Samba flaw opens up root access attack

John McCormick

Published: 07 Apr 2003 09:49 BST

As the Samba team clearly states, Samba is configured by default to accept connections from any host. That includes hosts on the Internet, and there is no good reason to run Samba in its default configuration on an Internet-facing system.

The ZDNet story on this vulnerability quotes Allison as saying, "You would have to be crazy to run this over the Internet."

The Samba team pointed out that you can protect servers reachable from untrusted hosts by setting the "hosts allow" and "hosts deny" options in the smb.conf file to limit access to specific trusted hosts. For example, "hosts allow = 192.168.9." limits SMB connections to systems on the internal network segment with an IP address of 192.168.9.x (the trailing dot makes the entry a prefix match).
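To see what a given pair of "hosts allow" / "hosts deny" values would do before deploying it, here is an added example (not code from the article or from the Samba project) that models the address-matching and precedence rules as I understand them from the smb.conf manual; the precedence order, the sample lists and the client addresses are assumptions, and hostname entries and the EXCEPT keyword are not modelled.

```python
# Added illustration, not Samba's own access-control code. Models how smb.conf
# "hosts allow" / "hosts deny" entries are matched against a client's IPv4
# address so a ruleset can be checked offline. Precedence (assumed from the
# smb.conf manual): the allow list wins over the deny list; an allow list on
# its own denies every address not listed; a deny list on its own allows every
# address not listed; with neither set, Samba's default is to accept anyone.
import ipaddress

def entry_matches(entry: str, addr: str) -> bool:
    """True if one hosts allow/deny entry covers the client address."""
    ip = ipaddress.IPv4Address(addr)
    entry = entry.strip()
    if entry.upper() == "ALL":
        return True
    if entry.endswith("."):                    # "192.168.9." -> 192.168.9.x
        return addr.startswith(entry)
    if "/" in entry:                           # "10.0.0.0/8" or "10.0.0.0/255.0.0.0"
        return ip in ipaddress.IPv4Network(entry, strict=False)
    return ip == ipaddress.IPv4Address(entry)  # exact host address

def list_matches(entries: list[str], addr: str) -> bool:
    return any(entry_matches(e, addr) for e in entries)

def allow_access(hosts_allow: list[str], hosts_deny: list[str], addr: str) -> bool:
    """Decide whether a client at addr may connect under the given lists."""
    if not hosts_allow and not hosts_deny:     # default: anyone may connect
        return True
    if not hosts_deny:                         # allow list only: whitelist
        return list_matches(hosts_allow, addr)
    if not hosts_allow:                        # deny list only: blacklist
        return not list_matches(hosts_deny, addr)
    if list_matches(hosts_allow, addr):        # both lists: allow wins
        return True
    return not list_matches(hosts_deny, addr)

def parse_hosts_list(value: str) -> list[str]:
    """Split an smb.conf value such as '192.168.9. 127.0.0.1' into entries."""
    return [e for e in value.replace(",", " ").split() if e]

if __name__ == "__main__":
    # Constructed sample: the article's internal segment plus loopback are
    # allowed, everything else is denied.
    allow = parse_hosts_list("192.168.9. 127.0.0.1")
    deny = parse_hosts_list("ALL")
    for client in ("192.168.9.42", "192.168.19.42", "203.0.113.7", "127.0.0.1"):
        verdict = "allowed" if allow_access(allow, deny, client) else "denied"
        print(f"{client}: {verdict}")
```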

The Samba.org notice on this vulnerability also details a way to stop Samba from listening on unwanted network interfaces, so that it will not accept connections from them. In addition, the notice reports that Samba uses ports UDP/137 (nmbd), UDP/138 (nmbd), TCP/139 (smbd), and TCP/445 (smbd), which can be blocked at a firewall to protect servers against these vulnerabilities. In particular, TCP/445 may be wide open on older setups that have since been upgraded, because support for that port was added to Samba only recently and firewall rules written for the original installation may not cover it.

A Red Hat BugTraq notice carries links to patch locations for Red Hat software. The SuSE BugTraq notice lists the vulnerable SuSE products and has links to patches.

Final word

This vulnerability was apparently patched quickly once it was discovered, which reflects well on Samba and SuSE. However, the closing quote of the ZDNet story indicated that the great thing about open source is that everyone can see the code and a flaw of this magnitude can be found. That may be true, but if you are going to point that out, it's only fair to remind people that this flaw has apparently lain undiscovered since at least Samba release 2.0. When an open source flaw is discovered within days of a program's release, it's a shiny gold star for open source -- but when a problem lies hidden for a long time, that's no better than when the same thing happens to proprietary software, such as Microsoft products. In this case, SuSE's head of security probably shouldn't have used this particular instance to brag about open source security benefits.

In that spirit of fairness, the Samba development team's note on the page describing the problem and patch said, "As always, all bugs are our responsibility." I believe that is something that needs to be part of every bug fix, especially including Microsoft's Security Bulletins.

Although all bugs are the responsibility of the individual developers, the captains are responsible for everything that happens on their ships, even things that are beyond their direct control. The fact that the Samba team expressed this sentiment is a good indication that they really care about bugs and have a feeling of personal responsibility for any problems encountered by users. Kudos to the Samba team for that.
