Samba vulnerability (CVE-2015-0240)
Red Hat Product Security has been made aware of a vulnerability in the smbd file server daemon, which is part of the Samba suite of programs. The vulnerability has been assigned CVE-2015-0240. All versions of Samba 3.5.0 or higher shipped with Red Hat Enterprise Linux versions 5 to 7 are affected. Samba shipped with Red Hat Storage Server 2.1 and 3 is also affected.
This vulnerability has been rated by Red Hat Product Security as having a Critical impact on all affected products, with the exception of Red Hat Enterprise Linux 7, on which the impact has been rated as Important.
Background Information
An uninitialized pointer use flaw was found in the Samba daemon (smbd). A malicious Samba client could send specially crafted netlogon packets that, when processed by smbd, could lead to arbitrary code execution with the privileges of the user running smbd (by default, the root user).
Impact
Samba is the standard Windows interoperability suite of programs for Linux and Unix, used for sharing files, printers, and other information. All Red Hat Enterprise Linux systems (versions 5 to 7) that host a Samba server are potentially vulnerable. Note that the flaw can be triggered over an unauthenticated connection, so a remote attacker does not need valid credentials on the server.
Red Hat Enterprise Linux 4 Versions of Samba
On Red Hat Enterprise Linux 4.x, the available Samba package, samba (3.0.x), is not vulnerable.
Red Hat Enterprise Linux 5 Versions of Samba
On Red Hat Enterprise Linux 5.x, there are two versions of Samba packages available: samba (3.0.x) and samba3x (3.5.x and 3.6.x). Only samba3x (3.5.x and 3.6.x) is vulnerable.
Red Hat Enterprise Linux 6 Versions of Samba
On Red Hat Enterprise Linux 6, there are two versions of Samba packages available: samba (3.5.x and 3.6.x) and samba4 (4.x). Both sets of packages are vulnerable.
Red Hat Enterprise Linux 7.x Versions of Samba
On Red Hat Enterprise Linux 7, the available Samba package, samba (4.x), is vulnerable.
Determining Vulnerability
As a Red Hat customer, the easiest way to check whether a system is vulnerable and to confirm remediation is the Red Hat Access Lab: Samba CVE-2015-0240 Detector.
Resolution
To eliminate the possibility of exploitation, install an updated Samba package on your system as listed in the following advisories:
Product | Product version | Samba package | Advisory |
---|---|---|---|
Red Hat Enterprise Linux | 5.6 LL | samba3x | RHSA-2015:0253 |
Red Hat Enterprise Linux | 5.9 EUS | samba3x | RHSA-2015:0253 |
Red Hat Enterprise Linux | 5.11 | samba3x | RHSA-2015:0249 |
Red Hat Enterprise Linux | 6.2 AUS | samba | RHSA-2015:0254 |
Red Hat Enterprise Linux | 6.4 EUS | samba | RHSA-2015:0254 |
Red Hat Enterprise Linux | 6.4 EUS | samba4 | RHSA-2015:0255 |
Red Hat Enterprise Linux | 6.5 EUS | samba | RHSA-2015:0254 |
Red Hat Enterprise Linux | 6.5 EUS | samba4 | RHSA-2015:0255 |
Red Hat Enterprise Linux | 6.6 | samba | RHSA-2015:0251 |
Red Hat Enterprise Linux | 6.6 | samba4 | RHSA-2015:0250 |
Red Hat Enterprise Linux | 7.0 | samba | RHSA-2015:0252 |
Red Hat Storage Server | 2.1 | samba | RHSA-2015:0257 |
Red Hat Storage Server | 3 | samba | RHSA-2015:0256 |
To install all available updates, use the yum package manager as follows:
yum update
To update only the Samba package and its dependencies, use one of the following, depending on the variant of the Samba packages you have installed:
yum update samba
or, on RHEL 5 with the samba3x package:
yum update samba3x
or, on RHEL 6 with the samba4 package:
yum update samba4
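The following script is an added example and is not part of the Red Hat article or of Red Hat's own detector. It applies the affected-package matrix above (samba on RHEL 4/5 is not affected; samba3x on RHEL 5, samba and samba4 on RHEL 6, and samba on RHEL 7 are) to the packages actually installed, and decides whether the fixed build is present by looking for the CVE identifier in the package changelog. That last step is an assumption stated in the code: Red Hat normally references the CVE in the %changelog of a fix, but confirm against the advisory for your product version. Run it with --live on a RHEL host; with no arguments it runs against constructed sample changelogs so it can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the Red Hat article): classify the installed
# Samba package family for CVE-2015-0240 and print the matching yum
# command. With --live it inspects the host; otherwise it runs against
# constructed sample data.
#
# Assumption: the fixed package's %changelog references the CVE identifier
# (Red Hat's usual practice; verify against the advisory you apply).

CVE="CVE-2015-0240"

# Is this package family affected on this RHEL major version?
# Args: $1 = RHEL major version, $2 = package name
affected_package() {
  case "$1:$2" in
    5:samba3x|6:samba|6:samba4|7:samba) return 0 ;;
    *) return 1 ;;
  esac
}

# Does the changelog text name the CVE, i.e. is the fixed build installed?
# Args: $1 = changelog text (on a host: rpm -q --changelog <pkg>)
changelog_has_fix() {
  printf '%s\n' "$1" | grep -q -- "$CVE"
}

# Print one of: not-affected, fixed, vulnerable
# Args: $1 = RHEL major version, $2 = package name, $3 = changelog text
classify() {
  if ! affected_package "$1" "$2"; then
    echo not-affected
  elif changelog_has_fix "$3"; then
    echo fixed
  else
    echo vulnerable
  fi
}

# Inspect the real system: RHEL major version from /etc/redhat-release,
# installed Samba base packages from the rpm database.
live_check() {
  rhel=$(sed -n 's/.*release \([0-9][0-9]*\).*/\1/p' /etc/redhat-release)
  for pkg in samba samba3x samba4; do
    if rpm -q "$pkg" >/dev/null 2>&1; then
      status=$(classify "$rhel" "$pkg" "$(rpm -q --changelog "$pkg")")
      echo "$(rpm -q "$pkg"): $status"
      if [ "$status" = vulnerable ]; then
        echo "  remediation: yum update $pkg  (then confirm smbd was restarted)"
      fi
    fi
  done
}

# Constructed changelog excerpts for offline use (not real package metadata).
FIXED_LOG="* Mon Feb 23 2015 Example Maintainer - 0.0-fixed.example
- resolves: $CVE - unexpected code execution in smbd"
OLD_LOG="* Mon Jan 12 2015 Example Maintainer - 0.0-old.example
- rebuild, no security fixes"

demo() {
  echo "RHEL 6 samba   (fixed changelog):  $(classify 6 samba   "$FIXED_LOG")"
  echo "RHEL 6 samba   (old changelog):    $(classify 6 samba   "$OLD_LOG")"
  echo "RHEL 5 samba   (3.0.x, any build): $(classify 5 samba   "$OLD_LOG")"
  echo "RHEL 5 samba3x (old changelog):    $(classify 5 samba3x "$OLD_LOG")"
}

if [ "${1:-}" = "--live" ]; then live_check; else demo; fi
```

A "fixed" result only says the patched build is on disk; the running smbd must also have been restarted after the update, which the restart section below covers.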
Restarting the smbd daemon
Please note that the smbd daemon needs to be restarted for the update to take effect. This happens automatically when the updated packages are installed. If, for whatever reason, you need to restart the smbd daemon manually, follow the instructions below.
To restart the smbd daemon on RHEL 5 or 6, execute the following command:
service smb restart
or the following on RHEL 7:
systemctl restart smb.service
Mitigation for Samba 4.0.0 and higher
To mitigate the possibility of exploitation on Samba 4.0.0 or higher before you can perform a full update of the Samba suite, add the following line to the [global] section of the /etc/samba/smb.conf configuration file:
rpc_server:netlogon=disabled
For the configuration change to take effect, the smbd daemon must be restarted; follow the instructions outlined above. Note that this mitigation does not work with Samba versions 3.6.x and earlier, which predate the rpc_server option. Also bear in mind that it disables the NETLOGON RPC service entirely, so functionality that depends on that service (such as domain logons handled by a Samba domain controller) stops working while the setting is in place; treat it as a stopgap until the updated packages are installed.