
Samba hit by eight-year old flaw
Security firm posted advisory containing ready-made exploit
Samba, the widely used open source technology for sharing Windows files between Unix and Linux systems, has suffered its second security embarrassment of the last few weeks.
And the situation was worsened when a security firm accidentally posted an internal version of its advisory, complete with a working exploit for the vulnerability, which had remained hidden in the code for eight years.
The Samba team, in association with security firm Digital Defense, released an advisory on Monday concerning a major bug affecting all versions of Samba that are currently shipping.
"This vulnerability, if exploited correctly, leads to an anonymous user gaining root access on a Samba serving system," said the Samba team.
Yesterday's revelation is unrelated to a previous flaw identified on 14 March; the fix for that flaw did not address the latest one, which is believed to have been present in the code for as long as eight years and is being actively exploited.
Digital Defense discovered the bug on 1 April when it analysed a live attack against a host running Samba and quickly alerted the developers to the glitch.
With the vulnerability being actively exploited, Samba made the controversial decision of posting its advisory before all vendors had a chance to update their packages.
But Digital Defense slipped up by posting the wrong advisory, which contained a working, ready-to-run exploit written in Perl. Any user who downloaded the code could simply run it against a vulnerable server to spawn a root shell on the target machine.
"The version of the advisory posted by Digital Defense did not have management approval and included exploit code that was not authorised for external distribution," the company admitted.
"We have taken aggressive procedural and policy measures to reduce the likelihood of a similar recurrence."
Users of Samba are advised to update immediately to the 2.2.8a release to fix this security issue.
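As an added illustration of the remediation advice above (this is not code from the Samba project or from Digital Defense), the following POSIX shell helper decides whether a Samba version string predates the 2.2.8a fix. It assumes the version string is given in the plain "2.2.8" form or the "Version 2.2.8" form that `smbd -V` is assumed to print; the sample versions at the bottom are constructed for demonstration.

```shell
#!/bin/sh
# Added example, not Samba project code: flag Samba versions older than the
# 2.2.8a release that the advisory names as the fixed version.

# Print the numeric part of a version component, e.g. "8a" -> "8".
_num() { printf '%s\n' "$1" | sed 's/[^0-9].*$//'; }

# Print the letter suffix of a version component, e.g. "8a" -> "a", "8" -> "".
_suffix() { printf '%s\n' "$1" | sed 's/^[0-9]*//; s/[^a-z].*$//'; }

# samba_is_vulnerable VERSION
# Exit status 0 if VERSION sorts before 2.2.8a, 1 otherwise.
# Accepts "2.2.8a" or "Version 2.2.8a" (assumed `smbd -V` output format).
samba_is_vulnerable() {
    v="${1#Version }"
    major=$(_num "${v%%.*}")
    case "$v" in
        *.*) rest="${v#*.}" ;;
        *)   rest=0 ;;
    esac
    minor=$(_num "${rest%%.*}")
    case "$rest" in
        *.*) patch="${rest#*.}" ;;
        *)   patch=0 ;;
    esac
    patch="${patch%%.*}"            # ignore any fourth component
    pnum=$(_num "$patch")
    psuf=$(_suffix "$patch")
    : "${major:=0}" "${minor:=0}" "${pnum:=0}"

    # Compare (major, minor, patch, suffix) against (2, 2, 8, "a") in order.
    [ "$major" -lt 2 ] && return 0
    [ "$major" -gt 2 ] && return 1
    [ "$minor" -lt 2 ] && return 0
    [ "$minor" -gt 2 ] && return 1
    [ "$pnum" -lt 8 ] && return 0
    [ "$pnum" -gt 8 ] && return 1
    # Exactly 2.2.8: only the lettered 2.2.8a (or later letters) carries the fix.
    [ -z "$psuf" ] && return 0
    return 1
}

# samba_status VERSION: one-line human-readable verdict.
samba_status() {
    if samba_is_vulnerable "$1"; then
        printf '%s: VULNERABLE (older than 2.2.8a)\n' "$1"
    else
        printf '%s: ok (2.2.8a or later)\n' "$1"
    fi
}

# Constructed sample version strings for demonstration.
for sample in "2.2.7" "Version 2.2.8" "2.2.8a"; do
    samba_status "$sample"
done
```

On a real host you would feed the helper the output of `smbd -V` (for example `samba_status "$(smbd -V)"`). A version string alone cannot tell you whether a vendor has backported the fix into an older-numbered package, so treat a "VULNERABLE" verdict as a prompt to check the package changelog and the distributor's own advisory rather than as a final answer.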