Security

Samba Exploit Discovered, Fixed

An anonymous reader submits: "Digital Defense reported a remote root vulnerability in Samba that has existed in Samba source code for over 8 years. If it hadn't been caught from a wild packet capture, who knows how many more years it might have gone on. Fixes for this, and at least three other vulnerabilities have been fixed today. This is a serious threat to many thousands of people. Did you plan to spend your Monday upgrading to Samba 2.2.8a?" elijahao supplies some more information: "All stable versions are affected (2.x), but the 3.0 series is not. Here is a link to the News page. Check out a mirror near you to get the Source or Security patches from 2.2.7a, 2.2.8, or 2.0.10."
  • by Anonvmous Coward ( 589068 ) on Monday April 07, 2003 @04:42PM (#5681607)
    ... you know the drill. Pitchforks ready!
    • by NanoGator ( 522640 ) on Monday April 07, 2003 @04:44PM (#5681618) Homepage Journal
      "Okay everybody... ... you know the drill. Pitchforks ready! "

      Whoa, slow down there buddy. We gotta check the list.

      -Microsoft? No.
      -RIAA/MPAA? No.
      -IBM? No.
      -Amazon? No.
      -TurboTax? No.

      Sorry, Samba's not on the list. Turn in your pitchfork for a song of praise.

      • We gotta check the list.

        -Microsoft? No.
        -RIAA/MPAA? No.
        -IBM? No.
        -Amazon? No.
        -TurboTax? No.

        Ummm. You might want to check the date on that list. IBM are "good guys" now. I know. It's weird. I consider it proof of a Universe with perverse humor - and even business is not sacred.

        Of course - I'm not sure where your list came from. When IBM was 'evil', Microsoft were up-and-coming, scrappy underdogs (kind of good-guy in contrast, I suppose). And Amazon was a geography reference. TurboTax doesn't

        • "Ummm. You might want to check the date on that list. IBM are "good guys" now. "

          I was thinking about IBM's defective hard drives and laptop batteries.

          "TurboTax doesn't seem like it should even show up anywhere."

          Um, have you been reading Slashdot [slashdot.org] lately?
      • Umm, yeah... see, we took IBM off the list, yeah.... Didn't you get the memo? I'll have another copy sent to you. And I'm gonna need you to come in on Saturday... we've been short handed and need to catch up."
    • Digital Defense reported a remote root vulnerability in Samba that has existed in Samba source code for over 8 years.

      Linux: opening up holes in MS Networks since 1995.

  • Mondays? (Score:5, Funny)

    by raydobbs ( 99133 ) on Monday April 07, 2003 @04:47PM (#5681639) Homepage Journal
    I thought Monday was Patch Your Microsoft Server days... SAMBA is allowed Thursday, or was that...Wednesday...? I forget....
    • nono...Thursday is for sendmail. We'll pencil in samba on wednesdays.
    • Re:Mondays? (Score:5, Funny)

      by Lxy ( 80823 ) on Monday April 07, 2003 @04:50PM (#5681673) Journal
      I thought Monday was Patch Your Microsoft Server days

      Samba is just trying to emulate every aspect of a Windows server, including Windows patch Mondays.

      Yet another compatibility feature we can check off the list.
      • Actually, I think Microsoft now posts patches on Wednesday, at least the ones to WindowsUpdate, as Thursdays are usually the days all my clients set to auto-update themselves actually do so.
  • by dnaumov ( 453672 ) on Monday April 07, 2003 @04:47PM (#5681642)
    A FreeBSD Security Advisory has been issued and the samba port has been updated to the fixed version:

    samba 2.2.8a
    Update 2.2.8 -> 2.2.8a.
    Submitted by: dwcjr (MAINTAINER)

    I already updated my installation 4 hours ago, the FreeBSD folk are fast :)

    This is what is fixed by the update:

    (1) Sebastian Krahmer of the SuSE Security Team identified
    vulnerabilities that could lead to arbitrary code execution as root,
    as well as a race condition that could allow overwriting of system
    files. (This vulnerability was previously fixed in Samba 2.2.8.)

    (2) Digital Defense, Inc. reports: ``This vulnerability, if exploited
    correctly, leads to an anonymous user gaining root access on a Samba
    serving system. All versions of Samba up to and including Samba 2.2.8
    are vulnerable. Alpha versions of Samba 3.0 and above are *NOT*
    vulnerable.''
  • Feature? (Score:5, Funny)

    by Jonathan the Nerd ( 98459 ) on Monday April 07, 2003 @04:48PM (#5681657) Homepage
    Well, Samba is supposed to make a Unix computer look and act like a Windows server, right? In that case, it could be argued that a remote root exploit is a feature.
  • It appears to me we're being bombarded with bugs found in open source software lately. I hope this doesn't make some people lose faith in these projects.
    • I think it's a good thing. Instead of these bugs being found by the "wrong" people these are found and fixed before anyone can mess up production systems. This, if anything, shows the strength of OSS. It gets fixed quickly.
    • I think it's better that these bugs are found, publicized and patched in a professional manner (like Samba, Sendmail, etc.) than see a company sit on an exploit for a while and state that their products are unbreakable (Oracle) or secure (Microsoft)... even if it's a bug a day. So long as it's fixed, people are notified about it.

