Sep 14, 2010 16:25 GMT

Version 3.5.5 of the Samba Windows-Unix interoperability software suite was released in order to address a critical vulnerability that could be exploited to execute arbitrary code.

The vulnerability, which is identified as CVE-2010-3069 and affects all previous Samba versions, leads to a buffer overflow condition and was discovered by Samba developer and Cisco employee Andrew Bartlett.

"The sid_parse() function (and related dom_sid_parse() function in the source4 code) do not correctly check their input lengths when reading a binary representation of a Windows SID (Security ID). This allows a malicious client to send a sid that can overflow the stack variable that is being used to store the SID in the Samba smbd server," the release notes for Samba 3.5.5 read.

Vulnerability research vendor Secunia rates the bug as moderately critical, because it can only be exploited from the local network.

Nevertheless, an attacker who already penetrated the LAN can leverage this vulnerability to execute arbitrary code and completely compromise a Samba server.

Samba is a free re-implementation of several networking protocols and is primarily used to allow file and print sharing between Windows and Unix-like systems, including all Linux, Solaris, AIX and BSD variants, as well as Apple's Mac OS X Server.

Although the fix is available in Samba's source code, most users cannot upgrade until an updated binary package reaches the regular update channels for their respective operating systems.

"If you are running Samba, turn it off NOW until you can upgrade. This means all Mac OS X users with file sharing, all NAS devices based on Linux, some printers, etc," HD Moore, the founder and lead developer of the Metasploit penetration testing framework, advised via Twitter.

"Samba issue can be triggered via NtTrans command with the FindFileBySID operation and > 15 sub-auths," he warned.
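The missing check described in the release notes and in HD Moore's note about more than 15 sub-authorities, as an added illustration (constructed here, not Samba's own sid_parse() code): a bounded parser for the binary SID layout that rejects a sub-authority count above 15 and a buffer shorter than the count it claims. The field layout and the 15-sub-authority limit are the Windows SID format; build_test_sid and parse_test_sid are constructed test helpers.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define SID_MAX_SUB_AUTHS 15 /* a SID holds at most 15 sub-authorities; the array is that size */

struct dom_sid {
    uint8_t  sid_rev_num, num_auths, id_auth[6];
    uint32_t sub_auths[SID_MAX_SUB_AUTHS];
};

/* Binary SID layout: byte 0 revision (1), byte 1 sub-authority count,
 * bytes 2..7 identifier authority, then count * 4 little-endian sub-authorities.
 * Every read is bounded by len, and the count is capped before the array is filled. */
bool sid_parse_checked(const uint8_t *buf, size_t len, struct dom_sid *out)
{
    if (buf == NULL || out == NULL || len < 8 || buf[0] != 1) return false;
    uint8_t n = buf[1];
    if (n > SID_MAX_SUB_AUTHS) return false;     /* the bound that stops the overflow */
    if (len < 8 + (size_t)n * 4) return false;   /* short buffer: never read past it */
    memset(out, 0, sizeof(*out));
    out->sid_rev_num = buf[0];
    out->num_auths = n;
    memcpy(out->id_auth, buf + 2, 6);
    for (uint8_t i = 0; i < n; i++) {
        const uint8_t *p = buf + 8 + 4u * i;
        out->sub_auths[i] = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                            ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    }
    return true;
}

/* Constructed input: SID under authority 5 with sub-authorities 1..n (buf needs 8 + 4*n bytes). */
size_t build_test_sid(uint8_t *buf, uint8_t n)
{
    memset(buf, 0, 8);
    buf[0] = 1; buf[1] = n; buf[7] = 5;
    for (uint8_t i = 0; i < n; i++) {
        uint32_t v = i + 1u, off = 8 + 4u * i;
        buf[off] = (uint8_t)v;             buf[off + 1] = (uint8_t)(v >> 8);
        buf[off + 2] = (uint8_t)(v >> 16); buf[off + 3] = (uint8_t)(v >> 24);
    }
    return 8 + 4u * n;
}

/* Build a SID claiming n sub-authorities, drop `drop` trailing bytes and parse it:
 * returns the parsed count, or -1 when the checked parser rejects the input. */
int parse_test_sid(uint8_t n, size_t drop)
{
    uint8_t buf[8 + 4 * 255];
    struct dom_sid sid;
    size_t len = build_test_sid(buf, n);
    return sid_parse_checked(buf, len - drop, &sid) ? sid.num_auths : -1;
}
```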