CVE-2017-7494 - Samba version > 3.50 < 4.4.14 remote code execution vulnerability

  • A fix has already been released. You can't always go by package version since fixes are backported to older versions.


    Look: https://security-tracker.debian.org/tracker/CVE-2017-7494


    I'm safe :)
    # dpkg -l | grep samba
    ii samba 2:4.2.14+dfsg-0+deb8u6 amd64 SMB/CIFS file, print, and login server for Unix

    omv 5.3.9 usul | 64 bit | 5.3 proxmox kernel | omvextrasorg 5.2.6
    omv-extras.org plugins source code and issue tracker - github


    Please read this before posting a question.
    Please don't PM for support... Too many PMs!

  • OMV Version 2.1.13 (Stone burner) does appear to still be vulnerable:


    # dpkg -l | grep samba
    ii samba 2:3.6.6-6+deb7u10 amd64 SMB/CIFS file, print, and login server for Unix
    ii samba-common 2:3.6.6-6+deb7u10 all common files used by both the Samba server and client
    ii samba-common-bin 2:3.6.6-6+deb7u10 amd64 common files used by both the Samba server and client

    It needs to be at 2:3.6.6-6+deb7u13 for the vulnerability to be fixed.


    The workaround is to add nt pipe support = no to the [global] section of your smb.conf and restart smbd.


    This can be done in the GUI by going to Services > SMB/CIFS > Settings > Advanced settings > Extra options and adding nt pipe support = no to the normally empty dialogue.
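The two checks from the post above (package at the fixed revision, or workaround present in `[global]`) can be scripted. This is an added example, not part of the original thread; the function names are hypothetical, the sample smb.conf is constructed, and the version strings are the ones quoted in the post.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# pkg_is_fixed INSTALLED FIXED: true if INSTALLED >= FIXED under Debian
# version ordering (epoch, upstream version, revision).
pkg_is_fixed() {
    dpkg --compare-versions "$1" ge "$2"
}

# workaround_set FILE: true if the effective [global] value of
# "nt pipe support" is a false boolean. Samba ignores case and whitespace
# in section and parameter names, and the last setting wins.
# Assumption: the setting is in FILE itself, not in an included file.
workaround_set() {
    awk '
        /^[ \t]*[#;]/ { next }                    # comment line
        /^[ \t]*\[/ {                             # section header
            s = tolower($0); gsub(/[ \t]/, "", s)
            in_global = (s ~ /^\[global\]/); next
        }
        in_global && index($0, "=") {
            eq = index($0, "=")
            k = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", k)
            v = tolower(substr($0, eq + 1)); gsub(/^[ \t]+|[ \t\r]+$/, "", v)
            if (k == "ntpipesupport") val = v
        }
        END { exit !(val == "no" || val == "false" || val == "off" || val == "0") }
    ' "$1"
}

# Constructed sample smb.conf: the workaround as typed into "Extra options",
# plus a commented-out line and a share-level line that must not count.
write_sample() {
    printf '%s\n' '[global]' 'workgroup = WORKGROUP' \
        '; nt pipe support = yes' 'NT Pipe Support = No' \
        '[share]' 'nt pipe support = yes' > "$1"
}

tmp=$(mktemp) && write_sample "$tmp"
if workaround_set "$tmp"; then echo "workaround: set"; else echo "workaround: MISSING"; fi
rm -f "$tmp"

# Version strings below are the ones quoted in the post (wheezy).
if command -v dpkg >/dev/null 2>&1; then
    pkg_is_fixed '2:3.6.6-6+deb7u10' '2:3.6.6-6+deb7u13' \
        && echo "package: fixed" || echo "package: below fixed version"
fi
```

On a live host, `testparm -s` prints the configuration smbd actually parses, which also covers included files.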

  • I'm not sure why I thought this would have been done automatically, but I guess I should add it as a cron job.

    Updating the repo and downloading (but not installing) updates is a cron job in OMV. Not sure why your cron job seems to not be working.


  • Is there a way to check your version in the GUI? Or a way to use the commandline in the GUI or a url? I'm using a Raspberry which is far away from any screen... I just updated everything, my omv version is 3.0.76. Should I still be worried? Thanks!

  • Is there a way to check your version in the GUI? Or a way to use the commandline in the GUI or a url? I'm using a Raspberry which is far away from any screen... I just updated everything, my omv version is 3.0.76. Should I still be worried? Thanks!

    What's wrong with ssh and then:


    apt-cache policy samba

    --
    Google is your friend and Bob's your uncle!


    RAID - Its ability to disappoint is inversely proportional to the user's understanding of it.


    OMV 5.x on ASRock Rack C2550D4I C0 Stepping - 16GB ECC - Silverstone DS380 + Silverstone DS380 DAS Box.
