Ubuntu – Is Ubuntu vulnerable to SambaCry?

package-management, samba, security

I read these two threads:

  1. Warning! Hackers Started Using "SambaCry Flaw" to Hack Linux Systems
  2. 7-Year-Old Samba Flaw Lets Hackers Access Thousands of Linux PCs Remotely

And I got a little bit worried, is my Ubuntu machine safe? Or am I vulnerable to this vulnerability?

The second article mentioned that:

The flaw actually resided in the way Samba handled shared libraries.

The other thing that they say is that all versions from version 3.5.0 onwards, since 2010, are vulnerable.

At that time, nearly 485,000 Samba-enabled computers were found to be exposed on the Internet, and researchers predicted that the SambaCry-based attacks also have potential to spread just like WannaCry ransomware widely.
(here).

I don't have a Samba server; however, I've got the samba-libs package installed.

What, if anything, should I do?

I'm running Ubuntu 16.04.

Best Answer

First of all, you need to have a Samba server running to be vulnerable to this bug, which you don't have.

This vulnerability has already been patched; its CVE ID is "CVE-2017-7494":

Samba since version 3.5.0 is vulnerable to remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it.

So what you should do is a system upgrade, if you haven't done it already, and then you are safe to go.

Check your apt's "history logs" to see if your Ubuntu recently received any upgrade for samba or its libraries.

grep -B10 samba- /var/log/apt/history.log

To make sure you've got the latest updates, use:

sudo apt update
sudo apt upgrade

Also use:

apt changelog samba

or aptitude changelog samba if you are running an older version of Ubuntu, to get a list of the latest changes in this package; if you pay attention, you will see:

samba (2:4.3.11+dfsg-0ubuntu0.16.04.7) xenial-security; urgency=medium

  * SECURITY UPDATE: remote code execution from a writable share
  - debian/patches/CVE-2017-7494.patch: refuse to open pipe names with a
    slash inside in source3/rpc_server/srv_pipe.c.
  - CVE-2017-7494

Pay attention to the version, "2:4.3.11+dfsg-0ubuntu0.16.04.7", then use:

$ dpkg -l 'samba*' | awk '( !(/none/) && /^ii/ )'
ii samba-libs:amd64  2:4.3.11+dfsg-0ubuntu0.16.04.7 amd64  Samba core libraries

to see if you have the patched version installed or not.


Extra steps

If you're really paranoid, grab a copy of the source code, e.g.:

apt source --download samba-libs

It will download the corresponding source code and all patches, extract the source and apply the patches.

Then go to:

head /path-to-extract/samba-4.3.11+dfsg/debian/changelog

You'll see the same stuff as apt changelog samba. You can even look for the patch itself:

cat /home/ravexina/samba-4.3.11+dfsg/debian/patches/CVE-2017-7494.patch

+   if (strchr(pipename, '/')) {
+       DEBUG(1, ("Refusing open on pipe %s\n", pipename));
+       return false;
+   }
+
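Review bot: the strchr(pipename, '/') check has no comment saying why a slash in a pipe name is refused, so a later cleanup could drop it as arbitrary; add a one-line comment above the if that ties it to CVE-2017-7494. The DEBUG(1, ...) call also prints pipename with %s exactly as it was passed in, so anyone reading these log lines should treat that field as untrusted input.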

or even compile and install it, if you wish.


If you're curious, you can see a proof of concept for CVE-2017-7494 here.