[Pkg-samba-maint] Fwd: Samba 2:4.9.5+dfsg-5+deb10u1 still apparently vulnerable to CVE-2017-7494 ?!?
Jeremy Davis
jeremy at turnkeylinux.org
Fri Aug 27 01:34:44 BST 2021
Forwarding to Samba team and alternate security address in hope of response.
Thanks in advance.
-------- Forwarded Message --------
Subject: Samba 2:4.9.5+dfsg-5+deb10u1 still apparently vulnerable to
CVE-2017-7494 ?!?
Date: Wed, 25 Aug 2021 09:24:49 +1000
From: Jeremy Davis <jeremy at turnkeylinux.org>
Organization: Turnkey Linux
To: security at debian.org
CC: Alon Swartz <alon at turnkeylinux.org>
Hi team,
My name is Jeremy Davis and I work with TurnKey GNU/Linux[1][2], a
Debian derivative[3]. Essentially we provide a library of preconfigured
headless software appliances.
[1] https://www.turnkeylinux.org/
[2] https://en.wikipedia.org/wiki/TurnKey_Linux_Virtual_Appliance_Library
[3] https://wiki.debian.org/Derivatives/Census/TurnKeyLinux
As part of our business model, we sell servers via the AWS Marketplace.
One of those is our Domain Controller appliance[4][5].
[4] https://aws.amazon.com/marketplace/pp/prodview-2t3edixgltuqw
[5] https://www.turnkeylinux.org/domain-controller
The current release leverages the Buster Samba packages. Namely it
includes:
python-samba 2:4.9.5+dfsg-5+deb10u1
samba 2:4.9.5+dfsg-5+deb10u1
samba-common 2:4.9.5+dfsg-5+deb10u1
samba-common-bin 2:4.9.5+dfsg-5+deb10u1
samba-dsdb-modules 2:4.9.5+dfsg-5+deb10u1
samba-libs 2:4.9.5+dfsg-5+deb10u1
samba-vfs-modules 2:4.9.5+dfsg-5+deb10u1
According to DSA-3860[6], CVE-2017-7494[7] should be resolved in the
current 2:4.9.5+dfsg-5+deb10u1 package(s).
[6] https://www.debian.org/security/2017/dsa-3860
[7] https://security-tracker.debian.org/tracker/CVE-2017-7494
However, AWS MP "security scanner" reported that our Domain Controller
image is vulnerable to CVE-2017-7494! We have had issues with false
positives before, so I followed up with the AWSMP security team and they
claim that they have confirmed the vulnerability via metasploit:
> We can see you have the latest version but our scanner used metasploit to try and carry out an attack on the AMI. It could!
>
> Some details about the metasploit module: This module triggers an arbitrary shared library load vulnerability in Samba versions 3.5.0 to 4.4.14, 4.5.10, and 4.6.4. This module requires valid credentials, a writeable folder in an accessible share, and knowledge of the server-side path of the writeable folder. In some cases, anonymous access combined with common filesystem locations can be used to automatically exploit this vulnerability. Metasploit module used: https://www.rapid7.com/db/modules/exploit/linux/samba/is_known_pipename/ It could carry out an attack because it could connect to /lsarpc. LSARPC is really a set of calls, transmitted with RPC, to a system called the "Local Security Authority". This is used in the Microsoft/Windows world to perform management tasks on domain security policies from a remote machine. The protocol is described in MS-LSAD.
If you have any further insight or info for how I might be able to
mitigate this at least and/or what more I can do to assist to get this
issue fully resolved please let me know.
Regards,
Jeremy Davis