Author: 郭冠樱, 2017-05-27 00:19
Systems Operations Engineer, 华胜天成

Yet another major vulnerability: a Unix version of EternalBlue, CVE-2017-7494


Yes, this is very bad news, and for the foreseeable future problems of this kind will only become more frequent.

The Samba remote code execution vulnerability can be thought of as a Unix version of EternalBlue. An authenticated client with write access to a share uploads a shared library (.so) and then asks smbd to open it as a named pipe; an unpatched server loads that library into the smbd process, which runs as root. As with EternalBlue, everything goes over port 445. The main affected devices are NAS boxes and servers running the Samba service. For consumer NAS, the main vendor, Synology, has already shipped an update (the latest version is DSM 6.1.1 Update 4); for production environments, you will have to roll up your sleeves and do it yourselves.

A brief description of the vulnerability

Introduction

Samba is software that lets Unix-like computers and MS Windows computers share resources with each other. Samba provides three resource-sharing functions: smbd, which lets a Unix-like computer share its resources with other computers; smbclient, which lets a Unix-like computer access other computers' resources; and finally smbmount, which is similar to the "network drive" feature of MS Windows and mounts other computers' resources into the current system.

Affected versions

Samba 3.5.0 and later, up to but excluding the fixed releases:
Samba < 4.6.4
Samba < 4.5.10
Samba < 4.4.14

Unaffected (fixed) versions

Samba = 4.6.4
Samba = 4.5.10
Samba = 4.4.14
Official advice

The Samba project has released new versions that fix the vulnerability; affected users should upgrade as soon as possible. Download links:

https://download.samba.org/pub/samba/stable/samba-4.6.4.tar.gz

https://download.samba.org/pub/samba/stable/samba-4.5.10.tar.gz

https://download.samba.org/pub/samba/stable/samba-4.4.14.tar.gz
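The version lists above, turned into something you can run across a fleet. This is an added example of my own, not code from the Samba project or from the original post. It classifies an upstream version string by the rule in the samba.org advisory (3.5.0 and later affected; fixed in 4.4.14, 4.5.10 and 4.6.4; the end-of-life 4.0 to 4.3 branches received no fix) and checks an smb.conf for the workaround that advisory documents, nt pipe support = no in [global]. It assumes upstream version numbers: distribution packages backport the fix without changing the version, so on RHEL/CentOS check the package release and changelog instead. The version string and the smb.conf path are whatever you pass in.

```shell
#!/bin/sh
# Added example (not from the Samba project or the original post): classify an
# upstream Samba version against CVE-2017-7494 and check smb.conf for the
# upstream workaround. Upstream version numbers only: distribution packages
# such as RHEL's samba-3.6.23-43.el6_9 backport the fix without changing the
# version, so check those by package release and changelog instead.

# Prints VULNERABLE, NOT_VULNERABLE or UNKNOWN for a version string such as
# "4.6.3" (a leading "Version " or a suffix like "-Ubuntu" is ignored).
# Returns 0 only when vulnerable, so it can drive a loop over hosts.
# Rules: 3.5.0 and later affected; fixed in 4.4.14, 4.5.10 and 4.6.4; the
# 4.0-4.3 branches were already end-of-life and received no fix.
samba_upstream_status() {
    v=$(printf '%s' "$1" | sed 's/^[^0-9]*//; s/[^0-9.].*$//')
    if [ -z "$v" ]; then
        echo UNKNOWN
        return 2
    fi
    # split "major.minor.patch"; missing fields become 0
    set -- $(printf '%s\n' "$v" | awk -F. '{ print $1+0, $2+0, $3+0 }')
    major=$1; minor=$2; patch=$3
    vuln=1
    if [ "$major" -eq 3 ] && [ "$minor" -ge 5 ]; then
        vuln=0
    elif [ "$major" -eq 4 ]; then
        case "$minor" in
            0|1|2|3) vuln=0 ;;
            4) if [ "$patch" -lt 14 ]; then vuln=0; fi ;;
            5) if [ "$patch" -lt 10 ]; then vuln=0; fi ;;
            6) if [ "$patch" -lt 4 ]; then vuln=0; fi ;;
        esac
    fi
    if [ "$vuln" -eq 0 ]; then echo VULNERABLE; else echo NOT_VULNERABLE; fi
    return "$vuln"
}

# Returns 0 if [global] in the given smb.conf carries "nt pipe support = no"
# (also accepts false/0), the workaround documented in the samba.org advisory.
# A matching line under another section (e.g. [share]) does not count.
smbconf_has_mitigation() {
    awk '
        /^[[:space:]]*\[/ { insec = (tolower($0) ~ /^[[:space:]]*\[global\]/); next }
        insec && tolower($0) ~ /^[[:space:]]*nt[[:space:]]+pipe[[:space:]]+support[[:space:]]*=[[:space:]]*(no|false|0)[[:space:]]*$/ { found = 1 }
        END { exit !found }
    ' "$1"
}

# Usage: sh check.sh "$(smbd -V)" [/etc/samba/smb.conf]
if [ $# -ge 1 ]; then
    samba_upstream_status "$1" || true
    if [ -n "$2" ]; then
        if smbconf_has_mitigation "$2"; then
            echo "workaround present in $2"
        else
            echo "workaround absent in $2"
        fi
    fi
fi
```

The workaround disables named-pipe access for clients, which blocks the load path the exploit uses but also breaks some Windows client functionality (remote management, printing), so treat it as a stopgap until the package is updated and smbd restarted.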

Next comes Red Hat's advisory. Given the different audiences (paying customers versus ordinary users), the simplest, most direct and effective thing is of course to read Red Hat's write-up, which I have copied from my own subscription below for reference. For those who need RPM packages, the CentOS repositories can be used: once CentOS has published the rebuilt packages, set yum to keep packages locally after installation (keepcache=1 in /etc/yum.conf), then run yum install samba; the updated packages you get are built from the same source RPMs as Red Hat's.


Samba Remote Code Execution Vulnerability - CVE-2017-7494
Solution - Verified - Updated Thursday at 4:18 AM - English
Environment
Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 6
Red Hat Enterprise Linux 7
Red Hat Gluster Storage 3.2
Issue
Samba version 3.5 and above is vulnerable to a remote code execution flaw. A remote malicious client which has write access to a samba share could upload a shared library and cause the samba server to execute it, this could result in code execution as root user.
Resolution
All Red Hat customers running affected versions of samba are strongly recommended to update as soon as patches are available. Details about impacted packages as well as recommended mitigation are noted below:
Red Hat Gluster Storage 3 (samba) - RHSA-2017:1273
Red Hat Enterprise Linux 7 (samba) - RHSA-2017:1270
Red Hat Enterprise Linux 6 (samba) - RHSA-2017:1270
Red Hat Enterprise Linux 6 (samba4) - RHSA-2017:1271
Red Hat Enterprise Linux 5 ELS (samba3x) - RHSA-2017:1272
Note: SELinux is enabled by default and our default policy prevents loading of modules from outside of samba's module directories and therefore blocks the exploit.
More information is available on the following pages:
https://access.redhat.com/security/vulnerabilities/3034621
https://www.samba.org/samba/security/CVE-2017-7494.html

This confirms that all versions are affected. I picked Red Hat Enterprise Linux 6 (samba) - RHSA-2017:1270 at random:

Important: samba security update
Advisory: RHSA-2017:1270-1
Type: Security Advisory
Severity: Important
Issued on: 2017-05-24
Last updated on: 2017-05-24
Affected Products:
Red Hat Enterprise Linux Desktop (v. 6)
Red Hat Enterprise Linux Desktop (v. 7)
Red Hat Enterprise Linux HPC Node (v. 6)
Red Hat Enterprise Linux HPC Node (v. 7)
Red Hat Enterprise Linux Resilient Storage (v. 7)
Red Hat Enterprise Linux Server (v. 6)
Red Hat Enterprise Linux Server (v. 7)
Red Hat Enterprise Linux Server TUS (v. 7.3)
Red Hat Enterprise Linux Workstation (v. 6)
Red Hat Enterprise Linux Workstation (v. 7)
CVEs (cve.mitre.org): CVE-2017-7494

Details
An update for samba is now available for Red Hat Enterprise Linux 6 and Red Hat
Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of
Important. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.
Samba is an open-source implementation of the Server Message Block (SMB)
protocol and the related Common Internet File System (CIFS) protocol, which
allow PC-compatible machines to share files, printers, and various information.

Security Fix(es):

  • A remote code execution flaw was found in Samba. A malicious authenticated samba client, having write access to the samba share, could use this flaw to execute arbitrary code as root. (CVE-2017-7494)

Red Hat would like to thank the Samba project for reporting this issue. Upstream
acknowledges steelo as the original reporter.

Solution
For details on how to apply this update, which includes the changes described in
this advisory, refer to:

https://access.redhat.com/articles/11258

After installing this update, the smb service will be restarted automatically.

Then the key part. Those who need RPM packages can use the list below to find them on rpmfind or in the relevant yum repositories (only the SRPM and IA-32 entries are reproduced here; the x86_64 entries are on the advisory page).

Red Hat Enterprise Linux Server (v. 6)

SRPMS:
samba-3.6.23-43.el6_9.src.rpm
    MD5: 4885424f4c3a99a75d2b5917fb7bb8ba
    SHA-256: cbe95eaa83567c3da0005b2894e0283230103901cbd516d2a11bf5ecae3c4d11

IA-32:
libsmbclient-3.6.23-43.el6_9.i686.rpm
    MD5: ae5053f2025e1ea5e9a8d626e7996f0e
    SHA-256: 0d00c11a8c85cf3c532542dacd28d855b0bafe87ccafcbc82beb3d9bf286e32d
libsmbclient-devel-3.6.23-43.el6_9.i686.rpm
    MD5: ee73a2dae4978ba2b0327e4f3517cfbf
    SHA-256: c2cc6a191420da38d86f974ae7f12546c9b7aeaf6d101894c0178b95f4729546
samba-3.6.23-43.el6_9.i686.rpm
    MD5: 94a54f297fefe7321ee40bb1e409e24b
    SHA-256: 5b893c806592a8afa076a7fb85d447120446771349ca261fcd839062d96ef51e
samba-client-3.6.23-43.el6_9.i686.rpm
    MD5: b508766caa23e03010e0c76ebe37cf50
    SHA-256: f547f66eb62ae7c67f1e2611844f45b07823745c3d3ecd318ca2b7ff218f309e
samba-common-3.6.23-43.el6_9.i686.rpm
    MD5: 0adb86bf00194b3c3aaa35d14d939f66
    SHA-256: e6b918cbb365fcb793422755447e771c7910b06774d4a1b8246d1bee7e65f87b
samba-debuginfo-3.6.23-43.el6_9.i686.rpm
    MD5: 264a70b709aa181c79579bdc4107eadf
    SHA-256: 6ee9976799445416eb86e475bc2bbb9eae4b543364a73e697f66d7bfba3019ff
samba-doc-3.6.23-43.el6_9.i686.rpm
    MD5: 91a9b13022075075fb7ed493050c40dd
    SHA-256: 8e817539a6eaf53c4fb1a36e28e7e3ff20a7d2644db71811ee8f1e2d0c518647
samba-domainjoin-gui-3.6.23-43.el6_9.i686.rpm
    MD5: a7865ac61bcf8d599dcf0490d2c10eaf
    SHA-256: afd3f47cd9ef873ef20e6d84e632c02b1b4e745de2a4aaa359e41bdaa13c5119
samba-swat-3.6.23-43.el6_9.i686.rpm
    MD5: 6696054ee982ed0c234b02df6f9e6bf8
    SHA-256: 1b82575d2a83f8c8eb8e9ede3224564539aad12ae1fcc8679a68c7a559fd1427
samba-winbind-3.6.23-43.el6_9.i686.rpm
    MD5: bff0cb785818d9dd183061fa43eadbc9
    SHA-256: d9ca7c6f7cfa9bc6985fda9f9d3ec5ce6da6af982dc4837918b06d65e13908db
samba-winbind-clients-3.6.23-43.el6_9.i686.rpm
    MD5: 8a97d90af0cba0f54d9cdc7d32622161
    SHA-256: 289b069fcfcb221e3d8714cc3df35e04820845cd43d9c6f720c22ec72a0be658
samba-winbind-devel-3.6.23-43.el6_9.i686.rpm
    MD5: a20f7aba582d8fc75ee38a27273c731d
    SHA-256: 960b32fe8b8605348c1fb9be31dd1ff39558884a03cbe5cedbe2ae58e91ab49e
samba-winbind-krb5-locator-3.6.23-43.el6_9.i686.rpm
    MD5: 438462e9c0220cc19afb86b9686088b4
    SHA-256: 3823af18ed2314abe75caa323fe04f7e446a19a17b9060ca150e6599444c6914
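An added example of my own (not part of the advisory or the post) for the download route above: verify the RPMs you fetched against the SHA-256 values listed, then confirm the installed package on a RHEL/CentOS host. The manifest format, one "filename sha256" line per package, is my own convention; the host checks assume rpm, yum and getenforce are present and are not exercised offline. The changelog check matters because Red Hat backports the fix: the version stays 3.6.23 on EL6 and only the release (-43.el6_9) and changelog change, so comparing the upstream version number would wrongly flag a patched host.

```shell
#!/bin/sh
# Added example: checksum and host checks for the Samba CVE-2017-7494 update
# on RHEL/CentOS. The manifest format ("<filename> <sha256>" per line) is an
# assumption of this script, not something the advisory provides.

# SHA-256 of a file as lower-case hex (sha256sum on Linux, shasum elsewhere).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi | awk '{ print tolower($1) }'
}

# Compare a downloaded RPM with the hash published for it.
# $1 = path to the RPM, $2 = manifest. Prints "OK/MISMATCH/UNLISTED <name>";
# returns 0 only on OK, so it can gate the install step.
verify_rpm_sha256() {
    rpm_file=$1; manifest=$2
    name=$(basename "$rpm_file")
    expected=$(awk -v n="$name" '$1 == n { print tolower($2); exit }' "$manifest")
    if [ -z "$expected" ]; then
        echo "UNLISTED $name"
        return 2
    fi
    actual=$(sha256_of "$rpm_file")
    if [ "$actual" = "$expected" ]; then
        echo "OK $name"
        return 0
    fi
    echo "MISMATCH $name"
    return 1
}

# Verify every RPM in a directory; one line per file, non-zero if any file is
# missing from the manifest or does not match.
verify_rpm_dir() {
    dir=$1; manifest=$2; bad=0
    for f in "$dir"/*.rpm; do
        [ -e "$f" ] || continue
        verify_rpm_sha256 "$f" "$manifest" || bad=1
    done
    return "$bad"
}

# --- RHEL/CentOS host checks (need rpm/yum/getenforce; not run offline) ---

# Red Hat backports the fix, so "rpm -q samba" still reports 3.6.23 on EL6 and
# only the release (43.el6_9) and the changelog change. The changelog entry
# naming the CVE is the reliable indicator that the fix is installed.
samba_rpm_fixed() {
    rpm -q --changelog samba 2>/dev/null | grep -q 'CVE-2017-7494'
}

# Per Red Hat's note, the default SELinux policy blocks loading modules from
# outside Samba's module directory, but only while the mode is Enforcing.
selinux_enforcing() {
    [ "$(getenforce 2>/dev/null)" = "Enforcing" ]
}

# CentOS route from the post: keep the downloaded packages in the yum cache
# (keepcache=1 in /etc/yum.conf, or per invocation as here) for reuse on
# hosts without repository access.
fetch_and_update_samba() {
    yum --setopt=keepcache=1 -y update samba
}

# Usage: sh verify.sh <dir-with-rpms> <manifest>
if [ $# -ge 2 ]; then
    verify_rpm_dir "$1" "$2"
fi
```

Build the manifest by pasting the filename and SHA-256 pairs from the advisory (the MD5 values are there only for compatibility; do not gate on them). After the update, samba_rpm_fixed is the check to put in your baseline script, not a version comparison.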


Comments (4)

# 郭冠樱, Systems Operations Engineer, 华胜天成
2017-05-27 10:13
Let me add a few things. 1: AIX is also affected; every Unix system running the Samba service is affected. 2: Affected devices: servers, NAS storage, unified storage (NAS+SAN), monitoring appliances with embedded Linux, industrial PCs, tablets... What does it have to do with me? 1: If you don't deal with it, there is a possibility of privilege escalation, though honestly that doesn't matter much. 2: In baseline scans and MLPS (等保) evaluations, for findings rated critical or above what gets run is a version check; that is, for major vulnerabilities, a deficient version gets reported even if the service isn't started, and once it is reported someone has to fix it.

wangxuefeng @郭冠樱
2017-05-27 13:55
Scanning devices for defects and vulnerabilities should only cover running services; if the service isn't started, it is meaningless.

郭冠樱 @wangxuefeng
2017-05-27 14:11
First, a service that isn't started will indeed be scanned and reported; back when I did inspections on the mobile team, this kind of issue was the biggest headache. Second, it is meaningful: as long as a deficient version exists, even if it isn't started, there is the possibility of indirect privilege escalation.

# 张鹏, Technical Director, 中国金融电子化公司
2017-05-27 09:21
Not many people use Samba on Linux these days anyway; no need to panic.

# 爱如潮水, R&D Engineer, 四川农信
2017-05-27 08:54
Using the Samba protocol on AIX to interoperate with Windows is a fairly rare scenario. The OP's title has caused quite a stir, heh.

郭冠樱 @爱如潮水
2017-05-27 10:00
Mainly aimed at NAS storage and unified storage. Besides, in baseline scans (mainly 绿盟 / NSFOCUS) and MLPS evaluations, for findings rated critical or above a version check is performed, i.e. for major vulnerabilities a deficient version gets reported even when the service isn't started, and remediation is required. How serious it is depends on your point of view.

# swlhfa, Systems Engineer, IBM
2017-05-27 08:43
Did AIX get hit?

© 2019  talkwithtrend — talk with trend,talk with technologist 京ICP备09031017号-30