Vulnerabilities in Samba file and printer server plugged
The development team behind the open source file and print server Samba has released versions 3.0.37, 3.2.15, 3.3.8 and 3.4.2. They fix three vulnerabilities which attackers could exploit to access data or disable the server. In addition to the new versions, source code patches are also available.
According to a report, a client merely had to send an unexpected 'Oplock break notification' to send the smbd service into an endless loop, disabling the server. This case should not arise under normal circumstances and, according to the developers, the server accepts the relevant packets only where the attacker has already been authenticated.
Where a user's home directory in the /etc/passwd file is blank, it may also be possible to break out of the defined root directory. Attackers could exploit this to access arbitrary files on the server.
A bug in the access-rights check of the mount.cifs client application results in parts of the content of credential files being disclosed to other users. Credential files allow the login details for automatic mounts to be kept in a separate file, thus avoiding having them in the publicly viewable /etc/fstab file.
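The two configuration conditions the article names, a blank home-directory field in /etc/passwd and a readable cifs credentials file, can be audited from the host. The script below is an added example, not Samba project code; it takes copies of the passwd and fstab files as arguments, and its demo() function builds constructed sample data so it runs stand-alone.

```shell
#!/bin/sh
# Added audit helper (not part of Samba): checks the two configuration
# conditions named in the advisory text, on passwd and fstab files passed
# as arguments so it can also be run against constructed samples.

# Print the login name of every passwd entry whose home-directory field
# (field 6 of the 7-field format) is empty.
blank_home_users() {
    awk -F: 'NF >= 7 && $6 == "" { print $1 }' "$1"
}

# Extract the credentials=<path> mount option from each cifs line in fstab
# (field 3 is the filesystem type, field 4 the comma-separated options).
cifs_credential_files() {
    awk '$3 == "cifs" {
        n = split($4, o, ",")
        for (i = 1; i <= n; i++)
            if (sub(/^credentials=/, "", o[i])) print o[i]
    }' "$1"
}

# Print each credentials file whose mode grants any group or other permission,
# as "<path> <perm-string>" (e.g. "/etc/cifs-creds rw-r--r--").
exposed_cifs_credentials() {
    cifs_credential_files "$1" | while IFS= read -r f; do
        [ -f "$f" ] || { printf '%s missing\n' "$f"; continue; }
        perm=$(ls -ld -- "$f" | cut -c2-10)   # the rwxr-x--- part of ls -l
        case "$perm" in
            ???------) ;;                       # owner-only bits: fine
            *) printf '%s %s\n' "$f" "$perm" ;;
        esac
    done
}

# Constructed sample data for a stand-alone run; a real audit would pass
# /etc/passwd and /etc/fstab instead.
demo() {
    d=$(mktemp -d)
    printf 'root:x:0:0:root:/root:/bin/sh\nsvc:x:900:900:service::/sbin/nologin\n' > "$d/passwd"
    printf 'alice:x:1000:1000:Alice:/home/alice:/bin/sh\n' >> "$d/passwd"
    printf 'password=secret\n' > "$d/ok.cred";  chmod 600 "$d/ok.cred"
    printf 'password=secret\n' > "$d/bad.cred"; chmod 644 "$d/bad.cred"
    printf '//fs/share1 /mnt/s1 cifs credentials=%s,uid=1000 0 0\n' "$d/ok.cred" > "$d/fstab"
    printf '//fs/share2 /mnt/s2 cifs uid=1000,credentials=%s 0 0\n' "$d/bad.cred" >> "$d/fstab"
    echo "passwd entries with blank home directory:"; blank_home_users "$d/passwd"
    echo "cifs credential files readable by others:"; exposed_cifs_credentials "$d/fstab"
    rm -rf "$d"
}
demo
```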
See also
- Remote DoS against smbd on authenticated connections, Report from Samba.org
- Misconfigured /etc/passwd file may share folders unexpectedly, Report from Samba.org
- Information disclosure by setuid mount.cifs, Report from Samba.org
(djwm)