Samba Patches Heap Overflow Bug in Current Versions

The keepers of Samba, an open source software package that provides Windows operability for Linux and UNIX systems, have patched a serious heap overflow vulnerability in all 4.x.x versions of the software.

The bug was in the nmbd NetBIOS name services daemon, and a hacker exploiting the flaw could run code remotely on the underlying system.

“A malicious browser can send packets that may overwrite the heap of the target nmbd NetBIOS name services daemon,” Samba said in a security advisory released on Friday. “It may be possible to use this to generate a remote code execution vulnerability as the superuser (root).”

Samba urges administrators and vendors running any of the affected versions in their products to patch CVE-2014-3560 immediately. Disabling the NetBIOS name services daemon is a temporary workaround.

Samba enables file and print services to SMB/CIFS clients allowing Windows clients to interoperate with file and print servers running on Linux and UNIX. Samba also runs on IBM System 390, OpenVMS and other operating systems, according to the samba.org website.

The affected service provides NetBIOS over IP naming services to Windows clients.

Samba has made the patch available on its security page. Current versions of Samba 4.1.11 and 4.0.21 have already been fixed.