Samba fixes critical remote code execution vulnerability
The Samba developers have patched a critical security vulnerability that affects all versions of the open source, cross-platform file sharing solution from Samba 3.0.x up to version 3.6.3, which was released in January. The hole allows an attacker to gain complete access to a Samba server from an unauthenticated connection. The GPLv3-licensed Samba is used by many Unix and Linux systems to share files with Windows systems by implementing the SMB, SMB2 and CIFS protocols.
The vulnerability was discovered by security researcher Brian Gorenc and an unnamed colleague, working for the Zero Day Initiative. The flaw, which is located in the code generator for Samba's remote procedure call (RPC) interface, makes it possible for clients on the network to force the Samba server to execute arbitrary code. This attack can be performed over an unauthenticated connection, granting the attacker root user privileges and thus complete access to the Samba server. The fact that the problem was located in the Perl-based DCE/RPC compiler Samba uses to generate code for handling remote requests has, presumably, made it very hard to detect with automated code auditing methods and caused it to stay hidden for such a long time.
Due to the seriousness of the exploit, all users of Samba are advised to update their installations as soon as possible. As a temporary workaround, the developers suggest using the hosts allow parameter in the smb.conf file to restrict access to the server to trusted users only. They do point out, however, that "this can be used to help mitigate the problem caused by this bug but it is by no means a real fix, as client addresses can be easily faked."
The Samba project has issued source code updates to fix the vulnerability: Samba 3.6.4 (release notes), 3.5.14 (notes) and 3.4.16 (notes). The team has also posted patches for Samba 3.6.3/.4, 3.5.13/.14 and 3.4.15/.16. Red Hat has already released patches for RHEL5 and RHEL6.
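The following audit sketch is an added example, not code from the Samba project or the original article. It checks a version string against the affected range and fixed releases named above and reports whether the [global] section of an smb.conf sets the hosts allow workaround; the function names and the sample configuration are assumptions constructed for illustration.

```python
import re

# Fixed releases named in the article, keyed by (major, minor) branch.
FIXED = {(3, 6): 4, (3, 5): 14, (3, 4): 16}

# Constructed sample smb.conf, not taken from a real server.
SAMPLE_CONF = """\
[global]
   workgroup = EXAMPLE
   ; hosts allow = 10.0.0.0/8
   Hosts Allow = 192.0.2.0/24, 127.
[share]
   path = /srv/share
"""

def is_affected(version):
    """True if the version lies in the article's affected range (3.0.x to 3.6.3)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    major, minor, patch = map(int, m.groups())
    if major != 3 or minor > 6:
        return False  # outside the range the article describes
    fixed = FIXED.get((major, minor))
    # Branches 3.0 to 3.3 have no fixed release listed in the article.
    return fixed is None or patch < fixed

def global_hosts_allow(conf_text):
    """Return the [global] 'hosts allow' entries as a list, or None if unset."""
    section, hosts = None, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, _, val = line.partition("=")
            # Samba ignores case and whitespace in parameter names;
            # 'allow hosts' is a documented synonym.
            if re.sub(r"\s+", "", key).lower() in ("hostsallow", "allowhosts"):
                hosts = [h for h in re.split(r"[,\s]+", val.strip()) if h]
    return hosts

def audit(version, conf_text):
    if not is_affected(version):
        return "ok: version outside affected range"
    if global_hosts_allow(conf_text):
        return "upgrade: affected, hosts allow set (partial mitigation only)"
    return "upgrade: affected, no hosts allow restriction"
```

Distribution packages that backport the patch, such as the Red Hat updates mentioned above, may keep an older upstream version number, so confirm those against the vendor's advisory rather than the version string alone.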