March 17, 2003 4:17 PM PST
Linux firms look to plug Samba hole
Known as Samba, the popular software can be found on many workstations and servers running any one of the variety of flavors of Linux and Unix, including systems running Apple OS X. Members of the Samba team planned to announce the vulnerability on Tuesday, but they released information over the weekend because some believed a Web site break-in in Germany may have been attributed to the software.
"We know of one site that may have been compromised by this," said Jeremy Allison, co-author of Samba. "That's what precipitated the release."
Several Linux editions--including Debian, Gentoo, and SuSE--released patches for the problem. Apple Computer noted in an advisory that Samba is not enabled by default with Mac OS X and Mac OS X Server, but the company plans to issue a patch for version 10.2.4. Red Hat hasn't yet released a patch but will do so soon, the company said in a statement.
The popular software also is used by many file-server and print-server network appliances that are based on the Linux operating system. The danger for these is somewhat lessened, however, because people have been regularly warned that running the software on a computer connected to the Internet is dangerous.
"You would have to be crazy to run this over the Internet," Allison said. The Windows file-sharing protocol, known as the Server Message Block, has been a key weakness in PCs connected to the Internet in the past, because people haven't always known to turn the feature off or use a firewall to protect against intrusions. In general, Linux users tend to be more savvy and know to be careful on computers that have the feature turned on, Allison said.
The flaw occurs in the code that reassembles data that the software receives from the Internet, according to the advisory. By sending the server a specially crafted data packet, an attacker could overload the memory used by the Samba software and cause the application to run code of the intruder's choice.
The problem was spotted by a security team at Linux software company SuSE last week. While the German company had hoped to release a fix later this week, the process was rushed because someone accessed the source code under development and reverse-engineered a patch that had been proposed for the problem. Still, Roman Drahtmueller, head of security for SuSE, stressed that finding the problem during a code review gave companies time to respond.
"If you are going to have a flaw of this magnitude that is the best way to catch it," he said. "That's a great advantage of open source...People are able to look at the code and check its security."