samba - May 2017 - noexec as CVE-2017-7494 mitigation

Release Announcements
---------------------

These are a security releases in order to address the following defect:

o  CVE-2017-7494 (Remote code execution from a writable share)

======Details
======
o  CVE-2017-7494:
   All versions of Samba from 3.5.0 onwards are vulnerable to a remote
   code execution vulnerability, allowing a malicious client to upload a
   shared library to a writable share, and then cause the server to load
   and execute it.


Changes:
--------

o  Volker Lendecke <vl at samba.org>
   * BUG 12780: CVE-2017-7494: Avoid remote code execution from a writable
     share.


#######################################
Reporting bugs & Development Discussion
#######################################

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored.  All bug reports should
be filed under the "Samba 4.1 and newer" product in the project's
Bugzilla
database (https://bugzilla.samba.org/).


======================================================================= Our
Code, Our Bugs, Our Responsibility.
== The Samba Team
=====================================================================


===============Download Details
===============
The uncompressed tarballs and patch files have been signed
using GnuPG (ID 6F33915B6568B7EA).  The source code can be downloaded
from:

        https://download.samba.org/pub/samba/stable/

The release notes are available online at:

        https://www.samba.org/samba/history/samba-4.6.4.html
        https://www.samba.org/samba/history/samba-4.5.10.html
        https://www.samba.org/samba/history/samba-4.4.14.html

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

                        --Enjoy
                        The Samba Team
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: Digital signature
URL:
<http://lists.samba.org/pipermail/samba/attachments/20170524/e40ea771/signature.sig>

Patch seems to be missing from v4-6-test.


On Wed, May 24, 2017 at 3:21 AM, Karolin Seeger via samba-technical
<samba-technical at lists.samba.org> wrote:
> Release Announcements
> ---------------------
>
> These are a security releases in order to address the following defect:
>
> o  CVE-2017-7494 (Remote code execution from a writable share)
>
> ======> Details
> ======>
> o  CVE-2017-7494:
>    All versions of Samba from 3.5.0 onwards are vulnerable to a remote
>    code execution vulnerability, allowing a malicious client to upload a
>    shared library to a writable share, and then cause the server to load
>    and execute it.
>
>
> Changes:
> --------
>
> o  Volker Lendecke <vl at samba.org>
>    * BUG 12780: CVE-2017-7494: Avoid remote code execution from a writable
>      share.
>
>
> #######################################
> Reporting bugs & Development Discussion
> #######################################
>
> Please discuss this release on the samba-technical mailing list or by
> joining the #samba-technical IRC channel on irc.freenode.net.
>
> If you do report problems then please try to send high quality
> feedback. If you don't provide vital information to help us track down
> the problem then you will probably be ignored.  All bug reports should
> be filed under the "Samba 4.1 and newer" product in the
project's Bugzilla
> database (https://bugzilla.samba.org/).
>
>
> =====================================================================>
== Our Code, Our Bugs, Our Responsibility.
> == The Samba Team
> =====================================================================>
>
>
> ===============> Download Details
> ===============>
> The uncompressed tarballs and patch files have been signed
> using GnuPG (ID 6F33915B6568B7EA).  The source code can be downloaded
> from:
>
>         https://download.samba.org/pub/samba/stable/
>
> The release notes are available online at:
>
>         https://www.samba.org/samba/history/samba-4.6.4.html
>         https://www.samba.org/samba/history/samba-4.5.10.html
>         https://www.samba.org/samba/history/samba-4.4.14.html
>
> Our Code, Our Bugs, Our Responsibility.
> (https://bugzilla.samba.org/)
>
>                         --Enjoy
>                         The Samba Team

On Wed, May 24, 2017 at 09:21:14AM +0200, Karolin Seeger via samba-technical
wrote:
> Release Announcements
> ---------------------
> 
> These are a security releases in order to address the following defect:
> 
> o  CVE-2017-7494 (Remote code execution from a writable share)
> 
> ======> Details
> ======> 
> o  CVE-2017-7494:
>    All versions of Samba from 3.5.0 onwards are vulnerable to a remote
>    code execution vulnerability, allowing a malicious client to upload a
>    shared library to a writable share, and then cause the server to load
>    and execute it.
> 
> 
> Changes:
> --------
> 
> o  Volker Lendecke <vl at samba.org>
>    * BUG 12780: CVE-2017-7494: Avoid remote code execution from a writable
>      share.
> 
> 
> #######################################
> Reporting bugs & Development Discussion
> #######################################
> 
> Please discuss this release on the samba-technical mailing list or by
> joining the #samba-technical IRC channel on irc.freenode.net.
> 
> If you do report problems then please try to send high quality
> feedback. If you don't provide vital information to help us track down
> the problem then you will probably be ignored.  All bug reports should
> be filed under the "Samba 4.1 and newer" product in the
project's Bugzilla
> database (https://bugzilla.samba.org/).
> 
> 
> =====================================================================>
== Our Code, Our Bugs, Our Responsibility.
> == The Samba Team
> =====================================================================
Thanks Karolin ! Here are some mitigation techniques from Red Hat in
case servers cannot be patched immediately:

-------------------------------------------------------------
https://bugzilla.redhat.com/show_bug.cgi?id=1450347#c3

Huzaifa S. Sidhpurwala 2017-05-15 04:02:57 EDT
Mitigation:

Any of the following:

1. SELinux is enabled by default and our default policy prevents loading of
modules from outside of samba's module directories and therefore blocks the
exploit

2. Mount the filessytem which is used by samba for its writeable share,
using "noexec" option.

3. Add the parameter:

    nt pipe support = no

    to the [global] section of your smb.conf and restart smbd. This prevents
clients from accessing any named pipe endpoints. Note this can disable some
expected functionality for Windows clients.
-------------------------------------------------------------

Jeremy.

Am 24.05.2017 um 17:50 schrieb Jeremy Allison via samba:
> Here are some mitigation techniques from Red Hat in
> case servers cannot be patched immediately:
> 2. Mount the filessytem which is used by samba for its writeable share,
> using "noexec" option.
I would have expected this to be standard security precaution on all 
pure file servers (which is probably the most common use of Samba).

Should the Samba-Wiki tell so, or shouldn't all Linux admins be sane 
enough do already do this?