March 18, 2003, 9:02 AM — The developers of the open-source Samba file server product are urging users to upgrade to the latest 2.2.8 stable version of Samba after discovering a potentially critical flaw in earlier versions.
The flaw exists in versions of Samba from 2.0.x to 2.2.7a inclusive, and if users are not in a position to upgrade immediately to 2.2.8, they should prohibit access to TCP (Transmission Control Protocol) ports 139 and 445 on machines running the Samba server, the Samba organization said.
The flaw in the Samba code could allow an external attacker to remotely and anonymously gain super-user, or root, privileges on a server running Samba. This would enable the remote user to execute any code on the server without restrictions.
Samba is an open-source software suite that enables Unix and Linux servers to offer file and print services for Windows systems running the Server Message Block/Common Internet File System (SMB/CIFS) protocols. A Samba-enabled Unix machine can therefore be used as an alternative to a Windows server on a corporate network.
The Samba team also said that the SMB/CIFS protocol implemented by Samba is vulnerable to many attacks, even without specific security holes. The TCP ports 139 and the new port 445 used by Windows 2000, and the Samba 3.0 alpha code in particular, should never be exposed to untrusted networks, the group said.
The Samba team said the new release could be downloaded from: http://download.samba.org/samba/ftp/ in the file samba-2.2.8.tar.gz or samba-2.2.8.tar.bz2.