Samba slip-up smackdown: HPE stops NonStop Server bugs
If SambaCry escaped your notice in June, get busy
HPE NonStop users running Samba need to get busy applying workarounds to a pair of remotely exploitable vulnerabilities.
The first, SambaCry, has been present in Samba since 2010 but was named and outed in late May 2017. Assigned CVE-2017-7494, it allowed a malicious Samba client with write access to a share to execute code as root.
F5 Networks explained that all the attacker need do is upload a shared library to a writable share, because the server will execute it with the privileges of the Samba daemon.
In June, SecureList spotted the vulnerability in the wild, being exploited to mine the Monero cryptocurrency.
The second, CVE-2017-2619, is a symlink race condition that lets a remote attacker bypass access restrictions and access files outside their share.
As the Samba maintainers explain: “Samba uses the realpath() system call to ensure when a client requests access to a pathname that it is under the exported share path on the server file system.”
If an attacker renames the realpath()-checked path and creates a symlink in its place, the race condition lets the client point the new symlink “anywhere on the server file system”.
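A defender-side configuration check, added here as an example and not taken from the article, HPE or the Samba project: it parses an smb.conf and flags the two conditions the bugs above depend on, a writable share for CVE-2017-7494 and client-created symlinks for CVE-2017-2619. The `nt pipe support = no` and `unix extensions = no` settings it looks for are the workarounds published in the upstream Samba advisories, which the article does not name, and the sample smb.conf is constructed.

```python
import configparser

# Constructed sample smb.conf (not from the article) with a writable share and
# neither upstream advisory workaround set in [global].
SAMPLE_SMB_CONF = """
[global]
workgroup = WORKGROUP

[public]
path = /srv/samba/public
writable = yes
guest ok = yes
"""

def is_true(value, default="yes"):
    """Samba-style boolean; a missing key takes Samba's default (yes here)."""
    return (value if value is not None else default).strip().lower() in {"yes", "true", "1"}

def parse_smb_conf(text):
    """Parse smb.conf text into {section: {key: value}}; keys are lower-cased."""
    cp = configparser.RawConfigParser(strict=False)
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}

def share_is_writable(share):
    """Samba semantics: 'read only' wins, then 'writable' synonyms; default read-only."""
    if "read only" in share:
        return not is_true(share["read only"])
    for key in ("writable", "writeable", "write ok"):
        if key in share:
            return is_true(share[key])
    return False

def audit_smb_conf(text):
    """Return findings for the two CVEs; the two [global] settings checked are the
    workarounds from the upstream Samba advisories (assumed, not from the article)."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    findings = []
    # CVE-2017-7494 needs a writable share; 'nt pipe support = no' blocks the library load.
    if is_true(glob.get("nt pipe support")):
        for name, share in conf.items():
            if name != "global" and share_is_writable(share):
                findings.append(f"CVE-2017-7494: [{name}] is writable with nt pipe support on")
    # CVE-2017-2619 needs a client able to create symlinks; 'unix extensions = no' removes that.
    if is_true(glob.get("unix extensions")):
        findings.append("CVE-2017-2619: unix extensions on, clients can create symlinks")
    return findings
```

Run it against `testparm -s` output rather than the raw file when includes or registry settings are in play, since the parser here reads only what is literally in the text.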
The various vulnerability notes that have surfaced since May flesh out what was originally a much less detailed description. ®