===========================================================
== Subject:     "root" credential remote code execution.
==
== CVE ID#:     CVE-2012-1182
==
== Versions:    Samba 3.0.x - 3.6.3 (inclusive)
==
== Summary:     Samba 3.0.x to 3.6.3 are affected by a
==              vulnerability that allows remote code
==              execution as the "root" user.
==
===========================================================

===========
Description
===========

Samba versions 3.6.3 and all versions previous to this are affected by
a vulnerability that allows remote code execution as the "root" user
from an anonymous connection.

The code generator for Samba's remote procedure call (RPC) code
contained an error which caused it to generate code containing a
security flaw. This generated code is used in the parts of Samba that
control marshalling and unmarshalling of RPCs over the network.

The flaw caused checks on the variable containing the length of an
allocated array to be done independently from the checks on the
variable used to allocate the memory for that array. As both of these
variables are controlled by the connecting client, a specially crafted
RPC call can cause the server to execute arbitrary code.

As this does not require an authenticated connection it is the most
serious vulnerability possible in a program, and users and vendors are
encouraged to patch their Samba installations immediately.

==================
Patch Availability
==================

Patches addressing this issue have been posted to:

    http://www.samba.org/samba/security/

Additionally, Samba 3.6.4, Samba 3.5.14 and 3.4.16 have been issued as
security releases to correct the defect. Patches against older Samba
versions are available at:

    http://samba.org/samba/patches/

Samba administrators running affected versions are advised to upgrade
to 3.6.4, 3.5.14, or 3.4.16 or apply these patches as soon as
possible.
Due to the seriousness of this vulnerability, patches have been
released for all Samba versions currently out of support and
maintenance from 3.0.37 onwards.

==========
Workaround
==========

Samba contains a "hosts allow" parameter that can be used inside
smb.conf to restrict the clients allowed to connect to the server to a
trusted list. This can be used to help mitigate the problem caused by
this bug, but it is by no means a real fix, as client source addresses
can be easily spoofed.

=======
Credits
=======

This vulnerability and proof of concept code was provided by an
anonymous researcher working with HP's Zero Day Initiative program.
The Samba Team would like to thank them for reporting the problem and
their cooperation in this matter.

Patches were provided by Stefan Metzmacher of the Samba team, based on
initial work by Volker Lendecke.
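The Description section above explains the bug class in general terms: a client-controlled count that sizes an allocation and a second client-controlled count that sizes the copy into it, each range-checked on its own. The following C program is an added illustration of that pattern and of the cross-check that closes it; it is constructed demo code, not Samba's generated NDR code or the actual patch. The wire layout (two little-endian uint32 counts followed by the payload), the MAX_ELEMENTS limit and the function names are all assumptions made for the example.

```c
/*
 * Added illustration of the bug class described in the advisory; this is
 * constructed demo code, not Samba's generated NDR code. A conformant/varying
 * array on the wire carries two client-controlled counts: max_count (used to
 * size the allocation) and actual_count (used to size the copy).
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ELEMENTS 1024u   /* hypothetical per-field range limit */

enum ndr_status {
    NDR_OK = 0,
    NDR_ERR_BUFSIZE,         /* message shorter than the counts claim */
    NDR_ERR_RANGE,           /* a count exceeds MAX_ELEMENTS */
    NDR_ERR_ARRAY_SIZE,      /* actual_count > max_count (hardened path only) */
    NDR_ERR_ALLOC,
    NDR_ERR_WOULD_OVERFLOW   /* demo-only stand-in for the heap overflow */
};

/* Pull a little-endian uint32 at *off and advance *off. */
static bool pull_u32(const uint8_t *buf, size_t len, size_t *off, uint32_t *out)
{
    if (*off > len || len - *off < 4)
        return false;
    *out = (uint32_t)buf[*off] | ((uint32_t)buf[*off + 1] << 8) |
           ((uint32_t)buf[*off + 2] << 16) | ((uint32_t)buf[*off + 3] << 24);
    *off += 4;
    return true;
}

/*
 * Unmarshal [max_count][actual_count][actual_count bytes of payload].
 * hardened == false reproduces the flawed pattern: each count is range-checked
 * on its own, so max_count=4 with actual_count=64 passes both checks.
 * hardened == true adds the missing cross-check before anything is allocated.
 */
static enum ndr_status pull_varying_array(const uint8_t *buf, size_t len, bool hardened,
                                          uint8_t **out, uint32_t *out_len)
{
    size_t off = 0;
    uint32_t max_count, actual_count;
    uint8_t *p;

    *out = NULL;
    *out_len = 0;

    if (!pull_u32(buf, len, &off, &max_count))
        return NDR_ERR_BUFSIZE;
    if (max_count > MAX_ELEMENTS)                 /* check on the allocation count */
        return NDR_ERR_RANGE;

    if (!pull_u32(buf, len, &off, &actual_count))
        return NDR_ERR_BUFSIZE;
    if (actual_count > MAX_ELEMENTS)              /* independent check on the copy count */
        return NDR_ERR_RANGE;

    if (hardened && actual_count > max_count)     /* the cross-check the flawed code lacked */
        return NDR_ERR_ARRAY_SIZE;

    if (len - off < actual_count)                 /* payload really present on the wire? */
        return NDR_ERR_BUFSIZE;

    p = malloc(max_count ? max_count : 1);        /* allocation sized by max_count ... */
    if (p == NULL)
        return NDR_ERR_ALLOC;

    if (actual_count > max_count) {
        /* ... but the copy is sized by actual_count. The flawed pattern has no
         * guard here and writes actual_count - max_count bytes past the
         * allocation. The demo refuses rather than corrupting its own heap. */
        free(p);
        return NDR_ERR_WOULD_OVERFLOW;
    }
    memcpy(p, buf + off, actual_count);
    *out = p;
    *out_len = actual_count;
    return NDR_OK;
}

/* Build a constructed wire message into dst; returns its length. */
static size_t build_msg(uint8_t *dst, uint32_t max_count, uint32_t actual_count, size_t payload)
{
    uint32_t v[2] = { max_count, actual_count };
    size_t n = 0;
    for (int i = 0; i < 2; i++)
        for (int b = 0; b < 4; b++)
            dst[n++] = (uint8_t)(v[i] >> (8 * b));
    for (size_t i = 0; i < payload; i++)
        dst[n++] = (uint8_t)(0x41 + (i % 26));
    return n;
}

/* Run one constructed message (payload of actual_count bytes, at most 256)
 * through the decoder and report the status. */
static enum ndr_status try_message(uint32_t max_count, uint32_t actual_count, bool hardened)
{
    uint8_t msg[8 + 256];
    uint8_t *data = NULL;
    uint32_t data_len = 0;
    size_t payload = actual_count > 256 ? 256 : actual_count;
    size_t len = build_msg(msg, max_count, actual_count, payload);
    enum ndr_status st = pull_varying_array(msg, len, hardened, &data, &data_len);
    free(data);
    return st;
}

int main(void)
{
    /* Crafted: both counts within range, but the copy is 16x the allocation. */
    printf("crafted, flawed checks:   %d\n", try_message(4, 64, false));  /* 5: would overflow */
    printf("crafted, hardened checks: %d\n", try_message(4, 64, true));   /* 3: rejected early */
    printf("benign,  flawed checks:   %d\n", try_message(8, 8, false));   /* 0 */
    return 0;
}
```

The point the example makes is the one in the advisory: both range checks pass on the crafted message, because neither is wrong on its own; the defect is that nothing ties the count used for the copy to the count used for the allocation. Placing that cross-check before the allocation, as the hardened path does, is the structural fix regardless of what the individual range limits are.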