A critical remote vulnerability in Samba that gives root access to the server

Posted: February 24, 2015 in Vulnerability News

CVE-2015-0240: A critical remote vulnerability in Samba

Researchers at MSVR (Microsoft Vulnerability Research) discovered a critical vulnerability in the Samba daemon (smbd).

The unscheduled releases Samba 4.1.17, 4.0.25 and 3.6.25 fix a critical vulnerability (CVE-2015-0240) that can be used to execute code on the server side.

The problem is made worse by the fact that the vulnerability can be exploited without authentication: to carry out the attack it is enough to send a few specially crafted anonymous netlogon packets to the server's SMB/CIFS network port. Since the smbd daemon runs with root privileges by default, a successful attack gives the attacker root access to the server.

The problem affects all versions of Samba from 3.5.0 to 4.2.0rc4. No working exploit has been created yet, but Red Hat staff consider one feasible and have described the exploitation algorithm in detail. All Samba users are advised to upgrade urgently to the fixed releases; patches have also been prepared for branches that are no longer supported. Samba 4 users can protect themselves from attacks by disabling the netlogon service ("rpc_server: netlogon = disabled" in the "[global]" section of smb.conf).
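An added example, not from the original post, that turns the two facts above into a defender's check: it classifies a bare Samba version string against the affected range and the fixed releases named here, and parses an smb.conf to confirm the "[global]" section carries the Samba 4 mitigation. The version format "X.Y.Z" / "X.Y.ZrcN" and the sample smb.conf are assumptions of the example.

```python
import re

# Fixed releases named in the advisory, keyed by branch (major, minor).
FIXED_PATCH = {(4, 1): 17, (4, 0): 25, (3, 6): 25}
FIRST_AFFECTED = (3, 5, 0)

def parse_version(text):
    """Parse 'X.Y.Z' or 'X.Y.ZrcN' into (major, minor, patch, rc); rc is None for a final release."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:rc(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Samba version: {text!r}")
    major, minor, patch, rc = m.groups()
    return int(major), int(minor), int(patch), (int(rc) if rc else None)

def is_affected(text):
    """True if this Samba version lies in the 3.5.0 .. 4.2.0rc4 range without the fix."""
    major, minor, patch, rc = parse_version(text)
    base = (major, minor, patch)
    if base < FIRST_AFFECTED:
        return False
    if (major, minor) in FIXED_PATCH:        # maintained branch: compare with the fixed release
        return patch < FIXED_PATCH[(major, minor)]
    if base == (4, 2, 0):                    # 4.2.0rc1..rc4 affected; later 4.2.0 builds carry the fix
        return rc is not None and rc <= 4
    return base < (4, 2, 0)                  # e.g. 3.5.x: unsupported upstream, still affected

def netlogon_disabled(smb_conf):
    """True if the [global] section sets 'rpc_server:netlogon = disabled' (the Samba 4 mitigation)."""
    section = None
    for raw in smb_conf.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()  # drop smb.conf comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if re.sub(r"\s+", "", key).lower() == "rpc_server:netlogon":
            return value.strip().lower() == "disabled"
    return False

# Constructed sample smb.conf with the mitigation applied (not from the original post).
SAMPLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   rpc_server : netlogon = disabled   # CVE-2015-0240 mitigation
[homes]
   browseable = no
"""
```

Note that the version check only reflects upstream version numbers; distribution packages often backport the fix without changing the version, so the distribution's own advisory is authoritative there.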


Instructions for applying the fix for this flaw (issued by Red Hat) are available in the Red Hat knowledgebase. Packages with the security fix are available for Red Hat Enterprise Linux, CentOS, Debian, Ubuntu, openSUSE, ALT Linux and FreeBSD. Updates for other popular distributions can be tracked on the Gentoo, Slackware and Fedora pages.

Arbitrary code execution in the Samba daemon

Severity: High (critical vulnerability)
Fix available: Yes
Number of vulnerabilities: 1
CVSSv2 rating: (AV:N / AC:L / Au:N / C:C / I:C / A:C / E:U / RL:OF / RC:C) = Base: 10 / Temporal: 7.4
CVE ID: CVE-2015-0240

Attack vector: Remote
Impact: System compromise, arbitrary code execution

Affected products: Samba 3.x; Samba 4.x
Affected versions: Samba from 3.5.0 up to 4.2.0rc4

The vulnerability allows a remote user to compromise a system.

CVE-2015-0240 – The vulnerability is caused by an error in the Samba daemon (smbd). The Netlogon server implementation in smbd performs a free operation on an uninitialized stack pointer, which allows remote attackers to execute arbitrary code (with root privileges) via crafted Netlogon packets that use the ServerPasswordSet RPC API.

Vendor website: https://www.samba.org/samba/
Main link to the news: https://securityblog.redhat.com/2015/02/23/samba-vulnerability-cve-2015-0240/
