[Solved] NethServer AD vulnerable?

NethServer Version: 7.6.1810
Module: Samba AD

Good morning, I recently came across this page and wanted to share it as an FYI and see if there is any need for concern for the AD implementation with NethServer. If I read it correctly, RPC is not an issue with the current version of Samba, as it is affected in 4.9 and 4.10, but the LDAP side is where I am curious, as I am not sure if we can use the patch they provide.

LDAP RPC

As always, I thank you for any guidance or input.

Well… following your link, CVE-2019-12436, if patched, should be enough to not be vulnerable to CVE-2019-12435.
According to Red Hat…
https://access.redhat.com/security/cve/cve-2019-12436
No version of RHEL is vulnerable, without any guarantee…

The latest Samba 4 release available is 4.10.6.
I do not use the NSDC feature in my setups; @corum, would you please post the result of smbstatus --version?
With an updated installation, of course.

Somehow the command-line commands to show the Samba version don't work (getting "command not found").
In Server Manager it shows:
[screenshot: smbversion]

This server is updated to the latest patch level (subscription!!).

Time to summon @davidep, who touched the latest release of NSDC on Git.


README and SHA1SUM are… inconsistent in release number. And Samba 4.8.12 seems to be the latest 4.8 version available.

The DC component which is compiled by NethServer is at the latest 4.8.12 release. According to https://wiki.samba.org/index.php/Samba_Release_Planning, the 4.8.x branch still receives security updates.

So it’s still up to the Samba project to evaluate the vulnerability scores and release a security fix.

Nevertheless, we're moving to 4.9.x in the coming weeks, as 4.8.x is approaching the discontinued state (EOL).

All of the above does not apply to the samba packages from the upstream distro, which are maintained by Red Hat.


Good afternoon, per your request:

smbstatus -V

Version 4.8.3

So, as I read this, we should move the server to subscription status soon, before production. Thank you all for the advice. 🙂

It's fully updated? Quite strange that Samba is "that old"…
Subscription usually delays the updates until they are verified, avoiding related issues, incompatibilities, or "upgrade problems".

Here is an overview of which Samba version is implemented in which system.

https://rpms.remirepo.net/rpmphp/zoom.php?rpm=samba

Aye, fully updated from what I can tell.

yum update

Loaded plugins: changelog, fastestmirror, nethserver_events
Loading mirror speeds from cached hostfile

It is the upstream Samba package, providing the file server.

The DC component is provided by the nethserver-dc package, runs in a Linux container and is at version 4.8.12.

nsdc-run -- samba -V

That’s true for all NethServer installations, Community, Enterprise and Subscription.

Confirm this is the actual version of the DC component:

[root@ns7 ~]# nsdc-run -- samba -V
Version 4.8.12

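The post above makes the point that `smbstatus -V` and `nsdc-run -- samba -V` report two different Samba builds: the distro package serving files on the host, and the Samba compiled by NethServer inside the DC container. The script below is an added example, not code from the thread or from the NethServer project. It parses the `Version X.Y.Z` line both commands print, compares dotted versions numerically (so 4.10.x is correctly newer than 4.9.x), and checks the DC container against a minimum version the caller supplies. The minimum used in the sample run (4.8.12) is simply the DC version quoted in this thread, not a fixed version taken from any advisory, and the two sample output strings are constructed from the values posted above. The file-server version is only reported, because the Red Hat package carries backported fixes and its version number alone does not tell you whether a given CVE is addressed.

```shell
#!/bin/sh
# Added example (not from the thread or the NethServer project): parse the
# "Version X.Y.Z" line printed by `smbstatus -V` (upstream file-server
# package) and `nsdc-run -- samba -V` (DC container), and check the DC
# component against a caller-supplied minimum version. The 4.8.12 minimum
# in the sample run is the DC version quoted in the thread (an assumption
# for illustration), not a fixed version from any advisory.

# Extract the dotted version from a "Version X.Y.Z" line; prints nothing
# if the line does not match that format.
parse_samba_version() {
    printf '%s\n' "$1" | sed -n 's/^Version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Return 0 if dotted version $1 >= $2, else 1. Components are compared
# numerically, so 4.10.x sorts above 4.9.x (a plain string compare would
# get this wrong). A missing component counts as 0.
version_ge() {
    v1=$1
    v2=$2
    while [ -n "$v1" ] || [ -n "$v2" ]; do
        a=${v1%%.*}; a=${a:-0}
        b=${v2%%.*}; b=${b:-0}
        if [ "$a" -gt "$b" ]; then return 0; fi
        if [ "$a" -lt "$b" ]; then return 1; fi
        case $v1 in *.*) v1=${v1#*.} ;; *) v1= ;; esac
        case $v2 in *.*) v2=${v2#*.} ;; *) v2= ;; esac
    done
    return 0
}

# Check the DC component. Arguments: minimum version, raw output of
# `nsdc-run -- samba -V`. Returns 0 only if the parsed version meets the
# minimum; prints a one-line verdict either way.
check_dc_version() {
    min=$1
    ver=$(parse_samba_version "$2")
    if [ -z "$ver" ]; then
        echo "DC container (nethserver-dc): could not parse a version from: $2"
        return 1
    fi
    if version_ge "$ver" "$min"; then
        echo "DC container (nethserver-dc): $ver (>= $min, ok)"
        return 0
    fi
    echo "DC container (nethserver-dc): $ver (< $min, needs update)"
    return 1
}

# The file-server package is the distro's Samba and carries Red Hat
# backports, so its version number alone says nothing about fixes; it is
# reported for the record only.
report_fileserver_version() {
    ver=$(parse_samba_version "$1")
    echo "file server (upstream samba package): ${ver:-unparsed}"
}

# Live run on a NethServer host; elsewhere fall back to constructed sample
# output built from the two values posted in this thread.
if command -v smbstatus >/dev/null 2>&1 && command -v nsdc-run >/dev/null 2>&1; then
    fs_out=$(smbstatus -V)
    dc_out=$(nsdc-run -- samba -V)
else
    fs_out="Version 4.8.3"    # constructed: smbstatus -V output as posted
    dc_out="Version 4.8.12"   # constructed: nsdc-run -- samba -V output as posted
fi
report_fileserver_version "$fs_out"
if check_dc_version "4.8.12" "$dc_out"; then
    echo "DC component meets the minimum"
else
    echo "DC component is below the minimum"
fi
```

Run it as root on the NethServer host to use the live commands; anywhere else it exercises the same parsing and comparison on the constructed sample strings. Adjust the minimum passed to `check_dc_version` to whatever version the Samba project's own release notes name for the fix you care about.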

OK, I ran this (I did not know this command):

# nsdc-run -- samba -V

Version 4.8.12

Thank you all!