In-Depth

In Brief

Samba Exploits, Dumping IE, and Securing iPaqs

• By Mathew Schwartz
• 08/04/2004

Samba: Multiple Buffer Overflow Vulnerabilities

Samba, a Unix-based print and file server, contains multiple buffer overflow vulnerabilities. Versions of Samba 3 prior to version 3.0.5 are affected.

Information vulnerability provider Secunia rated this as a “moderately critical” security problem.

Samba released a patch. According to a statement from the company, one vulnerability is found in the internal routine used by the Samba Web Administration Tool (SWAT), which allows an administrator to configure Samba via a Web browser. SWAT handles decoding of “base64 data during HTTP basic authentication,” says Samba. Substituting invalid base64 characters in that process can trigger the buffer overflow.

Attack proof-of-concept code has been posted publicly. A successful attack could give the attacker root privileges.

Given the vulnerability, “sites using an LDAP directory service with Samba are strongly encouraged to verify that the DIT [Domain Information Tree] only allows write access to sambaSamAccount attributes by a sufficiently authorized user,” says Samba.

The second vulnerability involves so-called name-mangling capabilities, which are also handled in Samba by the code responsible for the first vulnerability. According to SANS, name mangling “allows DOS and Windows clients to use files that do not conform to the ‘8.3 Windows’ naming convention.” Samba notes the default Munge settings, however, are not vulnerable. No details of an attack method using this vulnerability have been publicly released or thought to exist, though security experts caution attackers may compare patched and unpatched versions of Samba to gain clues.

Samba recommends patching or upgrading to Samba 3.0.5.

Link:
http://www.samba.org/samba/whatsnew/samba-3.0.5.html

- - -

Dumping IE No Solution, Says Vendor

Last month many security experts recommend enterprises consider switching from Internet Explorer to another browser, such as Mozilla’s Firefox, in the wake of serious IE vulnerabilities. According to host-intrusion security vendor PivX, however, that approach still won’t solve the problem.

“US-CERT’s advice to Internet users to find another browser rather than use IE may stop those users from experiencing many security problems, but this will not be 100 percent efficient and does nothing to find a solution to the fundamental problems that are inherent with using Internet Explorer," wrote PivX CEO Rob Shively, in a letter to Amit Yoran, director of the National Cyber Security Division (NCSD) at the Department of Homeland Security. US-CERT is run in coordination with the CERT Coordination Center at Carnegie Mellon University, and is the NCSD’s operational arm.

In other words, wrote Shively, “although a default Web browser other than IE may reduce exposure to some vulnerabilities, it cannot eliminate exposure because IE is still present as an integral part of Windows.” As a result, he says, additional security technologies are needed.

- - -

New iPAQs to Ship with Mobile Security Software

The push is on to better protect corporate information beyond corporate PCs and laptops. In particular, Gartner forecasts that by 2005, 40 percent of corporate data will reside on handheld devices.

For companies using PDAs running Microsoft’s Pocket PC operating system, new business-level PDAs from HP will ship with improved security software built in. In particular, the recently released iPAQ hx4700-series PDAs from HP ship with client security software dubbed HP ProtectTools. Those tools also include a version of Credant Mobile Guardian software. For centralized PDA administration, however, companies must upgrade Credant to the group or enterprise edition.

HP ProtectTools will allow security policies to be applied to PDAs. For example, security managers can require PINs or passwords to access a PDA. In addition, information—from e-mail and contacts to calendars and files on removable media—can be kept encrypted, complicating efforts to read such information if the device is lost or stolen. Multiple failed log-on attempts can also trigger a hard reset of the device, which wipes PDA data and reverts the PDA to its factory defaults, to further protect against loss or theft.

Related Articles

Used Laptops Offer Secrets for Sale—Cheap
http://info.101com.com/default.asp?id=7822

Businesses Ignore Mobile PDA Threat
http://info.101com.com/default.asp?id=6448

Case Study: Fielding Service Calls Securely
http://info.101com.com/default.asp?id=5416