Topic: Samba Vulnerability

[del]

Hi All,
What version of samba is used in sme 5.5/5.6, I came across this article on the net today, do I need to upgrade to the latest version of samba? Comments and advice appreciated.
Cheers,
Del
----------------------------------------------------------------------------------------------
Hole found in Samba code
[PC Pro] 12:44

A security vulnerability in the open source Samba server code could allow an external attacker to remotely and anonymously gain Super User (root) privileges.
Samba.org reports that: 'A flaw has been detected in the Samba main smbd code which could allow an external attacker to remotely and anonymously gain Super User privileges on a server running a Samba server. This flaw exists in previous versions of Samba from 2.0.x to 2.2.7a inclusive. This is a serious problem and all sites should either upgrade to Samba 2.2.8 immediately or prohibit access to TCP ports 139 and 445.'

Details and links to the Samba 2.2.8 downloads are available from us1.samba.org/samba/whatsnew/samba-2.2.8.html.
Samba allows Unix- and Linux-based systems to provide file and print services to SMB/CIFS clients, such as PCs running Windows.

One Web site break-in in Germany has already been attributed to this vulnerability. Apple has announced that it will be releasing an OS X security update to address this problem.
-----------------------------------------------------------------------------------------------

[Cyrus Bharda]

You do know that you really should not be posting security issues to this phorum?

If you bothered to do a search you would of found heaps of posts like this one:

http://forums.contribs.org/index.php?topic=7146.msg25988#msg25988

and heres a thread that seems to be exactly whay you are after

http://forums.contribs.org/index.php?topic=7146.msg25988#msg25988

Please try searching before blurting out

Cyrus Bharda

[del]

Sorry,
Del

[Kelvin]

Hi Cyrus,

Personally, I prefer to patch any holes, irregardless of whether or not the hole is "low risk" or "should not be a problem" (that is, not a problem until someone else finds a way....there's a lot of people a lot smarter with a lot more time on their hands....).

The issue with bringing up security related material into the open is a very much a double edged sword. I frankly find it very, very informative to read about such issues in forums like these. I don't often have enough time and resources to go through the other more "official" sites related to bugs and security. If you are worried about people finding out ways to break into a system, you can be doubly sure that those same people read all the "official" sites anyway (and probably a whole lot more, besides) !

I know putting an issue out in the open puts developers on the spot. However, this could well be a "good" thing (basically lighting a fire them to fix the problem, quick smart !). This has worked well in the past in forcing M$ to fix some of their problems, much to their discomfort (boo, hoo!). Now, if we could just get someone to fix this darn PPTP problem with 5.6 as quickly ..... .

Kelvin

[Cyrus Bharda]

Kelvin,

I do understand your point of veiw, but dont you think that the Mitel guys need to be informed properly? What if the people involved in the development of Samba for SME dont actually look at these forums? I am not saying wether they do or not, frankly I do not have the foggiest whom from Mitel actually pay attension to this list, my point being that they should be informed through the proper channells, and then if there is a problem, then they know about it and it can then be forwarded onto the right person for the job.

I am just like you, I do not have time to go to official sites and look at security bulitens all day, but when I do come across one, then I send it into Mitel and they can take care of it.

When you post a security problem here, what guarantee's do you have that Mitel will even notice it? When you send it to Mitel, you get a tag number and confirmation that they have recieve it and will be looking into it as soon as they can.

Also you might send into panic all the users who aren't so technically inclined into posts on wether a posted problem has been fixed or not, when sometimes the problem did not affect SME in the first place.

I have no problems with people posting security issues, just as long as they have contacted Mitel first and then if they are either not happy with that responce or need more information, then post here with Mitel's reponce and then we all know where Mitel stands on the certain problem, does that not make more sence then stiring up a hornets nest sometimes for nothing?

But yet again these views and opinions are only what's kicking around in my head I did not mean to sound offensive or cause any bad feelings to del, if I have then I apologise, I was just trying to show him where/how to find the information as it was obvious that he did try, but just did not find what he was looking for.

Cyrus Bharda

[Daniel]

lots of writing but...

What version of samba is used in sme 5.5/5.6 ?

Noone bothered to answer the poor man's question.

Login to a shell (not the admin console).

rpm -qa|grep samba

should give you some idea.

[Kelvin]

Hi Cyrus,

>When you post a security problem here, what guarantee's do you have that Mitel
>will even notice it? When you send it to Mitel, you get a tag number and
>confirmation that they have recieve it and will be looking into it as soon as they
>can.

Actually, I have a long held belief that there should be another forum topic specifically for security and/or bugs. So then, instead of posting to general or exp. users forum, they should post it there. This then should be a Mitel monitored forum (which by the way, I believe all the current forums are monitored, just not necessarily often enough or responded to).

>Also you might send into panic all the users who aren't so technically inclined
>into posts on wether a posted problem has been fixed or not, when sometimes
>the problem did not affect SME in the first place.

