Samba needs two patches, unless you're happy for SMB servers to dance for evildoers
Big Linux distros have pushed their fixes, but let's not assume everything auto-patches, OK?
It’s time to patch Samba again - or turn off SAMBA 1, which is never as easy as it sounds.
The lid came off the issue a couple of days ago, when the big Linux distributions (Red Hat, Ubuntu, Debian and so on) rolled out fixes for a use-after-free error affecting all versions of SAMBA since 4.0 (published in 2012).
The bug means a malicious SMB1 request can give the attacker control over “the contents of heap memory via a deallocated heap pointer. It is possible this may be used to compromise the SMB server”, the project’s advisory said.
The problem with disabling SMB1, the natural workaround if you can’t run in the patch immediately, is that as readers have told The Register in previous incidents, there are clients that only support SMB1.
For example, it was only in July that Android’s Samba client added SMB2 and SMB3 - and not all users will have installed an update yet.
Sysadmins should also be warned, there’s a separate bug affecting all versions from 3.6.0 onwards: “server allocated heap memory may be returned to the client without being cleared”.
Samba's developers have detected exploits, but warned the uncleared heap memory might contain “password hashes or other high-value data”.
Patched software has been made available here. ?