Remote Pre-Authentication Flaw Fixed in Samba

There is a serious remotely exploitable vulnerability in the Samba open-source software that could enable an attacker to gain root privileges without any authentication. The bug is in all versions of Samba from 3.0.x to 3.6.3, but has been fixed in Samba 3.6.4, which is the current stable release.


Samba is designed to help integrate Unix, Linux and other non-Windows clients into Windows environments. Because the vulnerability in the software is considered to be quite serious, the Samba team has released patches for some versions that are out of support, from versions 3.0.37 forward.

“Samba versions 3.6.3 and all versions previous to this are affected by a vulnerability that allows remote code execution as the ‘root’ user from an anonymous connection. The code generator for Samba’s remote procedure call (RPC) code contained an error which caused it to generate code containing a security flaw,” the Samba advisory says. “This generated code is used in the parts of Samba that control marshalling and unmarshalling of RPC calls over the network. The flaw caused checks on the variable containing the length of an allocated array to be done independently from the checks on the variable used to allocate the memory for that array. As both these variables are controlled by the connecting client it makes it possible for a specially crafted RPC call to cause the server to execute arbitrary code.”
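The bug class the advisory describes can be shown with a simplified model. This is an added example, not Samba's generated code or anything from the advisory. The wire layout, `MAX_ELEMS` and all function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical wire layout (an assumption, not Samba's NDR encoding):
 *   bytes 0-3  alloc_count  little-endian, elements to allocate
 *   bytes 4-7  length       little-endian, elements that follow
 *   bytes 8..  length * 4 bytes of data; both header fields are client-chosen */
#define MAX_ELEMS 1024u

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Flawed pattern: each field is checked on its own, never against the other.
 * Only the checks are modelled; returns 1 if the message would be accepted. */
int flawed_checks_accept(const uint8_t *msg, size_t n) {
    if (n < 8) return 0;
    uint32_t alloc_count = rd32(msg), length = rd32(msg + 4);
    if (alloc_count > MAX_ELEMS) return 0;   /* bounds the allocation only */
    if ((n - 8) / 4 < length) return 0;      /* bounds the input read only */
    return 1;                                /* length vs alloc_count unchecked */
}

/* Hardened: the copy length is tied to the allocation before any write.
 * Returns a calloc'd array (caller frees) and sets *out_len, or NULL. */
uint32_t *unmarshal_array(const uint8_t *msg, size_t n, uint32_t *out_len) {
    if (n < 8) return NULL;
    uint32_t alloc_count = rd32(msg), length = rd32(msg + 4);
    if (alloc_count == 0 || alloc_count > MAX_ELEMS) return NULL;
    if (length > alloc_count) return NULL;   /* the missing cross-check */
    if ((n - 8) / 4 < length) return NULL;   /* data must actually be present */
    uint32_t *arr = calloc(alloc_count, sizeof *arr);
    if (arr == NULL) return NULL;
    for (uint32_t i = 0; i < length; i++) arr[i] = rd32(msg + 8 + 4 * (size_t)i);
    *out_len = length;
    return arr;
}

/* Constructed sample messages: consistent header, then length > alloc_count. */
static const uint8_t ok_msg[16]  = {2,0,0,0, 2,0,0,0, 7,0,0,0, 9,0,0,0};
static const uint8_t bad_msg[16] = {1,0,0,0, 2,0,0,0, 7,0,0,0, 9,0,0,0};

int main(void) {
    printf("flawed accepts: ok=%d bad=%d\n", flawed_checks_accept(ok_msg, 16),
           flawed_checks_accept(bad_msg, 16));
    return 0;
}
```

Each field in the flawed version passes its own bound, so the inconsistent message is accepted; the hardened parser rejects it because the copy length is compared against the allocation size.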

A remote, pre-authentication vulnerability is essentially the most severe kind of flaw that can crop up in a software package such as Samba. An attacker who found a vulnerable installation of Samba would not need to authenticate in order to launch an exploit. Samba is used widely in networks that include a variety of client and server software, and the Samba developers are warning users that they should patch or upgrade to the newest version as soon as possible to avoid being attacked.

“As this does not require an authenticated connection it is the most serious vulnerability possible in a program, and users and vendors are encouraged to patch their Samba installations immediately,” they said in their advisory.

The patches for the vulnerability can be found on the Samba security site.


Discussion

  • Anonymous on

    Wow! It's as if saying the word fixed makes everything alright....  ah, nope.

    For those concerned, this vulnerability affects literally millions of network and file-sharing devices around the world that can not be updated. Many of these servers, mini servers, routers with USB file-share ports, etc... are now exposed.

    My question, Will the manufacturers of these devices write firmware updates?

    (typically for manual downloaders, who are concerned about security)

    I think there is little reason to re-release firmware for sub-one-hundred-dollar devices that are no longer even being sold. There is better reason for manufacturers to "cry foul" against Samba.org, apologize, and launch buy-back plans on new equipment to keep their customers...

  • Anonymous on

    To "Software has bugs": Much of the Samba in use is not software, it's firmware. The problem is it's not advertised or sold to consumers as Samba - it's under the cover of upscale dlink or linksys (pick a brand) routers. Put a USB drive in, and presto, you have a server. This is the same for any NAS box... and people tend to re-use passwords too - so if these get compromised, so does the rest... (Google these two searches for a tip-of-the-iceberg look)

    whats that usb port doing on my router?

    CES D-Link announces three HD media routers

    Kaspersky will now have to scan apps for these "inside-out root attacks" on routers, gateways, print-servers and NAS boxes, just to keep users safe. (as if they didn't already have enough to do..)

  • Gary Driggs on

    I wouldn't be so quick to panic as Samba services on the type of appliances you're describing are rarely exposed to the Internet. I'm not suggesting they shouldn't be fixed but also wouldn't take this as a sign that the sky is falling -- or that Kaspersky should be responsible for assisting in remediation of this problem.
