Buzz
Traditionally, Samba has been the standard for providing file sharing and print services to Windows clients on various * nix systems. Utilized by a diverse range of users, including households, small businesses, and large companies, Samba has emerged as a solution for accessing environments with different operating systems coexisting.
In the past, Windows faced two highly severe network attacks - WannaCry and EternalRocks. These incidents prompted users to explore every avenue to protect crucial data on their computers. While WannaCry directly infiltrated and seized important data, extorting users for its retrieval, EternalRocks is considered even more dangerous than WannaCry. This malware operates silently within the system, capable of transforming into any malicious code without direct extortion.
In this insightful article, Tải miễn phí will unravel the perils of Samba and provide guidance on patching the SambaCry vulnerability (CVE-2017-7494) on your Linux operating system. Depending on your setup (from repositories or source), you'll need to adopt different approaches.
Whether you're using Samba in any environment or are aware of someone utilizing Samba, continue reading below.
Vulnerability at a Glance
Outdated and unpatched systems are susceptible to attacks exploiting a remote code execution vulnerability. Simply put, this means someone with access to a writable share can upload arbitrary code and execute it with root privileges on the server. We often hear about rooting Android devices, but this takes it to a whole new level.
The issue, documented on the Samba website as CVE-2017-7494, impacts Samba 3.5 (released in early March 2010) and later versions. Known as Samba Cry, it bears resemblance to WannaCry—both targeting the SMB protocol with significant potential for cross-system propagation via SMB.
Debian, Ubuntu, CentOS, and Red Hat promptly released patches for supported versions. Additionally, alternative security solutions were provided for unsupported users.
Securing SambaCry Vulnerability (CVE-2017-7494) on Linux
As mentioned earlier, there are two approaches to follow based on the previous setup method:
Case 1: Installing Samba from the distributor's repository
If you're installing Samba from the distributor's repositories, here's what you need to do in this scenario:
- Fixing SambaCry on Debian:
Ensure that apt is configured to receive the latest security updates by adding the lines below to your sources list (/etc/apt/sources.list):
deb http://security.debian.org stable/updates main
deb-src http://security.debian.org/ stable/updates main
Next, update the list of available packages:
# aptitude update
Finally, ensure that the version of the Samba package aligns with the patched security vulnerabilities (refer to CVE-2017-7494):
Link to CVE-2017-7494: https://security-tracker.debian.org/tracker/CVE-2017-7494
# aptitude show samba
- Fixing SambaCry on Ubuntu:
To kick off the process, check for new packages and update the Samba packages:
$ sudo apt-get update
$ sudo apt-get install samba
The Samba versions addressing the CVE-2017-7494 fix are as follows:
17.04: samba 2:4.5.8+dfsg-0ubuntu0.17.04.2
16.10: samba 2:4.4.5+dfsg-2ubuntu5.6
16.04 LTS: samba 2:4.3.11+dfsg-0ubuntu0.16.04.7
14.04 LTS: samba 2:4.3.11+dfsg-0ubuntu0.14.04.8
Finally, run the command below to confirm that Ubuntu has the privilege to install the Samba version:
$ sudo apt-cache show samba
- Fixing SambaCry on CentOS/RHEL 7:
The patched Samba version in EL 7 is samba-4.4.4-14.el7_3. To install this version, use the following command:
# yum makecache fast
# yum update samba
Similar to the steps above, ensure that you have the Samba patch:
# yum info samba
Older supported versions of CentOS and RHEL also have available patches. You can check HERE for more information.
Case 2: Installing Samba from source
Note:
The steps below assume you've compiled Samba from source. Test in a LAB environment BEFORE deploying it on a production server.
Additionally, ensure you've backed up the smb.conf file before commencing the process.
In this case, we'll also compile and update Samba from source. Before starting, ensure that all necessary dependencies are installed beforehand. The process may take a few minutes.
- On Debian and Ubuntu:
# aptitude install acl attr autoconf bison build-essential \
debhelper dnsutils docbook-xml docbook-xsl flex gdb krb5-user \
libacl1-dev libaio-dev libattr1-dev libblkid-dev libbsd-dev \
libcap-dev libcups2-dev libgnutls28-dev libjson-perl \
libldap2-dev libncurses5-dev libpam0g-dev libparse-yapp-perl \
libpopt-dev libreadline-dev perl perl-modules pkg-config \
python-all-dev python-dev python-dnspython python-crypto xsltproc \
zlib1g-dev libsystemd-dev libgpgme11-dev python-gpgme python-m2crypto
- On CentOS 7 or similar distributions:
# yum install attr bind-utils docbook-style-xsl gcc gdb krb5-workstation \
libsemanage-python libxslt perl perl-ExtUtils-MakeMaker \
perl-Parse-Yapp perl-Test-Base pkgconfig policycoreutils-python \
python-crypto gnutls-devel libattr-devel keyutils-libs-devel \
libacl-devel libaio-devel libblkid-devel libxml2-devel openldap-devel \
pam-devel popt-devel python-devel readline-devel zlib-devel
Stop the services:
# systemctl stop smbd
Download and unpack the source (using 4.6.4 as the latest version):
# wget https://www.samba.org/samba/ftp/samba-latest.tar.gz
# tar xzf samba-latest.tar.gz
# cd samba-4.6.4
The goal is information; check the available configuration options for the current release with:
# ./configure -help
You can include some options returned by the command above if used in the previous build, or you can choose the defaults:
# ./configure
# make
# make install
Finally, restart the service:
# systemctl restart smbd
And confirm you're running the update:
# smbstatus --version
That's version 4.6.4.
General Overview
If running an unsupported version from a specific distribution and for some reason unable to upgrade to a more recent release, you can consider applying the suggestions below:
If SELinux is enabled, you are under protection.
Ensure Samba share is mounted with the noexec option. This prevents the execution of binary programs on the mounted file system.
Add 'nt pipe support = no' to the [global] section of the smb.conf file and restart the service. Note that doing this 'may disable some features in Windows clients,' according to the Samba project.
Important Note: Remember that the 'nt pipe support = no' option will disable the feature of shares listed from Windows clients.
For example, when you enter \\10.100.10.2\ in Windows Explorer on the Samba server, the result you receive will be permission denied. Windows clients will have to manually specify the share as \\10.100.10.2\share_name to access the share.
In the above article, Tai mien phi described the SambaCry vulnerability and how to patch the SambaCry vulnerability (CVE-2017-7494) on Linux. Hope the information in the article is helpful to you.
If you have any questions or concerns about SambaCry, feel free to leave your comments below, and Mytour will address those queries for you.
For Windows 10 users, the SMB zero-day vulnerability has been widely warned by experts. The SMB zero-day vulnerability is a point where malicious code can easily infiltrate, often caused by users clicking on unfamiliar links without virus protection. To avoid viruses and malware spreading through the SMB zero-day vulnerability, the only solution is to refrain from clicking on suspicious links received on social media or emails. For more details about this vulnerability, refer to the review on the SMB zero-day vulnerability and preventive measures.
