Full Report
Aaron Adams over at SYMANTEC, did a quick check on the version of Samba running on currently up to date OSX machines and found that the Macs were still running 3.0.10. He did a quick mod on the existing Metasploit module and has reliable code execution going.. If you are running OSX, you probably want to make sure your samba isnt exposed while you grab the latest source and build.. /mh
Analysis Summary
As a vulnerability research specialist, here is the requested summary of the disclosed security issue:
# Vulnerability: Outdated Samba Version on OSX Leading to Remote Code Execution
## CVE Details
- CVE ID: **Not explicitly mentioned in the provided text.** (Note: Without an explicit vendor or researcher identifier matching the vulnerability to a known CVE, this field remains blank based *only* on the source text.)
- CVSS Score: **Undetermined.** (Implied high due to reliable code execution.)
- CWE: **CWE-119 or similar** (Related to buffer overflow or input validation flaws that lead to code execution, typical of older Samba exploits.)
## Affected Systems
- Products: Apple OSX Machines (running default file-sharing service).
- Versions: Systems running **Samba version 3.0.10** (or older versions depending on the OSX build).
- Configurations: Systems where the Samba service (Windows file sharing) is exposed externally.
## Vulnerability Description
An independent check identified that up-to-date versions of Apple OSX were shipping with a Samba component stuck at version 3.0.10. This specific version is susceptible to a flaw (implied to be a pre-existing, known exploit against Samba 3.0.x) that allows an attacker to achieve reliable remote code execution.
## Exploitation
- Status: **PoC available** (A modified Metasploit module exists).
- Complexity: **Low** (Implied by the ease of modification of an existing module leading to "reliable code execution").
- Attack Vector: **Network** (Remote exploitation of the exposed file-sharing service).
## Impact
- Confidentiality: **High** (Guaranteed execution implies attacker control).
- Integrity: **High** (Guaranteed execution implies attacker control).
- Availability: **High** (Guaranteed execution implies attacker control).
## Remediation
### Patches
- **Apply the latest system updates for OSX** to receive the patched Samba version.
- **Manually download and build the latest stable Samba source code** if immediate OS patches are unavailable.
### Workarounds
- **Ensure the Samba/Windows file-sharing service is not exposed externally** (i.e., restrict access via firewall rules to local networks only, or disable the service entirely if not needed).
## Detection
- **Indicator of Compromise (IOC):** Search logs for unusual connection attempts targeting the SMB ports (139, 445) originating from untrusted IPs, followed by abnormal process execution originating from the Samba daemon.
- **Detection Methods and Tools:** Monitor host-based intrusion detection systems (HIDS) or network security monitoring tools for signatures matching the known Metasploit module payload execution attempts against the Samba service.
## References
- Vendor Advisory (Symantec/OSX Update context): hxxp://www.symantec.com/enterprise/security_response/weblog/2007/06/samba\_update.html
- Samba Source Download: hxxp://us1.samba.org/samba/ftp/samba-latest.tar.gz