Samba vulnerability discovered. Actually not WD's fault


#1

"SambaCry" vulnerability
SambaCry in the wild
#2

Direct link to Samba security announcement: https://www.samba.org/samba/security/CVE-2017-7494.html

CVE-2017-7494.html:

====================================================================
== Subject: Remote code execution from a writable share.

== CVE ID#: CVE-2017-7494

== Versions: All versions of Samba from 3.5.0 onwards.

== Summary: Malicious clients can upload and cause the smbd server
== to execute a shared library from a writable share.

====================================================================

===========
Description

All versions of Samba from 3.5.0 onwards are vulnerable to a remote
code execution vulnerability, allowing a malicious client to upload a
shared library to a writable share, and then cause the server to load
and execute it.

==================
Patch Availability

A patch addressing this defect has been posted to

http://www.samba.org/samba/security/

Additionally, Samba 4.6.4, 4.5.10 and 4.4.14 have been issued as
security releases to correct the defect. Patches against older Samba
versions are available at http://samba.org/samba/patches/. Samba
vendors and administrators running affected versions are advised to
upgrade or apply the patch as soon as possible.

==========
Workaround

Add the parameter:

nt pipe support = no

to the [global] section of your smb.conf and restart smbd. This
prevents clients from accessing any named pipe endpoints. Note this
can disable some expected functionality for Windows clients.

=======
Credits

This problem was found by steelo knownsteelo@gmail.com. Volker
Lendecke of SerNet and the Samba Team provided the fix.
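The advisory above gives an administrator two things to check: whether the running Samba is one of the fixed releases (4.4.14, 4.5.10, 4.6.4, with nothing older than 3.5.0 affected) and whether `nt pipe support = no` is set in the `[global]` section of smb.conf. The script below turns both into a repeatable check; it is an added example, not code from the Samba advisory or from anyone in this thread. The two sample smb.conf files are constructed, the `sambacry_status`/`samba_version_status`/`smbconf_has_workaround` names are mine, and treating any branch newer than 4.6 as fixed is my assumption, not a statement from the advisory.

```sh
#!/bin/sh
# Added example (not from the Samba advisory or the forum thread): check a
# Samba host's exposure to CVE-2017-7494 from its version string and smb.conf.
# POSIX sh + awk; no Samba installation is needed to run it on a saved config.

# Check 1: classify a Samba version as "unaffected", "fixed", "vulnerable"
# or "unknown". Accepts "4.5.9" or the `smbd -V` form "Version 4.5.16-Debian".
# Assumption (mine): branches newer than 4.6 ship with the fix.
# Caveat: distributions backport fixes without bumping the upstream version,
# so "vulnerable" here means "confirm against the vendor changelog".
samba_version_status() {
    v=$(printf '%s\n' "$1" | sed -n 's/^[^0-9]*\([0-9]*\)\.\([0-9]*\)\.\([0-9]*\).*/\1 \2 \3/p')
    [ -n "$v" ] || { echo unknown; return; }
    set -- $v                      # split "major minor patch" into $1 $2 $3
    major=$1; minor=$2; patch=$3
    # Older than 3.5.0: the advisory says these are not affected.
    if [ "$major" -lt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -lt 5 ]; }; then
        echo unaffected; return
    fi
    if [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -gt 6 ]; }; then
        echo fixed; return         # assumption: post-4.6 branches carry the fix
    fi
    case "$major.$minor" in        # fixed release per branch, from the advisory
        4.6) fix=4 ;;
        4.5) fix=10 ;;
        4.4) fix=14 ;;
        *)   fix="" ;;             # 3.5 .. 4.3: no fixed release listed, patch only
    esac
    if [ -n "$fix" ] && [ "$patch" -ge "$fix" ]; then echo fixed; else echo vulnerable; fi
}

# Check 2: does [global] in the given smb.conf set "nt pipe support" to a
# false value? Samba ignores case and whitespace in parameter names, accepts
# no/false/0 as false, and lets the last occurrence win; the awk mirrors that.
# Prints "yes" or "no".
smbconf_has_workaround() {
    awk '
        /^[ \t]*[#;]/ { next }                     # whole-line comments only
        { gsub(/^[ \t]+|[ \t]+$/, "") }            # trim
        $0 == ""      { next }
        /^\[/         { section = tolower($0); next }
        section == "[global]" && index($0, "=") {
            key = tolower(substr($0, 1, index($0, "=") - 1)); gsub(/[ \t]/, "", key)
            val = tolower(substr($0, index($0, "=") + 1));   gsub(/[ \t]/, "", val)
            if (key == "ntpipesupport")
                found = (val == "no" || val == "false" || val == "0")
        }
        END { print (found ? "yes" : "no") }
    ' "$1"
}

# Combined verdict: "unaffected", "fixed", "mitigated" (workaround present),
# "vulnerable" or "unknown".  Usage: sambacry_status <version> <smb.conf>
sambacry_status() {
    ver=$(samba_version_status "$1")
    if [ "$ver" != vulnerable ]; then
        echo "$ver"
    elif [ "$(smbconf_has_workaround "$2")" = yes ]; then
        echo mitigated
    else
        echo vulnerable
    fi
}

# Constructed sample configs (not from any real host), written to a temp dir.
WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
VULN_CONF="$WORKDIR/smb-default.conf"
FIXED_CONF="$WORKDIR/smb-workaround.conf"
cat > "$VULN_CONF" <<'EOF'
[global]
   workgroup = WORKGROUP
   server string = Constructed NAS
[public]
   path = /srv/public
   writable = yes
EOF
cat > "$FIXED_CONF" <<'EOF'
[global]
   workgroup = WORKGROUP
   ; advisory workaround, written with odd casing on purpose
   NT Pipe Support = No
[public]
   path = /srv/public
   writable = yes
EOF

# Stand-alone run over a few constructed version strings. On a live host use
# the output of `smbd -V` and /etc/samba/smb.conf instead.
for v in 3.4.9 4.2.14 4.5.9 4.5.10 4.6.4; do
    printf '%-8s default: %-12s with workaround: %s\n' "$v" \
        "$(sambacry_status "$v" "$VULN_CONF")" "$(sambacry_status "$v" "$FIXED_CONF")"
done
```

The version check is only a heuristic for vendor-built firmware such as a NAS image, where the package version rarely tells you whether a fix was backported; the smb.conf check is exact, since the workaround is a single `[global]` parameter that either is or is not set.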


#3

Okay, this one isn’t WD’s fault.

But let’s see how long it takes them to roll out the security patch…


#4

Heh. Optimist.


#5

You can use the following link in order to submit a report about this:

https://www.wdc.com/security/reporting.html1


Operating system of WDmyCloud?
#6

go figure…


#7

I have no idea how that “1” got there. Here’s the updated link:

https://www.wdc.com/security/reporting.html


#8

uh huh… fool me once… not going there…


#9

The link won’t bite. I promise.


#10

The link gives you an email address.

Why didn’t you just post up the email address instead of a link to an email address?

So I was going to send in a Samba vulnerability email report by attaching a link to this thread, encrypted with the encryption key provided on the link, but the problem is that I really don’t want to deal with PSIRT in 3 days :stuck_out_tongue: The last time the PSIRT contacted me, they wanted to trade my brand new WD Cloud for an old used one.

Anyways, I’ll leave the reporting to someone that is feeling more vulnerable than I…


#11

Haha exactly what I thought :slight_smile:
First they want a support file of your device, no matter what you tell them.
The whole process takes forever…


#12

That’s the WD way of “Customers First” … :rage: If I was to bet, I would wager it will take months for WD to do anything, if at all. Maybe it will take another incident like the one that happened earlier this year and posted publicly before WD will do anything.


#13

I don’t understand why wd needs a report to fix this.
Synology and QNAP rolled out a patch within 24 hours without making customers beg for it.


#14

They really do not need a report, it’s just a delay tactic not to do anything.


#15

Maybe a forum moderator could pass the problem report on…

Or maybe WD’s security team [splutters] could actively monitor vulnerabilities reported within the security community that are relevant to the open source components they are using in their product, release a warning to their customers, and issue a security patch to close the vulnerability.

Because that’s what a company that takes product and customer data security seriously would do…

[hears the deafening sound of silence]


#16

Oh, yes, look how security-aware companies behave…


#18

WD staff don’t read the forums. Or the security community pages…

They should do both.


#19

It’s because WD is a hard drive manufacturer, who know or care nothing about networking or security. The only reason they sell these things is to move more hard drives.

Personally, I’m done with this insecure piece of trash. I’m buying a proper NAS, but I’m going to populate it with Hitachi drives. Edit: This is terrible, when did WD buy Hitachi?

On a positive note, I stopped a customer from buying a MyCloud today. That’s three this month.


#22

You’re right.

But they don’t do anything useful as a result of reading them…

BTW, I think most of the “I’ve not tried this, let’s hope someone with an actual Clue comes along” comments are from moderators. I don’t think many moderators are WD staff. Which, again, is a WD failing. Although relying on user-to-user forums for first-line support is not an approach unique to WD.

[edit: I missed this comment]

No this is not the official WD Support forum (there isn’t one, only a Support portal). This is the WD Community, a user-to-user forum, hosted by WD, and moderated by invited members. Lots of companies (Microsoft included) provide user-to-user communities for users to help each other. It’s a cheap corporate cop-out so they can reduce the size of their actual customer support function, and rely on the free support provided by users.

I’ve been here far too long, and have a pretty good idea of the level of WD staff presence here; there are some, but their presence is rare, sporadic, and does not seem to be managed in any meaningful way. I’m pretty certain that no-one at WD reads every post on every thread. Or even scans the thread titles.

Moderators do sometimes refer threads upwards, which usually results in a contact direct to the user with the query, rather than responding on the forum. My experience of these direct contacts has been fairly poor.


#23

Thanks for the tip. The N300-series are actually more expensive than the WD Reds, and harder to find in Canada. I managed to find a 4TB on sale though, so I think I’ll be ordering it plus a DS116.