
Re: [linux-security] ALERT: remote root exploit in samba server (SuSE)



On Mon, Mar 17, 2003 at 06:31:18PM -0800, Martin Siegert wrote:
> Topic
> =====
> remote root exploit in samba server
> 
> Problem Description
> ===================
> A flaw has been found in the Samba main smbd code which
> could allow an external attacker to remotely and anonymously gain
> Super User (root) privileges on a server running a Samba server.
> 
> This flaw exists in previous versions of Samba from 2.0.x to 2.2.7a
> inclusive: A buffer overrun condition exists in the SMB/CIFS packet
> fragment re-assembly code in smbd which would allow an attacker to
> cause smbd to overwrite arbitrary areas of memory in its own process
> address space. This could allow a skilled attacker to inject binary
> specific exploit code into smbd.
> 
> Version 2.2.8 of Samba adds explicit overrun and overflow checks on
> fragment re-assembly of SMB/CIFS packets to ensure that only valid
> re-assembly is performed by smbd.
>   
> In addition, the same checks have been added to the re-assembly
> functions in the client code, making it safe for use in other
> services.
> 
> Affected Systems
> ================
> versions of Samba from 2.0.x to 2.2.7a inclusive
> 
> Workaround
> ==========
> Block access to TCP ports 139 and 445. Note that at SFU access to
> ports 139 and 445 is blocked from off campus.
> 
> Solution
> ========
> Upgrade to samba version 2.2.8
> 
> Additionally it is strongly recommended to configure a firewall (ipchains
> or iptables) on a Samba server so that only trusted hosts can connect to
> that service on ports 139 and 445: The SMB/CIFS protocol implemented by
> Samba is vulnerable to many attacks, even without specific security holes.
> The TCP ports 139 and the new port 445 (used by Win2k and the Samba 3.0
> alpha code in particular) should never be exposed to untrusted networks.

SuSE 7.1
--------
rpm -Fvh samba-2.0.10-27.i386.rpm \
         smbclnt-2.0.10-27.i386.rpm

SuSE 7.2
--------
rpm -Fvh samba-2.2.0a-48.i386.rpm \
         smbclnt-2.2.0a-48.i386.rpm

SuSE 7.3
--------
rpm -Fvh samba-2.2.1a-213.i386.rpm \
         samba-client-2.2.1a-213.i386.rpm

SuSE 8.0
--------
rpm -Fvh samba-2.2.3a-169.i386.rpm \
         samba-client-2.2.3a-169.i386.rpm

SuSE 8.1
--------
rpm -Fvh samba-2.2.5-160.i586.rpm \
         samba-client-2.2.5-160.i586.rpm
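
The kind of overrun and overflow checks on fragment re-assembly that the quoted advisory describes, as an added C example that is not part of the original message and is not Samba's code. The struct, the function names and REASM_MAX are hypothetical, and the sample fragment is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define REASM_MAX 1024 /* assumed buffer capacity for this example */

struct reasm {         /* hypothetical state, not a Samba structure */
    uint8_t buf[REASM_MAX];
    size_t total;      /* size announced for the whole message */
    size_t received;   /* bytes accepted so far */
};

/* Begin a reassembly; refuse announced sizes the buffer cannot hold. */
int reasm_init(struct reasm *r, size_t total)
{
    if (total == 0 || total > REASM_MAX)
        return -1;
    memset(r, 0, sizeof(*r));
    r->total = total;
    return 0;
}

/* Accept one fragment; returns 0 on success, -1 if it is rejected. */
int reasm_add(struct reasm *r, size_t offset, const uint8_t *data, size_t len)
{
    if (data == NULL || len == 0)
        return -1;
    /* Overrun and overflow check by subtraction: "offset + len" could wrap. */
    if (offset > r->total || len > r->total - offset)
        return -1;
    /* Never accept more bytes in sum than were announced. */
    if (len > r->total - r->received)
        return -1;
    memcpy(r->buf + offset, data, len);
    r->received += len;
    return 0;
}

int reasm_complete(const struct reasm *r) { return r->received == r->total; }

int main(void)
{
    struct reasm r;
    const uint8_t frag[4] = { 'd', 'a', 't', 'a' }; /* constructed sample */
    if (reasm_init(&r, 8) != 0 || reasm_add(&r, 0, frag, 4) != 0)
        return 1; /* the in-bounds fragment must be accepted */
    /* A fragment ending past the total and one whose end wraps are refused. */
    return !(reasm_add(&r, 6, frag, 4) == -1 && reasm_add(&r, 4, frag, SIZE_MAX) == -1);
}
```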