Samba Remote Code Execution

Vulnerability Description

All versions of Samba from 3.5.0 to 4.2.0rc4 are vulnerable to an unexpected code execution vulnerability in the smbd file server daemon.

Exposure & Impact

A malicious client could send packets that may set up the stack in such a way that the freeing of memory in a subsequent anonymous netlogon packet could allow execution of arbitrary code. This code would execute with root privileges.

CVE: CVE-2015-0240
CVSS: 7.9

Remediation & Mitigation

VERT suggests that users install patches that are being released by the various distributions today.

Detection

The February 25th ASPL package will include coverage for CVE-2015-0240 on RHEL, CentOS, Ubuntu, Debian, and OEL.

Tripwire Enterprise customers can identify systems running vulnerable Samba versions by creating rules and policies using Command Output Capture Rules (COCR). This zip file contains policy and rule files needed to run a basic COCR. These rules can be imported and run on Linux groups to identify systems running Samba.
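
The version check that such a rule performs can be sketched as a shell script. This is an added example, not the contents of the Tripwire policy files: it classifies `smbd --version` output against the affected range stated above (3.5.0 through 4.2.0rc4), and the function names and sample lines are constructed for illustration. Distribution packages often backport fixes without changing the upstream version number, so an in-range result means the installed package still needs to be checked for the CVE-2015-0240 fix.

```shell
#!/bin/sh
# Added example (not Tripwire's COCR rule): flag smbd versions inside the
# advisory's affected range, 3.5.0 through 4.2.0rc4.

# Turn "X.Y.Z[rcN][-suffix]" into one sortable integer. A final release gets
# rc=99 so it sorts after every release candidate of the same version.
samba_version_key() {
    v=${1%%-*}                      # drop "-Ubuntu", "-Debian", ...
    rc=99
    case $v in
        *rc[0-9]*) rc=${v##*rc}; v=${v%%rc*} ;;
    esac
    # Reject anything that is not digits and dots before splitting.
    case $v in ''|*[!0-9.]*) return 1 ;; esac
    case $rc in ''|*[!0-9]*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $v
    IFS=$old_ifs
    echo $(( ((${1:-0} * 1000 + ${2:-0}) * 1000 + ${3:-0}) * 100 + $rc ))
}

# Input: one line of `smbd --version` output, e.g. "Version 4.1.6-Ubuntu".
# Output: in-range, out-of-range, or unknown (unparseable input).
classify_samba() {
    ver=${1#Version }
    key=$(samba_version_key "$ver") || { echo unknown; return 0; }
    lo=$(samba_version_key 3.5.0)
    hi=$(samba_version_key 4.2.0rc4)
    if [ "$key" -ge "$lo" ] && [ "$key" -le "$hi" ]; then
        echo in-range
    else
        echo out-of-range
    fi
}

# Constructed sample lines, then the local daemon if one is installed.
for line in "Version 3.4.17" "Version 4.1.6-Ubuntu" "Version 4.2.0rc4" "Version 4.2.0"; do
    printf '%s => %s\n' "$line" "$(classify_samba "$line")"
done
if command -v smbd >/dev/null 2>&1; then
    printf 'local smbd => %s\n' "$(classify_samba "$(smbd --version)")"
fi
```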

References

https://securityblog.redhat.com/2015/02/23/samba-vulnerability-cve-2015-0240/

https://www.samba.org/samba/security/CVE-2015-0240

https://access.redhat.com/security/cve/CVE-2015-0240

http://www.tripwire.com/state-of-security/vulnerability-management/samba-vulnerability-cve-2015-0240-detection-remediation/