[arch-security] [ASA-201502-13] samba: arbitrary code execution
Arch Linux Security Advisory ASA-201502-13
==========================================

Severity: High
Date    : 2015-02-23
CVE-ID  : CVE-2015-0240
Package : samba
Type    : arbitrary code execution
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package samba before version 4.1.17-1 is vulnerable to arbitrary code
execution with root privileges.

Resolution
==========

Upgrade to 4.1.17-1.

# pacman -Syu "samba>=4.1.17-1"

The problem has been fixed upstream in version 4.1.17.

Workaround
==========

To mitigate the possibility of exploitation before you can perform a full
update, add the following line to the [global] section of the
/etc/samba/smb.conf configuration file:

rpc_server:netlogon=disabled

For the configuration change to take effect, the smbd daemon must be
restarted.

Description
===========

A malicious client could send packets that set up the stack in such a way
that the freeing of memory in a subsequent anonymous netlogon packet could
allow execution of arbitrary code. This code would execute with root
privileges.

This flaw arises because an uninitialized pointer is passed to the
TALLOC_FREE() function. (Samba uses embedded talloc for memory management
and does not rely on the glibc malloc family to function.)

It can be exploited by calling the ServerPasswordSet RPC API on the NetLogon
endpoint, using a NULL session over IPC.

In Samba 4.1 and above, this crash can only be triggered after setting
"server schannel = yes" in the server configuration. This is due to commit
adbe6cba005a2060b0f641e91b500574f4637a36, which introduces NULL
initialization into the most common code path. It is still possible to
trigger an early return with a memory allocation failure, but that is less
likely to occur.

Impact
======

A remote unauthenticated attacker is able to send specially crafted packets
to execute arbitrary code with root privileges.

References
==========

https://www.samba.org/samba/history/samba-4.1.17.html
https://access.redhat.com/security/cve/CVE-2015-0240
https://bugs.archlinux.org/task/43923
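As an added example (not part of the advisory), the following POSIX shell functions check a host against the Resolution and Workaround sections above: whether the installed pkgver-pkgrel is at least 4.1.17-1, whether the [global] section of smb.conf carries rpc_server:netlogon=disabled, and whether "server schannel = yes" is set. The sample smb.conf and all function names are constructed here.

```shell
# Added example, not part of the advisory: check a host for the ASA-201502-13
# workaround. The sample smb.conf and all function names here are constructed.

# Print the [global] section of an smb.conf as normalised "key=value" lines:
# comments stripped, whitespace removed from keys (Samba ignores it in
# parameter names), everything lowercased so matching is stable.
smb_global_settings() {
    sed 's/[;#].*//; s/^[[:space:]]*//; s/[[:space:]]*$//' "$1" | awk '
        /^\[/ { insec = (tolower($0) == "[global]"); next }
        insec && index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1); gsub(/[[:space:]]/, "", key)
            val = substr($0, index($0, "=") + 1); gsub(/^[[:space:]]+/, "", val)
            print tolower(key) "=" tolower(val)
        }'
}

# Succeeds when the mitigation line from the advisory is present in [global].
netlogon_disabled() {
    smb_global_settings "$1" | grep -qxF 'rpc_server:netlogon=disabled'
}

# Succeeds when "server schannel = yes" is set, which the advisory names as
# required to trigger the crash on Samba 4.1 and later.
server_schannel_enabled() {
    smb_global_settings "$1" | grep -qxF 'serverschannel=yes'
}

# Succeeds when an Arch pkgver-pkgrel string (as shown by "pacman -Q samba")
# is at least 4.1.17-1, the fixed release; a missing pkgrel counts as 0.
samba_is_fixed() {
    printf '%s\n%s\n' "$1" '4.1.17-1' | awk -F'[.-]' '
        NR == 1 { n = NF; for (i = 1; i <= n; i++) a[i] = $i + 0; next }
        { for (i = 1; i <= NF || i <= n; i++) {
              x = (i <= n) ? a[i] : 0; y = (i <= NF) ? $i + 0 : 0
              if (x != y) exit (x > y ? 0 : 1)
          }
          exit 0 }'
}

# Constructed sample config for a stand-alone run (not from any real host).
write_sample_conf() {
    printf '%s\n' '[global]' '   workgroup = WORKGROUP' \
        '   server schannel = yes   ; constructed example' \
        '   rpc_server:netlogon = disabled' '[homes]' '   browseable = no' > "$1"
}

conf=$(mktemp) && write_sample_conf "$conf"
netlogon_disabled "$conf" && echo "workaround present" || echo "workaround MISSING"
server_schannel_enabled "$conf" && echo "server schannel = yes: crash path reachable"
rm -f "$conf"
```

On a real host, point the functions at /etc/samba/smb.conf and feed samba_is_fixed the version from pacman -Q samba; a host that is neither fixed nor mitigated but has server schannel enabled is the one to update first.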
Levente Polyak