SambaCry Vulnerability
Summary
CVE-2017-7494
All versions of Samba from 3.5.0 onwards are vulnerable to a remote code execution flaw: a malicious client with write access to a share can upload a shared library to that share and then cause the smbd server to load and execute it.
Unaffected Quantum Products
The following Quantum products are known to be unaffected by the Samba vulnerability.
- Scalar Key Manager
- Scalar Tape Libraries
- Lattus (C5, A10, S10, S20, S30)
- StorNext Software
- Vision
- Xcellis Application Director
Vulnerable Quantum Products
Versions of the following Quantum products are known to be affected by the Samba vulnerability.
- DXi running version 1.4.3+
- Scalar LTFS
- StorNext Appliances with NAS licensed
- vmPRO
Impact
Malicious clients can upload and cause the smbd server to execute a shared library from a writable share.
Solution
Patches to Quantum software and firmware are in progress; please contact your Quantum service representative for the latest status on availability.
- For StorNext Appliances with NAS licensed, customers can immediately work around the issue by setting the nt pipe support SMB option to no until the next patch release is available. This prevents clients from accessing any named pipe endpoints. Note this can disable some expected functionality for Windows clients:
- To set this SMB option, log into the Console Command Line (see StorNext NAS Documentation Center at http://qsupport.quantum.com/kb/flare/Content/stornext/SNNAS_Docsite/NAS%20CLI%20Guide/NAS_CLI_AccessCCL.htm). Issue the following commands:
reg set cifs.config.global.nt_pipe_support = no
share change smb global log level = 1
share change smb global log level = 0
If you have configured NAS to run in a cluster, these commands only need to be issued from the master node of the cluster.
- You can determine which node is the master node by running the nascluster show command from the Console CLI. The Master IP is shown in the output. Sample output:
NAS Cluster IP: 10.20.72.154/eth0, Master: Yes, SNFS Root: /stornext/home, Joined: Yes
Load balancing: leastconn
NFS-HA: Disabled
Master IP: 10.20.72.154
VIP: 10.20.67.29 active
Nodes: 3
1: 10.20.72.154 (Joined)
2: 10.20.71.234 (Joined)
3: 10.20.86.111 (Joined)
- For vmPRO, customers can immediately work around the issue by setting the nt pipe support SMB option to no. This prevents clients from accessing any named pipe endpoints. Note this can disable some expected functionality for Windows clients:
- To set this SMB option, log into the panshell and issue the following command:
reg set cifs.config.global.nt_pipe_support = no
- Then, from the panshell, restart the smbd service:
system restart services
- For DXi, customers can immediately work around the issue by opening a Service Request with Quantum to have Service set the nt pipe support SMB option to no. This prevents clients from accessing any named pipe endpoints. Note this can disable some expected functionality for Windows clients.
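The workarounds above all reduce to the upstream Samba mitigation, nt pipe support = no in the [global] section, and the exposure condition in the Summary reduces to "affected smbd version plus a share the client can write to". The following Python script is an added example (not Quantum's or the Samba project's code) that checks both conditions against a plain smb.conf, as a practitioner would on a generic Samba host rather than on the appliance CLIs shown above. The version cut-offs come from the upstream advisory (affected from 3.5.0; fixed in 4.4.14, 4.5.10 and 4.6.4); the two smb.conf fragments are constructed sample input, one with the weak default and one with the mitigation applied. A vendor or distribution backport can fix an older version number, so a "vulnerable version" result means "assume vulnerable until the vendor says otherwise", not a confirmed finding.

```python
import re

# Cut-offs from the upstream Samba advisory for CVE-2017-7494: every release
# from 3.5.0 is affected; 4.4.14, 4.5.10 and 4.6.4 are the fixed releases.
# Branches older than 4.4 were only patched through vendor backports.
FIRST_AFFECTED = (3, 5, 0)
FIXED_RELEASES = {(4, 4): (4, 4, 14), (4, 5): (4, 5, 10), (4, 6): (4, 6, 4)}
FIRST_CLEAN_BRANCH = (4, 7, 0)

# Constructed sample smb.conf with the default (named pipes enabled) and a
# guest-writable share: exactly the condition the advisory describes.
WEAK_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = %h server

[public]
   path = /srv/samba/public
   guest ok = yes
   writable = yes

[archive]
   path = /srv/samba/archive
   read only = yes
"""

# Same configuration with the upstream workaround applied in [global].
HARDENED_CONF = WEAK_CONF.replace(
    "server string = %h server",
    "server string = %h server\n   nt pipe support = no")


def parse_version(text):
    """Turn output such as 'Version 4.4.3-Ubuntu' into a (major, minor, patch) tuple."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no x.y.z version found in %r" % text)
    return tuple(int(x) for x in m.groups())


def version_is_vulnerable(version):
    """Upstream version check only; distro backports may patch an older number."""
    v = parse_version(version) if isinstance(version, str) else tuple(version)
    if v < FIRST_AFFECTED:
        return False
    fixed = FIXED_RELEASES.get(v[:2])
    if fixed is None:
        return v < FIRST_CLEAN_BRANCH   # pre-4.4 branch: no fixed release exists
    return v < fixed


def _truthy(value):
    return value.strip().lower() in ("yes", "true", "1")


def parse_smb_conf(text):
    """Minimal smb.conf parser: {section: {key: value}}, keys lower-cased and
    whitespace-normalised. 'writable'/'writeable'/'write ok' are folded into
    'read only' (inverted) so that later settings override earlier ones the
    way smbd resolves these synonyms."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key, value = " ".join(key.split()).lower(), value.strip()
        if key in ("writable", "writeable", "write ok"):
            key, value = "read only", ("no" if _truthy(value) else "yes")
        sections[current][key] = value
    return sections


def workaround_applied(conf):
    """The upstream mitigation is 'nt pipe support = no' in [global] (default yes)."""
    return not _truthy(conf.get("global", {}).get("nt pipe support", "yes"))


def writable_shares(conf):
    """Shares a client could drop a .so into. Share settings override [global];
    Samba's default is read only, and an authenticated-only share still counts."""
    names = []
    for name, params in conf.items():
        if name == "global":
            continue
        merged = dict(conf.get("global", {}))
        merged.update(params)
        if not _truthy(merged.get("read only", "yes")):
            names.append(name)
    return names


def assess(version, smb_conf_text):
    """Combine the version check with the config checks into one verdict."""
    conf = parse_smb_conf(smb_conf_text)
    result = {
        "vulnerable_version": version_is_vulnerable(version),
        "workaround_applied": workaround_applied(conf),
        "writable_shares": writable_shares(conf),
    }
    result["exposed"] = (result["vulnerable_version"]
                         and not result["workaround_applied"]
                         and bool(result["writable_shares"]))
    return result


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, assess("Version 4.4.3-Ubuntu", conf))
```

On a real host, feed it the output of smbd --version and the effective configuration from testparm -s rather than the raw file, since include directives and registry-backed settings are otherwise missed; the appliance CLIs above expose neither, which is why the page directs DXi customers to Quantum Service for the change.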
References
- https://www.samba.org/samba/security/CVE-2017-7494.html
- https://access.redhat.com/security/cve/CVE-2017-7494
Contact Information
In US, call 800-284-5101. In Europe, call toll free +800-7826-8888 or direct +49 6131 324 185. You will need your system serial number. For additional contact information, go to http://www.quantum.com/serviceandsupport/get-help/index.aspx#contact-support