This article was originally published on the Red Hat Customer Portal. The information may no longer be current.

Samba is the most commonly used Windows interoperability suite of programs for Linux and Unix systems. It uses the SMB/CIFS protocol to provide secure, stable, and fast file and print services. It can also integrate seamlessly with Active Directory environments and can function as a domain controller as well as a domain member (a legacy NT4-style domain controller is supported, but the Active Directory domain controller feature of Samba 4 is not supported yet).

CVE-2015-0240 is a security flaw in the smbd file server daemon. It can be exploited by a malicious Samba client sending specially-crafted packets to the Samba server. No authentication is required to exploit this flaw. It can result in remote execution of arbitrary code as root. We believe code execution is possible, but we have not yet seen any working reproducers that would allow this.

This flaw arises because an uninitialized pointer is passed to the TALLOC_FREE() function. It can be triggered by calling the ServerPasswordSet RPC API on the NetLogon endpoint using a NULL session over IPC.

Note: The code snippets shown below are from samba-3.6 as shipped with Red Hat Enterprise Linux 6. (All versions of Samba >= 3.5 are affected by this flaw.)

In the _netr_ServerPasswordSet() function, creds is defined as a pointer to a structure:

    1203 NTSTATUS _netr_ServerPasswordSet(struct pipes_struct *p,
    1208         struct netlogon_creds_CredentialState *creds

Later, the netr_creds_server_step_check() function is called with creds at line 1213:

    1213         status = netr_creds_server_step_check(p, p->mem_ctx,

If netr_creds_server_step_check() fails, it returns early and creds is still not initialized. Later in the _netr_ServerPasswordSet() function, creds is freed using the TALLOC_FREE() function, which results in an uninitialized pointer free flaw. It may be possible to control the value of creds by sending a number of specially-crafted packets; the destructor pointer called by TALLOC_FREE() could then be used to execute arbitrary code.

As mentioned above, this flaw can only be triggered if netr_creds_server_step_check() fails, and whether that is reachable depends on the version of Samba used. In Samba 4.1 and above, this crash can only be triggered after setting "server schannel = yes" in the server configuration. This is due to commit dbe6cba005a2060b0f641e91b500574f4637a36, which introduces NULL initialization into the most common code path. It is still possible to trigger an early return with a memory allocation failure, but that is less likely to occur. Therefore this issue is more difficult to exploit. Red Hat Product Security has rated this flaw as having important impact on Red Hat Enterprise Linux 7.

In older versions of Samba (samba-3.6 as shipped with Red Hat Enterprise Linux 5 and 6, and samba-4.0 as shipped with Red Hat Enterprise Linux 6) the above-mentioned commit does not exist. An attacker could call the _netr_ServerPasswordSet() function with a NULLed buffer, which could trigger this flaw. Red Hat Product Security has rated this flaw as having critical impact on all other versions of the samba package shipped by Red Hat.

Lastly, the version of Samba 4.0 shipped with Red Hat Enterprise Linux 6.2 EUS is based on an alpha release of Samba 4, which lacked the password change functionality and thus the vulnerability. The same is true for the version of Samba 3.0 shipped with Red Hat Enterprise Linux 4 and 5.

Red Hat has issued security advisories to fix this flaw, and instructions for applying the fix are available on the knowledgebase.
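The bug pattern the article describes is an output pointer that is only assigned on the success path, so an early return leaves the caller's local holding stack garbage that is later handed to a free. The following C program is an added example written for this page, not Samba code: it models netr_creds_server_step_check() and its caller with plain calloc()/free() instead of talloc, uses a constructed account name and a stand-in `struct creds_state`, and contrasts the vulnerable shape with the NULL-initialised shape that the article attributes to the later Samba commit. Instead of actually freeing a stale pointer, the caller reports whether the failure path would reach the free with a non-NULL value.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for struct netlogon_creds_CredentialState (hypothetical). */
struct creds_state {
    char computer_name[32];
    unsigned int sequence;
};

/* Stand-in for NTSTATUS: 0 means NT_STATUS_OK, anything else is a failure. */
typedef int ntstatus_t;
#define STATUS_OK            0
#define STATUS_ACCESS_DENIED 1

/* Constructed lookup: only one computer account is known to the "server". */
static bool account_known(const char *computer_name)
{
    return strcmp(computer_name, "WORKSTATION$") == 0;
}

/* Vulnerable shape, as the article describes for samba-3.6: *creds_out is
   written only on success, so every early return leaves it untouched. */
ntstatus_t step_check_vulnerable(const char *computer_name,
                                 struct creds_state **creds_out)
{
    if (!account_known(computer_name)) {
        return STATUS_ACCESS_DENIED;      /* early return, *creds_out untouched */
    }
    struct creds_state *c = calloc(1, sizeof *c);
    if (c == NULL) {
        return STATUS_ACCESS_DENIED;      /* allocation failure, same problem */
    }
    strncpy(c->computer_name, computer_name, sizeof c->computer_name - 1);
    *creds_out = c;
    return STATUS_OK;
}

/* Hardened shape: clear the output pointer before any early return can
   happen, so the caller's later free sees NULL (a no-op) on failure. */
ntstatus_t step_check_fixed(const char *computer_name,
                            struct creds_state **creds_out)
{
    *creds_out = NULL;
    return step_check_vulnerable(computer_name, creds_out);
}

/* Models _netr_ServerPasswordSet(). `stale` plays the role of whatever an
   uninitialised local `creds` happened to contain on the stack. Returns true
   when the failure path would hand a non-NULL, never-assigned pointer to the
   free (the flaw); false when the free would be a no-op or creds was valid. */
bool failure_path_frees_stale(bool use_fix, const char *computer_name,
                              struct creds_state *stale)
{
    struct creds_state *creds = stale;    /* stands in for an uninitialised local */
    ntstatus_t status = use_fix ? step_check_fixed(computer_name, &creds)
                                : step_check_vulnerable(computer_name, &creds);
    if (status != STATUS_OK) {
        /* The real function reaches TALLOC_FREE(creds) here. We only report
           what it would see instead of freeing a pointer we do not own. */
        return creds != NULL;
    }
    free(creds);                          /* success path: creds came from step_check */
    return false;
}

/* Test entry points: an unknown account forces the failure path. */
bool vulnerable_leaves_stale(void)
{
    static struct creds_state leftover;   /* constructed stack "garbage" */
    return failure_path_frees_stale(false, "INTRUDER$", &leftover);
}

bool fixed_leaves_null(void)
{
    static struct creds_state leftover;
    return !failure_path_frees_stale(true, "INTRUDER$", &leftover);
}

bool success_path_is_clean(void)
{
    static struct creds_state leftover;
    return !failure_path_frees_stale(false, "WORKSTATION$", &leftover);
}

int main(void)
{
    printf("vulnerable shape frees stale pointer on failure: %s\n",
           vulnerable_leaves_stale() ? "yes" : "no");
    printf("fixed shape frees NULL on failure:               %s\n",
           fixed_leaves_null() ? "yes" : "no");
    return 0;
}
```

The fix is a single assignment at the top of the callee, which is why the article notes that only the less common allocation-failure return remains reachable once it is in place; any other early return now leaves a NULL that TALLOC_FREE() ignores.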