Two Security Vulnerabilities in SAMBA(7) May Allow Unauthorized Access to the Remote Root Filesystem or May Lead to a Denial of Service (DoS) Condition

---

Two Security Vulnerabilities in SAMBA(7) May Allow Unauthorized Access to the Remote Root Filesystem or May Lead to a Denial of Service (DoS) Condition

1. Impact

Two security vulnerabilities in SAMBA(7) may result in one or both of the following issues:

1. A remote unprivileged user with a valid SAMBA account may gain unauthorized access to the remote root file system. This issue is referenced in the following CVE document:


2. A remote unprivileged user on an authenticated SAMBA connection may cause a Denial of Service (DoS) condition via specially crafted SMB requests. This issue is referenced in the following CVE document:


2. Contributing Factors

These issues can occur in the following releases:

SPARC Platform

• Solaris 9
• Solaris 10 without patch 119757-17
• OpenSolaris based upon builds snv_01 through 126
  

X86 Platform

• Solaris 9
• Solaris 10 without patch 119758-17
• OpenSolaris based upon builds snv_01 through 126

running SAMBA software 3.0.36 and earlier.

Notes:

1. Solaris 8 does not include the SAMBA software and is not affected by this issue.

2. OpenSolaris distributions may include additional bug fixes above and beyond the build from which it was derived. To determine the base build of OpenSolaris, the following command can be run:

$ uname -v
snv_125

3. These issues can only occur if the following conditions are true:


To determine if a system is configured as a SAMBA server, the following command can be run to check for processes related to SAMBA:

% ps -ef | grep mbd
root   317     1   0   May 26 ?           0:01 /usr/sfw/sbin/smbd -D
root   325   317   0   May 26 ?           0:00 /usr/sfw/sbin/smbd -D
root   314     1   0   May 26 ?           0:27 /usr/sfw/sbin/nmbd -D
root 28369 17382   0 23:17:46 pts/2       0:00 grep mbd

If the output shows "smbd" or "nmbd" running as a daemon (with the -D parameter), the system is configured as a SAMBA server.

To determine the SAMBA version, the following command can be run:

$ /usr/sfw/sbin/smbd -V
Version 3.0.28

4. The issue described in CVE-2009-2813 only occurs for users with an empty home directory and if automated [homes] share is enabled in SAMBA.

To determine which users have an empty home directory, the following command can be run:

$ getent passwd | /usr/bin/grep '^[^:]*:[^:]*:[^:]*:[^:]*:[^:]*::'
joe:x:62237:6883:Test User::/bin/ksh

The above example shows that the user 'Test User' has an empty home directory.

To determine if automated [homes] share is enabled in SAMBA, the following command can be run:

$ /usr/bin/grep '\[homes\]' /etc/sfw/smb.conf || echo "Automated [homes] share was not enabled"

3. Symptoms

Should the issue described in CVE-2009-2906 occur, the smbd(1M) daemon will consume a large amount of CPU resources. The prstat(1M) command may be used to verify the CPU usage of the smbd(1M) process as indicated in the following example:

=========================Example output: ===================================

PID   USERNAME   SIZE   RSS   STATE  PRI  NICE   TIME    CPU PROCESS/NLWP       
28452  root       11M 1172K   sleep   59    0    1:09:11    43% smbd/1
...
============================================================================

On machines with multiple CPUs, the smbd(1M) daemon utilizes a large amount of resources on a single CPU.

There are no predictable symptoms to indicate the issue described in CVE-2009-2813 is exploited to gain unauthorized access to the remote root filesystem.

4. Workaround

To work around the issue described in CVE-2009-2813, the SAMBA service may be configured to disable the automated [homes] share. This may be done by removing the entry '[homes]' from '/etc/sfw/smb.conf' as follows:

On Solaris 9:

# /etc/init.d/samba stop

# /etc/init.d/samba start

On Solaris 10:

# svcadm disable samba

# svcadm enable samba

To work around the issue described in CVE-2009-2906, disable the SAMBA service by using the following commands:

# /etc/init.d/samba stop

# svcadm disable samba

5. Resolution

This issue is addressed in the following releases:

SPARC Platform

• Solaris 10 with patch 119757-17 or later
• OpenSolaris based upon builds snv_127 or later
  

x86 Platform

• Solaris 10 with patch 119758-17 or later
• OpenSolaris based upon builds snv_127 or later

A final resolution is pending completion for Solaris 9.

For more information on Security Sun Alerts, see Technical Instruction ID 213557.

This Sun Alert notification is being provided to you on an "AS IS" basis. This Sun Alert notification may contain information provided by third parties. The issues described in this Sun Alert notification may or may not impact your system(s). Sun makes no representations, warranties, or guarantees as to the information contained herein. ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN. This Sun Alert notification contains Sun proprietary and confidential information. It is being provided to you pursuant to the provisions of your agreement to purchase services from Sun, or, if you do not have such an agreement, the Sun.com Terms of Use. This Sun Alert notification may only be used for the purposes contemplated by these agreements.

Copyright 2000-2009 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, CA 95054 U.S.A. All rights reserved.




Attachments

This solution has no attachment