Samba security issue CVE-2017-7494

Dear Turris users,
a new security issue has been discovered in Samba packages from version 3.5 onwards. This issue allows an attacker to run malicious code of his choice on the vulnerable device.

We are testing the security patch for Turris routers right now and we want to release it tomorrow.


Until then, Samba users can use this workaround:

Add the parameter:

nt pipe support = no

to the [global] section of your smb.conf and restart smbd. This
prevents clients from accessing any named pipe endpoints. Note this
can disable some expected functionality for Windows clients.

Good to know:

  • Please, do not open smb sharing to the Internet. Never. It is not secure.
  • Keep automatic updates on.

You can find out more about this issue at the following links:
Official info from Samba
Article about the issue on Arstechnica
short mention on root.cz for Czech users

Thank you for staying secure with us,
Václav
your Community Manager

2 Likes

The CVE-2017-7494 vulnerability allows an attacker to upload a malicious dynamic code library to a server or PC with secure Samba file sharing and to ensure it runs. On multiple platforms it can run with root privileges, thus gaining full control over the computer.
https://www.samba.org/samba/security/CVE-2017-7494.html
However, Samba’s announcement last night is rather brief, and a detailed explanation of the circumstances is lacking.

Of course, the developers released edited versions 4.6.4, 4.5.10 and 4.4.14 for supported versions, with patches available for others. The main recommendation is to install the repaired versions, which are obviously already available for individual Linux distributions.

The vulnerability, similar to the vulnerability in Windows used by WannaCry worm, has the potential to create a worm when the user’s interaction is not exploited and the infected computer can also attack other computers.
Is Turris Omnia safe?

sry for my eng

Thanks for quick reaction

2 Likes

Wouldn’t it be better to send an email notification for every security issue, or to send it to someone who has installed samba or another affected package, in future?
I doubt that many users are watching this forum. :slight_smile:

2 Likes

We’ve looked into it a bit more. The attacker needs all of this to succeed:

  • Write access to a share. This means either being logged in, or a share being anonymously writable ‒ which is not safe in the first place.
  • Your samba being accessible from the Internet (bad idea to start with) or you already having an infected computer inside your network.
  • A binary code for the correct architecture ‒ ARM processor and running on top of the libraries in Omnia ‒ so, likely, specifically targeting Omnia or similar devices. It is more likely attackers will start with more common devices.

So, there’s a chance this could be used to attack you (depending on your configuration), but it sounds a bit unlikely.

To be on the safe side, use the configuration recommended above ‒ it just turns the whole part that is vulnerable off. Or, if you can, just turn samba off completely until tomorrow. If everything goes as planned, you’ll get a fix then.

This is what I gathered from the available information ‒ which is, as you noticed, not much. There might be parts that are not 100% correct. But the configuration is recommended by samba itself, so that should help (turning it off will work for sure as well).

Good point!

Actually, we are thinking about this as a future feature for Turris users but we don’t have an agreement from our users to send them this type of e-mail yet. So…this time it is on our forum, website and Twitter!

4 Likes

Hi @Vaclav (and others),

Thanks for promptly responding!!

I was about to post the question what to do about this, but clearly you guys are already on top of things (another +1 for this dream-router and corresponding support):

Although a Turris patch will probably be available today, can anyone in the meantime:

  1. Inform me where to find the smb.conf (I tried /etc/samba/ but was not able to find it there)?
  2. Where and/or how to check whether we are vulnerable (is samba installed by default and are therefore all Turris Omnia’s vulnerable out-of-the-box, or should samba explicitly be installed first)?

Thanks all - STAY SAFE!

Hi,
ad 1. /etc/samba/smb.conf (but on TurrisOS it is only a symlink to /var/etc/smb.conf)
ad 2. samba is installed on Turris router by NAS choice in updater (or manually via opkg)

2 Likes

You can find more about SAMBA configuration there. :slight_smile:

2 Likes

Thanks!

I do not remember having it installed during (or after) the initialization nor from the updater of the router. So I checked the locations you mentioned manually. Just to be sure:

root@turris:/# ls /etc/samba
lowcase.dat        smb.conf.template  upcase.dat         valid.dat

So, no symlink for me in /etc/samba. But I do see a smb.conf.template (as also discussed at the OpenWRT page you linked):

But that one has a totally different format; so I do not think that is the place to append the suggested nt pipe support = no, right (otherwise how do I know that it is being added to the [global] section that is being referred to on every site)?

Nor did I find any (real) samba config file in /var/etc/smb.conf:

root@turris:/# ls /var/etc/
dnsmasq.conf           ssh                    ulogd-turris.conf      ulogd-turris.conf.md5  ulogd.conf

This all made me happy on first thought, as that would mean no samba and (hence) my Turris not being vulnerable.

However after checking whether samba may have been installed more explicitly I got the following output from opkg:

root@turris:/# opkg list-installed | grep samba
luci-app-samba - git-17.009.29435-7d19852-1
luci-i18n-samba-cs - git-17.009.29435-7d19852-1
luci-i18n-samba-en - git-17.009.29435-7d19852-1
samba36-client - 3.6.25-5
samba36-server - 3.6.25-5

Which confuses me, as especially the latter line would suggest samba36-server to be installed (and would be the client on the line above it)? Upon those results I also checked in LuCi:

Should I (and others getting the same results) worry (until the patch is pushed to our systems), and should we therefore still apply that line in some config file (question remaining would then still be: what /path/file to place it in), or are we in the green?

Sorry for being picky, but when it comes to security I always get nervous (which is why I love Turris; as it is so much better than most proprietary stuff).

1 Like

I’ll write what I did on my Turris:

  1. I edited the “/etc/samba/smb.conf.template” file and added the “nt pipe support = no” line to it
  2. I restarted the samba daemon with the command “/etc/init.d/samba restart”

The appropriate config option is then in the real config file “/var/etc/smb.conf”

But, don’t worry. The security patch for TurrisOS will probably be released today and everything will be OK again! :slight_smile:

2 Likes

Aight!

Going to do the same then, in anticipation of the update!

Thanks!

1 Like

To explain that behaviour. Samba is installed as part of the NAS choice, which is on by default. However, it is only installed, not started, therefore safe by default.

The user needs to configure and enable it to get started.

By that restart you did, you actually started it. You might want to turn it off again (if it wasn’t running before, you probably don’t need it and it’s always safer not to run services you don’t need).

1 Like

DOH…

@vorner you are right! Thanks for sharing that insight!!

That makes the complete mitigation until update for me (inspired by @Nones input):

cp /etc/samba/smb.conf.template /etc/samba/smb.conf.template.bak20172605_pre_cve-2017-7494_patch && \
echo "        nt pipe support = no" >> /etc/samba/smb.conf.template && \
/etc/init.d/samba restart && \
/etc/init.d/samba stop && \
/etc/init.d/samba disable

To both patch the config (and disable the part of SAMBA that is vulnerable) and stop the samba service as a whole (after restarting it to load the new config), and even keeping samba from auto-starting.

So; a bit double (even triple), but better safe than sorry. :sweat_smile:

I hope it helps others too (trying to add my “two cents” to the FOSS community on my level…)

@vorner and @Vaclav I’m assuming you cz.nic peeps will post it here too once the update is available?
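A check for the workaround discussed in the posts above, as an added example that is not part of the original thread: it reads a Samba config (on TurrisOS the generated /var/etc/smb.conf the thread mentions) and reports whether `nt pipe support` is really switched off inside `[global]`, which is the question raised about appending the line to the template. The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: check whether the "nt pipe support = no" workaround
# is actually effective in a Samba config file.

# Print the effective [global] "nt pipe support" value (lower-cased),
# or "unset". FILE may be "-" for stdin.
global_nt_pipe_support() {
    awk '
        /^[ \t]*[#;]/ { next }                  # comment lines
        /^[ \t]*\[/ {                           # section header
            name = tolower($0)
            gsub(/^[ \t]*\[[ \t]*|[ \t]*\].*$/, "", name)
            in_global = (name == "global")
            next
        }
        in_global && (eq = index($0, "=")) {
            key = tolower(substr($0, 1, eq - 1))
            val = tolower(substr($0, eq + 1))
            gsub(/[ \t]/, "", key)              # Samba ignores whitespace in names
            gsub(/^[ \t]+|[ \t\r]+$/, "", val)
            if (key == "ntpipesupport") result = val   # later assignment overrides
        }
        END { print (result == "" ? "unset" : result) }
    ' "$1"
}

# Exit 0 only if [global] turns named pipe support off.
workaround_applied() {
    case "$(global_nt_pipe_support "$1")" in
        no|false|0) return 0 ;;                 # boolean spellings from smb.conf(5)
        *) return 1 ;;
    esac
}

# Constructed sample: the option was appended after a share section,
# so it lands in [storage], not in [global].
sample_conf() {
    printf '%s\n' '[global]' '        workgroup = WORKGROUP' \
        '[storage]' '        path = /mnt/data' '        nt pipe support = no'
}

# With no argument, run on the constructed sample; otherwise on the given file.
target="${1:--}"
if [ "$target" = "-" ]; then sample_conf; else cat "$target"; fi |
    { workaround_applied - && echo "workaround in effect" ||
      echo "workaround NOT in effect in [global]"; }
```

Pass the path of the generated config as the first argument to check a real file; run after the samba init script has regenerated it from the template.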

Hi folks, we have released the kraken…ehm, the fix! It is living in RC for now and will be in master (for all users) around 16:00.

3 Likes
2 Likes

3.6.5 is out for all, stay secure and send us your feedback :wink: