Samba

How to Fix SambaCry Vulnerability (CVE-2017-7494) in Linux Systems

How to Fix SambaCry Vulnerability (CVE-2017-7494) in Linux Systems &-8211; this Article or News was published on this date:2019-05-28 16:52:51 kindly share it with friends if you find it helpful

Samba has long been the standard for providing shared file and print services to Windows clients on *nix systems. Used by home users, mid-size businesses, and large companies alike, it stands out as the go-to solution in environments where different operating systems coexist.

As it sadly happens with broadly-used tools, most Samba installations are under risk of an attack that may exploit a known vulnerability, which was not considered to be serious until the WannaCry ransomware attack hit the news not too long ago.

In this article, we will explain what this Samba vulnerability is and how to protect the systems you are responsible for against it. Depending on your installation type (from repositories or from source), you will need to take a different approach to do it.

If you are currently using Samba in any environment or know someone who does, read on!

The Vulnerability

Outdated and unpatched systems are vulnerable to a remote code execution vulnerability. In simple terms, this means that a person with access to a writeable share can upload a piece of arbitrary code and execute it with root permissions in the server.

The issue is described in the Samba website as CVE-2017-7494 and is known to affect Samba versions 3.5 (released in early March 2010) and onwards. Unofficially, it has been named SambaCry due to its similarities with WannaCry: both target the SMB protocol and are potentially wormable – which can cause it to spread from system to system.

Debian, Ubuntu, CentOS and Red Hat have taken rapid action to protect its users and have released patches for their supported versions. Additionally, security workarounds have also been provided for unsupported ones.

Updating Samba

As mentioned earlier, there are two approaches to follow depending on the previous installation method:

If you installed Samba from your distribution’s repositories.

Let’s take a look at what you need to do in this case:

Fix Sambacry in Debian

Make sure apt is set to get the latest security updates by adding the following lines to your sources list (/etc/apt/sources.list):

deb http://security.debian.org stable/updates main
deb-src http://security.debian.org/ stable/updates main

Next, update the list of available packages:

- aptitude update

Finally, make sure the version of the samba package matches the version where the vulnerability has been fixed (see CVE-2017-7494):

- aptitude show samba
Fix Sambacry in DebianFix Sambacry in Debian

Fix Sambacry in Debian

Fix Sambacry in Ubuntu

To begin, check for new available packages and update the samba package as follows:

$ sudo apt-get update
$ sudo apt-get install samba

The Samba versions where the fix for CVE-2017-7494 has already been applied are the following:

  • 17.04: samba 2:4.5.8+dfsg-0ubuntu0.17.04.2
  • 16.10: samba 2:4.4.5+dfsg-2ubuntu5.6
  • 16.04 LTS: samba 2:4.3.11+dfsg-0ubuntu0.16.04.7
  • 14.04 LTS: samba 2:4.3.11+dfsg-0ubuntu0.14.04.8

Finally, run the following command to verify that your Ubuntu box now has the right Samba version installed.

$ sudo apt-cache show samba

Fix Sambacry on CentOS/RHEL 7

The patched Samba version in EL 7 is samba-4.4.4-14.el7_3. To install it, do

- yum makecache fast
- yum update samba

As before, make sure you have now the patched Samba version:

- yum info samba
Fix Sambacry in DebianFix Sambacry in CentOS

Fix Sambacry in CentOS

Older, still supported versions of CentOS and RHEL have available fixes as well. Check RHSA-2017-1270 to find out more.

If you installed Samba from source

Note: The following procedure assumes that you have previously built Samba from source. You are highly encouraged to try it out extensively in a testing environment BEFORE deploying it to a production server.

Additionally, make sure you back up the smb.conf file before you start.

In this case, we will compile and update Samba from source as well. Before we begin, however, we must ensure all the dependencies are previously installed. Note that this may take several minutes.

