Security update for Samba 3.3
A critical security hole has forced the Samba developers to release an update for the 3.3 branch, which is due to be discontinued soon. According to an advisory, the code for chaining SMB1 packets (in chain_reply in smbd/process.c) contains a flaw which allows certain memory areas to be overwritten via specially crafted packets.
In most cases, this is said to only trigger a server crash. However, the developers note that the hole could potentially also be exploited to inject and execute code remotely. Reportedly, attackers would not even require prior authentication.
All versions from 3.0.x, up to and including 3.3.12, are affected. Updating to 3.3.13 (direct download) closes the hole. The developers recommend that affected administrators install the new version as soon as possible. A patch is also available. Versions 3.4.x and 3.5.x are not vulnerable because the code that causes the problem was rewritten from scratch for these versions.
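As an added example (not part of the advisory or the Samba project's code), the following shell function classifies a Samba version string against the ranges given above. The function name `samba_chain_reply_status` and its status labels are hypothetical, and the input is assumed to look like the `Version x.y.z` line printed by `smbd -V`.

```shell
#!/bin/sh
# Added example, not from the Samba project. Version ranges are the article's:
#   affected:       3.0.x up to and including 3.3.12
#   fixed:          3.3.13 (later 3.3.x assumed fixed as well)
#   not vulnerable: 3.4.x and 3.5.x
# Anything else is reported as "unknown" because the article does not cover it.

samba_chain_reply_status() {
    # Extract the first major.minor.patch triple, dropping prefixes such as
    # "Version " and suffixes such as "a" or "-Debian".
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*$/\1/p' |
        head -n 1)
    if [ -z "$ver" ]; then
        echo unknown
        return 0
    fi
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}

    if [ "$major" -ne 3 ]; then
        echo unknown
        return 0
    fi
    case $minor in
        0|1|2) echo affected ;;
        3) if [ "$patch" -le 12 ]; then echo affected; else echo fixed; fi ;;
        4|5) echo not-affected ;;
        *) echo unknown ;;
    esac
}

# Constructed sample strings; on a live server pass "$(smbd -V)" instead.
for s in "Version 3.0.28a" "Version 3.3.12" "Version 3.3.13" "Version 3.4.7"; do
    printf '%-16s %s\n' "$s" "$(samba_chain_reply_status "$s")"
done
```

Distribution packages may carry the patch under an older version number, so an "affected" result is a prompt to check the package changelog rather than proof that the fix is missing.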
The 3.3 branch has been in "security fixes only" mode since February of this year, and its development and maintenance are to be discontinued. Users are advised to consider upgrading to the current version.
- Memory Corruption Vulnerability, security advisory from Samba.
- Samba 3.3.12 Memory Corruption Vulnerability, security advisory from iDefense Labs.