Follow

Security bug for sernet-samba4 - CVE-2017-7494

Subject:

Known security bug for customers that have deployed sernet-samba4 on QuantaStor based on 12.04 Precise platforms using the samba4-install script.

Please note that some features will stop functioning once the suggested workaround is applied for CVE-2017-7494, see below for additional details.

 

Detail:

 

Ubuntu has provided a patch to address this bug so loading the packages from the link below will address the bug and there are no additional workarounds or changes that will need to be made:

 

https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7494.html

 

Here is the description of the bug and workround from the samba.org site:

https://www.samba.org/samba/security/CVE-2017-7494.html

=========== Description =========== All versions of Samba from 3.5.0 onwards are vulnerable to a remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it. ================== Patch Availability ================== A patch addressing this defect has been posted to http://www.samba.org/samba/security/ Additionally, Samba 4.6.4, 4.5.10 and 4.4.14 have been issued as security releases to correct the defect. Patches against older Samba versions are available at http://samba.org/samba/patches/. Samba vendors and administrators running affected versions are advised to upgrade or apply the patch as soon as possible. ========== Workaround ========== Add the parameter: nt pipe support = no to the [global] section of your smb.conf and restart smbd. This prevents clients from accessing any named pipe endpoints. Note this can disable some expected functionality for Windows clients.


Bug Workaround:

1.
QuantaStor 4.3 includes support for managing the suggested 'nt pipe support = no' workaround with the below two steps:

sudo -i
touch /etc/qs_smb_fix_cve20177494.enable
service quantastor restart

2.
Otherwise if you are unable to upgrade to QuantaStor 4.3,you could apply the Samba service workaround manually with the steps below:


vim /etc/samba/smb.conf

Add the 'nt pipe support = no' to the [globals] section:

'nt pipe support = no'

restart sernet samba:

service sernet-samba-smbd restart

NOTE:
We have confirmed the features below stops functioning once the suggested workaround is applied for CVE-2017-7494: 

1. 'nt pipe support = no' option disables the ability to list shares at the UNC folder location. e.g. \\10.0.12.31\ You have to pass in the share name for you to be able to see the share. e.g. \\10.0.12.31\testshare1

2. Unable to perform user lookups in the Windows Folder Properties Windows>Security tab.

3. Unable to see share access in the Windows Folder Properties Windows>Security tab>Advanced Windows>Share Tab.
4. Unable to select a user in the Windows Folder Properties Windows>Security tab>Advanced Windows>Effective Access Tab or review effective access.

5. If a User uses the Computer Management MMC to connect to the QuantaStor, the Shares, Sessions and Open Files views will return a access denied message.

 

 

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request

Comments

Powered by Zendesk