb.conf. The default setting is internal.
The external spooler code is missing an input sanitization check, so a crafted RPC request can crash the print spooler process, denying print service to every client of that server. Samba says there is no known vulnerability beyond this denial of service, and that leaving rpc_server:spoolss at its default, internal, avoids the problem entirely.
The second vulnerability, CVE-2018-1057, is a far greater risk. It also affects Samba 4.0.0 and later, but only when Samba is deployed as an Active Directory domain controller, and it lets any authenticated user change the passwords of other users, including those with administrative rights.
The problem stems from how Samba AD domain controllers validate permissions for password changes made over the Lightweight Directory Access Protocol (LDAP). "The LDAP server incorrectly validates certain LDAP password modifications against the 'Change Password' privilege, but then performs a password reset operation," Samba said. The distinction matters: in Active Directory the Change Password right, which requires supplying the current password, is granted to everyone by default, while Reset Password (setting a new password without knowing the old one) is normally reserved for administrators. Checking the weaker right and then performing the stronger operation is what lets an ordinary account overwrite anyone's password.
This vulnerability only affects Samba installations acting as Active Directory domain controllers; Samba file servers and domain member servers are not affected by it.
If you are using Samba as an AD DC and cannot install the security patch yet, Samba describes a workaround as a temporary protection measure: revoke the 'Change Password' right from the 'World' (Everyone) group on the directory's user objects, leaving only each user's own right to change their password and administrators' right to reset passwords.
Note: while this workaround is in place, users will not be able to change expired passwords using another account. Samba recommends setting the password age for all non-Windows clients so that passwords do not expire during the period the workaround is in place.
Samba's advisory for CVE-2018-1057 includes step-by-step instructions for the workaround.
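The following script is an added example, not code from this article or from the Samba project. It reads an smb.conf and reports whether the host is exposed to CVE-2018-1050 (spooler configured as external) and whether CVE-2018-1057 applies (server role is an AD DC), the two conditions described above, and then prints the advisory's ACL workaround command for a given domain DN. The smb.conf layout, the Samba server-role spellings it matches, the sample configs and the domain DN are assumptions; the samba-tool invocation and the User-Change-Password GUID are reproduced from the advisory from memory, so confirm them against the advisory before running anything on a domain controller.

```shell
#!/bin/sh
# Added example, not code from the article or from the Samba project.
# Reads an smb.conf, reports which of the two advisories can apply to the
# host, then prints the advisory's LDAP-ACL workaround for CVE-2018-1057.
# Assumptions: standard "key = value" smb.conf layout with "#"/";" comments,
# parameter names matched case- and whitespace-insensitively as Samba does,
# and the server-role spellings listed in is_ad_dc below.

# Print the [global] value of a parameter (lower case, whitespace squeezed).
# $1 = parameter name with spaces removed, e.g. "serverrole"; $2 = smb.conf path
global_value() {
  awk -v want="$1" '
    /^[[:space:]]*[#;]/ { next }                         # comment line
    /^[[:space:]]*\[/ { s = tolower($0); gsub(/[[:space:]]/, "", s)
                        s = substr(s, 2, length(s) - 2); next }   # "[global]" -> "global"
    s == "global" && index($0, "=") {
      k = substr($0, 1, index($0, "=") - 1); gsub(/[[:space:]]/, "", k)
      v = substr($0, index($0, "=") + 1)
      gsub(/^[[:space:]]+|[[:space:]]+$/, "", v); gsub(/[[:space:]]+/, " ", v)
      if (tolower(k) == want) val = tolower(v)           # last assignment wins
    }
    END { print val }' "$2"
}

# CVE-2018-1050 only matters when the spooler runs out of process.
spoolss_is_external() {
  [ "$(global_value rpc_server:spoolss "$1")" = "external" ]
}

# CVE-2018-1057 only matters on an AD domain controller.
# Assumed role spellings: the ones Samba accepts for the AD DC role.
is_ad_dc() {
  case "$(global_value serverrole "$1")" in
    "active directory domain controller"|"domain controller"|dc) return 0 ;;
    *) return 1 ;;
  esac
}

# One line per CVE, so output can be collected and grepped across a fleet.
assess() {
  if spoolss_is_external "$1"; then
    echo "CVE-2018-1050: exposed (rpc_server:spoolss = external; set it to internal or patch)"
  else
    echo "CVE-2018-1050: not exposed (spoolss runs internally, the default)"
  fi
  if is_ad_dc "$1"; then
    echo "CVE-2018-1057: exposed (AD DC role; patch or apply the ACL workaround)"
  else
    echo "CVE-2018-1057: not applicable (not an AD DC)"
  fi
}

# The advisory's temporary workaround: an object-deny ACE (OD) that removes
# the User-Change-Password control access right (CR, GUID ab721a53-...)
# from Everyone (SID alias WD), inherited (CI) by every object under the
# domain DN. Self keeps its own change right; admins keep the separate
# Reset Password right. $1 = domain DN (an assumption, supplied by the caller).
# Reproduced from the advisory from memory: confirm before running.
workaround_cmd() {
  printf "samba-tool dsacl set --objectdn=%s --sddl='(OD;CI;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)'\n" "$1"
}

# Constructed sample configs (not real hosts), written to a temp directory.
TMP=$(mktemp -d)
DC_CONF="$TMP/smb-dc.conf"
FS_CONF="$TMP/smb-fileserver.conf"
cat > "$DC_CONF" <<'EOF'
# constructed sample: an AD DC that also moved the spooler out of process
[global]
    workgroup = EXAMPLE
    realm = AD.EXAMPLE.COM
    Server Role = Active Directory Domain Controller
    rpc_server:spoolss = external
[printers]
    path = /var/spool/samba
EOF
cat > "$FS_CONF" <<'EOF'
; constructed sample: a plain file server that leaves the spooler at its default
[global]
    workgroup = EXAMPLE
    server role = standalone server
    ; rpc_server:spoolss = external   (commented out, so the default applies)
[share]
    path = /srv/share
EOF

assess "$DC_CONF"
assess "$FS_CONF"
workaround_cmd "DC=ad,DC=example,DC=com"
```

On a real host, call `assess /etc/samba/smb.conf`. An exposed spooler can be closed immediately by setting rpc_server:spoolss = internal and restarting smbd; the ACL command, by contrast, has to be run on the domain controller itself by an account allowed to write the domain's security descriptor, and it should be reverted once the patched version is installed so that expired-password changes work again.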