Samba servers vulnerable to denial-of-service attacks

Patches released for flaws in software package that lets Windows files and printers be shared by Unix and Linux systems.

Robert Lemos Staff Writer, CNET News.com
Robert Lemos
covers viruses, worms and other security threats.
Robert Lemos
The Samba Team released on Tuesday a patch to fix two flaws that could result in disruptions for networks using the widely installed Unix and Linux software.

The two relatively minor flaws could crash or make unresponsive systems running version 3 of Samba, an open-source software package that allows Windows files and printers to be shared by Unix and Linux systems.

The flaws, known as denial-of-service vulnerabilities, basically could be used to disconnect Samba servers from the network by either overrunning the computer's memory to such an extent that it cannot function or by sending a specially crafted network request that would crash the NetBIOS function.

"We have not had any reports in the wild of these" flaws being used by attackers, said Gerald Carter, a member of the Samba Team.

The Samba open-source software project has had its share of flaws since version 3.0 was published a year ago, including two vulnerabilities announced in July and another vulnerability reported in February. The current release, 3.0.7, fixes the two denial-of-service issues. The flaws do not affect versions of the software prior to 3.0.

Security information provider Secunia rated the flaws "less critical," that company's second-lowest grading of threats.