July 2001

Samba file sharing has a security leak, including HP 3000s

The version of Samba/iX installed on thousands of HP 3000s has developed a security leak, one serious enough to earn a notice from HP. In some configurations, the file-sharing and printer-sharing software that’s become a part of the MPE/iX fundamental operating system can compromise system security, according to an HP advisory. HP transmitted its notice July 3, but by that time the HP community already had a workaround available, as well as a newer version of Samba for the 3000 that doesn’t permit the security breach.

The workaround is pretty direct: take all occurrences of the macro “%m” out of the configuration file smb.conf. HP said the NetBIOS name of remote clients is substituted into this macro. The use of contrived NetBIOS names may result in Samba using a file path outside of the intended Samba directories. This can be used to cause Samba to append data to important system files, which in turn can be used to compromise security on the HP 3000 server. HP said the “log file” option is the most vulnerable to this redefinition problem. The sample configuration file supplied with Samba/iX contains the path “/var/opt/samba/log.%m” for this option. HP stressed that “Using this default path does NOT create a vulnerability, unless there happens to exist a subdirectory in /var/opt/samba which starts with the prefix ‘log.’ ” Sites choosing to continue using the “%m” macro in the log file option should use the default value /var/opt/samba/log.%m.
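A small audit script for the workaround above, added here as an example and not code from the article, HP or the Samba project: it lists every smb.conf value that uses “%m”, applies HP's rule (remove it everywhere except the default log path), and checks whether a path built from a client name still lands inside its intended directory. The smb.conf fragment and the client names are constructed for illustration.

```python
"""Audit smb.conf for the "%m" macro that HP's advisory says to remove,
and check whether a path built from a client's NetBIOS name stays inside
its intended directory. Added example (not code from the article, HP or
Samba); the configuration text below is constructed for illustration."""
import os

MACRO = "%m"
DEFAULT_LOG_FILE = "/var/opt/samba/log.%m"   # the one value HP allowed to keep %m

# Constructed smb.conf fragment: one default log path, one risky %m share path.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = HP3000
   log file = /var/opt/samba/log.%m
   ; comment lines are ignored by the parser below
[homes]
   path = /home/%m
"""


def find_macro_uses(conf_text):
    """Return (parameter, value) pairs whose value contains %m."""
    uses = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#[":      # blank, comment or section header
            continue
        key, sep, value = line.partition("=")
        if sep and MACRO in value:
            uses.append((" ".join(key.split()).lower(), value.strip()))
    return uses


def audit(conf_text):
    """Apply the workaround rule: every %m goes, except the default log path."""
    findings = []
    for key, value in find_macro_uses(conf_text):
        verdict = "keep-default" if (key, value) == ("log file", DEFAULT_LOG_FILE) else "remove"
        findings.append((key, value, verdict))
    return findings


def expands_inside(template, base_dir, client_name):
    """Substitute client_name for %m and report whether the normalised
    result still lies under base_dir (a path-traversal guard)."""
    resolved = os.path.normpath(template.replace(MACRO, client_name))
    base = os.path.normpath(base_dir)
    return resolved == base or resolved.startswith(base + os.sep)


if __name__ == "__main__":
    for key, value, verdict in audit(SAMPLE_SMB_CONF):
        print(f"{key:10} = {value:26} -> {verdict}")
```

The last check mirrors HP's caveat: with the default path the fixed “log.” prefix absorbs a leading “..” in the client name, so the result stays under /var/opt/samba unless a real “log.*” subdirectory exists to traverse through.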

Although it hadn’t been completely tested, the e3000 community released software that eliminates the potential for configuration problems. Version 2.0.10 of Samba/iX emerged from the test bench of Lars Appel, the HP engineer who first ported Samba to the 3000 five years ago. Appel rolled his MPE/iX-specific changes into the latest version of Samba and has made that version available to the community as a download, either from www.sambaix.com or from his home page at www.editcorp.com/Personal/Lars_Appel/samba. Setup and usage documents are also available at those sites.

Appel has also rolled his bug fix for the Samba Web Administration Tool (SWAT) into the new 2.0.10 release. SWAT is a Web-based tool that can be used remotely to edit the Samba configuration file. SWAT lets system administrators set parameters, share security, and modify other features from a browser interface, and has help and related documentation available online. Michael Gueterman of Easy Does It Technologies, a keeper of the Samba/iX source code and host of www.sambaix.com, noted that “This MPE/iX version of Samba is actually out and available quicker than many of the other platforms that Samba runs on!” HP hadn’t crafted an official patch to repair the Samba/iX security vulnerability as we took our issue to press.


Copyright The 3000 NewsWire. All rights reserved