Samba slip-up smackdown: HPE stops NonStop Server bugs

If SambaCry escaped your notice in June, get busy

HPE NonStop users running Samba need to get busy applying workarounds to a pair of remotely exploitable vulnerabilities.

The first, SambaCry, has been present in Samba since 2010 but was named and outed in late May 2017. Assigned CVE-2017-7494, it allowed a malicious Samba client with write access could execute code as root.

F5 Networks explained that all the attacker need do is upload a shared library to a writable share, because the server will execute it with the privileges of the Samba daemon.

In June, SecureList spotted the vulnerability in the wild, being exploited to mine the Monero cryptocurrency.

The second, CVE-2017-2619, is a symlink race condition that lets a remote attacker bypass access restrictions and access files outside their share.

As the Samba maintainers explain: “Samba uses the realpath() system call to ensure when a client requests access to a pathname that it is under the exported share path on the server file system.”

If an attacker renames the realpath() checked path and create a symlink, the race condition can let the client point a new symlink to “anywhere on the server file system”.

HPE hasn't shipped a patch yet, but described its workarounds here, and on Monday filed a Security Bulletin on BugTraq.

The various vulnerability notes that have surfaced since May flesh out what was originally a much less detailed description. ®

Biting the hand that feeds IT © 1998–2018