In Debian and Ubuntu:

- aptitude install acl attr autoconf bison build-essential 
    debhelper dnsutils docbook-xml docbook-xsl flex gdb krb5-user 
    libacl1-dev libaio-dev libattr1-dev libblkid-dev libbsd-dev 
    libcap-dev libcups2-dev libgnutls28-dev libjson-perl 
    libldap2-dev libncurses5-dev libpam0g-dev libparse-yapp-perl 
    libpopt-dev libreadline-dev perl perl-modules pkg-config 
    python-all-dev python-dev python-dnspython python-crypto xsltproc 
    zlib1g-dev libsystemd-dev libgpgme11-dev python-gpgme python-m2crypto

In CentOS 7 or similar:

- yum install attr bind-utils docbook-style-xsl gcc gdb krb5-workstation 
    libsemanage-python libxslt perl perl-ExtUtils-MakeMaker 
    perl-Parse-Yapp perl-Test-Base pkgconfig policycoreutils-python 
    python-crypto gnutls-devel libattr-devel keyutils-libs-devel 
    libacl-devel libaio-devel libblkid-devel libxml2-devel openldap-devel 
    pam-devel popt-devel python-devel readline-devel zlib-devel

Stop the service:

- systemctl stop smbd

Download and untar the source (with 4.6.4 being the latest version at the time of this writing):

- wget https://www.samba.org/samba/ftp/samba-latest.tar.gz 
- tar xzf samba-latest.tar.gz
- cd samba-4.6.4

For informative purposes only, check the available configure options for the current release with.

- ./configure --help

You may include some of the options returned by the above command if they were used in the previous build, or you may choose to go with the default:

- ./configure
- make
- make install

Finally, restart the service.

- systemctl restart smbd

and verify you’re running the updated version:

- smbstatus --version

which should return 4.6.4.

General Considerations

If you are running an unsupported version of a given distribution and are unable to upgrade to a more recent one for some reason, you may want to take the following suggestions into account:

  • If SELinux is enabled, you are protected!
  • Make sure Samba shares are mounted with the noexec option. This will prevent the execution of binaries residing on the mounted filesystem.

Add,

nt pipe support = no

to the [global] section of your smb.conf file and restart the service. You may want to keep in mind that this “may disable some functionality in Windows clients”, as per the Samba project.

Important: Be aware that the option “nt pipe support = no” would disable shares listing from Windows clients. Eg: When you type \10.100.10.2 from Windows Explorer on a samba server you would get a permission denied. Windows clients would have to manually specify the share as \10.100.10.2share_name to access the share.

Summary

In this article, we have described the vulnerability known as SambaCry and how to mitigate it. We hope that you will be able to use this information to protect the systems you’re responsible for.

If you have any questions or comments about this article, feel free to use the form below to let us know.

How to Install Samba on Ubuntu for File Sharing on Windows

How to Install Samba on Ubuntu for File Sharing on Windows &-8211; this Article or News was published on this date:2019-05-28 16:51:15 kindly share it with friends if you find it helpful

Samba is a free/open source and popularly used software for sharing files and print services between Unix-like systems including Linux and Windows hosts on the same network.

In this guide, we will show how to setup Samba4 for basic file sharing between a Ubuntu systems and Windows machines. We will cover two possible scenarios: anonymous (unsecure) as well as secure file sharing.

Suggested Read: How to Install Samba4 on CentOS/RHEL 7 for File Sharing on Windows

Note that starting from version 4.0, Samba can be used as an Active Directory (AD) domain controller (DC). We have organized a special series for setting up Samba4 Active Directory Domain Controller, which comprises of key topics under Ubuntu, CentOS, and Windows.

  1. Setting Up Samba4 Active Directory Domain Controller

Install and Configure Samba in Ubuntu

Samba server is available to install from the default Ubuntu repositories using the apt package manager tool as shown.

$ sudo apt install samba samba-common python-dnspython

Once samba server installed, now its time to configure samba server as: unsecure anonymous and secure file sharing.

For this, we need to edit the main Samba configuration file /etc/samba/smb.conf (which explain various configuration directives).

First backup the original samba configuration file as follows.

$ sudo cp /etc/samba/smb.conf /etc/samba/smb.conf.orig

Afterwards, we’ll proceed to configure samba for anonymous and secure file sharing services as explained below.

Important: Before moving any further, ensure that the Windows machine is in the same workgroup which will be configured on the Ubuntu server.

