Reference: CERT-EU Security Advisory 2012-0053

Title: Remote code execution in Samba [1]

Version history:
11.04.2012 Initial publication

Summary
=======

Samba versions 3.6.3 and all versions previous to this are affected by a vulnerability that allows remote code execution as the "root" user from an anonymous connection. This vulnerability may lead to unauthorised access to the targeted system or cause a denial of service.

CVE-2012-1182

CVSS v2 Base Score: 8.3 (CRITICAL) (AV:AN/AC:L/Au:N/C:C/I:C/A:C) [5]

Vulnerable systems
==================

Samba 3.0.x - 3.6.3 (inclusive)

Original Details
================

The code generator for Samba's remote procedure call (RPC) code contained an error which caused it to generate code containing a security flaw. This generated code is used in the parts of Samba that control marshalling and unmarshalling of RPC calls over the network.

The flaw caused checks on the variable containing the length of an allocated array to be done independently from the checks on the variable used to allocate the memory for that array. As both these variables are controlled by the connecting client it makes it possible for a specially crafted RPC call to cause the server to execute arbitrary code.

As this does not require an authenticated connection it is the most serious vulnerability possible in a program, and users and vendors are encouraged to patch their Samba installations immediately.

What can you do?
================

Fix is available [2]. Additionally, Samba 3.6.4, Samba 3.5.14 and 3.4.16 have been issued as security releases to correct the defect. Patches against older Samba versions are available [3]. Samba administrators running affected versions are advised to upgrade to 3.6.4, 3.5.14, or 3.4.16 or apply these patches as soon as possible.

Due to the seriousness of this vulnerability, patches have been released for all Samba versions currently out of support and maintenance from 3.0.37 onwards.
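
The flaw class described under "Original Details", shown as an added example that is not part of the original advisory and is not Samba's generated RPC code. The wire layout, MAX_ELEMS and all function names are assumptions made for illustration: two client-supplied fields each pass their own range check, and only a check that ties the copy length to the allocation size rejects the mismatched message.

```c
/* Added illustration of the flaw class; constructed format, not Samba's generated code. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ELEMS 1024u /* assumed per-field limit */

/* Assumed message layout: u32 size | u32 length | `length` data bytes (little-endian). */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Flawed pattern: both client-supplied fields are range-checked, but never against each other. */
int independent_checks_pass(uint32_t size, uint32_t length) {
    return size <= MAX_ELEMS && length <= MAX_ELEMS;
}

/* Hardened unmarshal: returns a heap copy of the array, or NULL if the message is rejected. */
uint8_t *unmarshal_array(const uint8_t *msg, size_t msglen, uint32_t *out_len) {
    if (msglen < 8) return NULL;
    uint32_t size = rd32(msg), length = rd32(msg + 4);
    if (size == 0 || size > MAX_ELEMS) return NULL;
    if (length > size) return NULL;       /* tie the copy length to the allocation size */
    if (length > msglen - 8) return NULL; /* the data must actually be in the message */
    uint8_t *arr = calloc(size, 1);       /* allocation is driven by `size` */
    if (arr == NULL) return NULL;
    memcpy(arr, msg + 8, length);         /* copy is driven by `length` */
    *out_len = length;
    return arr;
}

/* Constructed samples: size=4 with length=16 (mismatched), and size=8 with length=4 (valid). */
static const uint8_t MISMATCHED[24] = {4, 0, 0, 0, 16, 0, 0, 0};
static const uint8_t VALID[12] = {8, 0, 0, 0, 4, 0, 0, 0, 1, 2, 3, 4};

/* Returns 1 if the hardened parser accepts the message, 0 if it rejects it. */
int accepts(const uint8_t *msg, size_t msglen) {
    uint32_t n = 0;
    uint8_t *arr = unmarshal_array(msg, msglen, &n);
    int ok = arr != NULL;
    free(arr);
    return ok;
}

int main(void) {
    printf("independent checks accept size=4,length=16: %d\n", independent_checks_pass(4, 16));
    printf("hardened accepts mismatched=%d valid=%d\n",
           accepts(MISMATCHED, sizeof MISMATCHED), accepts(VALID, sizeof VALID));
    return 0;
}
```
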
Workaround
==========

Samba contains a "hosts allow" parameter that can be used inside smb.conf to restrict the clients allowed to connect to the server to a trusted list. This can be used to help mitigate the problem caused by this bug but it is by no means a real fix, as client addresses can be easily faked.

What to tell your users?
========================

N/A

More information
================

[1] https://www.samba.org/samba/security/CVE-2012-1182
[2] http://www.samba.org/samba/security/
[3] http://samba.org/samba/patches/
[4] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1182
[5] Information about CVSS: http://www.first.org/cvss/cvss-guide.html

Best regards,
CERT-EU

CERT-EU Pre-configuration Team (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383
FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383

(DISCLAIMER: CERT-EU, the CERT for the EU institutions, is currently in its setup phase, until May 2012. Services are provided in a pilot fashion, and are not yet fully functional. Announcements, alerts and warnings are sent out in best effort manner, and to contact information currently known to us. We apologise if you are not the correct recipient, or if you had already been warned about this issue from another source. Format, content and way of alerting are subject to change in the future. Contact information or even the team name may change as well.)