Samba critical flaws: Patch now but older open instances have 'far worse issues'

Samba patches a flaw that allows logged-in users to change admin passwords.
Written by Liam Tung, Contributing Writer


Samba has released new versions of its Windows-Linux compatible file- and printer-sharing software to address a password bug and a denial-of-service vulnerability.

The two vulnerabilities affect all versions since Samba 4.0.0's release in December 2012.

The password bug allows any authenticated user on a Samba 4 LDAP server set up as an Active Directory Domain Controller (AD DC) to change other users' passwords, including those of administrative users and service accounts, such as Domain Controllers.

Samba developers have provided patches only for supported versions of Samba, meaning Samba 4.5 and above. The issue is fixed in Samba 4.7.6, 4.6.14 and 4.5.16, though the project said patches for earlier versions may also be made available.

Samba has provided workaround and support notes to help admins monitor for unauthorized password changes before deploying the update.

"As Samba does not at this time change the machine account passwords of Domain Controllers, any change to these, or to the passwords of administrators should be a concern," it warns.
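One way to put that monitoring into practice, as an added example that is not Samba's own tooling or the advisory's script: compare two attribute snapshots of the directory and flag any pwdLastSet change on Domain Controller machine accounts or on a watch list of admin accounts. The LDIF snapshots below are constructed; the attribute names and the SERVER_TRUST_ACCOUNT bit are standard Active Directory values, and how you export the snapshots (for example with ldbsearch) is an assumption.

```python
from datetime import datetime, timedelta, timezone
SERVER_TRUST_ACCOUNT = 0x2000  # userAccountControl bit carried by DC machine accounts
WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def parse_ldif(text):
    """Parse minimal LDIF (entries separated by blank lines) into {sAMAccountName: attrs}."""
    accounts = {}
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                entry[key.strip()] = value.strip()
        if "sAMAccountName" in entry:
            accounts[entry["sAMAccountName"]] = entry
    return accounts

def filetime_to_datetime(value):
    """Convert an AD pwdLastSet value (100 ns ticks since 1601-01-01 UTC) to a datetime."""
    return WINDOWS_EPOCH + timedelta(microseconds=int(value) // 10)

def find_suspicious_changes(baseline, current, admin_watchlist):
    """Flag DC machine accounts and watch-listed admins whose pwdLastSet moved since baseline."""
    findings = []
    for name, entry in current.items():
        is_dc = int(entry.get("userAccountControl", "0")) & SERVER_TRUST_ACCOUNT
        if not (is_dc or name in admin_watchlist):
            continue  # ordinary users may legitimately change their own passwords
        old = baseline.get(name, {}).get("pwdLastSet")
        new = entry.get("pwdLastSet")
        if old is not None and new is not None and old != new:
            findings.append((name, filetime_to_datetime(old), filetime_to_datetime(new)))
    return findings
# Constructed snapshots, not real directory data (e.g. from two ldbsearch exports).
BASELINE_LDIF = """sAMAccountName: alice
userAccountControl: 512
pwdLastSet: 131650000000000000

sAMAccountName: DC01$
userAccountControl: 532480
pwdLastSet: 131650000000000000

sAMAccountName: Administrator
userAccountControl: 512
pwdLastSet: 131650000000000000
"""
CURRENT_LDIF = BASELINE_LDIF.replace("131650000000000000", "131652000000000000", 2)  # alice and DC01$ rotated
def run_check():
    return find_suspicious_changes(parse_ldif(BASELINE_LDIF), parse_ldif(CURRENT_LDIF), {"Administrator"})
```

Only the DC machine account is reported: alice's change is an ordinary user's and Administrator's value did not move.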

"Samba vendors and administrators running affected versions are advised to upgrade or apply the patch as soon as possible," it said in the advisory for CVE-2018-1057.

The updated versions of Samba also shut down a denial-of-service vulnerability affecting certain configurations of Samba when it's set up as a print server.

"All versions of Samba from 4.0.0 onwards are vulnerable to a denial-of-service attack when the RPC spoolss service is configured to be run as an external daemon," Samba states in the advisory for CVE-2018-1050.


"Missing input sanitization checks on some of the input parameters to spoolss RPC calls could cause the print spooler service to crash."

The issue is also fixed in Samba 4.7.6, 4.6.14 and 4.5.16, and patches are also available for Samba 4.4.16 and 4.3.13.

While the new bugs are serious enough to warrant applying the fixes, Rapid7 yesterday highlighted that there are about 500,000 internet-facing instances of Samba 3.2.x and 250,000 more running other versions.

As Rapid7's chief security data scientist Bob Rudis points out, these pre-4.0 Samba instances might not be exposed to the current bugs, but 3.2.x instances are vulnerable to "far worse issues" than the password flaw.
