Five-year-old remote code execution hole patched in Macs, Linux

The developers of Samba yesterday released new versions and security patches to address a critical vulnerability that can be exploited by remote attackers to execute code as the "root" user from an anonymous connection. All Samba versions between 3.0.x and 3.6.3 (inclusive) are affected. Given that 3.0.25 was released in 2007, the vulnerability has been present in Samba for some five years, as pointed out by ZDNet reader Jeremy Allison.

The company has issued patches addressing the security flaw for currently supported versions of Samba (3.4.x, 3.5.x, and 3.6.x), and Samba administrators are being urged to update. In fact, due to how serious the vulnerability is, patches have been released for all Samba versions from 3.0.37 onwards, even though most of them are currently out of support.

Three new security releases (Samba 3.4.16, Samba 3.5.14, Samba 3.6.4) for currently supported versions have been issued over at samba.org/samba/security. Patches against older Samba versions are available at samba.org/samba/patches.

Here's how Samba described the flaw in its security bulletin CVE-2012-1182):

The code generator for Samba's remote procedure call (RPC) code contained an error which caused it to generate code containing a security flaw. This generated code is used in the parts of Samba that control marshalling and unmarshalling of RPC calls over the network.

The flaw caused checks on the variable containing the length of an allocated array to be done independently from the checks on the variable used to allocate the memory for that array. As both these variables are controlled by the connecting client it makes it possible for a specially crafted RPC call to cause the server to execute arbitrary code.

As this does not require an authenticated connection it is the most serious vulnerability possible in a program, and users and vendors are encouraged to patch their Samba installations immediately.

Samba is the open source software that enables file and print sharing between Windows, Mac OS X, and Linux computers. It comes pre-installed on most Linux distributions, as well as on Apple's Mac OS X Server.

Samba is also included on many UNIX-based devices like network printers, network storage, as well as other media and file-sharing devices, to facilitate transferring files between them and Windows systems. These installations are more difficult to patch, since Samba is embedded and probably can't be updated.

See also:

• Over 600,000 Macs infected with Flashback Trojan
• Apple developing tool to detect and remove Flashback Trojan
• Facebook: Android, iOS security hole only for jailbroken devices
• Security hole exposes Android, iOS to Facebook identity theft
• Over 600,000 Macs infected with Flashback Trojan
• Malware tricks Facebook users into exposing credit cards
• Malicious Chrome extensions hijack Facebook accounts