[Pkg-samba-maint] Fwd: Samba 2:4.9.5+dfsg-5+deb10u1 still apparently vulnerable to CVE-2017-7494 ?!?

Jeremy Davis jeremy at turnkeylinux.org
Fri Aug 27 01:34:44 BST 2021 

Forwarding to Samba team and alternate security address in hope of response.

Thanks in advance.

-------- Forwarded Message --------
Subject: Samba 2:4.9.5+dfsg-5+deb10u1 still apparently vulnerable to 
CVE-2017-7494 ?!?
Date: Wed, 25 Aug 2021 09:24:49 +1000
From: Jeremy Davis <jeremy at turnkeylinux.org>
Organization: Turnkey Linux
To: security at debian.org
CC: Alon Swartz <alon at turnkeylinux.org>

Hi team,

My name is Jeremy Davis and I work with TurnKey GNU/Linux[1][2], a 
Debian derivative[3]. Essentially we provide a library of preconfigured 
headless software appliances.

[1] https://www.turnkeylinux.org/
[2] https://en.wikipedia.org/wiki/TurnKey_Linux_Virtual_Appliance_Library
[3] https://wiki.debian.org/Derivatives/Census/TurnKeyLinux

As part of our business model, we sell servers via the AWS Marketplace, 
One of those is our Domain Controller appliance[4][5].

[4] https://aws.amazon.com/marketplace/pp/prodview-2t3edixgltuqw
[5] https://www.turnkeylinux.org/domain-controller

The current release leverage's the Buster Samba packages. Namely it 
includes:

python-samba 2:4.9.5+dfsg-5+deb10u1
samba 2:4.9.5+dfsg-5+deb10u1
samba-common 2:4.9.5+dfsg-5+deb10u1
samba-common-bin 2:4.9.5+dfsg-5+deb10u1
samba-dsdb-modules 2:4.9.5+dfsg-5+deb10u1
samba-libs 2:4.9.5+dfsg-5+deb10u1
samba-vfs-modules 2:4.9.5+dfsg-5+deb10u1

According to DSA-3860[6]; CVE-2017-7494[7] should be resolved in the 
current 2:4.9.5+dfsg-5+deb10u1 package(s).

[6] https://www.debian.org/security/2017/dsa-3860
[7] https://security-tracker.debian.org/tracker/CVE-2017-7494

However, AWS MP "security scanner" reported that our Domain Controller 
image is vulnerable to CVE-2017-7494! We have had issues with false 
positives before, so I followed up with the AWSMP security team and they 
claim that they have confirmed the vulnerability via metasploit:

> We can see you have the latest version but our scanner used metasploit to try and carry out an attack on the AMI. It could!
> 
> Some details about the metasploit module : This module triggers an arbitrary shared library load vulnerability in Samba versions 3.5.0 to 4.4.14, 4.5.10, and 4.6.4. This module requires valid credentials, a writeable folder in an accessible share, and knowledge of the server-side path of the writeable folder. In some cases, anonymous access combined with common filesystem locations can be used to automatically exploit this vulnerability. Metasploit module used : https://www.rapid7.com/db/modules/exploit/linux/samba/is_known_pipename/ It could do an attack was because it could connect to /lsarpc. LSARPC is really a set of calls, transmitted with RPC, to a system called the "Local Security Authority". This used in the Microsoft/Windows world to perform management tasks on domain security policies from a remote machine. The protocol is described in MS-LSAD.

If you have any further insight or info for how I might be able to 
mitigate this at least and/or what more I can do to assist to get this 
issue fully resolved please let me know.

Regards,
Jeremy Davis

-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 495 bytes
Desc: OpenPGP digital signature
URL: <http://alioth-lists.debian.net/pipermail/pkg-samba-maint/attachments/20210827/b291e2e4/attachment.sig>

More information about the Pkg-samba-maint mailing list