MA-305.042012 : MyCERT Alert - Critical Vulnerability in Samba
Date of publication: 2011-04-11
A critical vulnerability has been identified in Samba, an Open Source/Free Software suite that provides seamless file and print services to SMB/CIFS clients. This vulnerability allows remote code execution as the "root" user from an anonymous connection.
The code generator for Samba's remote procedure call (RPC) code contained an error, which caused it to generate code containing a security flaw. This generated code is used in the parts of Samba that control marshalling and unmarshalling of RPC calls over the network.
The flaw caused checks on the variable containing the length of an allocated array to be done independently from the checks on the variable used to allocate the memory for that array. Because both of these variables are controlled by the connecting client, a specially crafted RPC call can cause the server to execute arbitrary code.
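The check this class of flaw is missing, shown as an added example (not Samba's generated code and not part of the original alert): an unmarshalling routine that validates the copy length against the allocation count before touching memory. The wire layout, the `MAX_ELEMS` cap and all function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical wire layout, constructed for illustration (not Samba's NDR):
 *   u32le alloc_count | u32le elem_count | elem_count x u32le elements
 * Both counts are client-controlled, as in the advisory. */
#define MAX_ELEMS 1024u /* assumed policy cap on one array */
enum { UNM_OK = 0, UNM_TRUNCATED = -1, UNM_TOO_LARGE = -2, UNM_MISMATCH = -3, UNM_NOMEM = -4 };

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Unmarshal into a freshly allocated array; the caller frees *out. */
int unmarshal_array(const uint8_t *buf, size_t len, uint32_t **out, uint32_t *out_n) {
    *out = NULL; *out_n = 0;
    if (len < 8) return UNM_TRUNCATED;
    uint32_t alloc_count = rd32(buf), elem_count = rd32(buf + 4);
    if (alloc_count > MAX_ELEMS) return UNM_TOO_LARGE;    /* bound the allocation */
    if (elem_count > alloc_count) return UNM_MISMATCH;    /* tie copy length to allocation */
    if ((len - 8) / 4 < elem_count) return UNM_TRUNCATED; /* elements must be present in input */
    uint32_t *arr = calloc(alloc_count ? alloc_count : 1, sizeof *arr);
    if (arr == NULL) return UNM_NOMEM;
    for (uint32_t i = 0; i < elem_count; i++)
        arr[i] = rd32(buf + 8 + 4 * (size_t)i);
    *out = arr; *out_n = elem_count;
    return UNM_OK;
}

/* Build a constructed message carrying n_payload elements and return the parser's status. */
int try_message(uint32_t alloc_count, uint32_t elem_count, uint32_t n_payload) {
    size_t len = 8 + 4 * (size_t)n_payload;
    uint8_t *msg = malloc(len);
    uint32_t *arr, n;
    if (msg == NULL) return UNM_NOMEM;
    wr32(msg, alloc_count); wr32(msg + 4, elem_count);
    for (uint32_t i = 0; i < n_payload; i++) wr32(msg + 8 + 4 * (size_t)i, i + 1);
    int rc = unmarshal_array(msg, len, &arr, &n);
    if (rc == UNM_OK && n != elem_count) rc = UNM_MISMATCH;
    free(arr); free(msg);
    return rc;
}
```

A message whose two counts disagree is rejected with `UNM_MISMATCH` before any allocation or copy takes place, which is the dependency between the two checks that the flawed generated code did not enforce.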
3.0 Affected Products
The majority of Samba versions are prone to these vulnerabilities. Below is the list of vulnerable versions:
MyCERT recommends that system administrators of this application upgrade to the latest version of Samba. Samba 3.6.4, Samba 3.5.14 and 3.4.16 have been issued as security releases to correct the defect. Patches against older Samba versions are available at:
For those who are unable to upgrade to the latest version, a workaround is available: Samba contains a "hosts allow" parameter that can be used inside smb.conf to restrict the clients allowed to connect to the server to a trusted list. This can help mitigate the problem caused by this bug, but it is by no means a real fix, as client addresses can be easily faked.
MyCERT advises users of this software to keep up to date with the latest security announcements from the vendor.
MyCERT can be reached through the following channels:
E-mail : firstname.lastname@example.org or email@example.com
Phone : 1-300-88-2999 (monitored during business hours)
Fax : +603 89453442
Handphone : +60 19 2665850 (24x7 call incident reporting)
SMS : CYBER999 REPORT to 15888
Business Hours : Mon - Fri 08:30 - 17:30 MYT