ZDNet UK / News and Analysis / Application Development

Samba flaw opens up root access attack

By John McCormick, TechRepublic, 7 April, 2003 09:49

Daily Newsletters

Sign up to ZDNet UK's daily newsletter.

Topics

Flaw, Linux, Samba, Security

As the Samba team clearly states, Samba is configured by default to accept connections from any host. This includes the Internet, and there is no good reason to have Samba installed on these systems in its default configuration. The ZDNet story on this vulnerability quotes Allison as saying, "You would have to be crazy to run this over the Internet." The Samba team pointed out that you can protect servers that can be accessed by untrusted hosts by adjusting the "hosts allow" and "hosts deny" options in the smb.conf file to limit access to specific trusted hosts. For example, "Hosts allow = 192.168.9." would limit SMB connections to systems on the internal network segment with an IP address of 192.168.9.x. The Samba.org notice on this vulnerability also details a way to block unwanted network interfaces so that Samba will not accept connections from them. In addition, the notice reports that Samba uses ports UDP/137 (nmbd), UDP/138 (nmbd), TCP/139 (smbd), and TCP/445 (smbd), which can be blocked at a firewall to protect servers against these vulnerabilities. In particular, TCP/445 may be wide open on older setups that have been upgraded because that port was added to the Samba protocols recently. A Red Hat BugTraq notice carries links to patch locations for Red Hat software. The SuSE BugTraq notice lists the vulnerable SuSE products and has links to patches. Final word This vulnerability was apparently patched quickly once it was discovered, which reflects well on Samba and SuSE. However, the closing quote of the ZDNet story indicated that the great thing about open source is that everyone can see the code and a flaw of this magnitude can be found. That may be true, but if you are going to point that out, it's only fair to remind people that this flaw has apparently lain undiscovered since at least Samba release 2.0. When an open source flaw is discovered within days of a program's release, it's a shiny gold star for open source -- but when a problem lies hidden for a long time, that's no better than when the same thing happens to proprietary software, such as Microsoft products. In this case, SuSE's head of security probably shouldn't have used this particular instance to brag about open source security benefits. In that spirit of fairness, the Samba development team's note on the page describing the problem and patch said, "As always, all bugs are our responsibility." I believe that is something that needs to be part of every bug fix, especially including Microsoft's Security Bulletins. Although all bugs are the responsibility of the individual developers, the captains are responsible for everything that happens on their ships, even things that are beyond their direct control. The fact that the Samba team expressed this sentiment is a good indication that they really care about bugs and have a feeling of personal responsibility for any problems encountered by users. Kudos to the Samba team for that.
For a weekly round-up of the enterprise IT news, sign up for the Enterprise newsletter. Tell us what you think in the Enterprise Mailroom.

Related stories

Is Linux as vulnerable as Windows?

Flaw threatens source of open source

Join Linux to Active Directory with Samba 3.0

Mozilla sticks 'reset' button on Firefox 13

Gmail gets closer integration with Google+

Post your comment

In order to post a comment you need to be registered and logged in.

You can also log in with Facebook. Log in or create your ZDNet UK account below

  • Login

Will not be displayed with your comment

By signing up for this service, you indicate that you agree to our Terms and Conditions and have read and understood our Privacy Policy. Questions about membership? Find the answers in the Community FAQ

Get ZDNet UK's daily newsletter

Enter your email address to sign up

ZDNet UK Live

Chris Wortman

Good I love Yahoo! Their search engine is getting better than Google as of late. I find more of what I want on the first page, and usually within...

17 minutes ago by Chris Wortman via Facebook on Linux Mint 13 ramps up for KDE release
PatrickG

openhgs has made the point for Windows 8 multiple monitors without realising it! With Windows 7 you have to switch the mouse and so your focus...

2 hours ago by PatrickG on Windows 8 could speed multi-monitor uptake
Leslie Satenstein

Mozilla has threatened to stop supporting Linux. I guess that UBUNTU is going with another browser. I indicated that if Mozilla stops supporting...

3 hours ago by Leslie Satenstein via Facebook on Firefox rapid release improves Fedora Linux
Andy Bolstridge

Much as I abhor Microsoft's licensing practices, this is almost certainly down to purchasing IT equipment via 3rd party consultants - you get the...

4 hours ago by Andy Bolstridge via Facebook on 6 million wasted licences and £1,200 PCs: welcome to government IT
Jack Schofield

@openhgs Windows users have had multiple desktops since Linus started writing Linux. They just haven't shipped as standard because not enough...

20 hours ago by Jack Schofield on Windows 8 could speed multi-monitor uptake
Jack Schofield

@Phil at Cloud4 What, Microsoft gets £1,200 per PC and £1,622 per server? Gosh, I'm amazed....

