
Samba remote execution vulnerability (CVE-2015-0240) - antoncohen
https://securityblog.redhat.com/2015/02/23/samba-vulnerability-cve-2015-0240/
======
antoncohen
This was discovered by Richard van Eeden of Microsoft Vulnerability Research
([https://lists.debian.org/debian-security-announce/2015/msg00055.html](https://lists.debian.org/debian-security-announce/2015/msg00055.html)).

~~~
lucb1e
Why are people from Microsoft looking into Linux (unix?) servers that try to
emulate their services? One might think to cause reputation damage, but that
sounds almost like a conspiracy theory to me... so then why do they do this
effort?

Edit: and the downvotes are because..?

~~~
jra_samba
They're looking into Linux servers that try to emulate their services because
we do a hell of a lot of interop work together, to make sure all consumer
devices and networks 'just work'.

And I'm very grateful for it!

~~~
yuhong
In fact: [https://technet.microsoft.com/en-us/library/security/ms03-024.aspx](https://technet.microsoft.com/en-us/library/security/ms03-024.aspx) (notice the credit)

------
th3iedkid
Long time back when Microsoft released SMB2.0 with Vista, they had a
major (after having fixed another!) issue where you could send a packet with a
header containing '&' negotiating an SMB connection, and the remote computer would
just crash with a blue screen! [1]

A Python PoC was quite out in the open.

[1] [https://isc.sans.edu/diary/Vista2008Windows+7+SMB2+BSOD+0Day/7093](https://isc.sans.edu/diary/Vista2008Windows+7+SMB2+BSOD+0Day/7093)

------
mablae
Is this only related to Redhat or is any smbd version affected? I am using
Ubuntu for example... ?

~~~
__david__
Here's the CVE from Samba, itself:
[https://www.samba.org/samba/security/CVE-2015-0240](https://www.samba.org/samba/security/CVE-2015-0240)

So it's not just Redhat. Debian testing/unstable currently has version 4.1.13.
I assume Ubuntu will be similar.

I don't see a Debian patch yet—but then again they seem to patch stable first
and unstable later.

------
AC__
Does the lack of comments correlate to everyone’s utter lack of surprise on
this one lol?

~~~
gus_massa
[[Just for the record, I didn't downvote you.] This is off topic, but I have
read recently a few similar complaints from other users.

Each community has its uses and customs. Here most of the people don't comment
unless they have something very interesting to say or to ask. So if the
article doesn't have an obvious flaw and is not polemic, you may see that it
has a lot of upvotes and no comments.

Also, try to avoid one-liners. It's very difficult to write good one-liners and
they will probably be downvoted. Explain the same idea with more words. [There
is an "exception" for congratulations in posts on acquisitions, marriage
announcements of well-known users and similar happy occasions.]]

~~~
cpncrunch
It could also be due to the fact that a lot of HN readers won't be affected by
this issue. If you run a web server, you generally don't have samba running.
You also don't generally have samba publicly accessible on your
home/development network.

Generally the only people with access to samba are employees in your company,
so the risk is much lower than for a service that is open to the public on the
internet.

------
drzaiusapelord
>execution of arbitrary code as root.

How the hell is this still possible in this day and age? Why is this service
running as root? It really is incredible how much bad decision making goes
into your typical linux distro. This should be a non-root service with an ACL
on whatever files samba needs to access. It doesn't "need" to be root. Reminds
me of the Windows days where every service "needed" a System or Ring0 access
and every application local admin rights.

It's just incredible how there's nothing between a buffer overflow (which are
common and will never go away considering the languages used) and root. I
wonder if SELinux could even do anything here or if samba is such a security
nightmare that you just have to give it root and hope for the best.

Samba is the poster child of the ugly, hacky, security questionable code that
we all should be working away from, not making excuses for:

[http://www.cvedetails.com/vulnerability-list/vendor_id-102/Samba.html](http://www.cvedetails.com/vulnerability-list/vendor_id-102/Samba.html)

If you want AD, pay for AD. If you want to share files with Windows clients
you have a million options nowadays. This reverse-engineered pig is just a
liability and helps keep real solutions from emerging because you can just
install samba and be done with it. The technical debt and liabilities here are
just kicked down the road. I wonder how bad this is going to get in the world
of the "internet of things" and cheap NAS's with poor firewalling being sold
by the millions.

edit: downvotes don't suddenly make samba a good application

~~~
icebraining
By the way, from just 10 days ago:

 _Microsoft just patched a 15-year-old bug that in some cases allows attackers
to take complete control of PCs running all supported versions of Windows. The
critical vulnerability will remain unpatched in Windows Server 2003, leaving
that version wide open for the remaining five months Microsoft pledged to
continue supporting it._

 _The flaw, which took Microsoft more than 12 months to fix, affects all users
who connect to business, corporate, or government networks using the Active
Directory service._

Bad, bad Samba! Just pay for AD! /s

[http://arstechnica.com/security/2015/02/15-year-old-bug-allows-malicious-code-execution-in-all-versions-of-windows/](http://arstechnica.com/security/2015/02/15-year-old-bug-allows-malicious-code-execution-in-all-versions-of-windows/)

~~~
drzaiusapelord
There's a world of difference between a local and remote exploit.

~~~
icebraining
From the link:

 _"The vulnerability is remotely exploitable and may grant the attacker
administrator-level privileges on the target machine/device."_

