Samba servers vulnerable to denial-of-service attacks

The Samba Team released on Tuesday a patch to fix two flaws that could result in disruptions for networks using the widely installed Unix and Linux software.

The two relatively minor flaws could crash or make unresponsive systems running version 3 of Samba, an open-source software package that allows Windows files and printers to be shared by Unix and Linux systems.

The flaws, known as denial-of-service vulnerabilities, basically could be used to disconnect Samba servers from the network by either overrunning the computer's memory to such an extent that it cannot function or by sending a specially crafted network request that would crash the NetBIOS function.

"We have not had any reports in the wild of these" flaws being used by attackers, said Gerald Carter, a member of the Samba Team.

The Samba open-source software project has had its share of flaws since version 3.0 was published a year ago, including two vulnerabilities announced in July and another vulnerability reported in February. The current release, 3.0.7, fixes the two denial-of-service issues. The flaws do not affect versions of the software prior to 3.0.

Security information provider Secunia rated the flaws "less critical," that company's second-lowest grading of threats.

[dburry]

big deal

big deal, I don't know anyone who set up samba and made it *publicly* *accessible* with no firewalling around it whatsoever like a large number of home desktop windoze people do.

I guess this could affect intranets where you don't trust all your internal people not to do bad things or where they might catch viruses that specifically target flaws like this.