Users who rely on older versions are advised to immediately update

Apr 12, 2012 11:25 GMT  ·  By

Mac OS X and Linux users who rely on Samba, the open source file and print service, are urged to update the software to ensure that they are protected against attacks that leverage a remote code execution vulnerability.

Samba 3.6.4, Samba 3.5.14 and 3.4.16, along with patches for older variants, have been released to address the issue.

According to the vulnerability description provided by Samba, the security hole allows an attacker to remotely execute code as root by utilizing an anonymous connection.

“The code generator for Samba's remote procedure call (RPC) code contained an error which caused it to generate code containing a security flaw. This generated code is used in the parts of Samba that control marshalling and unmarshalling of RPC calls over the network,” Samba representatives explain.

“The flaw caused checks on the variable containing the length of an allocated array to be done independently from the checks on the variable used to allocate the memory for that array.

“As both these variables are controlled by the connecting client it makes it possible for a specially crafted RPC call to cause the server to execute arbitrary code.”
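The bug class Samba describes, as an added illustration that is not Samba's NDR format or its generated code: two client-supplied counts, one used to size the allocation and one used for the copy, are each validated on their own but never compared, so the hardened version adds the missing consistency check before any memory is written. All names and the wire layout are constructed for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdbool.h>

/* Constructed wire layout (little-endian), not Samba's actual encoding:
 *   uint32 max_count   - element count the server uses to size the allocation
 *   uint32 actual_len  - element count the client claims follows
 *   actual_len bytes   - payload
 * Both counts come from the (possibly anonymous) client. */
#define MAX_ELEMENTS 4096u

struct varray { uint32_t max_count; uint32_t actual_len; uint8_t *data; };

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* The flawed pattern: max_count is bounded for the allocation and actual_len
 * is bounded by the packet, but the two are never checked against each other.
 * Returns true when the header would be accepted. */
bool header_ok_independent(uint32_t max_count, uint32_t actual_len, size_t payload_avail) {
    if (max_count > MAX_ELEMENTS) return false;
    if ((uint64_t)actual_len > payload_avail) return false;
    return true;  /* actual_len > max_count slips through: copy would overrun the buffer */
}

/* The fix: the length used for the copy must fit the size used for the allocation. */
bool header_ok_consistent(uint32_t max_count, uint32_t actual_len, size_t payload_avail) {
    if (!header_ok_independent(max_count, actual_len, payload_avail)) return false;
    return actual_len <= max_count;
}

/* Unmarshal using the consistent check, so the copy below is always in bounds.
 * Returns 0 on success, -1 on rejection; the caller frees out->data. */
int unmarshal_varray(const uint8_t *pkt, size_t pkt_len, struct varray *out) {
    if (pkt_len < 8) return -1;
    out->max_count = rd32(pkt);
    out->actual_len = rd32(pkt + 4);
    if (!header_ok_consistent(out->max_count, out->actual_len, pkt_len - 8)) return -1;
    out->data = calloc(out->max_count ? out->max_count : 1, 1);
    if (!out->data) return -1;
    memcpy(out->data, pkt + 8, out->actual_len);
    return 0;
}
```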

Vulnerabilities of this type, which can be exploited over anonymous connections, are rated critical. That is why users of Samba 3.6.3 and all earlier versions are advised to apply the update immediately.

The flaw, identified by Brian Gorenc and another security researcher from the Zero Day Initiative, can also be mitigated with a quick workaround: Samba's "hosts allow" parameter in smb.conf restricts the clients allowed to connect to the server to a trusted list. This helps reduce exposure to the bug, but it is by no means a real fix, as client addresses can be easily faked.

Samba 3.4.16 / 3.5.14 / 3.6.4 / 4.0.0 Alpha is available for download here

Note. My Twitter account has been erroneously suspended. While this is sorted out, you can contact me via my author profile or follow me at @EduardKovacs1