Samba bug

Darryl Pearle

Samba bug

« on: April 08, 2003, 06:27:48 PM »

Displaying my ignorance here.. but where do we go for news and info on how Mitel are dealing with recently announced security weaknesses such as this one?

http://news.com.com/2100-1002-995834.html?tag=fd_top

Apparently this one has taken everyone by surprise but it would be nice at least to see Mitel mention that they know about it and are working on it.. I forget where I read this but the bug affects everything up to 2.2.8 so as far as I can tell that includes the latest SME server?

Logged

Andrew Hodgson

Re: Samba bug

« Reply #1 on: April 08, 2003, 08:42:41 PM »

Hi,

The SME server is protected by filtering external connections on the Samba ports, so this is not an issue with external connections. This has been discussed on the board in the past.

Andrew.

Logged

Steve Brock

Re: Samba bug

« Reply #2 on: April 08, 2003, 11:33:58 PM »

What about users on the local lan?

Logged

guestHH

Re: Samba bug

« Reply #3 on: April 09, 2003, 02:16:34 AM »

then you have another problem not related to samba...

Logged

s b

Re: Samba bug

« Reply #4 on: April 09, 2003, 04:46:52 AM »

guestHH wrote:
>
> then you have another problem not related to samba...

So you are saying that all users on the LAN are implicity trustworthy?

That is not an acceptable situation.

Logged

Darryl Pearle

Re: Samba bug

« Reply #5 on: April 09, 2003, 05:41:00 PM »

A. Hodgson - thanks. I knew that the crazy thing wasn't going to accept external connections on that port, just didn't make the connection. Duh!

I wonder though, what if I had the PPTP connection enabled and someone managed to compromise that? I believe you can limit connections to specific IP addresses but that's useless if your clients are using ISPs with dynamic addresses. Can it be configured to limit connections to a FQDN so that client with dynamic IP address could use a dynamic DNS service..?

Logged

Bill Talcott

Re: Samba bug

« Reply #6 on: April 09, 2003, 07:36:15 PM »

Darryl Pearle wrote:
>
> I wonder though, what if I had the PPTP connection enabled
> and someone managed to compromise that? I believe you can
> limit connections to specific IP addresses but that's useless
> if your clients are using ISPs with dynamic addresses. Can it
> be configured to limit connections to a FQDN so that client
> with dynamic IP address could use a dynamic DNS service..?

You can limit PPTP to certain users. I typed up the instructions from a thread here into a pretty HowTo in my space at contribs.org. I don't believe there's any way to restrict it to certain IPs without monkeying with the inner workings of stuff - firewall rules, etc.

I do agree that the bug should be fixed, rather than just firewalled. As others have said, you can't assume all users are trustworthy. Disgruntled employees, PPTP breaches like Darryl said, clueless employees tricked into running something, etc. Obviously the internet is the biggest threat, but I still consider it a problem until the bug is fixed against local access too.

Logged

Steve Brock

Re: Samba bug

« Reply #7 on: April 09, 2003, 09:17:30 PM »

Its bad policy. A bug left unpatched could jeopardize usage in corporate environments where no user should be considered trustworthy. Also, it kind of puts people off, a company not coming out with security patches swiftly. A good example is Sun Cobalt machines.... Serious bugs are left unpatched for months. You have to turn to the community to get secure, and void your warranty. Look at their patch for the sendmail problem. Issue was released March 3rd and a patch was made available from Sun on March 27th. Since Sun bought Cobalt, its as if they don't care. Hopefully Mitel cares about us!

And if i wanted insecure, buggy software, I'd be using windows.

Logged

guestHH

Re: Samba bug

« Reply #8 on: April 10, 2003, 10:33:01 AM »

issue addressed by the latest security update...

Logged

Danny Wong

Re: Samba bug

« Reply #9 on: April 10, 2003, 10:35:54 PM »

It actually appears that the bug is fixed in 2.2.8a not samba-2.2.7-3.7.3es1 which is included in the Update. Users should update to 2.2.8a after applying the Update3 in order to be clear of issue listed here. http://www.kb.cert.org/vuls/id/298233

Logged

Charlie Brady

Re: Samba bug

« Reply #10 on: April 11, 2003, 05:48:36 AM »

Danny Wong wrote:

> It actually appears that the bug is fixed in 2.2.8a not
> samba-2.2.7-3.7.3es1 which is included in the Update. Users
> should update to 2.2.8a after applying the Update3 in order
> to be clear of issue listed here.
> http://www.kb.cert.org/vuls/id/298233

Please check your facts before posting misleading information, Danny.

Here's the full story:

- Team samba released samba 2.2.8a containing the security fix
- RedHat released their update for RedHat 7.3, samba-2.2.7-3.7.3, containing the security fix applied to the version of samba shipped with RedHat 7.3.
- Mitel rebuilt the source code of RedHat's fix with a configuration change to remove a dependency on the cups libraries

This history is available in the changelog of the package, which you can see by running "rpm -q --changelog samba":

* Tue Apr 08 2003 Charlie Brady 2.2.7-3.7.3es1

- Rebuild using --without-cups.

* Sat Apr 05 2003 Jay Fenlason 2.2.7-3.7.3

- import security rollup patch for 2.2.7a
- import bugfix so that "logon script = %g.bat" won't hang smbd.
- import fix for "wide links = no" from 2.2.8

* Fri Mar 14 2003 Jay Fenlason 2.2.7-2.7.3

- import security fix from 2.2.8
- remove duplicate /sbin/chkconfig --del winbind from spec file

...

If you have any security concerns in the future, please raise them with smesecurity@mitel.com.

Thanks

Charlie

Logged

Danny Wong

Re: Samba bug

« Reply #11 on: April 11, 2003, 07:28:11 PM »

I appologize.

Logged