Samba breaches vs. features: UX vs. MPE
February 1, 2010
HP released a new security patch last week to block a back door in the HP-UX Samba software, one of many that surface for HP's Unix environment. The vulnerability in versions A.02.03.04 and vA.02.04 running on HP-UX B.11.11, B.11.23, or B.11.31 could let a remote user gain unauthorized access to an Integrity or PA-RISC Unix server.
HP has a software update available for download to block the breach. Meanwhile, the HP 3000 user who's employing Samba for file and printer sharing isn't affected by this vulnerability. The most recent Samba/iX is 3.0.22, one of the final projects released by the HP labs. Samba has been installed with any MPE/iX release newer than 6.0, and patches for Samba/iX to lift it to the 3.0.2 version are available for free download from the HP IT Response Center Web site. There's even a SWAT Samba administration tool that runs with Samba/iX. If you're unfamiliar with how SWAT makes Samba an even better tool, Samba.org has a SWAT primer online.
Samba has helped the HP 3000 join the standard networks of many heterogeneous shops in the decade-plus it's been available. But the MPE/iX version is behind the current HP-UX release. This is a tradeoff for companies using Samba -- run it on the Unix servers and apply security patches, or use the HP 3000s and enjoy the security-by-design, but with fewer features and no bug fixes.
The 3000 version is not very many months out of date. In October of last year, the 3.0.37 version emerged, adding security patches for the community. But those patches are aimed at more Unix-like environments, such as Apple OS X, HP's HP-UX, and Linux.
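The tradeoff above comes down to knowing which of your hosts run a Samba older than the release that carries the latest security fixes. The following script is an added example, not code from this article, from HP, or from the Samba project. It assumes that `smbd -V` prints a line of the form `Version 3.0.22` (the host names and the captured strings below are constructed for the example), and it uses the 3.0.37 release mentioned above as the baseline. It pads version tuples so that a short version such as `3.4` compares correctly against `3.4.0`, and it flags any host whose output cannot be parsed, since an unknown version should be treated as unpatched rather than silently passed.

```python
import re

# Constructed sample of what "smbd -V" might print on several hosts;
# these are not captures from any real system.
SAMPLE_OUTPUTS = {
    "hpux-fileserver": "Version 3.0.37",
    "mpe-3000-a": "Version 3.0.22",
    "linux-nas": "Version 3.4.0",
}

# Assumption: the version appears as "Version X.Y[.Z...]" in the output.
_VERSION_RE = re.compile(r"Version\s+(\d+(?:\.\d+)*)")


def parse_version(text):
    """Return the version as a tuple of ints from smbd -V style output, or None."""
    match = _VERSION_RE.search(text)
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def version_at_least(found, minimum):
    """Compare tuples of unequal length by zero-padding, so 3.4 equals 3.4.0."""
    width = max(len(found), len(minimum))

    def pad(version):
        return version + (0,) * (width - len(version))

    return pad(found) >= pad(minimum)


def hosts_below(outputs, minimum="3.0.37"):
    """Return sorted host names whose Samba is older than `minimum` or unparseable.

    An unparseable version is flagged on purpose: a host whose patch level
    cannot be confirmed should be reviewed, not assumed to be current.
    """
    minimum_tuple = parse_version("Version " + minimum)
    flagged = []
    for host, output in outputs.items():
        version = parse_version(output)
        if version is None or not version_at_least(version, minimum_tuple):
            flagged.append(host)
    return sorted(flagged)


if __name__ == "__main__":
    for host in hosts_below(SAMPLE_OUTPUTS):
        print(host, "reports a Samba older than the 3.0.37 baseline")
```

In practice the dictionary would be filled from the real `smbd -V` output of each server; the comparison logic stays the same whichever release you choose as the baseline.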
The latest public release of Samba for the non-3000 world is version 3.4. The feature set that the 3000 version is frozen in includes these features, new in 2006 and ported in 2007:
Choosing to use Samba under HP-UX eliminates the questions of whether the release is bug-fixed. The security breaches for Unix-based servers are an every-week occurrence. Sendmail versions 8.9.3 and 8.11.1 have been hit with a Denial of Service vulnerability, which HP has patched with an update.
In 2007 HP wrote a white paper on bringing Samba from the 3.0.22 MPE/iX version to full compliance with the latest release. The paper says that it gives the techniques to
1. Refresh a new version of Samba on MPE/iX,
2. Apply future patches released by the Samba organization and
3. Quickly fix defects in Samba/iX