Yes, this is very bad news, and in the foreseeable future there will be more and more problems of this kind.

The Samba remote code execution vulnerability can be thought of as a Unix version of EternalBlue: with nothing more than a single pipe, a local .so file can be used for privilege escalation, again over port 445. The devices mainly affected are NAS appliances and servers running the Samba service. For consumer NAS devices, the main vendor Synology has already shipped an update (the latest version is DSM 6.1.1 update 4); for production environments, you will have to roll up your sleeves and handle it yourselves.

Brief description of the vulnerability

Overview

Samba is software that lets Unix-like computers and MS Windows computers share resources with each other. Samba provides three resource-sharing functions: smbd, which lets a Unix-like computer share resources with other computers; smbclient, which lets a Unix-like computer access resources on other computers; and finally smbmount, which is similar to the "map network drive" feature on MS Windows and mounts resources from other computers into the current system.

Affected versions

Samba Version < 4.6.4

Samba Version < 4.5.10

Samba Version < 4.4.14

Unaffected versions

Samba Version = 4.6.4

Samba Version = 4.5.10

Samba Version = 4.4.14

Official recommendation

The Samba project has released new versions that fix the vulnerability above; affected users should upgrade to a new version as soon as possible. Download links:

https://download.samba.org/pub/samba/stable/samba-4.6.4.tar.gz

https://download.samba.org/pub/samba/stable/samba-4.5.10.tar.gz

https://download.samba.org/pub/samba/stable/samba-4.4.14.tar.gz

Next comes Red Hat's statement. Given the difference in who is being served (paying customers versus ordinary users), the simpler, more direct and more effective thing to do is of course to read Red Hat's statement; using my own subscription, I have copied it below for reference. Also, for those with a strong need for rpm packages, you can use the CentOS repository: generally, once CentOS publishes its release, first change a yum parameter so that packages are kept locally after installation, then run yum install samba to obtain the updated package, which is identical to Red Hat's.

Samba Remote Code Execution Vulnerability - CVE-2017-7494

Solution verified - Updated Thursday at 4:18 AM - English

Environment

Red Hat Enterprise Linux 5

Red Hat Enterprise Linux 6

Red Hat Enterprise Linux 7

Red Hat Gluster Storage 3.2

Issue

Samba version 3.5 and above is vulnerable to a remote code execution flaw. A remote malicious client which has write access to a samba share could upload a shared library and cause the samba server to execute it, this could result in code execution as root user.

Resolution

All Red Hat customers running affected versions of samba are strongly recommended to update as soon as patches are available. Details about impacted packages as well as recommended mitigation are noted below:

Red Hat Gluster Storage 3 (samba) - RHSA-2017:1273

Red Hat Enterprise Linux 7 (samba) - RHSA-2017:1270

Red Hat Enterprise Linux 6 (samba) - RHSA-2017:1270

Red Hat Enterprise Linux 6 (samba4) - RHSA-2017:1271

Red Hat Enterprise Linux 5 ELS (samba3x) - RHSA-2017:1272

Note: SELinux is enabled by default and our default policy prevents loading of modules from outside of samba's module directories and therefore blocks the exploit.

More information is available on the following pages:

https://access.redhat.com/security/vulnerabilities/3034621

https://www.samba.org/samba/security/CVE-2017-7494.html

Confirmed: all versions are affected. I picked Red Hat Enterprise Linux 6 (samba) - RHSA-2017:1270 at random:

Important: samba security update

Advisory:

RHSA-2017:1270-1

Type:

Security Advisory

Severity:

Important

Issued on:

2017-05-24

Last updated on:

2017-05-24

Affected Products:

Red Hat Enterprise Linux Desktop (v. 6)

Red Hat Enterprise Linux Desktop (v. 7)

Red Hat Enterprise Linux HPC Node (v. 6)

Red Hat Enterprise Linux HPC Node (v. 7)

Red Hat Enterprise Linux Resilient Storage (v. 7)

Red Hat Enterprise Linux Server (v. 6)

Red Hat Enterprise Linux Server (v. 7)

Red Hat Enterprise Linux Server TUS (v. 7.3)

Red Hat Enterprise Linux Workstation (v. 6)

Red Hat Enterprise Linux Workstation (v. 7)

CVEs (cve.mitre.org):

CVE-2017-7494

Details

An update for samba is now available for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Samba is an open-source implementation of the Server Message Block (SMB) protocol and the related Common Internet File System (CIFS) protocol, which allow PC-compatible machines to share files, printers, and various information.

Security Fix(es):

A remote code execution flaw was found in Samba. A malicious authenticated samba client, having write access to the samba share, could use this flaw to execute arbitrary code as root. (CVE-2017-7494)

Red Hat would like to thank the Samba project for reporting this issue. Upstream acknowledges steelo as the original reporter.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing this update, the smb service will be restarted automatically.

Then the key part is below; those who need rpm packages can use the following names to search on rpmfind or in a related yum repository.

Red Hat Enterprise Linux Server (v. 6)

SRPMS:

samba-3.6.23-43.el6_9.src.rpm

IA-32:

libsmbclient-3.6.23-43.el6_9.i686.rpm

libsmbclient-devel-3.6.23-43.el6_9.i686.rpm

samba-3.6.23-43.el6_9.i686.rpm

samba-client-3.6.23-43.el6_9.i686.rpm

samba-common-3.6.23-43.el6_9.i686.rpm

samba-debuginfo-3.6.23-43.el6_9.i686.rpm

samba-doc-3.6.23-43.el6_9.i686.rpm

samba-domainjoin-gui-3.6.23-43.el6_9.i686.rpm

samba-swat-3.6.23-43.el6_9.i686.rpm

samba-winbind-3.6.23-43.el6_9.i686.rpm

samba-winbind-clients-3.6.23-43.el6_9.i686.rpm

samba-winbind-devel-3.6.23-43.el6_9.i686.rpm

samba-winbind-krb5-locator-3.6.23-43.el6_9.i686.rpm

Supplement

1: AIX is also affected; all Unix systems running the Samba service are affected.

2: Device scope: servers, NAS storage, unified storage (NAS+SAN), monitoring devices with embedded Linux, industrial PCs, tablets...

What does this have to do with me?

1: First, if it is left unhandled there is a possibility of privilege escalation; in practice that alone is not the main concern.

2: In baseline scans and classified-protection (等保) assessments, vulnerabilities rated critical or above are checked by version. That is, for major vulnerabilities, a version with the defect will be reported even if the service is not running, and once it is reported someone has to fix it.
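An added version-triage helper (not from the original article, Samba or Red Hat) that applies the fixed versions listed on this page: the upstream 4.6.4 / 4.5.10 / 4.4.14 boundaries and the RHEL 6 package samba-3.6.23-43.el6_9 from RHSA-2017:1270. It assumes that branches newer than 4.6 shipped with the fix, and rpm_vercmp is a simplified stand-in for RPM's own comparison; the RHEL path shows why a bare version check flags patched backports.

```python
import re

# Fixed upstream releases listed on this page (Samba advisory).
UPSTREAM_FIXED = {(4, 6): (4, 6, 4), (4, 5): (4, 5, 10), (4, 4): (4, 4, 14)}
# Fixed RHEL 6 package listed on this page (RHSA-2017:1270); keyed by dist tag.
RHEL_FIXED = {"el6": ("3.6.23", "43.el6_9")}

def parse_version(text):
    """Pull an x.y.z triple out of text such as 'Version 4.6.3'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no x.y.z version in %r" % text)
    return tuple(int(x) for x in m.groups())

def upstream_vulnerable(text):
    """True if an upstream Samba build of this version lacks the fix. The flaw
    exists from 3.5 (advisory text above); branches newer than 4.6 are assumed
    to have shipped with the fix (assumption, not stated on the page)."""
    v = parse_version(text)
    if v < (3, 5, 0) or v[:2] > (4, 6):
        return False
    fixed = UPSTREAM_FIXED.get(v[:2])
    return True if fixed is None else v < fixed  # older branches got no fix

def rpm_vercmp(a, b):
    """Simplified rpmvercmp: compare numeric/alpha segments left to right."""
    sa, sb = re.findall(r"\d+|[A-Za-z]+", a), re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # numeric sorts newer than alpha
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def rhel_package_vulnerable(nvr):
    """Compare an installed samba NVR (output of 'rpm -q samba') with the fixed
    package. Distro backports keep the old upstream version (3.6.23), so a
    bare version check flags patched hosts; the release field decides."""
    name, ver, rel = re.match(r"^(.+)-([^-]+)-([^-]+)$", nvr).groups()
    dist = re.search(r"el\d+", rel)
    if name != "samba" or dist is None or dist.group() not in RHEL_FIXED:
        raise ValueError("no fixed package known for %r" % nvr)
    fver, frel = RHEL_FIXED[dist.group()]
    return (rpm_vercmp(ver, fver) or rpm_vercmp(rel, frel)) < 0

if __name__ == "__main__":
    for v in ("Version 4.6.3", "4.6.4", "3.6.23"):
        print(v, "upstream vulnerable:", upstream_vulnerable(v))
    for p in ("samba-3.6.23-41.el6", "samba-3.6.23-43.el6_9"):
        print(p, "RHEL package vulnerable:", rhel_package_vulnerable(p))
```

Note that 3.6.23 is reported as vulnerable by the upstream check but the el6_9 build of it is not, which is exactly the false positive a version-only baseline scan produces on patched RHEL hosts.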

Author: 郭冠樱, systems operations engineer, 华胜天成

Original article: http://www.aixchina.net/Article/178265

Article title: 《又双叒叕出重大漏洞了,关于Unix版本永恒之蓝,CVE-2017-7494》 (Yet another major vulnerability: the Unix version of EternalBlue, CVE-2017-7494), reposted at https://www.lu-xu.com/yule/5756.html