Check Windows Machine WorkGroup Settings

Login into your Windows machine, right click on “This PC” or “My Computer Properties Advanced System Settings Computer Name to verify the workgroup.

Check Windows WorkGroupCheck Windows WorkGroup

Check Windows WorkGroup

Alternatively, open the command prompt and view it by running the command below and look for “workstation domain”.

>net config workstation
Check Windows WorkGroupVerify Windows WorkGroup

Verify Windows WorkGroup

Once you know your Windows workgroup its time to move ahead and configure samba server for file sharing.

Anonymous Samba File Sharing

First start by creating a shared samba directory where the files will be stored.

$ sudo mkdir -p /srv/samba/anonymous_shares

Then set the appropriate permissions on the directory.

$ sudo chmod -R 0775 /srv/samba/anonymous_shares
$ sudo chown -R nobody:nogroup /srv/samba/anonymous_shares

Now open the configuration file.

$ sudo vi /etc/samba/smb.conf
OR
$ sudo nano /etc/samba/smb.conf

Next edit or modify the directive settings as described below.

global]
	workgroup = WORKGROUP
	netbios name = ubuntu
	security = user
[Anonymous]
	comment = Anonymous File Server Share
	path = /srv/samba/anonymous_shares
	browsable =yes
	writable = yes
	guest ok = yes
	read only = no
	force user = nobody

Now verify current samba settings by running the command below.

$ testparm
Samba Current Configuration Settings
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
WARNING: The "syslog" option is deprecated
Processing section "[printers]"
Processing section "[print$]"
Processing section "[Shares]"
Loaded services file OK.
Server role: ROLE_STANDALONE

Press enter to see a dump of your service definitions

- Global parameters
[global]
	netbios name = UBUNTU
	server string = %h server (Samba, Ubuntu)
	server role = standalone server
	map to guest = Bad User
	obey pam restrictions = Yes
	pam password change = Yes
	passwd program = /usr/bin/passwd %u
	passwd chat = *Entersnews*spassword:* %nn *Retypesnews*spassword:* %nn *passwordsupdatedssuccessfully* .
	unix password sync = Yes
	syslog = 0
	log file = /var/log/samba/log.%m
	max log size = 1000
	dns proxy = No
	usershare allow guests = Yes
	panic action = /usr/share/samba/panic-action %d
	idmap config * : backend = tdb

[printers]
	comment = All Printers
	path = /var/spool/samba
	create mask = 0700
	printable = Yes
[print$]
	comment = Printer Drivers
	path = /var/lib/samba/printers
	browseable = No
[Anonymous]
	comment = Anonymous File Server Share
	path = /srv/samba/anonymous_shares
	force user = nobody
	read only = No
	guest ok = Yes

Then restart Samba services to effect the above changes.

$ sudo systemctl restart smbd   [Systemd]
$ sudo service smbd restart     [Sys V]

Testing Anonymous Samba File Sharing

Go to the Windows machine, and open “Network” from a Windows Explorer window. Click on the Ubuntu host (TECMINT for our case), or else try to access the samba server using its IP address.

192.168.43.168

Note: Use the ifconfig command to get your Ubuntu server IP address.

Check Windows WorkGroupConnect to Samba Share

Connect to Samba Share

Then open the Anonymous directory and try to add files in there to share with other users.

Check Windows WorkGroupAdd Files to Samba Share

Add Files to Samba Share

Secure Samba File Sharing

To password-protect a samba share, you need to create a group “smbgrp” and set a password for each user. In this example I use aaronkilik as user and password as “sfnews“.

$ sudo addgroup smbgrp
$ sudo usermod aaronkilik -aG smbgrp
$ sudo smbpasswd -a aaronkilik

Note: The samba security mode: security = user requires clients to enter a username and password to connect to shares.

Samba user accounts are separate from system accounts, however, you can optionally install the libpam-winbind package which is used to sync system users and passwords with the samba user database.

$ sudo apt install libpam-winbind

Then create the secure directory where the shared files will be kept.

$ sudo mkdir -p /srv/samba/secure_shares

Next, set the appropriate permissions on the directory.

