Samba vulnerability (CVE-2015-0240)

Red Hat Product Security has been made aware of a vulnerability in the smbd file server daemon, which is a part of the Samba suite of programs. The vulnerability has been assigned CVE-2015-0240. All versions of Samba 3.5.0 or higher shipped with Red Hat Enterprise Linux versions 5 to 7 are affected. Samba shipped with Red Hat Storage Server 2.1 and 3 is also affected.

This vulnerability has been rated by Red Hat Product Security as having a Critical impact on all affected products, with the exception of Red Hat Enterprise Linux 7, on which the impact has been rated as Important.

Background Information

An uninitialized pointer use flaw was found in the Samba daemon (smbd). A malicious Samba client could send specially crafted netlogon packets that, when processed by smbd, could potentially lead to arbitrary code execution with the privileges of the user running smbd (by default, the root user).

Impact

Samba is the standard Windows interoperability suite of programs for Linux and Unix, which is used for sharing files, printers, and other information. All Red Hat Enterprise Linux systems (versions 5 to 7) that host a Samba server are potentially vulnerable. Note that even an unauthenticated connection can be used to trigger this remote exploit.

Red Hat Enterprise Linux 4 Versions of Samba

On Red Hat Enterprise Linux 4.x, the only Samba package available, samba (3.0.x), is not vulnerable.

Red Hat Enterprise Linux 5 Versions of Samba

On Red Hat Enterprise Linux 5.x, there are two versions of Samba packages available: samba (3.0.x) and samba3x (3.5.x and 3.6.x). Only the samba3x (3.5.x and 3.6.x) version is vulnerable.

Red Hat Enterprise Linux 6 Versions of Samba

On Red Hat Enterprise Linux 6, there are two versions of Samba packages available: samba (3.5.x and 3.6.x) and samba4 (4.x). Both of these sets of packages are vulnerable.

Red Hat Enterprise Linux 7.x Versions of Samba

On Red Hat Enterprise Linux 7, the only Samba package available, samba (4.x), is vulnerable.

Determining Vulnerability

As a Red Hat customer, the easiest way for you to check for the vulnerability and confirm remediation is the Red Hat Access Lab: Samba CVE-2015-0240 Detector.

Resolution

To eliminate the possibility of exploitation:

Install an updated Samba package on your system as listed in the following advisories:

Product                    Product version   Samba package   Advisory
Red Hat Enterprise Linux   5.6 LL            samba3x         RHSA-2015:0253
Red Hat Enterprise Linux   5.9 EUS           samba3x         RHSA-2015:0253
Red Hat Enterprise Linux   5.11              samba3x         RHSA-2015:0249
Red Hat Enterprise Linux   6.2 AUS           samba           RHSA-2015:0254
Red Hat Enterprise Linux   6.4 EUS           samba           RHSA-2015:0254
Red Hat Enterprise Linux   6.4 EUS           samba4          RHSA-2015:0255
Red Hat Enterprise Linux   6.5 EUS           samba           RHSA-2015:0254
Red Hat Enterprise Linux   6.5 EUS           samba4          RHSA-2015:0255
Red Hat Enterprise Linux   6.6               samba           RHSA-2015:0251
Red Hat Enterprise Linux   6.6               samba4          RHSA-2015:0250
Red Hat Enterprise Linux   7.0               samba           RHSA-2015:0252
Red Hat Storage Server     2.1               samba           RHSA-2015:0257
Red Hat Storage Server     3                 samba           RHSA-2015:0256

To install the updates, use the yum package manager as follows:

yum update

To only update the Samba package and its dependencies, use (depending on the variant of the Samba packages you have installed):

yum update samba

or (if you use RHEL 5 and the samba3x package):

yum update samba3x

or (if you use RHEL 6 and the samba4 package):

yum update samba4

Restarting the smbd daemon

Please note that the smbd daemon needs to be restarted for any changes to take effect. This happens automatically during the installation process (i.e. when you install the updated packages). If, for whatever reason, you need to restart the smbd daemon manually, you can follow the instructions below.

To restart the smbd daemon on RHEL 5 or 6, execute the following command:

service smb restart

or the following on RHEL 7:

systemctl restart smb.service

Mitigation for Samba 4.0.0 and higher

To mitigate the possibility of exploitation on Samba 4.0.0 or higher before you can perform a full update of the Samba suite, add the following line to the [global] section of the /etc/samba/smb.conf configuration file:

rpc_server:netlogon=disabled

For the configuration change to take effect, the smbd daemon must be restarted. To do that, follow the instructions outlined above. Note that this mitigation does not work with Samba versions 3.6.x and earlier.
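The following script is an added example, not part of the Red Hat article or of the Samba project: it checks whether an smb.conf carries the workaround above in its [global] section, normalising case and whitespace the way Samba does, and whether the installed major version is one on which the workaround is effective (it assumes "smbd -V" prints a line of the form "Version x.y.z"). The sample configuration it runs against is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not Red Hat's own tooling): check an smb.conf for the
# CVE-2015-0240 mitigation described above, "rpc_server:netlogon = disabled"
# in the [global] section. Samba treats section and parameter names
# case-insensitively and ignores whitespace around "=", so both are normalised.
# netlogon_disabled FILE
#   exit 0 if the last rpc_server:netlogon setting in [global] is "disabled",
#   exit 1 otherwise (missing, another value, or set only in another section)
netlogon_disabled() {
    awk '
        /^[ \t]*\[/ {                          # section header, e.g. [global]
            sect = tolower($0)
            sub(/^[ \t]*\[/, "", sect)
            sub(/\].*$/, "", sect)
            next
        }
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }   # comments and blank lines
        sect == "global" {
            eq = index($0, "=")
            if (eq == 0) next
            key = tolower(substr($0, 1, eq - 1))
            val = tolower(substr($0, eq + 1))
            gsub(/[ \t]/, "", key)
            gsub(/[ \t]/, "", val)
            # a later setting overrides an earlier one, so keep the last value seen
            if (key == "rpc_server:netlogon") found = (val == "disabled")
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}
# mitigation_applies "Version 4.1.12"
#   The article says the workaround does not work on Samba 3.6.x and earlier;
#   this parses the "Version x.y.z" line from "smbd -V" (assumed format)
#   and requires a major version of 4 or higher.
mitigation_applies() {
    major=$(printf '%s\n' "$1" | sed -n 's/^Version \([0-9][0-9]*\)\..*/\1/p')
    [ -n "$major" ] && [ "$major" -ge 4 ]
}
# Constructed sample smb.conf for a stand-alone run (not taken from any real host)
sample=${TMPDIR:-/tmp}/smb.conf.sample.$$
cat > "$sample" <<'EOF'
[global]
   workgroup = EXAMPLE
   rpc_server:netlogon = disabled
[homes]
   browseable = no
EOF
if netlogon_disabled "$sample"; then echo "mitigation present"; else echo "mitigation MISSING"; fi
rm -f "$sample"
```

On a real host the two checks are `netlogon_disabled /etc/samba/smb.conf` and `mitigation_applies "$(smbd -V)"`; files pulled in with `include =` are not followed.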

Additional Information

Red Hat Security Blog on CVE-2015-0240

6 Comments

There are no Samba servers in our environment, but only CIFS shares from file servers and Windows shares are mounted to Linux machines.
Will this have an effect?

Hi Dakshina,

This is a flaw in the Samba server (smbd), and it doesn't affect any other implementations of the SMB protocol. CIFS shares (do you really still use CIFS?) or other Windows shares are not affected.

I don't see any mention of the client either here or in the blog post. Am I correct in believing there is no vulnerability to a system which has just the client packages installed?

Yes, that's right. The described vulnerability is only for the server.

Do I need to Patch Samba if I am not running the service?

No, this flaw only affects the Samba server (the smbd daemon). If the service is not running on your system, the flaw cannot be exploited.