      As far as people patching them, that's another topic altogether.

      Almost every software has bugs... be it disclosed or not disclosed.
  • 8 Years?? (Score:5, Funny)

    by MeanMF ( 631837 ) on Monday April 07, 2003 @04:51PM (#5681675) Homepage
    This sort of thing could never have happened if it was Open Source! Thousands of people would have reviewed the source code to make sure that there were no problems like this.

    Oh wait...
    • Re:8 Years?? (Score:5, Informative)

      by Jeremy Allison - Sam ( 8157 ) on Monday April 07, 2003 @05:00PM (#5681736) Homepage
      Well security problems like this tend to come in pairs
      (I'm just hoping not in threes :-).

      Once one gets discovered then people look for others in
      the same project.

      The first one was found by a SuSE audit, and we went through
      and fixed all related code. This one was found 'in the wild'
      so to speak. I'm not sure how long the cracker community
      has known about this one.

      I'm to blame as both were in code I wrote a long time ago :-(.

      Jeremy Allison,
      Samba Team.
      • Re:8 Years?? (Score:2, Interesting)

        by Anonymous Coward
        This is why /. rocks.

        You see a story about a bug, and the author quickly replies "Ya, I coded this part. I missed this bug."

        Jeremy, congrats to you for having guts to stand up and admit fault. This kind of integrity is why open source is such a great movement.
    • cause if it had been a problem with a Microsoft product we'd have to wait until actual exploits were in the wild to get a fix for it...

      At least with open source people can't hide their crappy code behind a black box. That's the point of open source.

      Oh wait, you're a troll.. ah well you got modded up so that's that.
      • cause if it had been a problem with a Microsoft product we'd have to wait until actual exploits were in the wild to get a fix for it...

        RTFA - exploits for this one have been in the wild for a while. The only reason it was found is because somebody looked at a packet trace, not the source code.
        • RMFA: problems get fixed faster in open source. Don't like it? Not my problem.
          It's obvious you don't write software, otherwise you'd know that when it's debugged, you don't just read the code to solve the problem... but having the code to begin with is bloody indispensable.

          Try saying something relevant next time...
          • RMFA: problems get fixed faster in open source.

            This one was discovered last Thursday, and five days to patch a remote root vulnerability with exploits already in the wild is not very good in my book.

            when it's debugged, you don't just read the code to solve the problem

            My point is that releasing code to the public does nothing to improve security. Nothing was stopping anybody from looking at the source code and/or loading Samba into a debugger and finding this problem, and yet this vulnerability has ex
            • Re:No kidding (Score:4, Insightful)

              by Jeremy Allison - Sam ( 8157 ) on Monday April 07, 2003 @06:52PM (#5682417) Homepage
              We had a fix within 1 hour of the problem being
              reported, and that was mainly due to mail propagation
              delays from Australia ! We had to co-ordinate the
              release with all the Samba vendors, that's what took
              the time.

              Your point about code auditing is incorrect. No company
              pays the sort of money needed to do the amount of code
              auditing a major OSS project gets *for free* by the
              vendor community. Yes, they could do this, but proprietary
              software companies simply don't spend the money on engineering
              resources to be used in this way. Not even Microsoft.

              Jeremy Allison,
              Samba Team.
              • Re:No kidding (Score:3, Interesting)

                by MeanMF ( 631837 )
                We had a fix within 1 hour of the problem being reported, and that was mainly due to mail propagation delays from Australia ! We had to co-ordinate the release with all the Samba vendors, that's what took the time.

                I'm not sure it really matters why the delay occurred - maybe that's something to work on for next time. Even if the fix could not be released immediately, it may have been a good idea to alert people that a problem existed so they could take additional precautions while the coordination effort
  • Use Systrace (Score:5, Interesting)

    by evilviper ( 135110 ) on Monday April 07, 2003 @04:51PM (#5681676) Journal
    Please people, learn and use Systrace [umich.edu]. With a properly configured systrace policy, you can run vulnerable software, with a very low likelihood that it can be exploited. Considering that NO SOFTWARE IS IMPERVIOUS, this release/exploit/patch cycle is going to go on forever if you don't take additional steps to prevent your system from being cracked.
    • Isn't systrace software too? Considering NO SOFTWARE IS IMPERVIOUS, how is it that systrace is perfect? :)
      • Well, first of all, it is smaller and less complex than the software it is used to secure. It does not have an open socket to the network, so it would be VERY difficult to pass it arbitrary data. Additionally, because of its purpose, it is audited, so exploits (which would be very difficult to make use of anyhow) are going to be much more rare.

