BLSA-2017:0065 – [Important] samba security advisory and fix




    Problem description

    A serious vulnerability in samba was recently disclosed, dubbed the Linux version of "EternalBlue": a remote code execution flaw (CVE-2017-7494). Exploiting it requires a samba user with write access to a share, from which privileges are escalated to root on the server running samba; with it, a malicious attacker can execute arbitrary code remotely. To strengthen system security, all affected users are advised to install the upgrade packages provided by BCLinux, which contain the patches that fix these vulnerabilities.

    About Samba
    Samba is free software that implements the SMB protocol on Linux and UNIX systems, consisting of server and client programs. SMB (Server Message Block) is a communication protocol for sharing files and printers on a local area network; it provides shared access to files, printers and other resources between the different computers on the LAN (samba4 is version 4.0 of samba).

    The Linux "EternalBlue" remote code execution vulnerability
    The vulnerability numbered CVE-2017-7494 has been dubbed the Linux version of the "EternalBlue" remote code execution vulnerability; it has existed for more than seven years. An attacker can use the corresponding exploit to take control of an affected host once the following conditions are met:
    • port 445 (file and printer sharing) is exposed on the Internet and can be used to communicate with the vulnerable host;
    • a share is configured with write permission;
    • the attacker knows or can guess the server-side path of the corresponding file.
    When all three conditions are met, a remote attacker can craft malicious code and have it executed on the server. Depending on the vulnerable platform, this may yield root privileges on the vulnerable machine.

    Affected versions

    • BigCloud Enterprise Linux 7.2
    • Red Hat Enterprise Linux 7.2
    • CentOS Linux 7.2

    Details

    • CVE-2017-7494 [Important]
      A remote arbitrary code execution vulnerability was recently found in samba. An authenticated malicious samba client that can write to a samba share can use it to execute arbitrary code remotely as root.

    Solution

    The official BCLinux repositories now provide updated samba packages.
    BCLinux 7.2 users need to upgrade to version 4.2.10-11.el7_2.

    Update steps for BCLinux 7.2 users

    1. Check the YUM repository configuration and make sure the official BCLinux YUM repositories are in use

    [root@BCLinux ~]# ls -l /etc/yum.repos.d/
    total 16
    -rw-r--r--. 1 root root 1127 Jan  7  2016 BCLinux-Base.repo
    -rw-r--r--. 1 root root  794 Jan  7  2016 BCLinux-Kernel.repo
    -rw-r--r--. 1 root root 1153 Jan  7  2016 BCLinux-Source.repo
    -rw-r--r--. 1 root root  801 Jan  7  2016 BigCloud.repo
    

    2. Install the update

    [root@BCLinux ~]# yum --releasever 7.2 update samba
    Loaded plugins: fastestmirror
    Loading mirror speeds from cached hostfile
    Resolving Dependencies
    --> Running transaction check
    ---> Package samba.x86_64 0:4.2.3-10.el7 will be updated
    ---> Package samba.x86_64 0:4.2.10-11.el7_2 will be an update
    --> Processing Dependency: samba-libs = 4.2.10-11.el7_2 for package: samba-4.2.10-11.el7_2.x86_64
    --> Processing Dependency: samba-common-tools = 4.2.10-11.el7_2 for package: samba-4.2.10-11.el7_2.x86_64
    --> Processing Dependency: samba-common-libs = 4.2.10-11.el7_2 for package: samba-4.2.10-11.el7_2.x86_64
    --> Processing Dependency: samba-common = 4.2.10-11.el7_2 for package: samba-4.2.10-11.el7_2.x86_64
    --> Processing Dependency: samba-common = 4.2.10-11.el7_2 for package: samba-4.2.10-11.el7_2.x86_64
    --> Processing Dependency: samba-client-libs = 4.2.10-11.el7_2 for package: samba-4.2.10-11.el7_2.x86_64
    --> Processing Dependency: libwbclient = 4.2.10-11.el7_2 for package: samba-4.2.10-11.el7_2.x86_64
    --> Processing Dependency: libxattr-tdb-samba4.so(SAMBA_4.2.10)(64bit) for package: samba-4.2.10-11.el7_2.x86_64
    --> Processing Dependency: libutil-tdb-samba4.so(SAMBA_4.2.10)(64bit) for package: samba-4.2.10-11.el7_2.x86_64
    --> Processing Dependency: libutil-reg-samba4.so(SAMBA_4.2.10)(64bit) for package: samba-4.2.10-11.el7_2.x86_64
    --> Processing Dependency: libsocket-blocking-samba4.so(SAMBA_4.2.10)(64bit) for package: samba-4.2.10-11.el7_2.x86_64
    --> Processing Dependency: libsmbregistry-samba4.so(SAMBA_4.2.10)(64bit) for package: samba-4.2.10-11.el7_2.x86_64
    --> Processing Dependency: libsmbd-shim-samba4.so(SAMBA_4.2.10)(64bit) for package: samba-4.2.10-11.el7_2.x86_64
    --> Processing Dependency: libsmbd-base-samba4.so(SAMBA_4.2.10)(64bit) for package: samba-4.2.10-11.el7_2.x86_64
    --> Processing Dependency: libsmb-transport-samba4.so(SAMBA_4.2.10)(64bit) for package: samba-4.2.10-11.el7_2.x86_64
    --> Processing Dependency: libsecrets3-samba4.so(SAMBA_4.2.10)(64bit) for package: samba-4.2.10-11.el7_2.x86_64
    --> Processing Dependency: libsamba3-util-samba4.so(SAMBA_4.2.10)(64bit) for package: samba-4.2.10-11.el7_2.x86_64
    --> Processing Dependency: libsamba-sockets-samba4.so(SAMBA_4.2.10)(64bit) for package: samba-4.2.10-11.el7_2.x86_64
    --> Processing Dependency: libsamba-security-samba4.so(SAMBA_4.2.10)(64bit) for package: samba-4.2.10-11.el7_2.x86_64
    --> Processing Dependency: libsamba-debug-samba4.so(SAMBA_4.2.10)(64bit) for package: samba-4.2.10-11.el7_2.x86_64
    --> Processing Dependency: libsamba-cluster-support-samba4.so(SAMBA_4.2.10)(64bit) for package: samba-4.2.10-11.el7_2.x86_64
    --> Processing Dependency: libreplace-samba4.so(SAMBA_4.2.10)(64bit) for package: samba-4.2.10-11.el7_2.x86_64
    --> Processing Dependency: libpopt-samba3-samba4.so(SAMBA_4.2.10)(64bit) for package: samba-4.2.10-11.el7_2.x86_64
    --> Processing Dependency: libndr-samba-samba4.so(SAMBA_4.2.10)(64bit) for package: samba-4.2.10-11.el7_2.x86_64
    --> Processing Dependency: liblibsmb-samba4.so(SAMBA_4.2.10)(64bit) for package: samba-4.2.10-11.el7_2.x86_64
    --> Processing Dependency: libgse-samba4.so(SAMBA_4.2.10)(64bit) for package: samba-4.2.10-11.el7_2.x86_64
    --> Processing Dependency: liberrors-samba4.so(SAMBA_4.2.10)(64bit) for package: samba-4.2.10-11.el7_2.x86_64
    --> Processing Dependency: libdbwrap-samba4.so(SAMBA_4.2.10)(64bit) for package: samba-4.2.10-11.el7_2.x86_64
    --> Processing Dependency: libcliauth-samba4.so(SAMBA_4.2.10)(64bit) for package: samba-4.2.10-11.el7_2.x86_64
    --> Processing Dependency: libcli-smb-common-samba4.so(SAMBA_4.2.10)(64bit) for package: samba-4.2.10-11.el7_2.x86_64
    --> Processing Dependency: libcli-nbt-samba4.so(SAMBA_4.2.10)(64bit) for package: samba-4.2.10-11.el7_2.x86_64
    --> Processing Dependency: libcli-cldap-samba4.so(SAMBA_4.2.10)(64bit) for package: samba-4.2.10-11.el7_2.x86_64
    --> Processing Dependency: libccan-samba4.so(SAMBA_4.2.10)(64bit) for package: samba-4.2.10-11.el7_2.x86_64
    --> Processing Dependency: libauth-samba4.so(SAMBA_4.2.10)(64bit) for package: samba-4.2.10-11.el7_2.x86_64
    --> Processing Dependency: libCHARSET3-samba4.so(SAMBA_4.2.10)(64bit) for package: samba-4.2.10-11.el7_2.x86_64
    --> Running transaction check
    ---> Package libwbclient.x86_64 0:4.2.3-10.el7 will be updated
    ---> Package libwbclient.x86_64 0:4.2.10-11.el7_2 will be an update
    ---> Package samba-client-libs.x86_64 0:4.2.3-10.el7 will be updated
    ---> Package samba-client-libs.x86_64 0:4.2.10-11.el7_2 will be an update
    ---> Package samba-common.noarch 0:4.2.3-10.el7 will be updated
    ---> Package samba-common.noarch 0:4.2.10-11.el7_2 will be an update
    ---> Package samba-common-libs.x86_64 0:4.2.3-10.el7 will be updated
    ---> Package samba-common-libs.x86_64 0:4.2.10-11.el7_2 will be an update
    ---> Package samba-common-tools.x86_64 0:4.2.3-10.el7 will be updated
    ---> Package samba-common-tools.x86_64 0:4.2.10-11.el7_2 will be an update
    ---> Package samba-libs.x86_64 0:4.2.3-10.el7 will be updated
    ---> Package samba-libs.x86_64 0:4.2.10-11.el7_2 will be an update
    --> Finished Dependency Resolution
    
    Dependencies Resolved
    
    ===============================================================================================================================================
     Package                                 Arch                        Version                                Repository                    Size
    ===============================================================================================================================================
    Updating:
     samba                                   x86_64                      4.2.10-11.el7_2                        updates                      615 k
    Updating for dependencies:
     libwbclient                             x86_64                      4.2.10-11.el7_2                        updates                       96 k
     samba-client-libs                       x86_64                      4.2.10-11.el7_2                        updates                      4.3 M
     samba-common                            noarch                      4.2.10-11.el7_2                        updates                      272 k
     samba-common-libs                       x86_64                      4.2.10-11.el7_2                        updates                      157 k
     samba-common-tools                      x86_64                      4.2.10-11.el7_2                        updates                      444 k
     samba-libs                              x86_64                      4.2.10-11.el7_2                        updates                      260 k
    
    Transaction Summary
    ===============================================================================================================================================
    Upgrade  1 Package (+6 Dependent packages)
    
    Total download size: 6.1 M
    Is this ok [y/d/N]: y
    

    3. Verify

    [root@BCLinux ~]# rpm -q samba
    samba-4.2.10-11.el7_2.x86_64
    
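    As an added example (not part of the BCLinux advisory), the Python script below checks two of the points above on a host: whether an installed samba build string, as printed by rpm -q, is older than the fixed 4.2.10-11.el7_2 named in the solution, and which shares in smb.conf are writable (the second precondition in the vulnerability description). The version comparison is a simplified rpmvercmp and the smb.conf text is constructed for the example.

```python
"""Audit helpers for the CVE-2017-7494 preconditions (added example, not from the advisory)."""
import re
from configparser import ConfigParser

FIXED_VERSION = "4.2.10-11.el7_2"   # fixed build named in the advisory for BCLinux 7.2

# Constructed smb.conf fragment: two writable shares, one read-only share.
SAMPLE_SMB_CONF = """
[global]
   workgroup = SAMBA
   security = user
[public]
   path = /srv/samba/public
   read only = no        ; synonym for writable = yes
   guest ok = yes
[docs]
   path = /srv/samba/docs
   writable = yes
[archive]
   path = /srv/samba/archive
   read only = yes
"""

def _segments(s):
    # Split an rpm version/release into alphanumeric segments; numeric ones become ints
    return [int(t) if t.isdigit() else t for t in re.findall(r"\d+|[A-Za-z]+", s)]

def _cmp(a, b):
    for x, y in zip(a, b):
        if x == y:
            continue
        if isinstance(x, int) != isinstance(y, int):
            return 1 if isinstance(x, int) else -1   # numeric segment beats alpha, as rpm does
        return -1 if x < y else 1
    return (len(a) > len(b)) - (len(a) < len(b))     # more segments wins: el7_2 is newer than el7

def vercmp(a, b):
    """Simplified rpmvercmp over 'version-release' strings: negative if a is older than b."""
    av, _, ar = a.partition("-")
    bv, _, br = b.partition("-")
    return _cmp(_segments(av), _segments(bv)) or _cmp(_segments(ar), _segments(br))

def needs_update(installed, fixed=FIXED_VERSION):
    """True when the installed samba build (e.g. '4.2.3-10.el7') is older than the fixed one."""
    return vercmp(installed, fixed) < 0

def _yes(v):
    return v.strip().lower() in ("yes", "true", "1")

def writable_shares(conf_text):
    """Names of shares a client can write to; [global] is skipped, 'read only'/'readonly' are equal."""
    cp = ConfigParser(strict=False, interpolation=None, inline_comment_prefixes=(";", "#"))
    cp.optionxform = lambda k: k.lower().replace(" ", "")
    cp.read_string("\n".join(line.strip() for line in conf_text.splitlines()))
    found = []
    for share in cp.sections():
        if share == "global":
            continue
        opts = cp[share]
        rw = any(_yes(opts.get(k, "no")) for k in ("writable", "writeable", "writeok"))
        ro = opts.get("readonly")
        if rw or (ro is not None and not _yes(ro)):
            found.append(share)
    return found
```

    Feed the real /etc/samba/smb.conf and the output of rpm -q samba to these two functions to list writable shares and confirm the upgrade landed.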

    4. Restart the application

    After installing the upgrade packages, restart the application so that the update takes effect.

    External links

    1. BCLinux security updates