20 hours ago by Jack Schofield on 6 million wasted licences and £1,200 PCs: welcome to government IT
craigsc

You guys have no idea what is going on at Autonomy. Autonomy could have been a much more profitable organization. The sales operations at Autonomy...

22 hours ago by craigsc on HP cuts 27,000 staff as Autonomy chief Lynch leaves
Moley

How does this impact on dual or multi booting? Seems to me to more or less prohibit this, from Windows 8 anyway. Will Grub 2 recognise Windows 8,...

22 hours ago by Moley on Windows 8 start-up speed forces USB boot workaround
apexwm

I don't understand why there cannot be a slight pause during the boot process so the user can press a key. Many operating systems do this, even if...

23 hours ago by apexwm on Windows 8 start-up speed forces USB boot workaround
Gavin Goodman

You can now buy the Xi3 modular computer in the UK at http://www.ocdistribution.com . This can be bought with the Tand3m software, pricing and...

24 hours ago by Gavin Goodman on CES 2012: Xi3 microSERV3R
Phil at Cloud4

I agree: Mike Lynch can clearly build a business and manage strategy. I suspect the exit of Mike is more likely the end of a planned handover...

1 day ago by Phil at Cloud4 on HP cuts 27,000 staff as Autonomy chief Lynch leaves
Phil at Cloud4

This is unbeleivable government wastage with only one winner... Microsoft 1 - Tax payer Nil!

1 day ago by Phil at Cloud4 on 6 million wasted licences and £1,200 PCs: welcome to government IT
Mispam

So what do you do when you can't boot into windows? Why can't I just hold Shift while I power up instead of having to boot into windows and click a...

1 day ago by Mispam on Windows 8 start-up speed forces USB boot workaround
apexwm

I've also seen that Mac OS X for Intel machines is supposed to run in VirtualBox, which would also be a nice solution. I've never tried it though.

1 day ago by apexwm on xTreme Triple Booting: Linux, Mac & Windows
dave heasman

What I wonder is why when companies are caught bang to rights in not providing contracted services, people bend over to smear the customers? Surely...

1 day ago by dave heasman on Virgin throttles broadband for high-speed customers
pjc158

Strange statement from HP regarding Mike Lynch and not capable of scaling a company. Autonomy was a $7bn purchase which started as a small company...

1 day ago by pjc158 on HP cuts 27,000 staff as Autonomy chief Lynch leaves
lojolondon

Or - possibly, they will destroy business by ensuring people do not invest where there is no return. Another socialist idea, well beyond it's...

1 day ago by lojolondon on Open Data Institute will act as biz incubator
J.A. Watson

Good stuff Jake, very interesting. Thanks. jw

1 day ago by J.A. Watson on xTreme Triple Booting: Linux, Mac & Windows
openhgs

"the cost of a second LCD screen is about the same as one day of an office worker's time, so this should soon be recouped in extra productivity."...

1 day ago by openhgs on Windows 8 could speed multi-monitor uptake
Thomas Gellhaus

I also installed the KDE version; I also will probably try out razorqt since I really haven't had a chance to before. I'm looking forward to the...

2 days ago by Thomas Gellhaus via Facebook on Mageia 2 Released

Latest in Application Development

Mozilla sticks 'reset' button on Firefox 13

Gmail gets closer integration with Google+

Google demos SPDY protocol on mobile

Featured white papers

ACTA: A guide to the treaty from ZDNet UK

ZDNet UK

ACTA: A guide to the treaty from ZDNet UK

What is the Anti-Counterfeiting Trade Agreement? This ZDNet UK guide outlines the positions of its supporters and its critics, discusses what's new and how its ratification could affect the great copyright-versus-technology... Read more

Email security: A comparison of the major players

Mimecast

Email security: A comparison of the major players

This guide from Mimecast considers why email security is essential, who the major players are and their strengths and... Read more

CIO survey: The effect of consumer-led IT

Research In Motion

CIO survey: The effect of consumer-led IT

From mobility to cloud computing to social networking, how has the consumer-led IT revolution changed how CIOs approach the IT... Read more

Inside ZDNet UK

Indoor navigation coming to a mobile near you soon

Indoor navigation coming to a mobile near you soon

Software with everything

Software with everything

Asus Transformer Pad TF300T

Asus Transformer Pad TF300T

How IT is ganging up on organised cybercrime

How IT is ganging up on organised cybercrime

HTC One V: First take

HTC One V: First take

SharePoint deployment: The final chapter

SharePoint deployment: The final chapter

Ten IT jobs to save up for those rare lulls

Ten IT jobs to save up for those rare lulls