A wormable bug was exploitable with a single command

May 25, 2017 17:50 GMT  ·  By

You might have read the news this morning about a wormable code-execution bug in Samba, the free software re-implementation of the SMB/CIFS networking protocol; the bug had been present in Samba for more than 7 years.

According to the bug report, it would appear that Samba incorrectly handled shared libraries, thus allowing a remote attacker to upload a shared library to a writable share and then execute code on the affected, unpatched machines. The security flaw affects all Samba releases from version 3.5.0 onwards.

"All versions of Samba from 3.5.0 onwards are vulnerable to a remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it," reads Samba's latest security advisory published earlier today.

Samba 4.6.4, 4.5.10 and 4.4.14 patched versions are out now

The Samba team managed to quickly patch the critical vulnerability, which was discovered to affect over a hundred thousand Linux and UNIX machines running Samba. Samba is usually used to provide file and print sharing services, allowing users to connect to Windows shares on a network.

The Samba 4.6.4, 4.5.10 and 4.4.14 patched versions have been released, and are available for download from the official website or via ours if you want to compile it on your GNU/Linux distribution. Canonical already patched Samba in all supported Ubuntu releases, and other GNU/Linux distributions will soon receive the patch.

At the time of writing, popular distros like Arch Linux are still shipping unpatched Samba versions, namely 4.6.3 (testing) and 4.5.8 (stable), but the packages are already flagged as out-of-date, so it's just a matter of time before the new, patched Samba versions arrive. No matter what distro you're using, always keep it up to date!

If, for some reason, you can't update to the latest Samba versions patched against the wormable bug, the Samba devs provide a workaround: add the "nt pipe support = no" (without quotes) parameter to the [global] section of your smb.conf configuration file and then restart the smbd daemon. This will prevent clients from accessing any named pipe endpoints, but it will also disable some functionality for Windows clients.
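As an added example (not from the article or the Samba project), the following POSIX shell helper checks a Samba version string against the fixed releases named in the advisory (4.6.4, 4.5.10, 4.4.14) and checks whether an smb.conf actually carries the "nt pipe support = no" workaround in its [global] section. The version strings and sample configuration are constructed for illustration; treating versions from 3.5.0 onwards in a branch the advisory names no fix for as vulnerable is an assumption made here for a conservative audit.

```shell
#!/bin/sh
# vernum: turn "a.b.c" (a distro suffix such as "4.5.8-Debian" is dropped) into one integer.
vernum() {
    set -- $(printf '%s' "$1" | sed 's/[^0-9.].*//' | tr '.' ' ')
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}
# samba_vulnerable: exit 0 when the upstream version is in the range the advisory names,
# 3.5.0 or later and older than its branch's fixed release (4.6.4, 4.5.10, 4.4.14).
# Assumption: versions >= 3.5.0 in a branch the advisory names no fix for are flagged too.
samba_vulnerable() {
    v=$(vernum "$1")
    [ "$v" -ge "$(vernum 3.5.0)" ] || return 1
    case "$1" in
        4.6.*) [ "$v" -lt "$(vernum 4.6.4)" ] ;;
        4.5.*) [ "$v" -lt "$(vernum 4.5.10)" ] ;;
        4.4.*) [ "$v" -lt "$(vernum 4.4.14)" ] ;;
        *)     return 0 ;;
    esac
}
# has_workaround: exit 0 when the [global] section of an smb.conf sets "nt pipe support = no".
# Parameter names are case-insensitive and whitespace-tolerant; ';' or '#' comments do not count.
has_workaround() {
    awk '
        /^[ \t]*\[/ { in_global = (tolower($0) ~ /^[ \t]*\[global\][ \t]*$/); next }
        in_global && tolower($0) ~ /^[ \t]*nt[ \t]+pipe[ \t]+support[ \t]*=[ \t]*no[ \t]*$/ { found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$1"
}
# Demonstration on constructed data (not real hosts or files).
# On a live host: samba_vulnerable "$(smbd -V | awk '{print $2}')"; note that distribution
# packages may backport the fix without changing the upstream version string, so check the distro advisory too.
for ver in 4.5.8 4.6.3 4.6.4 4.5.10 4.4.14 3.4.9; do
    samba_vulnerable "$ver" && echo "Samba $ver: in vulnerable range" || echo "Samba $ver: outside vulnerable range"
done
sample_conf=$(mktemp)
cat > "$sample_conf" <<'EOF'
[global]
   workgroup = WORKGROUP
   ; nt pipe support = no
[public]
   writable = yes
EOF
has_workaround "$sample_conf" && echo "workaround present" || echo "workaround missing (only commented out)"
printf '[global]\n   NT Pipe Support = No\n' > "$sample_conf"
has_workaround "$sample_conf" && echo "workaround present" || echo "workaround missing"
rm -f "$sample_conf"
```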