Implications of Samba Patch for CVE-2017-14746

security
testing

(James Nesbitt) #1

What are the implications for Samba and Shared Folder when RHEL roll out the fix for https://www.samba.org/samba/security/CVE-2017-14746.html?


(Marc) #2

More info (to track): Red Hat CVE-2017-14746


(Dominik) #3

Adding this
server min protocol = SMB2
to the samba conf in the global section should do the trick, but right now I cannot check it because I don't have access to any NS7 server. Maybe it's already patched.


(Marc) #4

Samba fix for RHEL7/CentOS7 was released on November 27th, and is available through the usual update procedure.

New version of packages is 4.6.2-12 (for libsmbclient, libwbclient, samba* and many others).
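
An added check, not code from this thread or from NethServer, that ties the two points above together: it compares installed Samba package versions against the fixed 4.6.2-12 build Marc names, and tests an smb.conf for the "server min protocol = SMB2" setting Dominik suggests. It assumes GNU `sort -V` is available and constructs its own sample inputs.

```sh
#!/bin/sh
# Added example, not from the thread: checks RHEL7/CentOS7 Samba package
# versions against the fixed build named above (4.6.2-12) and checks whether
# smb.conf already applies the "server min protocol = SMB2" mitigation.
# All inputs below are constructed samples; on a real host pipe in the output
# of `rpm -q samba samba-libs libsmbclient libwbclient` and `testparm -s`.

FIXED_VER="4.6.2-12"   # first RHEL7 build carrying the CVE-2017-14746 fix

# version_ge A B: true when A >= B in version order (GNU sort -V, assumed)
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# nvr_version "samba-libs-4.6.2-12.el7_4.x86_64" -> "4.6.2-12"
# (assumes lowercase package names and an .elN dist tag, as in the thread)
nvr_version() {
    printf '%s\n' "$1" | sed -E 's/^[a-z0-9-]+-([0-9.]+-[0-9]+)\..*$/\1/'
}

# unpatched_packages: reads "rpm -q"-style lines on stdin and prints those
# still below FIXED_VER; prints nothing once every package is updated
unpatched_packages() {
    while read -r nvr; do
        version_ge "$(nvr_version "$nvr")" "$FIXED_VER" || printf '%s\n' "$nvr"
    done
}

# smb1_disabled: reads an smb.conf on stdin; succeeds only when the [global]
# section sets "server min protocol" (or its alias "min protocol") to SMB2+
smb1_disabled() {
    awk '
        /^[ \t]*\[/ { sect = tolower($0) }
        sect ~ /\[global\]/ &&
        tolower($0) ~ /^[ \t]*(server )?min protocol[ \t]*=/ {
            split($0, a, "="); v = toupper(a[2]); gsub(/[ \t]/, "", v)
            if (v ~ /^SMB[23]/) found = 1
        }
        END { exit !found }'
}

# Stand-alone demo on constructed data
printf '%s\n' samba-4.6.2-11.el7_4.x86_64 samba-libs-4.6.2-12.el7_4.x86_64 \
    | unpatched_packages
printf '[global]\n  server min protocol = SMB2\n' | smb1_disabled \
    && echo "SMB1 disabled in [global]"
```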


(James Nesbitt) #5

Thanks, I saw the updates, haven’t applied them yet.

Prefer to be onsite when I apply it in case something goes wrong


(Davide Principi) #6

I’m testing it

==========================================================================================================
 Package                       Arch              Version                         Repository          Size
==========================================================================================================
Updating:
 apr                           x86_64            1.4.8-3.el7_4.1                 updates            103 k
 curl                          x86_64            7.29.0-42.el7_4.1               updates            267 k
 libcurl                       x86_64            7.29.0-42.el7_4.1               updates            219 k
 libsmbclient                  x86_64            4.6.2-12.el7_4                  updates            130 k
 libwbclient                   x86_64            4.6.2-12.el7_4                  updates            104 k
 procmail                      x86_64            3.22-36.el7_4.1                 updates            171 k
 samba                         x86_64            4.6.2-12.el7_4                  updates            633 k
 samba-client                  x86_64            4.6.2-12.el7_4                  updates            598 k
 samba-client-libs             x86_64            4.6.2-12.el7_4                  updates            4.7 M
 samba-common                  noarch            4.6.2-12.el7_4                  updates            197 k
 samba-common-libs             x86_64            4.6.2-12.el7_4                  updates            164 k
 samba-common-tools            x86_64            4.6.2-12.el7_4                  updates            456 k
 samba-libs                    x86_64            4.6.2-12.el7_4                  updates            265 k

Transaction Summary
==========================================================================================================
Upgrade  13 Packages

Total download size: 7.9 M

Edit: NTLM auth still works after updating upstream packages

smbclient -d 10 -U ... //IP/share
...
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
Cannot do GSE to an IP address
Failed to start GENSEC client mech gse_krb5: NT_STATUS_INVALID_PARAMETER
Starting GENSEC submechanism ntlmssp
...
ntlmssp_check_packet: NTLMSSP signature OK !

Bug is still undisclosed https://bugzilla.redhat.com/show_bug.cgi?id=1514314

I don’t know how it deals with old SMB1 clients… Any idea?


(Marc) #7

Also the DC container should be updated at least to Samba 4.6.11 (maintenance mode) or 4.7.3.


(Filippo Carletti) #8

I think that nothing will change, SMB1 will be working as before.


(Marc) #9

No idea. Samba 4.7.0 (old) release notes said:


(Davide Principi) #10

The DC package is ready for testing:

yum install http://packages.nethserver.org/nethserver/7.4.1708/autobuild/x86_64/Packages/nethserver-dc-1.3.2-1.3.pr70.gfe2eff6.ns7.x86_64.rpm

(Davide Principi) #11

I tested the update on a production server. The DC package has been released.

