Hi Folks, It looks like samba has a remote-root-wormable vulnerability, present in all versions for the past seven years. https://arstechnica.com/security/2017/05/a-wormable-code-execution-bug-has-l... Note that a work-around is setting this in /etc/samba/smb.conf: nt pipe support = no Then restart smbd. While the workaround is fine, what about all those routers and NAS boxes out there that will never get updated? Regards, Lew -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
Lew Wolfgang wrote:
Hi Folks,
It looks like samba has a remote-root-wormable vulnerability, present in all versions for the past seven years.
https://arstechnica.com/security/2017/05/a-wormable-code-execution-bug-has-l...
Note that a work-around is setting this in /etc/samba/smb.conf:
nt pipe support = no
Then restart smbd.
While the workaround is fine, what about all those routers and NAS boxes out there that will never get updated?
Routers with samba? The NAS boxes - if people make them available on the net, well. Run owncloud or some such on them. -- Per Jessen, Zürich (21.6°C) http://www.hostsuisse.com/ - dedicated server rental in Switzerland. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On 06/01/2017 11:49 AM, Per Jessen wrote:
While the workaround is fine, what about all those routers and NAS boxes out there that will never get updated? Routers with samba? The NAS boxes - if people make them available on the net, well. Run owncloud or some such on them.
Sure, many home routers have file and printer sharing capability. I think that UPnP could possibly exacerbate the problem too. They don't have to be available on the net if a local machine becomes compromised by some other means. The worm would travel through a private network like snails thorough a goose! Regards, Lew -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
Lew Wolfgang wrote:
On 06/01/2017 11:49 AM, Per Jessen wrote:
While the workaround is fine, what about all those routers and NAS boxes out there that will never get updated? Routers with samba? The NAS boxes - if people make them available on the net, well. Run owncloud or some such on them.
Sure, many home routers have file and printer sharing capability.
Really? I was not aware.
I think that UPnP could possibly exacerbate the problem too. They don't have to be available on the net if a local machine becomes compromised by some other means. The worm would travel through a private network like snails thorough a goose!
Wasn't there one recently just like that? That one that paralyzed the British NHS and many other places? -- Per Jessen, Zürich (18.9°C) http://www.dns24.ch/ - free dynamic DNS, made in Switzerland. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On 2017-06-02 07:40, Per Jessen wrote:
Lew Wolfgang wrote:
On 06/01/2017 11:49 AM, Per Jessen wrote:
While the workaround is fine, what about all those routers and NAS boxes out there that will never get updated? Routers with samba? The NAS boxes - if people make them available on the net, well. Run owncloud or some such on them.
Sure, many home routers have file and printer sharing capability.
Really? I was not aware.
Yes. You can connect a USB disk and share it. Also a printer via USB. I saw it first about five years ago.
I think that UPnP could possibly exacerbate the problem too. They don't have to be available on the net if a local machine becomes compromised by some other means. The worm would travel through a private network like snails thorough a goose!
Wasn't there one recently just like that? That one that paralyzed the British NHS and many other places?
Yes, that is worrying, if samba is also vulnerable. -- Cheers / Saludos, Carlos E. R. (from 42.2 x86_64 "Malachite" at Telcontar)
On 06/01/2017 12:43 PM, Lew Wolfgang wrote:
Note that a work-around is setting this in /etc/samba/smb.conf:
nt pipe support = no
Well, not much of a work-around since it prevents Vista+ windoze clients from connecting... Kinda defeats the purpose... Looks like it is fixed in samba 4.5.10. Good heads up Wolfgang! -- David C. Rankin, J.D.,P.E. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On June 5, 2017 12:15:20 AM PDT, "David C. Rankin" <drankinatty@suddenlinkmail.com> wrote:
On 06/01/2017 12:43 PM, Lew Wolfgang wrote:
Note that a work-around is setting this in /etc/samba/smb.conf:
nt pipe support = no
Well, not much of a work-around since it prevents Vista+ windoze clients from connecting... Kinda defeats the purpose... Looks like it is fixed in samba 4.5.10.
Doesn't prevent any such thing for me. -- Sent from my Android phone with K-9 Mail. Please excuse my brevity. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On 06/05/2017 02:42 AM, John Andersen wrote:
Doesn't prevent any such thing for me.
It sure did for me, as soon as I enabled nt pipe support = no in smb.conf, win10 would no longer browse the shares. It could still see the server, but all access to the shares was denied. (they are all non-public shares requiring group membership and user/pass to access). I didn't dissect the logs to determine if it was a Windows config setting or a setting in my smb.conf in addition to the `nt pipe support = no` that was the culprit, I just commented the addition out and updated samba and all was well. -- David C. Rankin, J.D.,P.E. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
* David C. Rankin <drankinatty@suddenlinkmail.com> [06-06-17 03:43]:
On 06/05/2017 02:42 AM, John Andersen wrote:
Doesn't prevent any such thing for me.
It sure did for me, as soon as I enabled
nt pipe support = no
in smb.conf, win10 would no longer browse the shares. It could still see the server, but all access to the shares was denied. (they are all non-public shares requiring group membership and user/pass to access). I didn't dissect the logs to determine if it was a Windows config setting or a setting in my smb.conf in addition to the `nt pipe support = no` that was the culprit, I just commented the addition out and updated samba and all was well.
works fine here with four Tw and one 42.2 boxes. -- (paka)Patrick Shanahan Plainfield, Indiana, USA @ptilopteri http://en.opensuse.org openSUSE Community Member facebook/ptilopteri Registered Linux User #207535 @ http://linuxcounter.net Photos: http://wahoo.no-ip.org/piwigo paka @ IRCnet freenode -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On 06/06/2017 06:04 AM, Patrick Shanahan wrote:
works fine here with four Tw and one 42.2 boxes.
Then it is definitely a supplemental config issue on my end. Are you running samba as part of a domain, or do you have it set up 'stand alone' (I run 'stand alone') If I get a chance I'll dig deeper into the reason, but as samba 4.6.4 came out today and there are no further issues, it will have to wait for the weekend. Thanks for the feedback Patrick. -- David C. Rankin, J.D.,P.E. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
* David C. Rankin <drankinatty@suddenlinkmail.com> [06-07-17 03:08]:
On 06/06/2017 06:04 AM, Patrick Shanahan wrote:
works fine here with four Tw and one 42.2 boxes.
Then it is definitely a supplemental config issue on my end. Are you running samba as part of a domain, or do you have it set up 'stand alone' (I run 'stand alone')
stand alone, didn't even need configuration, just enabled systemctl enable smb systemctl start smb -- (paka)Patrick Shanahan Plainfield, Indiana, USA @ptilopteri http://en.opensuse.org openSUSE Community Member facebook/ptilopteri Registered Linux User #207535 @ http://linuxcounter.net Photos: http://wahoo.no-ip.org/piwigo paka @ IRCnet freenode -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On 06/06/2017 04:04 AM, Patrick Shanahan wrote:
works fine here with four Tw and one 42.2 boxes.
Well the issue here is can Win10 clients see your opensuse boxen, not whether the opensuse versions can see each other. My ONE Win10 box can see my several Opensuse and Manjaro samba servers, as can all older versions of windows. However, who knows what hacks I may have done to that Win10 box in the past to make this work. I use it so seldom I really don't remember. -- After all is said and done, more is said than done. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
participants (6)
-
Carlos E. R. -
David C. Rankin -
John Andersen -
Lew Wolfgang -
Patrick Shanahan -
Per Jessen