This fix sambacry vulnerability in Linux systems

Source: Internet
Author: User
Tags unsupported xsl cve

Guide Samba has long been the standard for Windows clients on Linux systems to share file and print services. Home users, midsize businesses, and large companies are using it as the best solution to stand out in environments where multiple operating systems coexist, and most Samba installations face the risk of an attack that could exploit known vulnerabilities, due to the widespread use of tools, until WannaCry Ransomware attacks are considered unimportant before the news comes out.

650) this.width=650; "class=" AlignCenter "src=" http://www.linuxprobe.com/wp-content/uploads/2017/06/ 095734grkg01cz9rnrclnk.png "alt=" Linux system fix Sambacry Vulnerability (cve-2017-7494) "style=" Height:auto;margin-left:auto; Margin-right:auto; "/>

Loopholes

Outdated and unpatched systems are vulnerable to remote code execution vulnerabilities. Simply put, this means that someone who accesses a writable share can upload an arbitrary piece of code and execute it using root privileges on the server.

This issue is described as cve-2017-7494 on the samba website and is known to affect Samba v3.5 (released in early March 2010) and later versions. Because of similarities with WannaCry, it is unofficially named Sambacry: They are all targeted at the SMB protocol and may be worm-which can cause it to propagate from one system to another.

Debian, Ubuntu, CentOS, and Red Hat have taken swift action to protect their users and have released patches for their supported versions. In addition, an unsupported security temporary solution is available.

Update Samba

As mentioned earlier, there are two ways to update according to the method you have previously installed:

If you install Samba from a distribution repository

Let's look at what you need to do in this case:

Repair Sambacry under Debian

Add the following line to your source list (/etc/apt/sources.list) to ensure that apt is able to get the latest security updates:

Deb http://security.debian.org stable/updates maindeb-src http://security.debian.org/stable/updates Main

Next, update the available packages:

# Aptitude Update

Finally, make sure the version of the Samba package complies with the bug fix version (see CVE-2017-7494):

# Aptitude Show Samba

650) this.width=650; "class=" AlignCenter "src=" http://www.linuxprobe.com/wp-content/uploads/2017/06/ 095739iatdzb40jdk4pbzl-1.png "alt=" Linux system fix Sambacry Vulnerability (cve-2017-7494) "style=" Height:auto;margin-left:auto; Margin-right:auto; "/>

Repairing Sambacry in Debian

Fix Sambacry in Ubuntu

To start the fix, check the new available packages and update the Samba package as follows:

$ sudo apt-get update$ sudo apt-get install Samba

The version of Samba that has been repaired cve-2017-7494 has the following:

    • 17.04:samba 2:4.5.8+dfsg-0ubuntu0.17.04.2

    • 16.10:samba 2:4.4.5+dfsg-2ubuntu5.6

    • 16.04 Lts:samba 2:4.3.11+dfsg-0ubuntu0.16.04.7

    • 14.04 Lts:samba 2:4.3.11+dfsg-0ubuntu0.14.04.8

Finally, run the following command to verify that your Ubuntu has the correct version installed.

$ sudo apt-cache show Samba

Repairing Sambacry in Centos/rhel 7

The version of Samba patched in EL 7 is samba-4.4.4-14.el7_3. To install it, these do:

# yum Makecache fast# Yum Update Samba

As before, make sure you have the patched version of Samba installed:

# Yum Info Samba

650) this.width=650; "src=" Http://www.linuxprobe.com/wp-content/uploads/2017/06/095740l8j3383hjnhmd8ac-1.png "alt = "Fix sambacry vulnerability in Linux system (cve-2017-7494)" style= "Height:auto;"/>

Repairing Sambacry in CentOS

Old supported CentOS and the older version of RHEL have also been repaired. See rhsa-2017-1270 for more.

If you install Samba from the source,

Note: The following procedure assumes that you have previously built Samba from source. It is strongly recommended that you try the test environment before deploying to the production server.

Also, make sure you back up the smb.conf file before you start.

In this case, we will also compile and update Samba from the source code. Before we begin, however, we must ensure that all dependencies are installed. Note that this may take a few minutes.

In Debian and Ubuntu:

# aptitude Install ACL attr autoconf bison build-essential/debhelper dnsutils docbook-xml docbook-xsl Flex gdb Krb5-user /libacl1-dev libaio-dev libattr1-dev libblkid-dev libbsd-dev/libcap-dev libcups2-dev libgnutls28-dev Libjson-perl/ Libldap2-dev Libncurses5-dev libpam0g-dev libparse-yapp-perl/libpopt-dev libreadline-dev perl perl-modules pkg-config /python-all-dev python-dev python-dnspython python-crypto xsltproc/zlib1g-dev libsystemd-dev Libgpgme11-dev Python-gpgme Python-m2crypto

In CentOS 7 or a similar version:

# yum Install attr bind-utils docbook-style-xsl gcc gdb krb5-workstation/libsemanage-python libxslt perl perl-extutils-ma Kemaker/perl-parse-yapp perl-test-base pkgconfig policycoreutils-python/python-crypto gnutls-devel libattr-devel Keyutils-libs-devel/libacl-devel libaio-devel libblkid-devel libxml2-devel openldap-devel/pam-devel popt-devel Python-devel Readline-devel Zlib-devel

Stop Service (LCTT: Not necessary here):

# Systemctl Stop SMBD

Download and unzip the source code (4.6.4 is the latest version when writing):

# wget https://www.samba.org/samba/ftp/samba-latest.tar.gz # tar xzf samba-latest.tar.gz# CD samba-4.6.4

For information purposes, use the following command to check for available configuration options.

#./configure--help

If you have used some of the options in the previous build, you may be able to include some options in the return of the above command, or you can choose to use the default values:

#./configure# make# Make Install

Finally, restart the service.

# systemctl Restart SMBD

and verify that you are using the updated version:

# Smbstatus--version

The return here should be 4.6.4.

Other information

If you're using an unsupported release, and for some reason you can't upgrade to the latest version, you might want to consider these suggestions:

    • If SELinux is enabled, you are under protection!

    • Make sure that Samba sharing is mounted with the NOEXEC option. This prevents binary files from being executed from the mounted file system.

There will also be:

NT Pipe support = no

Added to the [Global] field in smb.conf. You may want to remember that, depending on the Samba project, this "may disable certain features of the Windows client".

Important: Note the NT pipe support = no option disables the Windows client's shared list. For example: When you enter//10.100.10.2/in Windows Explorer on a Samba server, you see "Permission Denied". Windows clients have to manually perform shares such as//10.100.10.2/share_name to access the share.

Summarize

In this article, we have described the sambacry vulnerability and how to mitigate it. We hope you can use this information to protect the system you are responsible for.

If you have any questions or comments about this article, please use the comments section below to let us know.

Author Profile:

Gabriel Cánepa is a gnu/linux system administrator, a web developer of Saint Louis Villa Mercedes, Argentina. He works for an international large consumer goods company, using FOSS tools in his daily work to increase productivity and derive great pleasure from it.


Original address: http://www.linuxprobe.com/linux-sambacry.html

This article is from the "blog" blog, please be sure to keep this source http://coderhsf.blog.51cto.com/12629645/1936928

This fix sambacry vulnerability in Linux systems

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.