Samba Uninitialized Pointer Free Remote Code Execution Vulnerability (CVE-2015-0240)

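Samba is free software that implements the SMB protocol on Linux and UNIX systems and consists of server and client programs.
The smbd file server daemon in Samba 3.5.0 through 4.2.0rc4 has a remote code execution vulnerability that lets an attacker execute arbitrary code without logging in.
An attacker can anonymously establish a null session with the Samba server and then call the ServerPasswordSet RPC interface, which causes an uninitialized stack pointer to be passed to the TALLOC_FREE() function. By sending specially crafted data, the attacker can control the contents of that pointer; when the pointer is freed, the attacker can execute arbitrary code as root.
On Samba 4.1 and later, "server schannel = yes" must be set in the server configuration file for this vulnerability to be triggered.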
<*Source: Richard van Eeden

  Links: http://www.securityfocus.com/archive/1/534735
         https://securityblog.redhat.com/2015/02/23/samba-vulnerability-cve-2015-0240/
         https://www.samba.org/samba/security/CVE-2015-0240
*>
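A triage check built from the two conditions stated above (the affected version range and the "server schannel" setting), as an added example that is not part of the original advisory or of Samba. The names `triage`, `version_key`, `global_param` and `SAMPLE_CONF` are hypothetical, and the check compares upstream version strings only: a vendor-patched package can still report an in-range version, so an in-range result means "confirm against the vendor advisory".

```python
import re

LOW, HIGH = "3.5.0", "4.2.0rc4"   # affected range as stated on this page
FINAL = 10**6                      # sorts a final release after its release candidates
SAMPLE_CONF = "[global]\n  workgroup = EXAMPLE\n  Server  Schannel = Yes\n[share]\n  path = /srv/x\n"  # constructed

def version_key(text):
    """Turn 'Version 4.1.16-Ubuntu' or '4.2.0rc4' into a sortable tuple."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)(?:rc(\d+))?", text)
    if not m:
        raise ValueError("no Samba version in %r" % text)
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch), int(rc) if rc else FINAL)

def global_param(conf_text, name):
    """Return the last value of `name` in [global], or None if unset (includes are not followed)."""
    wanted = re.sub(r"\s+", "", name).lower()
    section, value = None, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, _, val = line.partition("=")
            # smb.conf parameter names ignore case and embedded whitespace
            if re.sub(r"\s+", "", key).lower() == wanted:
                value = val.strip()
    return value

def triage(version_text, conf_text):
    """Classify a host from its smbd version string and smb.conf contents."""
    key = version_key(version_text)
    if not (version_key(LOW) <= key <= version_key(HIGH)):
        return "outside-range"
    if key >= (4, 1, 0, 0):
        # Assumption: an unset parameter is not "yes" (the default in these releases was "auto")
        schannel = (global_param(conf_text, "server schannel") or "").lower()
        if schannel not in ("yes", "true", "1", "on"):
            return "in-range-not-triggerable"
    return "in-range-triggerable"
```

Feed it the output of `smbd -V` and the text of the server's smb.conf.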
Solution
The Linux/Unix distributions below have published security advisories for this vulnerability. Refer to the advisory for your system to fix it:
Ubuntu
----------------
USN-2508-1: [USN-2508-1] Samba vulnerability
Link: https://www.ubuntu.com/usn/usn-2508-1
Red Hat Enterprise Linux
----------------
Link: https://access.redhat.com/security/cve/CVE-2015-0240
CentOS
----------------
CESA-2015:0249: CESA-2015:0249 Critical CentOS 5 samba3x Security Update
Link: https://lists.centos.org/pipermail/centos-announce/2015-February/020942.html
CESA-2015:0251: CESA-2015:0251 Critical CentOS 6 samba Security Update
Link: https://lists.centos.org/pipermail/centos-announce/2015-February/020943.html
CESA-2015:0250: CESA-2015:0250 Critical CentOS 6 samba4 Security Update
Link: https://lists.centos.org/pipermail/centos-announce/2015-February/020944.html
CESA-2015:0252: CESA-2015:0252 Important CentOS 7 samba Security Update
Link: https://lists.centos.org/pipermail/centos-announce/2015-February/020945.html
Gentoo
----------------
GLSA-201502-15: Samba: Multiple vulnerabilities
Link: https://security.gentoo.org/glsa/201502-15
FreeBSD
----------------
996c219c-bbb1-11e4-88ae-d050992ecde8: samba -- Unexpected code execution in smbd
Link: http://vuxml.freebsd.org/freebsd/996c219c-bbb1-11e4-88ae-d050992ecde8.html
Slackware
----------------
SSA:2015-064-01: [slackware-security] samba (SSA:2015-064-01)
Link: http://www.slackware.com/security/viewer.php?l=slackware-security&y=2015&m=slackware-security.360345
openSUSE
----------------
openSUSE-SU-2016:1107-1: openSUSE Security Update: Security update for samba
Link: https://lists.opensuse.org/opensuse-security-announce/2016-04/msg00048.html
openSUSE-SU-2016:1106-1: openSUSE Security Update: Security update for samba
Link: https://lists.opensuse.org/opensuse-security-announce/2016-04/msg00047.html
openSUSE-SU-2016:1064-1: openSUSE Security Update: Security update for samba
Link: https://lists.opensuse.org/opensuse-security-announce/2016-04/msg00042.html
openSUSE-SU-2015:0375-1: openSUSE Security Update: Security update for samba
Link: https://lists.opensuse.org/opensuse-security-announce/2015-02/msg00031.html
SUSE
----------------
Link: https://www.suse.com/security/cve/CVE-2015-0240/
Arch Linux
----------------
ASA-201502-13: [arch-security] [ASA-201502-13] samba: arbitrary code execution
Link: https://lists.archlinux.org/pipermail/arch-security/2015-February/000236.html
Oracle Linux
----------------
Link: https://linux.oracle.com/cve/CVE-2015-0240.html
Debian
----------------
DSA-3171: DSA-3171-1 samba -- security update
Link: https://www.debian.org/security/2015/dsa-3171

Reposted from www.cnblogs.com/mrhonest/p/10892839.html