Home / ubuntu / Questions / 924181
Accepted
Ravexina
Asked: 2017-06-11 14:34:37 +0800 CST

Is my Ubuntu vulnerable to SambaCry?

  • 772

I read these two threads:

  1. Warning! Hackers Started Using "SambaCry Flaw" to Hack Linux Systems
  2. 7-Year-Old Samba Flaw Lets Hackers Access Thousands of Linux PCs Remotely

SambaCry

And I got a little bit worried, is my Ubuntu machine safe? Or am I vulnerable to this vulnerability?

The second article mentioned that:

The flaw actually resided in the way Samba handled shared libraries.

The other thing that they say is all versions from versions 3.5.0 onwards since 2010 are vulnerable.

At that time, nearly 485,000 Samba-enabled computers were found to be exposed on the Internet, and researchers predicted that the SambaCry-based attacks also have potential to spread just like WannaCry ransomware widely. (here).

I don't have a samba server however I've got samba-libs package installed.

What, if anything, should I do?

I'm running Ubuntu 16.04.

package-management

2 Answers

  1. Best Answer

    First of all you should have a samba server running to be vulnerable to this bug which you don't have.

    This vulnerability already has been patched, its CVE-ID is: "CVE-2017-7494":

    Samba since version 3.5.0 is vulnerable to remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it.

    So what you should do is a system upgrade if you didn't have done it already, then you are safe to go.

    Check your apt's "history logs" to see if your Ubuntu recently received any upgrade for samba or its libraries .

    grep -B10 samba- /var/log/apt/history.log

    to make sure you've got last updates use:

    sudo apt update
sudo apt upgrade

    Also use:

    apt changelog samba

    or aptitude changelog samba if you are running an older version Ubuntu to get a list of last changes in this package, and if you pay attention you will see:

    samba (2:4.3.11+dfsg-0ubuntu0.16.04.7) xenial-security; urgency=medium

  * SECURITY UPDATE: remote code execution from a writable share
  - debian/patches/CVE-2017-7494.patch: refuse to open pipe names with a
    slash inside in source3/rpc_server/srv_pipe.c.
  - CVE-2017-7494

    Pay attention to the version: "2:4.3.11+dfsg-0ubuntu0.16.04.7", Then use:

    $ dpkg -l samba* | awk "( !(/none/) && /^ii/ )"
ii samba-libs:amd64  2:4.3.11+dfsg-0ubuntu0.16.04.7 amd64  Samba core libraries

    to see if you have patched version installed or not.

    Extra steps

    If you're really paranoia, grab a copy of source code, e.g:

    apt source --download samba-libs

    it will download the corresponding source code and all patches, extracts the source and apply the patches.

    then go to:

    head /path-to-extract/samba-4.3.11+dfsg/debian/changelog

    You'll see the same stuff, as apt changelog samba. you can even look for patch itself:

    cat /home/ravexina/samba-4.3.11+dfsg/debian/patches/CVE-2017-7494.patch

+   if (strchr(pipename, '/')) {
+       DEBUG(1, ("Refusing open on pipe %s\n", pipename));
+       return false;
+   }
+

    or even compile and install it, if you wish.

    If you're carious, you can see a proof of concept for cve-2017-7494 here.

    • 6

  2. The Ubuntu Security Notice associated with the CVE has a list of affected Ubuntu releases and package versions where the patch was applied. From USN-3296-1:

    The problem can be corrected by updating your system to the following package version:

    Ubuntu 17.04:

    samba 2:4.5.8+dfsg-0ubuntu0.17.04.2

    Ubuntu 16.10:

    samba 2:4.4.5+dfsg-2ubuntu5.6

    Ubuntu 16.04 LTS:

    samba 2:4.3.11+dfsg-0ubuntu0.16.04.7

    Ubuntu 14.04 LTS:

    samba 2:4.3.11+dfsg-0ubuntu0.14.04.8

    In addition, USN-3296-2 states that 12.04 ESM users also have a patched version available:

    Ubuntu 12.04 LTS:

    samba 2:3.6.25-0ubuntu0.12.04.11

    • 1