IBM Patches Samba Vulnerabilities In IBM i
April 16, 2018 Alex Woodie
Big Blue has issued two patches for serious flaws in IBM i’s implementation of Samba, flaws that could result in an attacker launching a denial of service attack or changing user’s passwords. The company patched IBM i 7.2 and 7.3, as support for IBM i 7.1 wanes.
On April 3, IBM published a security bulletin informing users of the existence of two flaws in IBM i, as well as the existence of two program temporary fixes (PTFs) to patch the problems. Both of the flaws involve Samba, a free and open source implementation of the SMB/CIFS protocol to provide interoperability among different operating systems for file and print operations.
The first flaw, identified as CVE-2018-1050, identifies missing null pointer checks when the remote procedure call (RPC) “spools” service in Samba 4.0 and later is configured to run as an external daemon. According to the Common Vulnerabilities and Exposures (CVE) database entry, this flaw could allow a hacker to cause the print spooler service to crash by sending malicious RPC messages.
This denial of service (DOS) attack was first identified to IBM on March 13, according to the IBM X-Force report. Thanks to its network-based attack vector, lack of required privileges and user interaction, and its low complexity, it carries a CVSS Base Score of 7.5, making it a serious vulnerability.
The second flaw, CVE-2018-1057, also impacts Samba 4.0, but in a different way. According to security researchers, a problem with the validation of permissions when Samba is used as an Active Directory (AD) domain controller (DC) could allow an authenticated user to change the passwords of any other users managed in an LDAP network, including administrative users and privileged service accounts.
IBM first identified this vulnerability on March 13, according to IBM’s X-Force report. While it has a network origin, a low complexity level, and a high potential for impact the integrity of a server, the fact that a user must first be authenticated mitigates the impact somewhat, so it was given a CVSS Base Score of 6.5, making it a moderately serious threat.
The fix for both flaws is to upgrade to a newer version of Samba that doesn’t suffer from the flaws. According to IBM, that means users should be on Samba version 4.5.16, 4.6.14, or 4.7.6. Luckily, IBM is making it easy for IBM i users by packaging a newer version of Samba that’s not impacted by the flaws into handy-dandy PTFS, including PTF number SI67329 for IBM i 7.2 and PTF number SI67330 for IBM i 7.3.
It’s unclear if older releases of IBM i, including IBM i 7.1, 6.1, and i5/OS V5R4, are impacted by the Samba flaw. In any event, those releases are no longer supported by IBM, so there will be no patches forthcoming from IBM to fix any potential problems in those operating systems.
While security flaws in core IBM i operating system components or Power Systems firmware components are rare (but not unheard of), the IBM i platform today is composed of many bits that are sourced from the open computing community. Over the past few years, there have been many vulnerabilities discovered in open source components that IBM incorporates into the IBM i and Power System platform.