CVE-2017-7494
A remote code execution flaw was found in Samba. A malicious authenticated samba client, having write access to the samba share, could use this flaw to execute arbitrary code as root.
Find out more about CVE-2017-7494 from the MITRE CVE dictionary dictionary and NIST NVD.
CVSS v3 metrics
| CVSS3 Base Score | 7.5 |
|---|---|
| CVSS3 Base Metrics | CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
| Attack Vector | Network |
| Attack Complexity | High |
| Privileges Required | Low |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity Impact | High |
| Availability Impact | High |
Red Hat Security Errata
| Platform | Errata | Release Date |
|---|---|---|
| Red Hat Enterprise Linux Extended Update Support 6.7 (samba) | RHSA-2017:1390 | 2017-06-05 |
| Red Hat Enterprise Linux Advanced Update Support 6.5 (samba) | RHSA-2017:1390 | 2017-06-05 |
| Red Hat Enterprise Linux Extended Update Support 7.2 (samba) | RHSA-2017:1390 | 2017-06-05 |
| Red Hat Enterprise Linux 7 (samba) | RHSA-2017:1270 | 2017-05-24 |
| Red Hat Enterprise Linux Server TUS (v. 6.5) (samba) | RHSA-2017:1390 | 2017-06-05 |
| Red Hat Enterprise Linux Extended Update Support 7.1 (samba) | RHSA-2017:1390 | 2017-06-05 |
| Red Hat Enterprise Linux Server (v. 5 ELS) (samba3x) | RHSA-2017:1272 | 2017-05-24 |
| Red Hat Enterprise Linux 6 (samba) | RHSA-2017:1270 | 2017-05-24 |
| Red Hat Enterprise Linux 6 (samba4) | RHSA-2017:1271 | 2017-05-24 |
| Red Hat Enterprise Linux Advanced Update Support 6.4 (samba) | RHSA-2017:1390 | 2017-06-05 |
| Red Hat Enterprise Linux Advanced Update Support 6.2 (samba) | RHSA-2017:1390 | 2017-06-05 |
| Red Hat Gluster 3.2 Samba on RHEL-7 (samba) | RHSA-2017:1273 | 2017-05-24 |
| Red Hat Gluster 3.2 Samba on RHEL-6 (samba) | RHSA-2017:1273 | 2017-05-24 |
| Red Hat Enterprise Linux Advanced Update Support 6.6 (samba) | RHSA-2017:1390 | 2017-06-05 |
| Red Hat Enterprise Linux Server TUS (v. 6.6) (samba) | RHSA-2017:1390 | 2017-06-05 |
Affected Packages State
| Platform | Package | State |
|---|---|---|
| Red Hat Enterprise Linux 5 | samba | Not affected |
Acknowledgements
Red Hat would like to thank the Samba project for reporting this issue. Upstream acknowledges steelo as the original reporter.Mitigation
Any of the following:
1. SELinux is enabled by default and our default policy prevents loading of modules from outside of samba's module directories and therefore blocks the exploit
2. Mount the filesystem which is used by samba for its writable share using "noexec" option.
3. Add the parameter:
nt pipe support = no
to the [global] section of your smb.conf and restart smbd. This prevents clients from accessing any named pipe endpoints. Note this can disable some expected functionality for Windows clients.