Security advisory: Badlock Bug

giacomo · April 13, 2016, 2:18pm

Yesterday, on April 12th, 2016, a new security bug named Badlock, has been disclosed.
The bug affects almost all current Samba releases.
Official site: http://badlock.org

Red Hat and CentOS already released the updates: https://access.redhat.com/security/vulnerabilities/badlock

Be aware that updating current NethServer installations could potentially lead to problems if Samba is configured in PDC mode and Windows workstations have joined the domain.

ATTENTION
Actually all Windows machines joined to NethServer will not be able to login to the server after Samba update.
We are still investigating the issue, updates will be posted here, in the meanwhile we suggest not to update the Samba packages if you’re using NS as PDC.

Workaround 1: users who already updated the system, should downgrade all samba packages sign following command (edited, thanks to @maxbet): yum downgrade samba* tdb-tools libtdb libtevent libtalloc pytalloc libldbWorkaround 2: use local cached credentials by disconnecting network cable from the Windows machine before login.

davidep · April 13, 2016, 2:32pm

To circumvent a PDC mode issue with workstation trust we are testing this custom-template fragment for smb.conf:

cat /etc/e-smith/templates-custom/etc/samba/smb.conf/30badlock

30badlock workaround – custom template

[global]

allow dcerpc auth level connect = yes
server signing = mandatory

warning This may break older clients.

Edit: run also this command

 signal-event nethserver-samba-update

marceloeng · April 13, 2016, 8:40pm

Hi,

I have this issue.

I tryed these workarounds, but not work.

fasttech · April 13, 2016, 8:42pm

Hence my vote for selective updates in the gui instead of “all or nothing”.

davidep · April 13, 2016, 9:07pm

Could you describe your environment?

I guess there is a NethServer 6.7 PDC as server. Am I right?

What Windows clients are there?

marceloeng · April 13, 2016, 9:12pm

I have Nethserver 7 Alpha2…

Clientes, are Windows 10.

davidep · April 13, 2016, 9:16pm

I didn’t test ns7: there will not be PDC mode on ns7! At least I have no plans for it! We will try the “classic upgrade” to AD mode

Are they already joined to domain or you were attempting to join a new machine? Did they receive the latest security update?

marceloeng · April 13, 2016, 10:05pm

I have PDC mode. It was working until yesterday. Has a planning for launch of next release (alpha or beta)?

I’m already joined to windows.

giacomo · April 14, 2016, 6:56am

I can confirm that this configuration works flawlessly withn Win 10 machines but not with XP machines.

davidep · April 14, 2016, 7:28am

I’m sorry but upstream updates are out of our control; the only thing we can do is tweak our configuration! I think we are in an exceptional situation; usually security fixes do not break running systems…

We’re working out the kinks in development of NethServer 7 as Samba AD controller; some packages have been uploaded to the testing repository. You can follow this guide to check them out on a clean ns7 alpha 2:

http://wiki.nethserver.org/doku.php?id=samba_dc

It would be great to check out the “classic upgrade” path! Any volunteer?

https://wiki.samba.org/index.php/Migrating_a_Samba_NT4_domain_to_a_Samba_AD_domain_(classic_upgrade)

I think a similar feature is for experts only. Maybe I’m wrong; those who can decide if an update should be excluded or not can also tweak the YUM configuration to exclude it

I think we should find a working configuration and apply it. If this is not possible, we can open a upstream bug.

maxbet · April 14, 2016, 10:59am

Unfortunately today I updated our office NS running as PDC with several windows clients (Win7 and Win10).
I just read the warning (… a little late) and I tried to apply Giacomo’s suggestion to downgrade, but YUM stops with the error shown in the attached picture.

How can I restore the access to the server before the users will login tomorrow morning (China time)?

Thank you

Massimo

dnutan · April 14, 2016, 11:50am

MAYBE undoing yum history changes will take you to a working state (but with unpatched vulnerabilities).
Have not tested this. What are your thoughts (to you all)?
Apart from the security issue, any possible conflict with NethServer config or packages?

giacomo · April 14, 2016, 12:02pm

Follow @dnutan advise or try to uninstall also pytalloc:

yum downgrade samba* tdb-tools libtdb libtevent libtalloc pytalloc

The log you posted is quite clear

dnutan · April 14, 2016, 12:16pm

Try @giacomo’s suggestion first, as knowing the specific conflicting packages can help others pinpoint similar issues.

maxbet · April 14, 2016, 12:32pm

I tried Giacomo’s suggestion; almost there … but not yet.

Any further ideas?

Massimo

giacomo · April 14, 2016, 12:34pm

Try to downgrade also libldb.

maxbet · April 14, 2016, 12:49pm

OK, that did it!

the complete command to restore the previous configuration is :

yum downgrade samba* tdb-tools libtdb libtevent libtalloc pytalloc libldb

I hope this can help others as well…

Thank you for the help, I will let you know tomorrow if we could login regularly.

alefattorini · April 14, 2016, 2:11pm

Thanks for sharing, it will definitely help others!

Manuel_Perez · April 18, 2016, 8:23pm

Not Working for me. If i update after try this solution, same error of dependencies…