Five-year-old flaw could affect Linux, Macs

Patches have been released for file-networking protocol software, Samba, revealing that the software, which is used extensively in Macs and Linux, has been subject to a critical vulnerability for five years.
Written by Michael Lee, Contributor
Update: although Samba originally stated that the vulnerability affected versions from 3.0.x, it only affects versions from 3.0.25 onwards.


(I'm Organized image by stopnlook, CC BY 2.0)

The security advisory released by the Samba team reveals that the vulnerability makes it possible for a remote, unauthenticated user to send a specially crafted remote procedure call that will create multiple buffer overflows in the Samba server. This would allow a malicious user to crash the service, or possibly execute arbitrary code with root user privileges.

The most recent stable release of Samba prior to the patch, version 3.6.3, is susceptible to the vulnerability, despite only being released at the end of January this year, and older versions as far back as 3.0.25 are also affected. Although the advisory states that versions back to 3.0.x are vulnerable, Samba contributor Jelmer Vernooij has clarified that the issue only goes back as far as 3.0.25. Given that 3.0.25 was released in May 2007, this would mean that the vulnerability has been present for five years.

The software itself allows file and print services to be shared among computers using the SMB/CIFS protocol (the "SMB" is where Samba gets its name), and is typically required if users want to share files between different operating systems such as Linux/Unix and Windows.

Samba is included in virtually all distributions of Linux, meaning that those systems have been vulnerable to attack, too, wherever the Samba service is running. Red Hat, which provides enterprise support for its version of Linux, has also scrambled to produce an update to address the issue.

Linux is also used in a number of media and file-sharing devices, and it may be that Samba is installed on network-attached storage devices, or even television sets, to facilitate transferring files between them and Windows systems.

Trustwave SpiderLabs warned that these installations might not be able to be patched: "Samba is everywhere that Linux is. Got a NAS device on your network with an embedded Linux server? You probably have Samba, and you probably can't update it, since it's embedded."

Apple's operating system also has its roots in Unix and, as a result, may also be vulnerable if the Samba server is used. Versions of Apple's server operating system that shipped a vulnerable Samba server include Server 10.2 (Jaguar Server) and Server 10.3 (Panther Server).

The Samba team currently provides support for the 3.6.x, 3.5.x and 3.4.x versions of Samba, and has released patches for these versions as a matter of course, but, due to how serious the vulnerability is, it has also released patches for all Samba versions from 3.0.37 onwards, even though they are currently out of support. Users should update to 3.6.4, 3.5.14 or 3.4.16 to protect themselves against the vulnerability, but, if they are unable to, interim measures exist to allow only white-listed clients to connect. The Samba team admits that this workaround is not a permanent solution, however, stating that client addresses can easily be faked.
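As an added example (not code from the article or the Samba project), the version guidance above expressed as a shell check: it classifies a Samba version string against the affected range and fixed releases reported here, and can read the version of a locally installed smbd. It assumes `smbd -V` prints a line of the form "Version X.Y.Z"; distribution packages that backport the fix while keeping an older version number will still be reported as vulnerable, so the result is a first-pass hint, not proof.

```shell
#!/bin/sh
# Added example, not from the article. Classifies a Samba version string using
# only what the article reports: affected 3.0.25 through 3.6.3; fixed in 3.6.4,
# 3.5.14 and 3.4.16; patches also issued for the out-of-support 3.0.37+ series.
# Anything the article does not cover is reported as "unknown", not guessed.

# Usage: samba_version_status VERSION   (e.g. "3.6.3" or "3.5.10-125.el6")
# Prints one of: not-affected | vulnerable | fixed | patch-required | unknown
samba_version_status() {
    base=${1%%-*}                 # drop vendor suffixes such as "-125.el6"
    oldIFS=$IFS; IFS=.; set -- $base; IFS=$oldIFS
    major=${1:-x}; minor=${2:-0}; patch=${3:-0}
    case "$major$minor$patch" in
        *[!0-9]*) echo unknown; return 0 ;;   # non-numeric component
    esac
    if [ "$major" -ne 3 ]; then echo unknown; return 0; fi
    case "$minor" in
        0)
            if [ "$patch" -lt 25 ]; then echo not-affected      # per the clarification
            elif [ "$patch" -lt 37 ]; then echo vulnerable      # no patch reported for 3.0.25-3.0.36
            else echo patch-required                            # 3.0.37+: out of support, patch issued
            fi ;;
        1|2|3) echo patch-required ;;                           # out of support, patch issued
        4) [ "$patch" -ge 16 ] && echo fixed || echo vulnerable ;;
        5) [ "$patch" -ge 14 ] && echo fixed || echo vulnerable ;;
        6) [ "$patch" -ge 4 ]  && echo fixed || echo vulnerable ;;
        *) echo unknown ;;
    esac
}

# Check the local smbd, if one is installed. Assumes "smbd -V" prints
# "Version X.Y.Z"; backported distro fixes keep old numbers, so confirm
# against the package changelog before trusting a "vulnerable" result.
check_local_smbd() {
    command -v smbd >/dev/null 2>&1 || { echo "smbd not installed"; return 0; }
    v=$(smbd -V 2>/dev/null | awk '{print $2}')
    echo "smbd $v: $(samba_version_status "$v")"
}
```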

The discoverer of the vulnerability, Brian Gorenc, who also works in Hewlett-Packard TippingPoint's Digital Vaccine Laboratories group, alerted the Samba team to the issue and provided the organisation with working proof-of-concept code. While he hasn't released his code publicly, he hints on Twitter that users should be able to work out how to exploit the vulnerability by looking at the patches. In addition, SpiderLabs claims that a "high-quality" proof of concept has been released into the wild, and that it makes exploiting the vulnerability as simple as pointing and clicking.

Updated at 10.41am, 12 April 2012: added clarification by Jelmer Vernooij.