Samba vulnerability (CVE-2015-0240) Check and Fix

INTRODUCTION TO CVE-2015-0240

Another vulnerability, this time in the Samba suite on Linux, was made public on 23 Feb 2015. Samba is the open-source implementation of the SMB/CIFS protocol that lets Linux/Unix systems share files and printers over the network with other machines, especially Windows systems.

CVE-2015-0240 is a vulnerability in the Samba server daemon (smbd) and can be exploited with nothing more than a Samba client: an attacker sends crafted packets to the Samba server.

The impact is rated Critical because exploitation requires no authentication, and because smbd runs as root, arbitrary code execution in it gives the attacker root access.

The Netlogon server implementation in smbd in Samba 3.5.x and 3.6.x before 3.6.25, 4.0.x before 4.0.25, 4.1.x before 4.1.17, and 4.2.x before 4.2.0rc5 performs a free operation on an uninitialized stack pointer, which allows remote attackers to execute arbitrary code via crafted Netlogon packets that use the ServerPasswordSet RPC API, as demonstrated by packets reaching the _netr_ServerPasswordSet function in rpc_server/netlogon/srv_netlog_nt.c.

Samba 4.2.0rc5, 4.1.17, 4.0.25 and 3.6.25 have been issued as security releases to correct the defect. Patches against older Samba versions are available at http://samba.org/samba/patches/

DETECTION

On Red Hat based systems you can use the script below, which is provided by Red Hat itself. Save it as check.sh:

#!/bin/sh
# Red Hat's CVE-2015-0240 check. A package is treated as fixed when the CVE id
# appears in its RPM %changelog, which every Red Hat security update records.
# "=" is used inside [ ] instead of the bash-only "==" so the script also runs
# under a POSIX /bin/sh such as dash.

SAMBA=$(rpm -q samba >/dev/null 2>&1; echo $?)
SAMBA3=$(rpm -q samba3x >/dev/null 2>&1; echo $?)
SAMBA4=$(rpm -q samba4 >/dev/null 2>&1; echo $?)
RHEL5=$(grep -qi "release 5" /etc/redhat-release; echo $?)
RHEL4=$(grep -qi "release 4" /etc/redhat-release; echo $?)
AFFECTED=0
UPDATED=0

# RHEL 5 ships the fix in the samba3x package
if [ "${SAMBA3}" = "0" ] ; then
  if [ "$(rpm -q --changelog samba3x | grep -q CVE-2015-0240; echo $?)" = "1" ]; then
    echo "A vulnerable samba3x is installed! Please see https://access.redhat.com/articles/1346913 for instructions to upgrade to a newer version."
    AFFECTED=1
  else
    echo "You have installed the patched samba updates."
    UPDATED=1
  fi
fi

# RHEL 6 may carry the samba4 package in addition to (or instead of) samba
if [ "${SAMBA4}" = "0" ]; then
  if [ "$(rpm -q --changelog samba4 | grep -q CVE-2015-0240; echo $?)" = "1" ]; then
    echo "A vulnerable samba4 is installed! Please see https://access.redhat.com/articles/1346913 for instructions to upgrade to a newer version."
    AFFECTED=1
  else
    echo "You have installed the patched samba updates."
    UPDATED=1
  fi
fi

# The plain samba package is affected on RHEL 6 and 7 only; the samba 3.0.x
# package on RHEL 4 and 5 predates the vulnerable code
if [ "${SAMBA}" = "0" ] && [ "${RHEL5}" = "1" ] && [ "${RHEL4}" = "1" ]; then
  if [ "$(rpm -q --changelog samba | grep -q CVE-2015-0240; echo $?)" = "1" ]; then
    echo "A vulnerable samba is installed! Please see https://access.redhat.com/articles/1346913 for instructions to upgrade to a newer version."
    AFFECTED=1
  else
    echo "You have installed the patched samba updates."
    UPDATED=1
  fi
elif [ "${SAMBA}" = "0" ] && [ "${RHEL5}" = "0" ]; then
  echo "The installed 'samba' package on Red Hat Enterprise Linux 5 is not affected by this flaw."
elif [ "${SAMBA}" = "0" ] && [ "${RHEL4}" = "0" ]; then
  echo "The installed 'samba' package on Red Hat Enterprise Linux 4 is not affected by this flaw."
fi

if [ "${AFFECTED}" = "0" ]; then
  echo "No vulnerable packages installed!"
elif [ "${UPDATED}" = "1" ]; then
  echo "You have installed the patched samba update(s)."
fi

Give the execute permission to the script:

$ chmod +x check.sh

Execute the script:

$ ./check.sh

If a vulnerable Samba package is installed, the script prints that your Samba is vulnerable. Otherwise it tells you that you have already patched your Samba server, or that your Samba package is not affected by this flaw.

On Debian-based systems (Debian, Ubuntu, Kali etc.) there is no such script, so start from the installed Samba version. smbstatus prints it on the first line of its output (it needs root and a running smbd; smbd -V or dpkg -l samba give the same version without either):

$ smbstatus

Compare the version with the vulnerable ranges listed in the Introduction. One caveat a version check alone misses: Debian and Ubuntu backport security fixes without changing the upstream version number, so a package whose version falls in a vulnerable range may already be fixed. The package changelog (/usr/share/doc/samba/changelog.Debian.gz) names CVE-2015-0240 when the backport is present, and that is the authoritative check.
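The Debian-side check described above, as an added example that is not part of the original post or of the Samba or Debian projects. It combines the version-range comparison against the fixed releases from the Introduction with a changelog search for the CVE id, so a backported fix is not reported as vulnerable. The dpkg-query call and the changelog path at the bottom are assumptions about a typical Debian/Ubuntu install and are skipped where dpkg is absent; the changelog excerpts in the script are constructed samples, not real uploads.

```sh
#!/bin/sh
# Added example: Debian/Ubuntu check for CVE-2015-0240 in the samba package.
# Two facts drive it:
#   1. the fixed upstream releases are 3.6.25, 4.0.25, 4.1.17 and 4.2.0rc5
#      (3.5.x never received an upstream fix);
#   2. Debian/Ubuntu backport fixes without bumping the upstream version, and the
#      package changelog records the CVE id when they do.

# Reduce a Debian package version ("2:3.6.6-6+deb7u5") to its upstream part ("3.6.6").
upstream_version() {
    v=${1#*:}                 # drop the epoch, if any
    printf '%s\n' "${v%%-*}"  # drop the Debian revision, if any
}

# Exit 0 when the upstream version falls in one of the advisory's vulnerable ranges,
# 1 otherwise (a fixed release, or a version the advisory does not list at all).
samba_version_vulnerable() {
    ver=$(upstream_version "$1")
    maj=${ver%%.*}; rest=${ver#*.}
    min=${rest%%.*}; patch=${rest#*.}
    case "$maj.$min" in
        3.5) return 0 ;;        # 3.5.x: vulnerable, no upstream fix
        3.6) fixed=25 ;;
        4.0) fixed=25 ;;
        4.1) fixed=17 ;;
        4.2) case "$patch" in   # only the release candidates 4.2.0rc1..rc4 are affected
                 0rc[1-4]) return 0 ;;
                 *)        return 1 ;;
             esac ;;
        *)   return 1 ;;        # outside the ranges listed in the advisory
    esac
    num=$(printf '%s' "$patch" | sed 's/[^0-9].*$//')   # "25" from "25" or "25rc1"
    [ "${num:-0}" -lt "$fixed" ]
}

# Exit 0 when the changelog text on stdin mentions the CVE, 1 otherwise.
changelog_mentions_cve() {
    grep -q 'CVE-2015-0240'
}

# Combine both checks for one package version and its changelog text.
samba_verdict() {
    if samba_version_vulnerable "$1"; then
        if printf '%s\n' "$2" | changelog_mentions_cve; then
            echo "patched (backport)"
        else
            echo "vulnerable"
        fi
    else
        echo "not vulnerable"
    fi
}

# Constructed changelog excerpts (not real Debian uploads) so the checks can be
# exercised on any machine.
SAMPLE_CHANGELOG_PATCHED='samba (2:3.6.6-6+deb7u5) wheezy-security; urgency=high

  * Backport the upstream fix for CVE-2015-0240 (code execution in smbd).
'
SAMPLE_CHANGELOG_UNPATCHED='samba (2:3.6.6-6+deb7u4) wheezy-security; urgency=high

  * Earlier fixes only.
'

# On a real Debian/Ubuntu host (assumed layout), check the installed package.
if command -v dpkg-query >/dev/null 2>&1 &&
   pkgver=$(dpkg-query -W -f='${Version}' samba 2>/dev/null); then
    log=$(zcat /usr/share/doc/samba/changelog.Debian.gz 2>/dev/null)
    echo "samba $pkgver: $(samba_verdict "$pkgver" "$log")"
fi
```

The version parser deliberately treats anything outside the advisory's ranges as "not vulnerable" rather than guessing about end-of-life branches; if you run a Samba older than 3.5 you are unsupported and should upgrade regardless.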

Vulnerability Resolution

On Red Hat based systems (RHEL, Fedora or CentOS) run the commands below as root (or with sudo) to update:

$ yum update
$ yum update samba

If you use RHEL 5 and the samba3x package:

$ yum update samba3x

If you use RHEL 6 and the samba4 package:

$ yum update samba4

Restart the Samba service afterwards (service smb restart on RHEL/CentOS) so the running smbd is the patched binary, and you are done!

On Debian-based systems, refresh the package index and then upgrade Samba. Note that apt-get upgrade does not accept package names; to upgrade only Samba use apt-get install with --only-upgrade (or run a plain apt-get upgrade to update everything):

$ apt-get update
$ apt-get install --only-upgrade samba

You might need to prefix the above commands with sudo. Restart smbd afterwards (service smbd restart) so the running daemon is the patched one.

Mitigating GHOST Vulnerability (CVE-2015-0235)

On 27 Jan 2015 a new, very critical vulnerability named GHOST was disclosed. It mainly affects servers and systems running Linux, because the flaw is in glibc, the GNU C Library that nearly every Linux program links against.

A heap-based buffer overflow was found in glibc’s __nss_hostname_digits_dots() function, which is used by the gethostbyname() and gethostbyname2() glibc function calls. A remote attacker able to make an application call either of these functions could use this flaw to execute arbitrary code with the permissions of the user running the application.

The vulnerability was named GHOST because it is reached through the gethostbyname*() functions of the GNU C Library.

Now the question is how to fix/patch this vulnerability and secure the system. First of all, we need to diagnose whether our server/system is really vulnerable.

There are two ways to detect it. We can use a small C program that triggers the overflow against a canary, or the script provided by Red Hat for Red Hat based systems (RHEL, CentOS, Fedora etc.). So, let’s diagnose it now:

Affected distributions:

  • RHEL (Red Hat Enterprise Linux) version 5.x, 6.x and 7.x
  • CentOS Linux version 5.x, 6.x & 7.x
  • Ubuntu Linux version 10.04, 12.04 LTS
  • Debian Linux version 7.x
  • Linux Mint version 13.0
  • Fedora Linux version 19 or older

Basically, every Linux distribution shipping a glibc older than 2.18 without a backported fix is affected. The vulnerability is not in the OS itself but in the C library used by most of its components, and gethostbyname() and friends are called by almost anything that resolves a host name. The bug was fixed upstream on 21 May 2013 and shipped in glibc 2.18, but it was not recognised as a security issue at the time, so stable distributions kept shipping the older, vulnerable versions.

Using the C Program:

1. Create a file on your machine with the name GHOST.c and paste the following code in that file:

#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>

#define CANARY "in_the_coal_mine"

/* The canary sits directly after the buffer handed to gethostbyname_r().
 * On a vulnerable glibc, __nss_hostname_digits_dots() writes past the end
 * of the buffer and overwrites the canary; a fixed glibc reports ERANGE
 * instead and leaves it intact. */
struct {
  char buffer[1024];
  char canary[sizeof(CANARY)];
} temp = { "buffer", CANARY };

int main(void) {
  struct hostent resbuf;
  struct hostent *result;
  int herrno;
  int retval;

  /* Pick a host name length that exactly fills the buffer according to the
   * buggy size computation inside glibc:
   *   strlen (name) = size_needed - sizeof (*host_addr) - sizeof (*h_addr_ptrs) - 1 */
  size_t len = sizeof(temp.buffer) - 16*sizeof(unsigned char) - 2*sizeof(char *) - 1;
  char name[sizeof(temp.buffer)];
  memset(name, '0', len);   /* all digits, so the "digits and dots" fast path is taken */
  name[len] = '\0';

  retval = gethostbyname_r(name, &resbuf, temp.buffer, sizeof(temp.buffer), &result, &herrno);

  if (strcmp(temp.canary, CANARY) != 0) {
    puts("vulnerable");            /* the canary was overwritten */
    exit(EXIT_SUCCESS);
  }
  if (retval == ERANGE) {
    puts("not vulnerable");        /* glibc noticed the buffer was too small */
    exit(EXIT_SUCCESS);
  }
  puts("should not happen");
  exit(EXIT_FAILURE);
}

2. Compile the program with the command below. This compiles the code in GHOST.c and writes the executable to a file named GHOST:

gcc GHOST.c -o GHOST

3. Run the compiled GHOST binary. Your terminal should print “vulnerable” or “not vulnerable” depending on your system’s status:

./GHOST

Using the Shell Script:

1. Create a file with the name Ghost.sh and paste the following code in that file and save it.

#!/bin/bash
#Version 3

echo "Installed glibc version(s)"

rv=0
for glibc_nvr in $( rpm -q --qf '%{name}-%{version}-%{release}.%{arch}\n' glibc ); do
    glibc_ver=$( echo "$glibc_nvr" | awk -F- '{ print $2 }' )
    glibc_maj=$( echo "$glibc_ver" | awk -F. '{ print $1 }')
    glibc_min=$( echo "$glibc_ver" | awk -F. '{ print $2 }')

    echo -n "- $glibc_nvr: "
    if [ "$glibc_maj" -gt 2 -o \
         \( "$glibc_maj" -eq 2 -a "$glibc_min" -ge 18 \) ]; then
        # fixed upstream version
        echo 'not vulnerable'
    else
        # all RHEL updates include CVE in rpm %changelog
        if rpm -q --changelog "$glibc_nvr" | grep -q 'CVE-2015-0235'; then
            echo "not vulnerable"
        else
            echo "vulnerable"
            rv=1
        fi
    fi
done

if [ $rv -ne 0 ]; then
    cat <<EOF

This system is vulnerable to CVE-2015-0235. <https://access.redhat.com/security/cve/CVE-2015-0235>
Please refer to <https://access.redhat.com/articles/1332213> for remediation steps
EOF
fi

exit $rv

2. Before running the script, we need to add execute permission to it. So, use the following command:

chmod +x Ghost.sh

3. Running the script:

./Ghost.sh

So, if you see “vulnerable” from either of the methods above, it’s time to apply the patch; otherwise you can stop reading here. :)

Patching Vulnerability

Most Linux distributors had patches in their package repositories by disclosure day, because the upstream fix has existed since May 21, 2013 (it shipped in glibc 2.18) and only needed backporting to the older branches they ship. So you just need to install the updates.

On systems based on Red Hat (RHEL, CentOS, Fedora etc.) use the commands below:

sudo yum clean all
sudo yum update
sudo reboot

In the systems which are based on Debian based distribution i.e. Debian Linux, Ubuntu etc. use the commands below:

sudo apt-get clean
sudo apt-get update
sudo apt-get upgrade
sudo reboot

You don’t need to use sudo if you are a root user.
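Both procedures above end with a restart (of smbd for the Samba fix, of the whole machine for the glibc fix) for the same reason: a process started before the update keeps the old library or binary mapped in memory until it is restarted, and the kernel marks such mappings "(deleted)" in /proc/PID/maps. The script below, an added example that is not part of the original post, lists those processes so you can restart just the affected services, or confirm that a reboot is actually needed. The /proc layout and the library file names (libc-2.x.so or libc.so.6) are the assumptions it relies on; the maps lines in the usage test are constructed samples.

```sh
#!/bin/sh
# Added example: find processes still running on a replaced glibc or smbd.
# A "(deleted)" suffix on a mapped path in /proc/PID/maps means the file on disk
# was replaced (by the package update) after the process mapped it.

# Print the distinct "(deleted)" mapped paths in one maps file whose path matches
# the awk regex $2. Maps fields: address perms offset dev inode path [(deleted)].
stale_maps_in() {
    awk -v pat="$2" '$NF == "(deleted)" && $6 ~ pat { print $6 }' "$1" 2>/dev/null | sort -u
}

# Walk every PID directory under $1 (default /proc) and print "PID COMM PATH" for
# each stale mapping matching $2 (default: the C library, libc-2.x.so or libc.so.6).
stale_processes() {
    procdir=${1:-/proc}
    pat=$2; [ -n "$pat" ] || pat='/libc[.-]'
    for maps in "$procdir"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        dir=${maps%/maps}
        pid=${dir##*/}
        libs=$(stale_maps_in "$maps" "$pat")
        [ -n "$libs" ] || continue
        comm=$(cat "$dir/comm" 2>/dev/null || echo '?')
        for lib in $libs; do
            printf '%s %s %s\n' "$pid" "$comm" "$lib"
        done
    done
    return 0
}

# Stand-alone run: processes still using a replaced glibc, then a replaced smbd.
if [ -d /proc ]; then
    stale_processes /proc '/libc[.-]'
    stale_processes /proc '/smbd$'
fi
```

Run it as root to see every process; unprivileged users can only read the maps of their own processes. After GHOST, a long list (sshd, init, syslog, cron and so on) is the usual picture, which is why the reboot above is the pragmatic fix; after the Samba update only smbd and nmbd should show up.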

You are Done!

How to check and Mitigate Shellshock?

On 24th September 2014, a new vulnerability in GNU Bash (CVE-2014-6271) was published in the National Vulnerability Database (NVD).

As per the NVD description, the bug allows remote attackers to execute shell commands by placing malicious code in environment variables, which Bash imports as function definitions and then executes.

US-CERT provides more details at https://www.us-cert.gov/ncas/alerts/TA14-268A

If your box runs Bash, this article is for you: it shows how to check for the bug and mitigate it on your Linux server.

Why homes and small businesses need Intrusion defense systems?

Are you the owner, manager, or an employee of a small business? If so, you know just how important it is to keep all the important information stored in your computer systems safe and sound at all times. But the reality is that it is not always possible to ensure the safety and security of this vital information, largely due to the digital revolution. Computers get hacked all the time, information gets stolen, and worst of all, ideas, projects, and reports get plagiarized simply because someone was able to get into a computer system they were not authorized to access in the first place.

This is where we come in. We are LionCageDefender.com, and we are here to help you safeguard your home, small business and website from the horrible pitfalls that come with digital technology. LionCageDefender.com is easy to use and extremely effective! Simply put, we scan your environment and find your vulnerabilities so that you can secure them. Finding your weak, vulnerable security points and notifying you of them is why LionCageDefender.com was created. We provide easy-to-use, automated security defense tools to help you protect your environment; all you need to do is run a LionCageDefender scan. Our intrusion detection reports are simple to read, and if you apply the solutions we recommend in our scans, you can sleep well knowing that your precious information will remain YOUR precious info.

Introduction & Welcome To LionCageDefender

As this is the first blog post for LionCageDefender.com, I would like to introduce myself, the company, the need for the service and you!

My name is Moti Mitteldorf. I am the CTO and owner of LionCage Data Security Solutions Inc., the parent company of LionCageDefender.com, LionCageShredding.com as well as LionCageBackup.com. We are a New York, USA based corporation headquartered in Kew Gardens, NY. Our programmers and support are based in New York, Israel, and Romania, with servers based in the USA and plans to expand into the UK. My initial web venture was our online backup solution called OnlineBackupVault.com, which was developed in 2006 as a solution for my then computer consulting business in New York called Tech-Keys. I built out our backup product following the failure to be able to restore data using what is now a competitor. Within a couple of short years OnlineBackupVault.com became a full time job and I gave over my consulting firm to the techs who serviced my Tech-Keys clients.