Security advisory: Badlock Bug

Yesterday, April 12th, 2016, a new security bug named Badlock was disclosed.
The bug affects almost all current Samba releases.
Official site: http://badlock.org

Red Hat and CentOS already released the updates: https://access.redhat.com/security/vulnerabilities/badlock

Be aware that updating current NethServer installations could potentially lead to problems if Samba is configured in PDC mode and Windows workstations have joined the domain.

ATTENTION
Currently, all Windows machines joined to NethServer will not be able to log in to the server after the Samba update.
We are still investigating the issue; updates will be posted here. In the meanwhile, we suggest not updating the Samba packages if you're using NS as PDC.

Workaround 1: users who already updated the system should downgrade all Samba packages using the following command (edited, thanks to @maxbet):

yum downgrade samba* tdb-tools libtdb libtevent libtalloc pytalloc libldb

Workaround 2: use locally cached credentials by disconnecting the network cable from the Windows machine before login.


To circumvent a PDC mode issue with workstation trust we are testing this custom-template fragment for smb.conf:

cat /etc/e-smith/templates-custom/etc/samba/smb.conf/30badlock

    30badlock workaround – custom template
    [global]
    allow dcerpc auth level connect = yes
    server signing = mandatory

Warning: this may break older clients.

Edit: run also this command:

    signal-event nethserver-samba-update
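Because the fragment above only takes effect once the template has been expanded into the live configuration (the signal-event step), it is worth verifying the rendered file rather than the fragment. The following check is an added example, not code from the thread or from NethServer: it scans an smb.conf, tracks the current section, and reports whether both workaround settings are present in [global], with case-insensitive matching as Samba itself applies. The path argument and the function name are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the thread): verify that the rendered smb.conf
# carries the two [global] settings the 30badlock template fragment adds.
# Usage: check_badlock_workaround /etc/samba/smb.conf
# Exit status: 0 = both settings present, 1 = at least one missing, 2 = unreadable file.
check_badlock_workaround() {
    conf="${1:-/etc/samba/smb.conf}"
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    awk '
        # A line like "[global]" starts a new section; names are case-insensitive.
        /^[[:space:]]*\[/ { s = tolower($0); gsub(/\[|\]|[[:space:]]/, "", s); next }
        # Only "key = value" lines inside [global] matter for this check.
        s == "global" && /=/ {
            key = tolower($0); sub(/=.*/, "", key)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", key); gsub(/[[:space:]]+/, " ", key)
            val = tolower($0); sub(/^[^=]*=/, "", val)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            if (key == "allow dcerpc auth level connect" && val == "yes") a = 1
            if (key == "server signing" && val == "mandatory") b = 1
        }
        END {
            if (!a) print "missing in [global]: allow dcerpc auth level connect = yes"
            if (!b) print "missing in [global]: server signing = mandatory"
            exit (a && b) ? 0 : 1
        }' "$conf"
}
```

Run it after `signal-event nethserver-samba-update`; a non-zero exit with a "missing" line means the fragment was not picked up (wrong path, or the template was never re-expanded). Note that a setting placed under a share section instead of [global] is deliberately not counted.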

Hi,

I have this issue.

I tried these workarounds, but they did not work.

Hence my vote for selective updates in the gui instead of “all or nothing”.

Could you describe your environment?

I guess there is a NethServer 6.7 PDC as server. Am I right?

What Windows clients are there?

I have Nethserver 7 Alpha2…

Clients are Windows 10.

I didn’t test ns7: there will not be PDC mode on ns7! At least I have no plans for it! We will try the “classic upgrade” to AD mode :scream:

Are they already joined to domain or you were attempting to join a new machine? Did they receive the latest security update?

I have PDC mode. It was working until yesterday. Is there a plan for the launch of the next release (alpha or beta)?

I'm already joined to Windows.

I can confirm that this configuration works flawlessly with Win 10 machines but not with XP machines.


I’m sorry but upstream updates are out of our control; the only thing we can do is tweak our configuration! I think we are in an exceptional situation; usually security fixes do not break running systems…

We’re working out the kinks in development of NethServer 7 as Samba AD controller; some packages have been uploaded to the testing repository. You can follow this guide to check them out on a clean ns7 alpha 2:

http://wiki.nethserver.org/doku.php?id=samba_dc

It would be great to check out the “classic upgrade” path! Any volunteer?

https://wiki.samba.org/index.php/Migrating_a_Samba_NT4_domain_to_a_Samba_AD_domain_(classic_upgrade)

I think a similar feature is for experts only. Maybe I’m wrong; those who can decide if an update should be excluded or not can also tweak the YUM configuration to exclude it :wink:

I think we should find a working configuration and apply it. If this is not possible, we can open an upstream bug.


Unfortunately today I updated our office NS running as PDC with several windows clients (Win7 and Win10).
I just read the warning (… a little late) and I tried to apply Giacomo’s suggestion to downgrade, but YUM stops with the error shown in the attached picture.

How can I restore access to the server before the users log in tomorrow morning (China time)?

Thank you

Massimo

MAYBE undoing yum history changes will take you to a working state (but with unpatched vulnerabilities).
Have not tested this. What are your thoughts (to you all)?
Apart from the security issue, any possible conflict with NethServer config or packages?

Follow @dnutan's advice or try to downgrade also pytalloc:

yum downgrade samba* tdb-tools libtdb libtevent libtalloc pytalloc

The log you posted is quite clear :wink:

Try @giacomo’s suggestion first, as knowing the specific conflicting packages can help others pinpoint similar issues.

I tried Giacomo’s suggestion; almost there … but not yet.

Any further ideas?

Massimo

Try to downgrade also libldb.

OK, that did it!

The complete command to restore the previous configuration is:

yum downgrade samba* tdb-tools libtdb libtevent libtalloc pytalloc libldb

I hope this can help others as well…

Thank you for the help, I will let you know tomorrow if we could login regularly.


Thanks for sharing, it will definitely help others!

Not working for me. If I update after trying this solution, I get the same dependency error…