Five-year-old flaw could affect Linux, Macs


Summary: Patches have been released for file-networking protocol software, Samba, revealing that the software, which is used extensively in Macs and Linux, has been subject to a critical vulnerability for five years.

Although Samba originally stated that the vulnerability affected versions from 3.0.x, it only affects versions from 3.0.25 onwards.

Update: Patches have been released for file-networking protocol software, Samba, revealing that the software, which is used extensively in Macs and Linux, has been subject to a critical vulnerability for five years.


The security advisory released by the Samba team reveals that the vulnerability makes it possible for a remote, unauthenticated user to send a specially crafted remote procedure call that will create multiple buffer overflows in the Samba server. This would allow a malicious user to crash the service, or possibly execute arbitrary code with root user privileges.

The most recent stable release of Samba prior to the patch, version 3.6.3, is susceptible to the vulnerability, despite only being released at the end of January this year, and older versions as far back as 3.0.25 are also affected. Although the advisory states that versions back to 3.0.x are vulnerable, Samba contributor Jelmer Vernooij has clarified that the issue only goes back as far as 3.0.25. Given that 3.0.25 was released in May 2007, this would mean that the vulnerability has been present for five years.

The software itself allows file and print services to be shared among computers using the SMB/CIFS protocol (the "SMB" from which Samba gets its name), and is typically required if users want to share files between different operating systems such as Linux/Unix and Windows.

Samba is included in virtually all distributions of Linux, meaning that the operating system has been vulnerable to attack, too, if Samba is running. Red Hat, which provides enterprise support for its version of Linux, has also scrambled to produce an update to address the issue.

Linux is also used in a number of media and file-sharing devices, and it may be that Samba is installed on network-attached storage devices, or even television sets, to facilitate transferring files between them and Windows systems.

Trustwave SpiderLabs warned that these installations might not be able to be patched: "Samba is everywhere that Linux is. Got a NAS device on your network with an embedded Linux server? You probably have Samba, and you probably can't update it, since it's embedded."

Apple's operating system also has its roots in Unix, and, as a result, may also be vulnerable if Samba server is used. Vulnerable versions of the Samba server included Server 10.2/Jaguar Server and Server 10.3/Panther Server.

The Samba team currently provides support for 3.6.x, 3.5.x and 3.4.x versions of Samba, and has released patches for these versions as a matter of course, but, due to how serious the vulnerability is, it has also released patches for all Samba versions from 3.0.37 onwards, even though they are currently out of support. Users should update to 3.6.4, 3.5.14 or 3.4.16 to protect themselves against the vulnerability, but, if they are unable to, intermediary measures exist to only allow white-listed clients to connect. The Samba team admits that this workaround is not a permanent solution, however, stating that client addresses can easily be faked.
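The version ranges above can be turned into a quick triage check for an asset inventory. This is an added example, not code from the article or the Samba advisory: the function names are hypothetical, the input is assumed to be a version string such as the one `smbd --version` prints, and branches newer than 3.6 are assumed to carry the fix.

```python
import re

# Fixed releases named in the article, keyed by (major, minor) branch.
FIXED = {(3, 6): 4, (3, 5): 14, (3, 4): 16}
FIRST_AFFECTED = (3, 0, 25)  # per Jelmer Vernooij's clarification
PATCH_FLOOR = (3, 0, 37)     # oldest version that received an out-of-support patch

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract (major, minor, patch) from e.g. 'Version 3.0.25a-apple'."""
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no Samba version found in {text!r}")
    return tuple(int(group) for group in match.groups())


def classify(text):
    """Return 'not-affected', 'fixed', 'affected' or 'affected-no-upstream-patch'."""
    version = parse_version(text)
    if version < FIRST_AFFECTED:
        return "not-affected"
    branch = version[:2]
    if branch in FIXED:
        return "fixed" if version[2] >= FIXED[branch] else "affected"
    if branch > (3, 6):
        return "fixed"  # assumption: later branches include the fix
    # Unsupported 3.0.x-3.3.x branch: upstream patches start at 3.0.37.
    # A vendor may backport the fix without changing this number, so treat
    # 'affected' here as "confirm against the vendor's advisory".
    return "affected" if version >= PATCH_FLOOR else "affected-no-upstream-patch"


if __name__ == "__main__":
    # Constructed sample inventory; the two -apple strings are the ones
    # quoted in the reader comments below the article.
    for banner in ("Version 3.6.3", "Version 3.5.14", "Version 3.2.5",
                   "Version 3.0.25a-apple", "Version 3.0.28a-apple",
                   "Version 3.0.24"):
        print(f"{banner:24} {classify(banner)}")
```

A result of "affected" on a distribution package should be confirmed against the vendor's advisory, since the upstream version number alone does not show whether a backported patch is installed.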

The discoverer of the vulnerability, Brian Gorenc, who also works in Hewlett-Packard TippingPoint's Digital Vaccine Laboratories group, alerted the Samba team to the issue, and provided the organisation with working proof of concept code. While he hasn't released his code publicly, he hints on Twitter that users should be able to figure out how to exploit the vulnerability by looking at the patches. In addition, SpiderLabs claims that a "high-quality" proof of concept has been released into the wild, and that it makes exploiting the vulnerability as simple as pointing and clicking.

Updated at 10.41am, 12 April 2012: added clarification by Jelmer Vernooij.

Topics: Open Source, Linux, Security

Michael Lee

About Michael Lee

A Sydney, Australia-based journalist, Michael Lee covers a gamut of news in the technology space including information security, state Government initiatives, and local startups.

  • Lucky Apple no longer uses Samba in 10.7.
  • It probably went by the wayside because most of us don't route those protocols outside of private LAN-space and block it with firewalls. I sure do.
  • The bug was added in 2007, the reporter is making the mistake of assuming it was in the first version of Samba 3.0.0, whereas it was only introduced in the 3.0.25 release. It's still bad of course, just not 10 years old.

    See here:

    for more details from an authoritative source.

    • Thanks for the info Jeremy! We've updated the article as such.


      Michael Lee (Mukimu)
  • OS X 10.5 uses Samba "3.0.25a-apple" and OS X 10.6 uses Samba "3.0.28a-apple" (both normal and Server versions). Any Mac OS X computer (not just servers) older than Lion with SMB file sharing switched on is therefore, I assume, vulnerable, and Samba have not issued any updates that Mac users could use - they will have to rely on an update from Apple. Unfortunately it seems that Apple are no longer supporting OS X 10.5 (see the example of the Java Flashback vulnerability), so this is another nail in the coffin of using PowerPC computers as workhorse file servers.