$ sudo chmod -R 0770 /srv/samba/secure_shares
$ sudo chown -R root:smbgrp /srv/samba/secure_shares

Now open the configuration file.

$ sudo vi /etc/samba/smb.conf
OR
$ sudo nano /etc/samba/smb.conf

Next edit or modify the directive settings as described below.

[Secure]
	comment = Secure File Server Share
	path =  /srv/samba/secure_shares
	valid users = @smbgrp
	guest ok = no
	writable = yes
	browsable = yes

Just like before, run this command to see your current samba settings.

$ testparm
Samba Current Configuration Settings
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
WARNING: The "syslog" option is deprecated
Processing section "[printers]"
Processing section "[print$]"
Processing section "[Shares]"
Loaded services file OK.
Server role: ROLE_STANDALONE

Press enter to see a dump of your service definitions

- Global parameters
[global]
	netbios name = UBUNTU
	server string = %h server (Samba, Ubuntu)
	server role = standalone server
	map to guest = Bad User
	obey pam restrictions = Yes
	pam password change = Yes
	passwd program = /usr/bin/passwd %u
	passwd chat = *Entersnews*spassword:* %nn *Retypesnews*spassword:* %nn *passwordsupdatedssuccessfully* .
	unix password sync = Yes
	syslog = 0
	log file = /var/log/samba/log.%m
	max log size = 1000
	dns proxy = No
	usershare allow guests = Yes
	panic action = /usr/share/samba/panic-action %d
	idmap config * : backend = tdb
[printers]
	comment = All Printers
	path = /var/spool/samba
	create mask = 0700
	printable = Yes
[print$]
	comment = Printer Drivers
	path = /var/lib/samba/printers
	browseable = No
[Anonymous]
	comment = Anonymous File Server Share
	path = /srv/samba/anonymous_shares
	force user = nobody
	read only = No
	guest ok = Yes
[Secure]
	comment = Secure File Server Share
	path = /srv/samba/secure_shares
	valid users = @smbgrp
	read only = No

Once you done with the above configurations, restart Samba services to apply the changes.

$ sudo systemctl restart smbd   [Systemd]
$ sudo service smbd restart     [Sys V]

Testing Secure Samba File Sharing

As before, in the Windows machine, and open “Network” from a Windows Explorer window. Click on the Ubuntu host (TECMINT for our case). You may get the error below, if not proceed to the next step.

Check Windows WorkGroupConnect to Secure Samba Share

Connect to Secure Samba Share

Try to access the server using its IP address, e.g. \192.168.43.168 like this. Then enter the credentials (username and password) for user aaronkilik and click OK.

Check Windows WorkGroupSamba Share User Login

Samba Share User Login

You’ll now view all the shared directories, click on Secure to open it.

Check Windows WorkGroupSamba Secure Share

Samba Secure Share

You can securely share some files with other permitted users on the network by dropping them in this directory.

Check Windows WorkGroupAdd Files on Samba Share

Add Files on Samba Share

Enable Samba in UFW Firewall in Ubuntu

If you have UFW firewall enabled/active on your system, you must add the rules to allow Samba to pass through your firewall.

To test this, we’ve used the 192.168.43.0 network scheme. Run the commands below specifying your network address.

$ sudo ufw allow proto udp to any port 137 from 192.168.43.0/24
$ sudo ufw allow proto udp to any port 138 from 192.168.43.0/24
$ sudo ufw allow proto tcp to any port 139 from 192.168.43.0/24
$ sudo ufw allow proto tcp to any port 445 from 192.168.43.0/24

You can also check out these useful articles concerning Samba file sharing on a network.

  1. Setting Up Samba4 Active Directory Domain Controller- Part 1 to 14
  2. How to Mount/Unmount Local and Network (Samba & NFS) Filesystems in Linux
  3. Using ACLs (Access Control Lists) and Mounting Samba / NFS Shares
  4. How to Fix SambaCry Vulnerability (CVE-2017-7494) in Linux Systems

That’s all! In this guide, we showed you how to setup Samba4 for anonymous and secure file sharing between Ubuntu and Windows machines. Use the feedback form below to share any thoughts with us.