
Arch Linux ASA-201502-13 High: Samba Arbitrary Code Execution Threat

The package samba before version 4.1.17-1 is vulnerable to arbitrary code execution with root privileges.
Arch Linux Security Advisory ASA-201502-13
=========================================
Severity: High
Date    : 2015-02-23
CVE-ID  : CVE-2015-0240
Package : samba
Type    : arbitrary code execution
Remote  : Yes
Link    : https://wiki.archlinux.org/title/CVE

Summary
======
The package samba before version 4.1.17-1 is vulnerable to arbitrary
code execution with root privileges.

Resolution
=========
Upgrade to 4.1.17-1.

# pacman -Syu "samba>=4.1.17-1"

The problem has been fixed upstream in version 4.1.17.

Workaround
=========
To mitigate the possibility of exploitation before you can perform a
full update, add the following line to the [global] section of the
/etc/samba/smb.conf configuration file:

rpc_server:netlogon=disabled

For the configuration change to take effect, the smbd daemon must be
restarted.

Description
==========
A malicious client could send packets that may set up the stack in such
a way that the freeing of memory in a subsequent anonymous netlogon
packet could allow execution of arbitrary code. This code would execute
with root privileges.

This flaw arises because an uninitialized pointer is passed to the
TALLOC_FREE() function. (Samba uses embedded talloc for memory
management and does not rely on the glibc malloc family to function.) It
can be exploited by calling the ServerPasswordSet RPC API on the
NetLogon endpoint, using a NULL session over IPC.

In Samba 4.1 and above, this crash can only be triggered after setting
“server schannel = yes” in the server configuration. This is due to the
adbe6cba005a2060b0f641e91b500574f4637a36 commit, which introduces NULL
initialization into the most common code path. It is still possible to
trigger an early return with a memory allocation failure, but that is
less likely to occur.
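
The Resolution, Workaround and "server schannel" conditions above can be checked per host with a small audit script. This is an added example, not part of the advisory or of Samba; the function names, the sample configuration and the version string 4.1.16-1 are constructed for illustration, and the version comparison is a simplified numeric one rather than pacman's own.

```python
import re

FIXED = "4.1.17-1"  # first fixed package version, from the advisory

def version_tuple(v):
    # Simplified numeric compare; not pacman's full vercmp algorithm.
    return tuple(int(n) for n in re.findall(r"\d+", v))

def parse_global(text):
    """Return the [global] parameters of an smb.conf as a dict."""
    params, section, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):            # continuation onto the next line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":    # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # Parameter names are matched without case or inner whitespace.
            params[re.sub(r"\s+", "", key).lower()] = value.strip()
    return params

def audit(installed_version, conf_text):
    g = parse_global(conf_text)
    if version_tuple(installed_version) >= version_tuple(FIXED):
        status = "patched"
    elif g.get("rpc_server:netlogon", "").lower() == "disabled":
        status = "mitigated"   # workaround present; smbd restart still needed
    else:
        status = "exposed"
    schannel = g.get("serverschannel", "").lower() in ("yes", "true", "1")
    return {"status": status, "server_schannel_yes": schannel}

# Constructed sample: workaround commented out in [global], copy in a share.
SAMPLE = """\
[global]
   workgroup = EXAMPLE
   server schannel = yes
   ; rpc_server:netlogon=disabled
[share]
   rpc_server:netlogon=disabled
"""

print(audit("4.1.16-1", SAMPLE))
```

The sample reports "exposed" because the workaround line only counts when it is active inside [global], as the Workaround section requires.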

Impact
=====
A remote unauthenticated attacker is able to send specially crafted
packets to execute arbitrary code with root privileges.

References
=========

https://access.redhat.com/security/cve/CVE-2015-0240
https://bugs.archlinux.org/task/43923
