BLSA-2017:0059 – [Important] samba security advisory and remediation




    Problem description

    A serious vulnerability was recently disclosed in Samba; it has been called the Linux version of the "EternalBlue" remote code execution vulnerability (CVE-2017-7494). Exploiting it requires the privileges of a Samba user who can write to a share, from which the attacker can escalate to root on the server running Samba; using this vulnerability, a malicious attacker can remotely execute arbitrary code. To strengthen system security, all affected users are advised to install the update packages provided by BCLinux, which contain the patches that fix this vulnerability.

    Samba overview
    Samba is free software that implements the SMB protocol on Linux and UNIX systems; it consists of a server and client programs. SMB (Server Message Block) is a communication protocol for sharing files and printers on a local area network, providing shared access to resources such as files and printers between the different computers on the LAN (samba4 is version 4.0 of Samba).

    Linux version of the "EternalBlue" remote code execution vulnerability
    The vulnerability numbered CVE-2017-7494 has been called the Linux version of the "EternalBlue" remote code execution vulnerability. It has existed for more than seven years. Only the following conditions need to be met for an attacker to take control of an affected host with the corresponding exploit: port 445, used for file and printer sharing, is open to the Internet, so the vulnerable host can be reached through it; a share is configured with write permission; and the attacker knows, or can guess, the server-side path of the corresponding file. When these three conditions are met, a remote attacker can construct malicious code and have it executed on the server. Depending on the vulnerable platform, this may yield root privileges on the vulnerable machine.

    Affected versions

    • BigCloud Enterprise Linux 7
    • BigCloud Enterprise Linux 6
    • Red Hat Enterprise Linux 7
    • Red Hat Enterprise Linux 6
    • CentOS Linux 7
    • CentOS Linux 6

    Details

    • CVE-2017-7494 [Important]
      A remote arbitrary code execution vulnerability was recently found in Samba. An authenticated malicious Samba client that can write to a Samba share can exploit it to remotely execute arbitrary code with root privileges.

    Solution

    The official BCLinux repositories now provide updated samba packages.
    BCLinux 7 users need to upgrade to version 4.4.4-14.el7_3;
    BCLinux 6 users need to upgrade to version 3.6.23-43.el6.
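
    The following Python script is an added example, not part of this advisory or of BCLinux's tooling. It compares a captured `rpm -q samba` line against the fixed builds named above (using a simplified rpmvercmp) and lists the shares in an smb.conf text that allow writes, which is the second of the three conditions in the vulnerability description; the `rpm -q` outputs and the smb.conf fragment it is fed are constructed samples.

```python
# Added audit helper for BLSA-2017:0059 (example code, not BCLinux tooling): is the
# installed samba below the fixed build, and which smb.conf shares allow writes?
import re

FIXED = {"el7": "4.4.4-14.el7_3", "el6": "3.6.23-43.el6"}  # from the advisory

def _segments(s):
    # rpmvercmp-style tokens: digit runs compare numerically and outrank letter runs
    return [(1, int(t)) if t.isdigit() else (0, t)
            for t in re.findall(r"\d+|[A-Za-z]+", s)]

def vercmp(a, b):
    """Return -1, 0 or 1 comparing two 'version-release' strings the rpm way."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x != y:
            return -1 if x < y else 1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # more segments = newer

def is_fixed(rpm_q_output):
    """Check one line of `rpm -q samba`, e.g. 'samba-4.4.4-9.el7.x86_64'.
    True if at/above the fixed build, False if older, None if samba is not
    installed or its release line is not one the advisory covers."""
    m = re.match(r"^samba-([^-]+-\S+)\.\w+$", rpm_q_output.strip())
    dist = m and re.search(r"el\d+", m.group(1))
    if not dist or dist.group(0) not in FIXED:
        return None
    return vercmp(m.group(1), FIXED[dist.group(0)]) >= 0

def writable_shares(smb_conf):
    """Non-global shares whose effective setting allows writes (exploit condition 2).
    'read only' and 'writable' are inverse synonyms; the last occurrence wins."""
    shares, cur = {}, None
    for line in (ln.strip() for ln in smb_conf.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line[0] == "[" and line[-1] == "]":
            cur = line[1:-1].strip()
            shares[cur] = False  # Samba default is read only = yes
        elif cur is not None and "=" in line:
            key, _, val = line.partition("=")
            key, val = "".join(key.lower().split()), val.strip().lower()
            if key in ("writable", "writeable", "writeok"):
                shares[cur] = val in ("yes", "true", "1")
            elif key == "readonly":
                shares[cur] = val in ("no", "false", "0")
    return sorted(n for n, w in shares.items() if w and n.lower() != "global")

if __name__ == "__main__":  # constructed `rpm -q samba` outputs, before/after update
    for out in ("samba-4.4.4-9.el7.x86_64", "samba-4.4.4-14.el7_3.x86_64"):
        print(out, "->", "fixed" if is_fixed(out) else "not fixed")
```

On a real host, feed `is_fixed()` the output of `rpm -q samba` and `writable_shares()` the output of `testparm -s`, which prints the effective configuration.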

    Update procedure for BCLinux 7 users

    1. Check the YUM repository configuration and make sure the official BCLinux YUM repositories are in use

    [root@BCLinux ~]# ls -l /etc/yum.repos.d/
    total 16
    -rw-r--r--. 1 root root 1127 Jan  7  2016 BCLinux-Base.repo
    -rw-r--r--. 1 root root  794 Jan  7  2016 BCLinux-Kernel.repo
    -rw-r--r--. 1 root root 1153 Jan  7  2016 BCLinux-Source.repo
    -rw-r--r--. 1 root root  801 Jan  7  2016 BigCloud.repo
    

    2. Install the update

    [root@BCLinux ~]# yum update samba
    Loaded plugins: fastestmirror
    Loading mirror speeds from cached hostfile
    Resolving Dependencies
    --> Running transaction check
    ---> Package samba.x86_64 0:4.4.4-9.el7 will be updated
    ---> Package samba.x86_64 0:4.4.4-14.el7_3 will be an update
    --> Processing Dependency: samba-libs = 4.4.4-14.el7_3 for package: samba-4.4.4-14.el7_3.x86_64
    --> Processing Dependency: samba-common-tools = 4.4.4-14.el7_3 for package: samba-4.4.4-14.el7_3.x86_64
    --> Processing Dependency: samba-common-libs = 4.4.4-14.el7_3 for package: samba-4.4.4-14.el7_3.x86_64
    --> Processing Dependency: samba-common = 4.4.4-14.el7_3 for package: samba-4.4.4-14.el7_3.x86_64
    --> Processing Dependency: samba-client-libs = 4.4.4-14.el7_3 for package: samba-4.4.4-14.el7_3.x86_64
    --> Processing Dependency: libwbclient = 4.4.4-14.el7_3 for package: samba-4.4.4-14.el7_3.x86_64
    --> Running transaction check
    ---> Package libwbclient.x86_64 0:4.4.4-9.el7 will be updated
    ---> Package libwbclient.x86_64 0:4.4.4-14.el7_3 will be an update
    ---> Package samba-client-libs.x86_64 0:4.4.4-9.el7 will be updated
    ---> Package samba-client-libs.x86_64 0:4.4.4-14.el7_3 will be an update
    ---> Package samba-common.noarch 0:4.4.4-9.el7 will be updated
    ---> Package samba-common.noarch 0:4.4.4-14.el7_3 will be an update
    ---> Package samba-common-libs.x86_64 0:4.4.4-9.el7 will be updated
    ---> Package samba-common-libs.x86_64 0:4.4.4-14.el7_3 will be an update
    ---> Package samba-common-tools.x86_64 0:4.4.4-9.el7 will be updated
    ---> Package samba-common-tools.x86_64 0:4.4.4-14.el7_3 will be an update
    ---> Package samba-libs.x86_64 0:4.4.4-9.el7 will be updated
    ---> Package samba-libs.x86_64 0:4.4.4-14.el7_3 will be an update
    --> Finished Dependency Resolution
    
    Dependencies Resolved
    
    ================================================================================================================================================
     Package                                           Arch                                  Version                                          Reposi
    ================================================================================================================================================
    Updating:
     samba                                             x86_64                                4.4.4-14.el7_3                                   update
    Updating for dependencies:
     libwbclient                                       x86_64                                4.4.4-14.el7_3                                   update
     samba-client-libs                                 x86_64                                4.4.4-14.el7_3                                   update
     samba-common                                      noarch                                4.4.4-14.el7_3                                   update
     samba-common-libs                                 x86_64                                4.4.4-14.el7_3                                   update
     samba-common-tools                                x86_64                                4.4.4-14.el7_3                                   update
     samba-libs                                        x86_64                                4.4.4-14.el7_3                                   update
    
    Transaction Summary
    ================================================================================================================================================
    Upgrade  1 Package (+6 Dependent packages)
    
    Total download size: 6.3 M
    Is this ok [y/d/N]: y
    

    3. Verify

    [root@BCLinux ~]# rpm -q samba
    samba-4.4.4-14.el7_3.x86_64
    

    4. Restart the application

    After installing the update packages, restart the application so that the update takes effect.

    Update procedure for BCLinux 6 users

    1. Check the YUM repository configuration and make sure the official BCLinux YUM repositories are in use

    [root@BCLinux ~]#  ls -l /etc/yum.repos.d/
    total 12
    -rw-r--r--. 1 root root  969 Nov 16  2015 BCLinux-Base.repo
    -rw-r--r--. 1 root root 1053 Nov 16  2015 BCLinux-Source.repo
    -rw-r--r--. 1 root root 1184 Nov 16  2015 BigCloud.repo
    

    2. Install the update

    [root@BCLinux ~]# yum update samba
    Loaded plugins: fastestmirror
    Loading mirror speeds from cached hostfile
    Setting up Update Process
    Resolving Dependencies
    --> Running transaction check
    ---> Package samba.x86_64 0:3.6.9-164.el6 will be updated
    ---> Package samba.x86_64 0:3.6.23-43.el6 will be an update
    --> Processing Dependency: samba-winbind-clients = 3.6.23-43.el6 for package: samba-3.6.23-43.el6.x86_64
    --> Processing Dependency: samba-common = 3.6.23-43.el6 for package: samba-3.6.23-43.el6.x86_64
    --> Running transaction check
    ---> Package samba-common.x86_64 0:3.6.9-164.el6 will be updated
    --> Processing Dependency: samba-common = 3.6.9-164.el6 for package: samba-winbind-3.6.9-164.el6.x86_64
    ---> Package samba-common.x86_64 0:3.6.23-43.el6 will be an update
    ---> Package samba-winbind-clients.x86_64 0:3.6.9-164.el6 will be updated
    ---> Package samba-winbind-clients.x86_64 0:3.6.23-43.el6 will be an update
    --> Running transaction check
    ---> Package samba-winbind.x86_64 0:3.6.9-164.el6 will be updated
    ---> Package samba-winbind.x86_64 0:3.6.23-43.el6 will be an update
    --> Finished Dependency Resolution
    
    Dependencies Resolved
    
    ================================================================================================================================================
     Package                                              Arch                                  Version                                       Reposi
    ================================================================================================================================================
    Updating:
     samba                                                x86_64                                3.6.23-43.el6                                 update
    Updating for dependencies:
     samba-common                                         x86_64                                3.6.23-43.el6                                 update
     samba-winbind                                        x86_64                                3.6.23-43.el6                                 update
     samba-winbind-clients                                x86_64                                3.6.23-43.el6                                 update
    
    Transaction Summary
    ================================================================================================================================================
    Upgrade       4 Package(s)
    
    Total download size: 19 M
    Is this ok [y/N]: y
    

    3. Verify

    [root@BCLinux ~]# rpm -q samba
    samba-3.6.23-43.el6.x86_64
    

    4. Restart the application

    After installing the update packages, restart the application so that the update takes effect.

    External links

    1. BCLinux security updates