Bug 1038231 - (CVE-2017-7494) VUL-0: CVE-2017-7494: samba: authenticated remote code execution bug
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P1 - Urgent
Severity: Major
Target Milestone: ---
Assigned To: The 'Opening Windows to a Wider World' guys
QA Contact: Security Team bot
CVSSv2:SUSE:CVE-2017-7494:9.0:(AV:N/A...

Reported: 2017-05-09 10:44 UTC by Marcus Meissner
Modified: 2017-07-04 22:47 UTC
CC List: 18 users

Comment 25 David Disseldorp 2017-05-24 08:09:20 UTC
Fix is now public:
https://git.samba.org/?p=samba.git;a=commit;h=04a3ba4dbcc4be0ffc706ccc0b586d151d360015

Submitted for openSUSE factory:
https://build.opensuse.org/request/show/497890
Comment 27 Marcus Meissner 2017-05-24 08:47:05 UTC
is public now:

https://www.samba.org/samba/security/CVE-2017-7494.html

====================================================================
== Subject:     Remote code execution from a writable share.
==
== CVE ID#:     CVE-2017-7494
==
== Versions:    All versions of Samba from 3.5.0 onwards.
==
== Summary:     Malicious clients can upload and cause the smbd server
==              to execute a shared library from a writable share.
==
====================================================================

===========
Description
===========

All versions of Samba from 3.5.0 onwards are vulnerable to a remote
code execution vulnerability, allowing a malicious client to upload a
shared library to a writable share, and then cause the server to load
and execute it.

==================
Patch Availability
==================

A patch addressing this defect has been posted to

  http://www.samba.org/samba/security/

Additionally, Samba 4.6.4, 4.5.10 and 4.4.14 have been issued as
security releases to correct the defect. Patches against older Samba
versions are available at http://samba.org/samba/patches/. Samba
vendors and administrators running affected versions are advised to
upgrade or apply the patch as soon as possible.

==========
Workaround
==========

Add the parameter:

nt pipe support = no

to the [global] section of your smb.conf and restart smbd. This
prevents clients from accessing any named pipe endpoints. Note this
can disable some expected functionality for Windows clients.

=======
Credits
=======

This problem was found by steelo <knownsteelo@gmail.com>. Volker
Lendecke of SerNet and the Samba Team provided the fix.
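
The workaround in the advisory above can be checked mechanically. What follows is an added example, not code from the Samba advisory, from SUSE, or from anyone in this bug: a POSIX shell script that parses an smb.conf (a constructed sample is embedded; the function names are my own), reports whether "nt pipe support = no" is set in [global], and lists the writable shares, which are the places a malicious client can upload a shared library. Guest-writable shares are flagged separately because they let a client upload without any credentials.

```shell
#!/bin/sh
# Added example (not code from the Samba advisory, SUSE, or this bug's
# commenters): audit an smb.conf for the CVE-2017-7494 workaround and list the
# writable shares where a client could drop a shared library. Needs only a
# POSIX shell and awk. Function names and the sample config are my own.

# Constructed sample smb.conf for demonstration; on a real host feed the
# output of "testparm -s" instead (see the usage note below).
SAMPLE_SMB_CONF="$(cat <<'EOF'
[global]
   workgroup = WORKGROUP
   ; nt pipe support = no    <- commented out, so the workaround is NOT active
[homes]
   comment = Home Directories
   read only = no
[public]
   path = /srv/samba/public
   guest ok = yes
   writeable = yes
[docs]
   path = /srv/samba/docs
   read only = yes
EOF
)"

# Print "yes" if "nt pipe support = no" is in effect in [global], else "no".
# As in smbd, the last occurrence of a parameter wins.
nt_pipe_disabled() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*[#;]/ { next }                      # comment line
        /^[ \t]*\[/ {                               # [section] header
            sec = tolower($0); sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
            next
        }
        sec == "global" {
            line = tolower($0); gsub(/[ \t]/, "", line)  # "ntpipesupport=no"
            if (line ~ /^ntpipesupport=(no|false|0)$/)  found = 1
            if (line ~ /^ntpipesupport=(yes|true|1)$/)  found = 0
        }
        END { print (found ? "yes" : "no") }'
}

# Print one line per writable share (all non-[global] sections), with
# " (guest ok)" appended when guests may use it. Understands "read only"
# and its inverted synonyms writable / writeable / write ok.
writable_shares() {
    printf '%s\n' "$1" | awk '
        function emit(   out) {
            if (sec != "" && sec != "global" && writable) {
                out = sec
                if (guest) out = out " (guest ok)"
                print out
            }
        }
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/ {
            emit()
            sec = tolower($0); sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
            writable = 0; guest = 0
            next
        }
        {
            line = tolower($0); gsub(/[ \t]/, "", line)
            if (line ~ /^(writable|writeable|writeok)=(yes|true|1)$/) writable = 1
            if (line ~ /^(writable|writeable|writeok)=(no|false|0)$/) writable = 0
            if (line ~ /^readonly=(no|false|0)$/)                     writable = 1
            if (line ~ /^readonly=(yes|true|1)$/)                     writable = 0
            if (line ~ /^guestok=(yes|true|1)$/)                      guest = 1
        }
        END { emit() }'
}

# Short report combining both checks.
audit_smb_conf() {
    if [ "$(nt_pipe_disabled "$1")" = "yes" ]; then
        echo "OK:   'nt pipe support = no' is set in [global] (workaround active)"
    else
        echo "WARN: 'nt pipe support = no' is not set; if smbd is unpatched, add it or upgrade"
    fi
    echo "Writable shares (upload targets for a malicious shared library):"
    writable_shares "$1" | sed 's/^/  - /'
}

audit_smb_conf "$SAMPLE_SMB_CONF"
```

On a live host run it as audit_smb_conf "$(testparm -s 2>/dev/null)": testparm -s prints the effective configuration with "include =" files resolved, which a plain read of /etc/samba/smb.conf would miss. The script does not treat print shares ("printable = yes") as writable even though clients can spool files to them, and a clean report is not a substitute for the fixed packages listed below: the advisory itself notes that the workaround can break expected functionality for Windows clients.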
Comment 29 Bernhard Wiedemann 2017-05-24 10:01:10 UTC
This is an autogenerated message for OBS integration:
This bug (1038231) was mentioned in
https://build.opensuse.org/request/show/497905 Factory / samba
Comment 34 Johannes Segitz 2017-05-24 12:05:40 UTC
I checked on SLE 12 SP2 and there
/usr/share/samba/update-apparmor-samba-profile
is used to dynamically generate profiles with rwlk, so if apparmor is active this shouldn't be exploitable directly.
Comment 35 Swamp Workflow Management 2017-05-24 13:09:36 UTC
SUSE-SU-2017:1391-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1038231
CVE References: CVE-2017-7494
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    samba-3.6.3-93.1
SUSE Linux Enterprise Server 11-SP4 (src):    samba-3.6.3-93.1, samba-doc-3.6.3-93.1
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    samba-3.6.3-93.1, samba-doc-3.6.3-93.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    samba-3.6.3-93.1, samba-doc-3.6.3-93.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    samba-3.6.3-93.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    samba-3.6.3-93.1
Comment 36 Swamp Workflow Management 2017-05-24 13:10:07 UTC
SUSE-SU-2017:1392-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1038231
CVE References: CVE-2017-7494
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    samba-4.2.4-28.14.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    samba-4.2.4-28.14.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    samba-4.2.4-28.14.1
SUSE Linux Enterprise Server 12-SP2 (src):    samba-4.2.4-28.14.1
SUSE Linux Enterprise Server 12-SP1 (src):    samba-4.2.4-28.14.1
SUSE Linux Enterprise High Availability 12-SP1 (src):    samba-4.2.4-28.14.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    samba-4.2.4-28.14.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    samba-4.2.4-28.14.1
Comment 37 Swamp Workflow Management 2017-05-24 13:10:34 UTC
SUSE-SU-2017:1393-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1038231
CVE References: CVE-2017-7494
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    samba-4.4.2-38.6.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    samba-4.4.2-38.6.1
SUSE Linux Enterprise Server 12-SP2 (src):    samba-4.4.2-38.6.1
SUSE Linux Enterprise High Availability 12-SP2 (src):    samba-4.4.2-38.6.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    samba-4.4.2-38.6.1
Comment 38 Swamp Workflow Management 2017-05-24 13:11:39 UTC
SUSE-SU-2017:1396-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1038231
CVE References: CVE-2017-7494
Sources used:
SUSE Linux Enterprise Server for SAP 12 (src):    samba-4.2.4-18.41.1
SUSE Linux Enterprise Server 12-LTSS (src):    samba-4.2.4-18.41.1
Comment 39 Swamp Workflow Management 2017-05-24 19:12:21 UTC
openSUSE-SU-2017:1401-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1038231
CVE References: CVE-2017-7494
Sources used:
openSUSE Leap 42.2 (src):    samba-4.4.2-11.9.1
Comment 40 Haral Tsitsivas 2017-05-25 23:01:15 UTC
Are systems where only libsmbclient0-3.6.3 are installed affected by this bug/vulnerability?
Comment 41 Marcus Meissner 2017-05-26 05:43:05 UTC
No, this is a server specific issue and the bug is in the server package/RPM
Comment 42 Sascha Weber 2017-05-26 10:44:47 UTC
hi guys,

quick question, on https://access.redhat.com/security/cve/CVE-2017-7494 under "mitigation" we found:
+++++++++++++++
Add the parameter:

nt pipe support = no

to the [global] section of your smb.conf and restart smbd. This prevents clients from accessing any named pipe endpoints. Note this can disable some expected functionality for Windows clients.
+++++++++++++++

^^ is this something we should add to the TID?

Sascha
Comment 44 Marcus Meissner 2017-05-26 12:40:32 UTC
(In reply to Sascha Weber from comment #42)
> hi guys,
> 
> quick question, on https://access.redhat.com/security/cve/CVE-2017-7494 under
> "mitigation" we found:
> +++++++++++++++
> Add the parameter:
> 
> nt pipe support = no
> 
> to the [global] section of your smb.conf and restart smbd. This prevents
> clients from accessing any named pipe endpoints. Note this can disable some
> expected functionality for Windows clients.
> +++++++++++++++
> 
> ^^ is this something we should add to the TID?
> 
> Sascha

Sascha, yes please.
Comment 48 Sascha Weber 2017-05-26 14:10:11 UTC
@Marcus Meissner: please reference the bug you are talking about.

@Marcus/David: TID is updated, I added the note about "AppArmor" into the additional information section:
++++++++++
AppArmor

If AppArmor is active, /usr/share/samba/update-apparmor-samba-profile is used to dynamically generate profiles with rwlk preventing a possible exploit.
++++++++++
Comment 49 Swamp Workflow Management 2017-05-26 16:09:37 UTC
openSUSE-SU-2017:1415-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1038231
CVE References: CVE-2017-7494
Sources used:
openSUSE Leap 42.1 (src):    samba-4.2.4-33.1
Comment 52 James McDonough 2017-06-05 17:39:15 UTC
all shipped