Gentoo Archives: gentoo-announce

From: "Joshua J. Berry" <condordes@g.o>
To: gentoo-announce@l.g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××.com, security-alerts@×××××××××××××.com, gentoo-core@l.g.o
Subject: [gentoo-announce] [ GLSA 200404-21 ] Multiple Vulnerabilities in Samba
Date: Thu, 29 Apr 2004 20:26:50
Message-Id: 200404291325.03878.condordes@gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200404-21
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Multiple Vulnerabilities in Samba
Date: April 29, 2004
Bugs: #41800, #45965
ID: 200404-21

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

There is a bug in smbfs which may allow local users to gain root via a
setuid file on a mounted Samba share. Also, there is a tmpfile symlink
vulnerability in the smbprint script distributed with Samba.

Background
==========

Samba is a package which allows UNIX systems to act as file servers for
Windows computers. It also allows UNIX systems to mount shares exported
by a Samba/CIFS/Windows server. smbmount is a program in the Samba
package which allows normal users on a UNIX system to mount remote
shares. smbprint is an example script included in the Samba package
which can be used to facilitate network printing.

Affected packages
=================

-------------------------------------------------------------------
     Package        /    Vulnerable    /    Unaffected
-------------------------------------------------------------------
  1  net-fs/samba        <= 3.0.2a          >= 3.0.2a-r2

Description
===========

Two vulnerabilities have been discovered in Samba. The first
vulnerability allows a local user who has access to the smbmount
command to gain root. An attacker could place a setuid-root binary on a
Samba share/server he or she controls, and then use the smbmount
command to mount the share on the target UNIX box. The remote Samba
server must support UNIX extensions for this to work. This has been
fixed in version 3.0.2a.

The second vulnerability is in the smbprint script. By creating a
symlink from /tmp/smbprint.log, an attacker could cause the smbprint
script to write to an arbitrary file on the system. This has been fixed
in version 3.0.2a-r2.

Impact
======

Local users with access to the smbmount command may gain root access.
Also, arbitrary files may be overwritten using the smbprint script.

Workaround
==========

To work around the setuid bug, remove the setuid bits from the
/usr/bin/smbmnt, /usr/bin/smbumount and /usr/bin/mount.cifs binaries.
However, please note that this workaround will prevent ordinary users
from mounting remote SMB and CIFS shares.

To work around the smbprint vulnerability, set "debug=no" in the
smbprint configuration.
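
A check for the two conditions described above, as an added example that
is not part of the advisory or of Samba: it reports which of the helper
binaries named here still carry the setuid bit and whether
/tmp/smbprint.log is a symlink. The function names and the --run switch
are hypothetical; the paths are the ones the advisory gives.

```shell
#!/bin/sh
# Added example (not from the advisory): audit for the two issues in GLSA 200404-21.
# Paths are those named in the advisory; function names are hypothetical.
SMB_HELPERS="/usr/bin/smbmnt /usr/bin/smbumount /usr/bin/mount.cifs"
SMBPRINT_LOG="/tmp/smbprint.log"

# Print every argument that still has its setuid bit set.
# Returns 0 when none do (workaround applied), 1 otherwise.
setuid_helpers() {
    found=0
    for f in "$@"; do
        if [ -u "$f" ]; then
            printf '%s\n' "$f"
            found=1
        fi
    done
    return "$found"
}

# Classify a log path. -L is tested first so a dangling symlink is still
# reported as a symlink rather than as absent.
log_path_state() {
    if [ -L "$1" ]; then echo symlink
    elif [ ! -e "$1" ]; then echo absent
    elif [ -f "$1" ]; then echo regular
    else echo other
    fi
}

# Report both findings; returns 1 if either condition is present.
audit() {
    rc=0
    # Unquoted on purpose: SMB_HELPERS is a space-separated list.
    if ! hits=$(setuid_helpers $SMB_HELPERS); then
        echo "setuid bit still set on:"
        echo "$hits"
        rc=1
    fi
    state=$(log_path_state "$SMBPRINT_LOG")
    echo "$SMBPRINT_LOG: $state"
    if [ "$state" = symlink ]; then
        echo "  points to: $(readlink "$SMBPRINT_LOG")"
        rc=1
    fi
    return "$rc"
}

# Run the audit only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--run" ]; then audit; fi
```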

Resolution
==========

All users should update to the latest version of the Samba package.

The following commands will perform the upgrade:

    # emerge sync

    # emerge -pv ">=net-fs/samba-3.0.2a-r2"
    # emerge ">=net-fs/samba-3.0.2a-r2"

Those who are using Samba's password database also need to run the
following command:

    # pdbedit --force-initialized-passwords

Those using LDAP for Samba passwords also need to check the
sambaPwdLastSet attribute on each account, and ensure it is not 0.

References
==========

[ 1 ] BugTraq Thread: Samba 3.x + kernel 2.6.x local root vulnerability
      http://www.securityfocus.com/archive/1/353222/2004-04-09/2004-04-15/1
[ 2 ] BugTraq: smbprint Vulnerability
      http://seclists.org/lists/bugtraq/2004/Mar/0189.html

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200404-21.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2004 Gentoo Technologies, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/1.0