        You are right, it's not perfect, but nothing is. It's certainly one huge step-up from the current situation.
  • The Samba Team released a patch on Monday for the second major security flaw found in the past few weeks in the open-source group's widely used program for sharing Windows files between Unix and Linux systems.

    The security problem could easily let an attacker compromise any Samba server connected to the Internet. The vulnerability is unrelated to the previous flaw, which Samba released a patch for on March 17.

    "If it was related to the previous flaw, we would have found it when we audited the code," said J

  • by Anonymous Coward on Monday April 07, 2003 @05:07PM (#5681787)
    This is the second /. story in a short while that mentions there's an exploit discovered in some piece of software (the other story was about seti@home).

    Now, I'm not a native English speaker, but I'd think that the software would contain a vulnerability and that the skr1pt k1ddi3z use exploits to, ehh, exploit the vulnerabilities.
    • Now, I'm not a native English speaker, but I'd think that the software would contain a vulnerability and that the skr1pt k1ddi3z use exploits to, ehh, exploit the vulnerabilities.

      This one got discovered because the skr1pt k1ddi3z had an exploit and used it against the system the auditors were watching.

      Sounds like reporting an exploit is correct, eh?
    • There is a Samba exploit that has been discovered. In this case, Samba is being used as an adjective to describe the noun exploit. Alternately, you could say that Samba contains a vulnerability which can be exploited. Now Samba is a noun, and exploit is a verb. It's strange, but English is like that. I think it's kinda neat, but I get weird looks whenever I admit that.... To quote Calvin, verbing weirds language.
  • Is this the same as the vuln reported in Red Hat RHSA-2003-095 [redhat.com]? The links in the article to the vuln info are down right now.

    If it is, RH has had this licked since April Fool's. At least someone was being productive that day.
  • by caffeinex36 ( 608768 ) on Monday April 07, 2003 @05:25PM (#5681884)
    "Did you plan to spend your Monday upgrading to Samba 2.2.8a?"


    No, I spent Monday yelling at people trying to explain to them "WHY" they need to upgrade. Dumb S.A.'s.

    Lo and behold an intern sysadmin tells me "Looks like someone has a case of the Mondays!"

    ...It's ok...just wait until he sees me put his pink slip in his /root

    /end Monday rant
    Rob
  • Err (Score:3, Funny)

    by bedouin ( 248624 ) on Monday April 07, 2003 @06:02PM (#5682100)
    Rebuilding this for a second time this week on a 25MHz machine almost makes me want to upgrade to a faster CPU.
  • Whoa! (Score:5, Funny)

    by truesaer ( 135079 ) on Monday April 07, 2003 @07:01PM (#5682469) Homepage
    At level 4 and higher messages only, I count 43 mod points for Jeremy Allison.

    Conspiracy theory: He created this bug because he's a karma whore!! :)

  • Wow (Score:4, Interesting)

    by Zorton ( 2520 ) on Monday April 07, 2003 @08:56PM (#5683155)
    I think the thing that interests me the most about this bug is how it was found. Does anyone have more information on what brought this bug to light?

    In a related subject people here need to lay off the samba developers. They are doing a great job at admitting the problem and taking responsibility for it. Heck just today I discovered a bug with LinkSys Wireless Router/Switches relating to multicast. I called their tech support folks only to get promised a call back after we had covered the basic configuration troubles. It is now almost 6:00pm my time, no call back. No accountability with these people. I wasn't even given the person's contact information nor was I given any time they might call me back.

    Compare that with OSS....I can remember countless occasions being frustrated with a piece of software only to discover I had actually uncovered a bug. One simple e-mail to the author and I had a patch along with the stern instructions to e-mail him back if there were any more problems.

    No I am not microsoft/novell/apple bashing, I just feel that OSS comes out with more accountability for their products. Perhaps I would hear back more often from commercial companies if I bought 500 copies of their product a month. But the same goes for about anything that isn't grassroots. Perhaps I just need more money :)

    Zorton
    btw: if anyone with a linksys BEFW11S4 switch can broadcast on any multicast IP and not have it lock up let me know :) I would be curious if it's a configuration problem (although tech support doesn't seem to think so) or a real bug.
  • Mandrake has issued an advisory for this issue here [mandrakesecure.net], although it doesn't appear that the updated RPMs have hit their FTP mirrors yet.
  • ..it's a Mini adventure! :)
