Author Topic: Need upgrade to Samba on LS-X3  (Read 711 times)

glescano

  • Calf
  • *
  • Posts: 1
Need upgrade to Samba on LS-X3
« on: June 07, 2018, 12:00:20 pm »
Anyone know if it's possible to upgrade Samba to a version 4.2.11 or higher?  My IT security found a Vulnerability with Samba.  But apparently there's no more firmware update for this.  I wanted to know what Buffalo think we should do about this.


Samba Badlock Vulnerability
Description
The version of Samba, a CIFS/SMB server for Linux and Unix, running on the remote host is affected by a flaw, known as Badlock, that exists in the Security Account Manager (SAM) and Local Security Authority (Domain Policy) (LSAD) protocols due to improper authentication level negotiation over Remote Procedure Call (RPC) channels. A man-in-the-middle attacker who is able to able to intercept the traffic between a client and a server hosting a SAM database can exploit this flaw to force a downgrade of the authentication level, which allows the execution of arbitrary Samba network calls in the context of the intercepted user, such as viewing or modifying sensitive security data in the Active Directory (AD) database or disabling critical services.
Solution
Upgrade to Samba version 4.2.11 / 4.3.8 / 4.4.2 or later.

oxygen8

  • Buffalo
  • ***
  • Posts: 243
  • Giving you some breathing space.
Re: Need upgrade to Samba on LS-X3
« Reply #1 on: June 07, 2018, 02:47:35 pm »
compiling samba 4.8.2 on the nas is not so easy

i am stopping on
Code: [Select]
/mnt/array1/share/samba-4.8.2/wscript: error: Traceback (most recent call last):
  File "/mnt/array1/share/samba-4.8.2/third_party/waf/wafadmin/Utils.py", line 308, in load_module

but on FW 1.74 you have
Code: [Select]
smbd -V
Version 3.6.3-31a.osstech

Quote
Samba 3.6 (almost) fully supports SMB2 (verified).
from
https://www.pdq.com/blog/disable-smbv1-considerations-execution/