Personal computing discussed


 
chuckula
Minister of Gerbil Affairs
Topic Author
Posts: 2109
Joined: Wed Jan 23, 2008 9:18 pm
Location: Probably where I don't belong.

Important Security Update for Samba Admins

Thu May 25, 2017 7:07 am

Spreading the word about this recently announced bug fix: https://www.samba.org/samba/security/CVE-2017-7494.html

From the announcement, Samba versions 4.6.4, 4.5.10 and 4.4.14 have been fixed, although if you are stuck on the 3.5/3.6 series there is no word of an update (they are still vulnerable). There is also a patch that you can apply manually if you build from source.

From my initial read it looks like the attack allows unauthorized users to do "blind" writes of data to writeable shares when they happen to already know the correct path. From there they could potentially execute malicious code on the server.

A work-around if you can't update immediately is to turn off NT pipes support, although this breaks certain functions so be careful.
4770K @ 4.7 GHz; 32GB DDR3-2133; Officially RX-560... that's right AMD you shills!; 512GB 840 Pro (2x); Fractal Define XL-R2; NZXT Kraken-X60
--Many thanks to the TR Forum for advice in getting it built.
 
chuckula
Minister of Gerbil Affairs
Topic Author
Posts: 2109
Joined: Wed Jan 23, 2008 9:18 pm
Location: Probably where I don't belong.

Re: Important Security Update for Samba Admins

Thu May 25, 2017 7:11 am

Reading the patch code in more detail (link here) the bug appears to be that Samba was previously accepting named pipes with the "/" directory character that could apparently be used to go directly to the filesystem instead of being restricted to a pipe IPC mechanism. If the attacker can guess your filesystem hierarchy then he can use a maliciously crafted pipe name to write data to a share.
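As an added illustration of the check described in the post above (written for this thread, not taken from Samba's actual patch), here is a pipe-name validator that refuses any name containing "/" and otherwise accepts only names from an allowlist. The allowlist, the sample names and the `count_refused` audit helper are all constructed for the example; Samba's real table of known pipes is larger.

```c
/* Added example, not Samba's code: validate a requested named-pipe name so
 * that it can only ever refer to an IPC endpoint, never to a file on a share.
 * The allowlist below is a constructed sample. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Constructed allowlist of IPC endpoints this server is willing to open. */
static const char *const known_pipes[] = {
    "srvsvc", "samr", "lsarpc", "netlogon", "spoolss", "wkssvc",
};

/* Returns true only for a bare, known pipe name. A name that contains a
 * directory separator is refused before any lookup, which is the class of
 * input the CVE-2017-7494 fix stopped accepting. */
bool is_known_pipename(const char *name)
{
    size_t i;

    if (name == NULL || name[0] == '\0') {
        return false;
    }
    /* Refuse anything that could be interpreted as a filesystem path. */
    if (strchr(name, '/') != NULL) {
        return false;
    }
    for (i = 0; i < sizeof(known_pipes) / sizeof(known_pipes[0]); i++) {
        /* Pipe names are matched case-insensitively, as SMB names are. */
        if (strcasecmp(name, known_pipes[i]) == 0) {
            return true;
        }
    }
    return false;
}

/* Hypothetical audit helper: given pipe names pulled from a capture or log,
 * count how many the validator would refuse (useful when checking whether a
 * server was seeing path-like pipe names before it was patched). */
size_t count_refused(const char *const *names, size_t n)
{
    size_t refused = 0, i;

    for (i = 0; i < n; i++) {
        if (!is_known_pipename(names[i])) {
            refused++;
        }
    }
    return refused;
}
```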
 
just brew it!
Administrator
Posts: 54500
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: Important Security Update for Samba Admins

Thu May 25, 2017 8:10 am

Looks like Debian and Ubuntu are on top of this, with backported fixes already available for the older versions of Samba included with supported versions of their OSes.
Nostalgia isn't what it used to be.
 
bthylafh
Maximum Gerbil
Posts: 4320
Joined: Mon Dec 29, 2003 11:55 pm
Location: Southwest Missouri, USA

Re: Important Security Update for Samba Admins

Thu May 25, 2017 8:12 am

Raspbian too; I got my Pi updated last night.
Hakkaa päälle!
i7-8700K|Asus Z-370 Pro|32GB DDR4|Asus Radeon RX-580|Samsung 960 EVO 1TB|1988 Model M||Logitech MX 518 & F310|Samsung C24FG70|Dell 2209WA|ATH-M50x
 
Waco
Maximum Gerbil
Posts: 4850
Joined: Tue Jan 20, 2009 4:14 pm
Location: Los Alamos, NM

Re: Important Security Update for Samba Admins

Thu May 25, 2017 10:04 pm

I'm so happy that I don't run Samba anywhere but my home NAS. :lol:
Victory requires no explanation. Defeat allows none.
 
just brew it!
Administrator
Posts: 54500
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: Important Security Update for Samba Admins

Thu May 25, 2017 10:09 pm

Yeah, it's the sort of thing that gives corporate IT admins nightmares. One desktop/laptop on the network infected with malware that's aware of the vulnerability, and suddenly you're in deep doo-doo.
 
cheesyking
Minister of Gerbil Affairs
Posts: 2756
Joined: Sun Jan 25, 2004 7:52 am
Location: That London (or so I'm told)

Re: Important Security Update for Samba Admins

Fri May 26, 2017 12:18 pm

Waco wrote:
I'm so happy that I don't run Samba anywhere but my home NAS. :lol:

You've got to wonder how many commercial NAS vendors won't bother including the patch either for months/years or ever.
Fernando!
Your mother ate my dog!
 
SuperSpy
Minister of Gerbil Affairs
Posts: 2403
Joined: Thu Sep 12, 2002 9:34 pm
Location: TR Forums

Re: Important Security Update for Samba Admins

Fri May 26, 2017 1:47 pm

cheesyking wrote:
Waco wrote:
I'm so happy that I don't run Samba anywhere but my home NAS. :lol:

You've got to wonder how many commercial NAS vendors won't bother including the patch either for months/years or ever.

No need to wonder, the answer is 'all of them'.
Desktop: i7-4790K @4.8 GHz | 32 GB | EVGA Gefore 1060 | Windows 10 x64
Laptop: MacBook Pro 2017 2.9GHz | 16 GB | Radeon Pro 560
