[arch-security] [ASA-201502-13] samba: arbitrary code execution

Levente Polyak anthraxx at archlinux.org
Mon Feb 23 16:24:56 UTC 2015


Arch Linux Security Advisory ASA-201502-13
==========================================

Severity: High
Date    : 2015-02-23
CVE-ID  : CVE-2015-0240
Package : samba
Type    : arbitrary code execution
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package samba before version 4.1.17-1 is vulnerable to arbitrary
code execution with root privileges.

Resolution
==========

Upgrade to 4.1.17-1.

# pacman -Syu "samba>=4.1.17-1"

The problem has been fixed upstream in version 4.1.17.

Workaround
==========

To mitigate the possibility of exploitation before you can perform a
full update, add the following line to the [global] section of the
/etc/samba/smb.conf configuration file:

rpc_server:netlogon=disabled

For the configuration change to take effect, the smbd daemon must be
restarted.

Description
===========

A malicious client could send packets that may set up the stack in such
a way that the freeing of memory in a subsequent anonymous netlogon
packet could allow execution of arbitrary code. This code would execute
with root privileges.

This flaw arises because an uninitialized pointer is passed to the
TALLOC_FREE() function (Samba uses embedded talloc for memory
management and does not rely on the glibc malloc family to function). It
can be exploited by calling the ServerPasswordSet RPC API on the
NetLogon endpoint, using a NULL session over IPC.

In Samba 4.1 and above, this crash can only be triggered after setting
“server schannel = yes” in the server configuration. This is due to the
adbe6cba005a2060b0f641e91b500574f4637a36 commit, which introduces NULL
initialization into the most common code path. It is still possible to
trigger an early return with a memory allocation failure, but that is
less likely to occur.

Impact
======

A remote unauthenticated attacker is able to send specially crafted
packets to execute arbitrary code with root privileges.

References
==========

https://www.samba.org/samba/history/samba-4.1.17.html
https://access.redhat.com/security/cve/CVE-2015-0240
https://bugs.archlinux.org/task/43923
