Is my Ubuntu vulnerable to SambaCry?

security package-management samba

First of all you should have a samba server running to be vulnerable to this bug which you don't have.

This vulnerability already has been patched, its CVE-ID is: "CVE-2017-7494":

Samba since version 3.5.0 is vulnerable to remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it.

So what you should do is a system upgrade if you didn't have done it already, then you are safe to go.

Check your apt's "history logs" to see if your Ubuntu recently received any upgrade for samba or its libraries .

grep -B10 samba- /var/log/apt/history.log

to make sure you've got last updates use:

sudo apt update
sudo apt upgrade

Also use:

apt changelog samba

or aptitude changelog samba if you are running an older version Ubuntu to get a list of last changes in this package, and if you pay attention you will see:

samba (2:4.3.11+dfsg-0ubuntu0.16.04.7) xenial-security; urgency=medium

  * SECURITY UPDATE: remote code execution from a writable share
  - debian/patches/CVE-2017-7494.patch: refuse to open pipe names with a
    slash inside in source3/rpc_server/srv_pipe.c.
  - CVE-2017-7494

Pay attention to the version: "2:4.3.11+dfsg-0ubuntu0.16.04.7", Then use:

$ dpkg -l samba* | awk "( !(/none/) && /^ii/ )"
ii samba-libs:amd64  2:4.3.11+dfsg-0ubuntu0.16.04.7 amd64  Samba core libraries

to see if you have patched version installed or not.

Extra steps

If you're really paranoia, grab a copy of source code, e.g:

apt source --download samba-libs

it will download the corresponding source code and all patches, extracts the source and apply the patches.

then go to:

head /path-to-extract/samba-4.3.11+dfsg/debian/changelog

You'll see the same stuff, as apt changelog samba. you can even look for patch itself:

cat /home/ravexina/samba-4.3.11+dfsg/debian/patches/CVE-2017-7494.patch

+   if (strchr(pipename, '/')) {
+       DEBUG(1, ("Refusing open on pipe %s\n", pipename));
+       return false;
+   }
+

or even compile and install it, if you wish.

If you're carious, you can see a proof of concept for cve-2017-7494 here.


The Ubuntu Security Notice associated with the CVE has a list of affected Ubuntu releases and package versions where the patch was applied. From USN-3296-1:

The problem can be corrected by updating your system to the following package version:

Ubuntu 17.04:

samba 2:4.5.8+dfsg-0ubuntu0.17.04.2

Ubuntu 16.10:

samba 2:4.4.5+dfsg-2ubuntu5.6

Ubuntu 16.04 LTS:

samba 2:4.3.11+dfsg-0ubuntu0.16.04.7

Ubuntu 14.04 LTS:

samba 2:4.3.11+dfsg-0ubuntu0.14.04.8

In addition, USN-3296-2 states that 12.04 ESM users also have a patched version available:

Ubuntu 12.04 LTS:

samba 2:3.6.25-0ubuntu0.12.04.11

Related

Ubuntu 14.04 on Mac gets too hot
How do I install joomla 1.7 on a lamp server?
How to specify ec2 instance types for different services?
How do I disable Dunst and go back to notify-osd?
Is Ubuntu's archive signing key available via HTTPS somewhere?
Will Ubuntu work with reproducible builds?
How to stop turning off sequence when power manager says that battery is too low and want to power down?
How do I hide/disable close buttons for GNOME windows?
Ubuntu does not recognize existing Windows partitions in a GPT disk
Install BSNL evdo card in Ubuntu 12.10
folder content doesn't get refreshed automatically in ubuntu 14.04
How to set MS Word 2010 as default application for all docx and other types?