Obviously you are going to be much more vulnerable if you are directly
connected to the internet and not behind a corporate firewall.
The Release Notes under "Protecting an unpatched Samba server" suggest that
anyone who cannot make the upgrade immediately can try either
plugging the Samba active ports with a firewall, using host-based
protection, using interface protection by limiting to eth*, or, if those
options are not feasible, doing as suggested below. For most
installations it looks like a combination of the above options may work.
**********
Protecting an unpatched Samba server
**********
Using an IPC$ share deny
------------------------
If the above methods are not suitable, then you could also
place a more specific deny on the IPC$ share that is used in
the recently discovered security hole. This allows you to
offer access to other shares while denying access to IPC$
from potentially untrustworthy hosts.
To do that you could use:
[ipc$]
hosts allow = 192.168.115.0/24 127.0.0.1
hosts deny = 0.0.0.0/0
*********
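The effect of the [ipc$] stanza quoted above depends on how smbd combines "hosts allow" and "hosts deny": where the two lists conflict the allow list wins, a host on neither list is admitted, and loopback is admitted unless it is explicitly denied. The script below is an added example, not Samba's own code or anything from the release notes or the posters; it models those documented rules for bare IPv4 addresses and address/prefix networks only (hostnames, address/netmask pairs, the EXCEPT keyword and [global]-section inheritance are left out), and the smb.conf text it parses, including the extra [public] share, is constructed for the example.

```python
"""Model of how smbd decides, per share, whether a client may connect
based on 'hosts allow' / 'hosts deny'.

Added example, not Samba's code.  Rules modelled (from smb.conf(5)):
  - both lists set: a host on the allow list is admitted, otherwise a
    host on the deny list is refused, otherwise the host is admitted;
  - only 'hosts allow' set: only listed hosts are admitted;
  - only 'hosts deny' set: everything not listed is admitted;
  - 127.0.0.1 is admitted unless explicitly denied and not allowed.
Hostnames, address/netmask pairs, EXCEPT and [global] inheritance are
out of scope for this model.
"""
import ipaddress
import re

# Constructed smb.conf fragment: the IPC$ deny from the release notes
# plus an ordinary share that stays reachable from anywhere.
SMB_CONF = """
[global]
    workgroup = EXAMPLE

[ipc$]
    hosts allow = 192.168.115.0/24 127.0.0.1
    hosts deny = 0.0.0.0/0

[public]
    path = /srv/public
    read only = yes
"""

_SECTION = re.compile(r"^\s*\[([^\]]+)\]\s*$")


def parse_smb_conf(text):
    """Return {section_name_lowercase: {key: value}} for each [section]."""
    shares, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        m = _SECTION.match(line)
        if m:
            current = m.group(1).lower()
            shares[current] = {}
            continue
        if current is not None and "=" in line:
            key, value = line.split("=", 1)
            shares[current][key.strip().lower()] = value.strip()
    return shares


def _parse_hosts(value):
    """Split a comma/space/tab separated host list into IPv4 networks.

    'a.b.c.d/nn' is a network; a bare address becomes a /32.
    """
    return [ipaddress.ip_network(e, strict=False)
            for e in re.split(r"[,\s]+", value.strip()) if e]


def host_permitted(share, client_ip):
    """Apply the allow/deny rules listed in the module docstring."""
    ip = ipaddress.ip_address(client_ip)
    allow = _parse_hosts(share.get("hosts allow", ""))
    deny = _parse_hosts(share.get("hosts deny", ""))
    in_allow = any(ip in n for n in allow)
    in_deny = any(ip in n for n in deny)
    if ip.is_loopback:
        # loopback: refused only when denied and not also allowed
        return in_allow or not in_deny
    if not allow and not deny:
        return True
    if not deny:
        return in_allow
    if not allow:
        return not in_deny
    return in_allow or not in_deny


def access_matrix(conf_text, clients):
    """{share: {client_ip: permitted}} for every non-global section."""
    conf = parse_smb_conf(conf_text)
    return {name: {c: host_permitted(share, c) for c in clients}
            for name, share in conf.items() if name != "global"}


if __name__ == "__main__":
    clients = ["192.168.115.42", "127.0.0.1", "10.0.0.5"]
    for share, verdicts in access_matrix(SMB_CONF, clients).items():
        for client, ok in verdicts.items():
            print(f"{share:8} {client:16} {'allow' if ok else 'deny'}")
```

Running it shows the intended split: [public] admits all three constructed clients, while [ipc$] admits the LAN host and loopback and refuses 10.0.0.5. The model also shows why the release notes list 127.0.0.1 on the allow line: with "hosts deny = 0.0.0.0/0" and no allow entry for it, loopback is explicitly denied and local tools that talk to IPC$ (smbclient -L localhost, for instance) would be refused too.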
-----Original Message-----
From: Lionel Dyck [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 19, 2003 10:10 AM
To: [EMAIL PROTECTED]
Subject: Samba Security Exposure
I just ran into this:
(14th Mar, 2003) Security Release - Samba 2.2.8
A flaw has been detected in the Samba main smbd code which could allow an
external attacker to remotely and anonymously gain Super User (root)
privileges on a server running a Samba server. This flaw exists in
previous versions of Samba from 2.0.x to 2.2.7a inclusive. This is a
serious problem and all sites should either upgrade to Samba 2.2.8
immediately or prohibit access to TCP ports 139 and 445. The Release Notes
are available on-line.
In addition to addressing this security issue, Samba 2.2.8 includes many
unrelated improvements. These improvements result from our process of
continuous quality assurance and code review, and are part of the Samba
team's commitment to excellence.
Guess that they learned more from Microsoft than just the SMB interface
;->
--------------------------------------------------------------------
Lionel B. Dyck, Systems Software Lead
Kaiser Permanente Information Technology
25 N. Via Monte Ave
Walnut Creek, Ca 94598
Phone: (925) 926-5332 (tie line 8/473-5332)
E-Mail: [EMAIL PROTECTED]
Sametime: (use Lotus Notes address)
AIM: lbdyck