I also believe, if you have a forum dedicated to these issues (that has been presented correctly), you will also go a long way in quelling any "panic attacks" and fears that might arise. Eg. Look at the Symantec (or any  other major AV vendor's) web site. If there is a new or potentially dangerous outbreak, there's always an entry on the main page telling you about it. And if a fix or repair tool is available, then you can download it. The same should apply in SME. If a problem is identified and noted visibly on the correct forum, then anyone going to that page will be able to see that it has already been brought up, addresses or being looked into. If a fix is available, MAKE it available for download, much like a M$ "hotfix" update. Then, there will be less of a need to tell people "Search first and you will find ...." especially if it is a current topic (like the current Samba issue).


>I have no problems with people posting security issues, just as long as they
>have contacted Mitel first and then if they are either not happy with that responce
>or need more information, then post here with Mitel's reponce and then we all
>know where Mitel stands on the certain problem, does that not make more
>sence then stiring up a hornets nest sometimes for nothing?

I would not call bringing up security issue awareness "stirring up a hornets nest for nothing". Becoming complacent about security is worse. However, even if you send a bug / security request to Mitel, it could be sometime before you hear back from them, as we are not paying customers, and are thus attended to with lower priority. However, paying customer or not, most bug issues can and do affect their server product and a fix for us is also a fix for them, and the sooner the better.

I respect your opinion on this and am very aware of your point of view (been around computers long enough !) and believe me, I'm not offended in any way at all. I've said in my original posting that this is a double edged sword. Everyone life experiences help shape his or her own thinking and opinions.

> Noone bothered to answer the poor man's question.

No should really have to because this comes down to poor documentation. Yes, the source is there, blah.. blah.. blah.. Not everyone who uses SME should be expected to be Linux proficient. Ideally, SME users should not even need to go near a command prompt. Lots of Windows users I know don't know about a command prompt at all but they get by everyday and get work done. It really irks me that no documentation exists for :-

a) Major component versions in use for a particular SME release
(Mitel is proud to announce the release of SME Version ......
This is a major update to .....
This version is based on :
Redhat Version aaa.bbb
Samba Version nnn.mmm
MySQL Version fff.ggg.....)

b) What are the templates / events / databases in use, what are the values, settings, what do they do, which template does what which affects what (a flowchart helps) and so on.

Kelvin

[Cyrus Bharda]

Well put Kelvin,

I support your idea of a Security forum that users could just disscuss these types of issues, unfortunatly I wont hold my breath waiting for it, unless we pay for it

Cyrus Bharda

[Jens Kruuse]

When I look at the top of my Server-Manager it says "Unsupported Developer Release". That is important. We do get lots of documentation but not *all* of it. And I accept that. If you are using a Developer Release, you should know what you're doing - or be willing to find out. SME was my first experience with Linux and it has taught me a lot about *nix, and also a lot about the special features of the SME Server.

At times I also want more documentation but the great support community helps a lot - as does Google. And in my experience you get excellent support when you report a bug or security problem - even with the Developer Release.

Cheers,
Jens

[Kelvin]

Hi Jens,

> We do get lots of documentation but not *all* of it.

Define "lots".

> If you are using a Developer Release, you should know what you're doing

I disagree - again, this is splitting hairs over the use of the words "developer release".

> or be willing to find out.

I think I can safely say, *everyone* who plays with *nix must be willing to "find out" things by themselves, Linux just simply isn't there yet as far as being a "user friendly" operating system -> which is ironic because my use of "user friendly" is also in many ways splitting hairs over the use of those words.

>SME was my first experience with Linux and it has taught me a lot about *nix,
>and also a lot about the special features of the SME Server.

SME was not my first experience with Linux but it is my first *real* and *serious* use of Linux. One of the things you learn quite early on in the Linux world is that hard core *nix users are almost as bad as hard core Mac users (OK, I know this is leaving myself wide open for flame attacks). They simply refuse to see the shortcomings of the systems when compared with the Windows World. M$ products are not perfect but neither are *nix and Macs (and yes I've worked with both). All products have good and bad points but like most things in the world, millions and millions of users using Windows daily cannot be all wrong or stupid - never let arrogance cloud objectivity.

Also never forget what SME was intended for - it was meant to be a simple to implement file / gateway / firewall server for Small & Medium Enterprises. Again, splitting hairs, this by itself carries with it the implication that it should be easy to use and as user friendly as possible. To this aim, Mitel has gone a long way towards achieving. However, I maintain the lack of a complete set of documentation hampers even those of us who wish to be "developers" as well as ordinary users who just want a simple to install & manage server system (as close to a network appliance as possible). Hence the need sometimes for "developers" to come up with initiatives of their own to better utilise and manage the SME servers (case in point : the contribs.org initiative).

As for bug reporting with the developer release, the commercial release is not supposed to be any different from the developer release aside from the managed server service, blades and commercially available add-ons. Therefore, any "bugs" for the developer release would also normally affect the commercial release. It would be in Mitel's interest to attend to the bugs as a fix for the developer release also fixes it for the commercial one.

Kelvin