There is a serious remotely exploitable vulnerability in the Samba open-source software that could enable an attacker to gain root privileges without any authentication. The bug is in all versions of Samba from 3.0.x to 3.6.3, but has been fixed in Samba 3.6.4, which is the current stable release.
Samba is designed to help integrate Unix, Linux and other non-Windows clients into Windows environments. Because the vulnerability in the software is considered to be quite serious, the Samba team has released patches for some versions that are out of support, from versions 3.0.37 forward.
“Samba versions 3.6.3 and all versions previous to this are affected by a vulnerability that allows remote code execution as the ‘root’ user from an anonymous connection. The code generator for Samba’s remote procedure call (RPC) code contained an error which caused it to generate code containing a security flaw,” the Samba advisory says. “This generated code is used in the parts of Samba that control marshalling and unmarshalling of RPC calls over the network. The flaw caused checks on the variable containing the length of an allocated array to be done independently from the checks on the variable used to allocate the memory for that array. As both these variables are controlled by the connecting client it makes it possible for a specially crafted RPC call to cause the server to execute arbitrary code.”
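The class of error the advisory describes, sketched as an added example; this is not Samba's generated code and not part of the advisory. The wire layout, `MAX_ELEMS`, and all function names are assumptions made for illustration. It contrasts range-checking the two client-supplied counts separately with validating the copy length against the size actually allocated.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ELEMS 1024u  /* assumed per-call limit for this sketch */

/* Constructed wire layout (not Samba's NDR): two little-endian uint32
 * counts, then elem_count uint32 values. Both counts are client-controlled. */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Flawed pattern: each count is range-checked on its own, so
 * alloc_count=2, elem_count=8 passes and a copy loop driven by
 * elem_count would run past the end of the 2-element allocation. */
int checks_independent(uint32_t alloc_count, uint32_t elem_count) {
    return alloc_count <= MAX_ELEMS && elem_count <= MAX_ELEMS;
}

/* Corrected pattern: the length used for copying is validated against
 * the size actually allocated. */
int checks_coupled(uint32_t alloc_count, uint32_t elem_count) {
    return alloc_count <= MAX_ELEMS && elem_count <= alloc_count;
}

/* Unmarshal with coupled checks. Returns the element count, or -1 on a
 * malformed message. The caller frees *out. */
int unmarshal_array(const uint8_t *buf, size_t len, uint32_t **out) {
    *out = NULL;
    if (len < 8) return -1;
    uint32_t alloc_count = rd32(buf), elem_count = rd32(buf + 4);
    if (!checks_coupled(alloc_count, elem_count)) return -1;
    /* The payload must really contain elem_count values. */
    if ((len - 8) / 4 < elem_count) return -1;
    uint32_t *arr = calloc(alloc_count ? alloc_count : 1, sizeof *arr);
    if (!arr) return -1;
    for (uint32_t i = 0; i < elem_count; i++)
        arr[i] = rd32(buf + 8 + 4 * (size_t)i);
    *out = arr;
    return (int)elem_count;
}
```

The mismatched header is accepted by `checks_independent` and rejected by `checks_coupled`, which is the gap a generated unmarshaller has to close for every array it decodes.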
A remote, pre-authentication vulnerability is essentially the most severe kind of flaw that can crop up in a software package such as Samba. An attacker who found a vulnerable installation of Samba would not need to authenticate in order to launch an exploit. Samba is used widely in networks that include a variety of client and server software, and the Samba developers are warning users that they should patch or upgrade to the newest version as soon as possible to avoid being attacked.
“As this does not require an authenticated connection it is the most serious vulnerability possible in a program, and users and vendors are encouraged to patch their Samba installations immediately,” they said in their advisory.
The patches for the vulnerability can be found on the Samba security site.