SAMBA HAS PATCHED two serious security vulnerabilities in its widely used open-source Windows and Linux networking software.
Patches were rushed out after security experts uncovered password and denial-of-service flaws that can be found in all versions of the software released since December 2012.
By tapping into the password vulnerability, anyone with access to a Samba 4.x LDAP server can modify other people's login details. They just have to create an Active Directory Domain Controller.
People logged into the software can also change admin and service account passwords, but Samba explained that it has now fixed this bug for versions 4.7.6, 4.6.14 and 4.5.16.
Alongside the patch, the organisation has released workaround options that can help administrators determine whether someone has meddled with passwords.
"Revoke the change passwords right for 'the world' from all user objects (including computers) in the directory, leaving only the right to change a user's own password," it recommends.
It advised users to upgrade or apply the patch as soon as possible.
"As Samba does not at this time change the machine account passwords of Domain Controllers, any change to these, or to the passwords of administrators should be a concern."
Quick exposure reminder: There are still plenty of internet-facing Samba instances around. Results from last week's Project Sonar study below (correlation with today's Samba CVE not implied). H/t Rapid7's @hrbrmstr and @TomSellers. pic.twitter.com/m661VJaAnx— Rapid7 (@rapid7) March 13, 2018
There is a patch for a new denial-of-service flaw, too. But that flaw should only affect a few particular configurations.
The DDoS flaw was found in Samba 4.7.6, 4.6.14 and 4.5.16, although users of Samba 4.4.16 and 4.3.13 can download the patch as well.
"All versions of Samba from 4.0.0 onwards are vulnerable to a denial-of-service attack when the RPC spoolss service is configured to be run as an external daemon," explained CVE-2018-1050.
"Missing input sanitization checks on some of the input parameters to spoolss RPC calls could cause the print spooler service to crash," it added.
Writing on Twitter, cybersecurity firm Rapid7 suggested that these flaws may only be scratching the surface. "There are still plenty of internet-facing Samba instances around," it warned, suggesting that they need to be updated, and fast. µ
Flagship fakes aim that the incoming Samsung Galaxy S10+
Don't expect to be surprised later today
Your phone call may be recorded for leaking purposes
But the company is yet to dish, officially