Note: This is an archival copy of Security Sun Alert 271069 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1021111.1.
Article ID : 1021111.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2010-02-10
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Two Security Vulnerabilities in SAMBA(7) May Allow Unauthorized Access to the Remote Root Filesystem or May Lead to a Denial of Service (DoS) Condition



Category
Security

Release Phase
Resolved

Bug Id
6888097

Product
SAMBA
Solaris 9 Operating System
Solaris 10 Operating System
OpenSolaris

Date of Workaround Release
17-Nov-2009

Date of Resolved Release
11-Feb-2010

Two Security Vulnerabilities in SAMBA(7) May Allow Unauthorized Access to the Remote Root Filesystem or May Lead to a Denial of Service (DoS) Condition

1. Impact

Two security vulnerabilities in SAMBA(7) may result in one or both of the following issues:

1. A remote unprivileged user with a valid SAMBA account may gain unauthorized access to the remote root file system. This issue is referenced in the following CVE document:


2. A remote unprivileged user on an authenticated SAMBA connection may cause a Denial of Service (DoS) condition via specially crafted SMB requests. This issue is referenced in the following CVE document:


2. Contributing Factors

These issues can occur in the following releases:

SPARC Platform
  • Solaris 9 without patch 114684-15
  • Solaris 10 without patch 119757-17
  • OpenSolaris based upon builds snv_01 through 126
X86 Platform
  • Solaris 9 without patch 114685-15
  • Solaris 10 without patch 119758-17
  • OpenSolaris based upon builds snv_01 through 126
running SAMBA software 3.0.36 and earlier.

Notes:

1. Solaris 8 does not include the SAMBA software and is not affected by this issue.

2. OpenSolaris distributions may include additional bug fixes above and beyond the build from which it was derived. To determine the base build of OpenSolaris, the following command can be run:
$ uname -v
snv_125
3. These issues can only occur if the following conditions are true:

- The system is configured as a SAMBA server
- The version of SAMBA installed is earlier than 3.0.37

To determine if a system is configured as a SAMBA server, the following command can be run to check for processes related to SAMBA:
% ps -ef | grep mbd
root   317     1   0   May 26 ?           0:01 /usr/sfw/sbin/smbd -D
root   325   317   0   May 26 ?           0:00 /usr/sfw/sbin/smbd -D
root   314     1   0   May 26 ?           0:27 /usr/sfw/sbin/nmbd -D
root 28369 17382   0 23:17:46 pts/2       0:00 grep mbd
If the output shows "smbd" or "nmbd" running as a daemon (with the -D parameter), the system is configured as a SAMBA server.

To determine the SAMBA version, the following command can be run:
$ /usr/sfw/sbin/smbd -V
Version 3.0.28
4. The issue described in CVE-2009-2813 only occurs for users with an empty home directory and if automated [homes] share is enabled in SAMBA.

To determine which users have an empty home directory, the following command can be run:
$ getent passwd | /usr/bin/grep '^[^:]*:[^:]*:[^:]*:[^:]*:[^:]*::'
joe:x:62237:6883:Test User::/bin/ksh
The above example shows that the user 'Test User' has an empty home directory.

To determine if automated [homes] share is enabled in SAMBA, the following command can be run:
$ /usr/bin/grep '\[homes\]' /etc/sfw/smb.conf || echo "Automated [homes] share was not enabled"
3. Symptoms

Should the issue described in CVE-2009-2906 occur, the smbd(1M) daemon will consume a large amount of CPU resources. The prstat(1M) command may be used to verify the CPU usage of the smbd(1M) process as indicated in the following example:
=========================Example output: ===================================
PID   USERNAME   SIZE   RSS   STATE  PRI  NICE   TIME    CPU PROCESS/NLWP       
28452  root       11M 1172K   sleep   59    0    1:09:11    43% smbd/1
...
============================================================================
On machines with multiple CPUs, the smbd(1M) daemon utilizes a large amount of resources on a single CPU.

There are no predictable symptoms to indicate the issue described in CVE-2009-2813 is exploited to gain unauthorized access to the remote root filesystem.

4. Workaround

To work around the issue described in CVE-2009-2813, the SAMBA service may be configured to disable the automated [homes] share. This may be done by removing the entry '[homes]' from '/etc/sfw/smb.conf' as follows:

On Solaris 9:

1. Stop the SAMBA service:
# /etc/init.d/samba stop
2. Edit the '/etc/sfw/smb.conf' file and remove the entry '[homes]'

3. Start the SAMBA service again:
# /etc/init.d/samba start
On Solaris 10:

1. Stop the SAMBA service:
# svcadm disable samba
2. Edit the '/etc/sfw/smb.conf' file and remove the entry '[homes]'

3. Start the SAMBA service again:
# svcadm enable samba
To work around the issue described in CVE-2009-2906, disable the SAMBA service by using the following commands:

On Solaris 9:
# /etc/init.d/samba stop
On Solaris 10:
# svcadm disable samba
5. Resolution

This issue is addressed in the following releases:

SPARC Platform
  • Solaris 9 with patch 114684-15 or later
  • Solaris 10 with patch 119757-17 or later
  • OpenSolaris based upon builds snv_127 or later
x86 Platform
  • Solaris 9 with patch 114685-15 or later
  • Solaris 10 with patch 119758-17 or later
  • OpenSolaris based upon builds snv_127 or later
For more information on Security Sun Alerts, see 1009886.1.

This Sun Alert notification is being provided to you on an "AS IS" basis. This Sun Alert notification may contain information provided by third parties. The issues described in this Sun Alert notification may or may not impact your system(s). Sun makes no representations, warranties, or guarantees as to the information contained herein. ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN. This Sun Alert notification contains Sun proprietary and confidential information. It is being provided to you pursuant to the provisions of your agreement to purchase services from Sun, or, if you do not have such an agreement, the Sun.com Terms of Use. This Sun Alert notification may only be used for the purposes contemplated by these agreements.

Copyright 2000-2009 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, CA 95054 U.S.A. All rights reserved.


Modification History
05-Feb-2010: Updated Contributing Factors and Resolution sections for Solaris 9 patches
11-Feb-2010: Final patches released, updated Contributing Factors and Resolution sections, now Resolved


References

119757-17
119758-17
122675-04
122676-04
114684-15
114685-15





Attachments
This solution has no attachment