Critical Samba RCE Vulnerability Enables Arbitrary Code Execution

Thread starter: Deleted member 210773 (Guest)

(I use Firewalld as my firewall)
$ sudo firewall-cmd --remove-port=445/tcp --permanent
[sudo] password for destan:
Warning: NOT_ENABLED: 445:tcp
success
destan@destran ~ $

(I have also removed samba from my Linux OS)

I used the lsof command to list the open ports on the system:

~ $ sudo lsof -i -P -n | grep LISTEN
[sudo] password for destan:
systemd 1 root 36u IPv4 10299 0t0 TCP *:111 (LISTEN)
systemd 1 root 38u IPv6 970 0t0 TCP *:111 (LISTEN)
rpcbind 684 rpc 5u IPv4 10299 0t0 TCP *:111 (LISTEN)
rpcbind 684 rpc 7u IPv6 970 0t0 TCP *:111 (LISTEN)
systemd-r 850 systemd-resolve 12u IPv4 10704 0t0 TCP *:5355 (LISTEN)
systemd-r 850 systemd-resolve 14u IPv6 10712 0t0 TCP *:5355 (LISTEN)
systemd-r 850 systemd-resolve 21u IPv4 10719 0t0 TCP 127.0.0.53:53 (LISTEN)
systemd-r 850 systemd-resolve 23u IPv4 10721 0t0 TCP 127.0.0.54:53 (LISTEN)
cupsd 940 root 6u IPv4 11950 0t0 TCP *:631 (LISTEN)
cupsd 940 root 7u IPv6 11951 0t0 TCP *:631 (LISTEN)
spoofdpi 1083 destan 3u IPv4 12193 0t0 TCP 127.0.0.1:8080 (LISTEN)
python3 1128 wsdd 10u IPv4 13553 0t0 TCP 192.168.1.43:5357 (LISTEN)
python3 1128 wsdd 14u IPv4 19498 0t0 TCP 10.152.235.198:5357 (LISTEN)
python3 1128 wsdd 18u IPv6 13572 0t0 TCP [fe80::92e6:baff:fe4a:2656]:5357 (LISTEN)

But why is Samba installed and enabled by default in most Linux distributions?

(In the attached screenshot the result of scanning port 127.0.0.1)
 

Attachment: Screenshot from 2025-09-01 00-26-43.png (235.5 KB)


That's a good use of this sub-section.

The content in this sub-section of the forum is very important content. It's automated, drawing data from other sources. But you have to seek it out yourself. Those automated submissions do not get pushed into your feed when you're viewing the forum's latest activity, or whatnot.

The URL is:


For those people who think is magically secure, this is a good resource. We have security bugs all the time. We just tend to treat them openly and quickly. We tend to use 'responsible disclosure' when we find security bugs. Not all bugs are causing security issues. This sub-section of the forum is about those bugs that do impact security.
 

I agree with you that subsection is very useful, but I noticed that most of the posts about Samba are related to Ubuntu.
 

Ubuntu is a popular distro. The distros are all using the same Samba versions, more or less. Some LTS distros might be using some LTS release of Samba. Odds are (I haven't checked) that those flaws are even in the LTS versions. If so, the system will work as intended. Samba's LTS versions will get a new 'minor' release, going from something like ver. 12.4.1 or the like.

If the distro compiles it themselves, they may add the distro name to the version. They could be doing the work to maintain a stable version. In this case, stable refers to keeping things the same and not to running in a stable condition. I mean, it should still run in a stable condition, but this sort of stable means there won't be any breaking changes. While using this stable version, all your scripts should still work - even though it's upgraded with bug fixes along the way.

(That's what it means when a distro is referred to as 'LTS'. It means the software will keep its current features and functionality. If new features are added to the software, this may not be reflected in the LTS versions. It depends. They may test to see if those new features break anything and then decide to include the changes if nothing appears to break.)
 
But why is Samba installed and enabled by default in most Linux distributions?
 

I suspect it's because they assume people will want to interact with Windows systems. Frankly, in my own situation, I see no reason to have it installed and enabled by default. It does me no good because I don't need to interact with Windows. It's a file access and print system using MSFT's SMB protocol. I have zero use for it.

In fact, it probably doesn't need to be installed or enabled by default. It might be time to move on from the mindset that we're interacting with a blended system that includes Windows. People who need those features can install and configure Samba on their own.
 
Sadly, the Linux native alternative NFS is historically considerably weaker in security than SMB, and the distance between them has widened with new SMB security mechanisms (if you can disable the old parts).

It's a file access and print system using MSFT's SMB protocol.
If it is enabled, it's the client portion (being able to offer a network share or print). I've not seen the daemon (smbd) enabled per default in a distro, and it requires some configuration. Also, this RCE is for the ancient WINS protocol, if it is activated on a Linux smb active-directory server. Those are very special circumstances. https://www.samba.org/samba/security/CVE-2025-10230.html
 

I'd think that the majority of users, at least those represented in the communities I'm familiar with, don't need it installed by default. Then again, it may no longer be frequently installed by default. I just checked a running system and it's not installed. So, that may have changed. In the past, I'd remove it in my process of trimming the fat. I'm not sure if I removed it or if it's not installed by default these days. I know it once was, but I haven't done a new install for a long time.

I probably should do a clean installation at some point. It has been a while. I just keep upgrading. When I get a new device, it's to replace an old device. So, I just move the storage media over and keep going. It has literally been some years since I did a clean install.
 
In Linux Mint 22.2 Cinnamon

from : https://easylinuxtipsproject.blogspot.com/p/first-mint-cinnamon.html

'There are sensible exceptions in the default firewall settings (rules), which should ensure that the firewall is never in the way of normal average use. For example, with the default profile the use of Samba should be no problem. Also downloading torrents (fetch) should be possible; but seeding torrents (serve), might require a temporal disabling of ufw.'
=====================================
However, there is a folder in /etc, named Samba
When that folder is right clicked on and 'Sharing Options' is selected, the result is as shown below:
[screenshot of the 'Sharing Options' dialog: 1761532305255.png]


==========================================

In terminal:
Code:
brian@brian-desktop:~$ dpkg -l | grep samba
ii  libldb2:amd64                                  2:2.8.0+samba4.19.5+dfsg-4ubuntu9.4                  amd64        LDAP-like embedded database - shared library
ii  python3-ldb                                    2:2.8.0+samba4.19.5+dfsg-4ubuntu9.4                  amd64        Python 3 bindings for LDB
ii  python3-samba                                  2:4.19.5+dfsg-4ubuntu9.4                             amd64        Python 3 bindings for Samba
ii  samba-common                                   2:4.19.5+dfsg-4ubuntu9.4                             all          common files used by both the Samba server and client
ii  samba-common-bin                               2:4.19.5+dfsg-4ubuntu9.4                             amd64        Samba common files used by both the server and the client
ii  samba-libs:amd64                               2:4.19.5+dfsg-4ubuntu9.4                             amd64        Samba core libraries
ii  vlc-plugin-samba:amd64                         3.0.20-3build6                                       amd64        Samba plugin for VLC
brian@brian-desktop:~$

??

@osprey
@wizardfromoz
@GatorsFan
 
@wizardfromoz

No problema compadre, for you and I.

The outputs you list above are for forward compatibility should you feel a need to install and employ the full Samba, but that is not so with your LM 22.2 'Zara', nor your LMDE 7 'Gigi'

Although you may have a config file /etc/samba/samba.conf for such an occasion, you will find it (it is long) to be bereft of references to

wins support

and that is rightly so.

By default that does not appear in modern Samba and is only used in legacy systems support.

Cheers

Wiz
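As an added example (not code from the thread, from Pjotr's blog or from the Samba project), here is a small shell check that does what the last two posts describe by hand: it parses an smb.conf for an active, uncommented "wins support" setting (the option tied to the CVE-2025-10230 advisory linked above) and lists any sockets listening on the SMB/NetBIOS ports, narrowing the lsof listing from the first post to Samba's ports. Assumptions: the standard config path /etc/samba/smb.conf, the iproute2 `ss` tool for the socket listing, and a constructed sample config that is not any real system's file.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread or from the Samba project.
# Two defender-side checks for the situation discussed in the thread:
#   1. does a Samba config actually turn on the WINS server ("wins support = yes")?
#   2. is anything listening on the SMB/NetBIOS ports right now?

# wins_enabled FILE
# Returns 0 when FILE contains an active "wins support" setting with a true
# value (yes/true/1, case-insensitive), 1 otherwise. Lines starting with
# '#' or ';' are comments in smb.conf and are ignored, so a commented-out
# "; wins support = yes" does not count. If the key appears more than once,
# the last occurrence is taken (later lines override earlier ones in a section).
wins_enabled() {
    local conf="$1" value
    [ -r "$conf" ] || return 1
    value=$(sed -E 's/^[[:space:]]*[#;].*$//' "$conf" \
        | grep -iE '^[[:space:]]*wins[[:space:]]+support[[:space:]]*=' \
        | tail -n 1 \
        | sed -E 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//' \
        | tr '[:upper:]' '[:lower:]')
    case "$value" in
        yes|true|1) return 0 ;;
        *)          return 1 ;;
    esac
}

# smb_listeners
# Prints listening TCP/UDP sockets on the SMB/NetBIOS ports
# (137/udp, 138/udp, 139/tcp, 445/tcp) using ss from iproute2 (assumed
# installed). Prints nothing, and still returns 0, when ss is missing or
# nothing is listening on those ports.
smb_listeners() {
    command -v ss >/dev/null 2>&1 || return 0
    ss -H -tuln 2>/dev/null | awk '$5 ~ /:(137|138|139|445)$/'
}

# Demo on a constructed smb.conf fragment (sample text, not a real system's
# configuration). The commented ';' line must not trigger the check; the
# mixed-case line after it must.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
[global]
   workgroup = WORKGROUP
   server role = standalone server
   ; wins support = yes
   WINS Support = Yes
EOF

if wins_enabled "$demo_conf"; then
    echo "WINS server enabled in $demo_conf: review the Samba advisory for CVE-2025-10230"
else
    echo "WINS server not enabled in $demo_conf"
fi
rm -f "$demo_conf"

# On a live system the same check is: wins_enabled /etc/samba/smb.conf
echo "Sockets listening on SMB/NetBIOS ports (empty means none):"
smb_listeners
```

Run it as a script, or source it and call `wins_enabled /etc/samba/smb.conf` on a real host; a non-zero exit from that function means the WINS server is not turned on in that file, which matches the "bereft of references to wins support" state Wiz describes for a default Mint install.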
 
Also downloading torrents (fetch) should be possible; but seeding torrents (serve), might require a temporal disabling of ufw.'
I've never used Mint, hence I don't know the torrent app it bundles and may be nit-picking wrongly, but that's pretty bad advice by the blog to disable ufw just to serve torrents.

Ufw is bundled with pre-built profiles for a number of torrent applications. Most definitely there is a way to configure firewall rules with it to cater for serving torrents.
 
Worth taking note of the fact that the author of 'Easy Linux Tips' is none other than Pjotr.

I have better things to do than 'nit pick' with any advice he gives.

All of the torrent clients I have used, do work seamlessly in both download and seeding mode, without any need for fiddling with ufw's settings etc
 
@Condobloke See, you don't have to, that's my point. Disabling a firewall, especially for the purpose to accept incoming connections like torrent seeding, is not the right way to configure it.

It was probably simply written prior to the ufw profiles including the most popular applications, but that just means configuration got more seamless and easy for users.
 

