CVE-2015-0240: A critical remote vulnerability in Samba

Employees MSVR (Microsoft Vulnerability Research) discovered a critical vulnerability the Samba daemon (smbd).

In unplanned releases of Samba 4.1.17, 4.0.25 and 3.6.25 fixed a critical vulnerability (CVE-2015-0240), which can be used to initiate the execution of code on the server side.

Danger problem compounded by the fact that the vulnerability can be exploited without an authentication – to carry out the attack enough send a few specially designed anonymous netlogon-packets on the network port SMB / CIFS of the server. Since by default, smbd daemon runs under root privileges, in the case of a successful attack the attacker can gain root-access to the server.

The problem affects all versions of Samba from 3.5.0 to 4.2.0rc4. Working exploit has not yet been created, but the staff of Red Hat positive about the possibility of its creation and described in detail algorithm of exploitation. For all users of Samba recommended to urgently upgrade up to presented correcting issues. For longer not supported branches Samba prepared patches. Samba 4 users can protect themselves from attacks by disabling netlogon settings (“rpc_server: netlogon = disabled” in the section “[global]” smb.conf).

Instructions for applying the fix this flaw (issued Red Hat) are available on the knowledgebase. Packages with security fixes available for Red Hat Enterprise Linux, CentOS, Debian, Ubuntu, openSUSE, ALT Linux, FreeBSD. Follow for the releases of an updates for other popular distributions on following pages: Gentoo, Slackware, Fedora.

Execute arbitrary code in the Samba daemon

Danger: High (critical vulnerability)

The presence of fixes: Yes

The number of vulnerabilities: 1

CVSSv2 rating: (AV: N / AC: L / Au: N / C: C / I: C / A: C / E: U / RL: OF / RC: C) = Base: 10 / Temporal: 7.4

CVE ID: CVE-2015-0240

Vector exploitation: Remote

Impact: Compromise system, execute arbitrary code

Affected products: Samba 3.x; Samba 4.x

Affected versions: Samba from 3.5.0 up to 4.2.0rc4

Description:

The vulnerability allows a remote user to compromise a system.

CVE-2015-0240 – The vulnerability is caused due to an error in the Samba daemon (smbd). The Netlogon server implementation in smbd in Samba performs a free operation on an uninitialized stack pointer, which allows remote attackers to execute arbitrary code (with root privileges) via crafted Netlogon packets that use the ServerPasswordSet RPC API.

Manufacture’s Web Site: https://www.samba.org/samba/

Main link to news: https://securityblog.redhat.com/2015/02/23/samba-vulnerability-cve-2015-0240/