How to Fix the SambaCry Vulnerability (CVE-2017-7494) in Linux Systems

Samba has long been the standard for providing shared file and print services to Windows clients on *nix systems. Used by home users, mid-size businesses and large companies alike, it stands out as the go-to solution in environments where different operating systems coexist.

As sadly happens with widely used tools, most Samba installations are at risk of an attack that may exploit a known vulnerability, one that was not considered serious until the WannaCry ransomware attack hit the news not long ago.

In this article we will explain what this Samba vulnerability is and how to protect the systems you are responsible for against it. Depending on your installation type (from repositories or from source), you will need to take a different approach to do it.

If you are currently using Samba in any environment, or know someone who does, read on!

The Vulnerability

Unpatched systems are exposed to a remote code execution vulnerability. In simple terms, this means that a person with access to a writable share can upload a piece of arbitrary code and execute it with root permissions on the server.

The issue is described on the Samba website as CVE-2017-7494 and is known to affect Samba versions 3.5 (released in early March 2010) and onward. Unofficially, it has been named SambaCry due to its similarities with WannaCry: both target the SMB protocol and both are potentially wormable, which could let it spread from system to system.

Debian, Ubuntu, CentOS and Red Hat have taken swift action to protect their users and have released patches for their supported versions. Additionally, security workarounds have also been provided for unsupported ones.

Updating Samba

As mentioned earlier, there are two approaches to follow depending on the previous installation method:

If you installed Samba from your distribution's repositories.

Let's take a look at what you need to do in this case:

On Debian, make sure apt is set up to get the latest security updates by adding the following lines to your sources list (/etc/apt/sources.list):

deb http://security.debian.org stable/updates main
deb-src http://security.debian.org/ stable/updates main

Next, update the list of available packages:

# aptitude update

Finally, make sure the version of the samba package matches the version where the vulnerability has been fixed (see CVE-2017-7494):

# aptitude show samba

On Ubuntu, begin by checking for new available packages and updating the samba package as follows:

$ sudo apt-get update
$ sudo apt-get install samba

The Samba package versions where the fix for CVE-2017-7494 has already been applied are the following:

  • 17.04: samba 2:4.5.8+dfsg-0ubuntu0.17.04.2
  • 16.10: samba 2:4.4.5+dfsg-2ubuntu5.6
  • 16.04 LTS: samba 2:4.3.11+dfsg-0ubuntu0.16.04.7
  • 14.04 LTS: samba 2:4.3.11+dfsg-0ubuntu0.14.04.8

Finally, run the following command to verify that your Ubuntu box now has the patched Samba version installed.

$ sudo apt-cache show samba

On CentOS/RHEL 7 (EL 7), the patched Samba version is samba-4.4.4-14.el7_3. To install it, do

# yum makecache fast
# yum update samba

As before, make sure you now have the patched Samba version:

# yum info samba

Older, still-supported versions of CentOS and RHEL have fixes available as well. Check RHSA-2017-1270 to find out more.

Note: The following procedure assumes that you previously built Samba from source. You are strongly encouraged to test it thoroughly in a testing environment BEFORE deploying it to a production server.

Additionally, make sure you back up the smb.conf file before starting.

In this case, we will compile and update Samba from source as well. Before we begin, however, we must make sure all the dependencies are installed beforehand. Note that this may take several minutes.

# aptitude install acl attr autoconf bison build-essential \
    debhelper dnsutils docbook-xml docbook-xsl flex gdb krb5-user \
    libacl1-dev libaio-dev libattr1-dev libblkid-dev libbsd-dev \
    libcap-dev libcups2-dev libgnutls28-dev libjson-perl \
    libldap2-dev libncurses5-dev libpam0g-dev libparse-yapp-perl \
    libpopt-dev libreadline-dev perl perl-modules pkg-config \
    python-all-dev python-dev python-dnspython python-crypto xsltproc \
    zlib1g-dev libsystemd-dev libgpgme11-dev python-gpgme python-m2crypto
# yum install attr bind-utils docbook-style-xsl gcc gdb krb5-workstation \
    libsemanage-python libxslt perl perl-ExtUtils-MakeMaker \
    perl-Parse-Yapp perl-Test-Base pkgconfig policycoreutils-python \
    python-crypto gnutls-devel libattr-devel keyutils-libs-devel \
    libacl-devel libaio-devel libblkid-devel libxml2-devel openldap-devel \
    pam-devel popt-devel python-devel readline-devel zlib-devel

Stop the service:

# systemctl stop smbd

Download and untar the source (with 4.6.4 being the latest version at the time of this writing):

# wget https://www.samba.org/samba/ftp/samba-latest.tar.gz 
# tar xzf samba-latest.tar.gz
# cd samba-4.6.4

For informative purposes only, check the available configure options for the current release with:

# ./configure --help

You may include some of the options returned by the above command if they were used in the previous build, or you may choose to go with the defaults:

# ./configure
# make
# make install

Finally, restart the service:

# systemctl restart smbd

and verify that you are running the updated version:

# smbstatus --version

which should return 4.6.4.

General Considerations

If you are running an unsupported distribution version and are unable to upgrade to a more recent one for some reason, you may want to take the following suggestions into account:

  • If SELinux is enabled, you are protected!
  • Make sure Samba shares are mounted with the noexec option. This will prevent the execution of binaries residing on the mounted filesystem.

Add

nt pipe support = no

to the [global] section of your smb.conf file and restart the service. Keep in mind that this "can disable some functionality in Windows clients", as the Samba project notes.

Important: Be aware that the option nt pipe support = no will prevent Windows clients from listing shares. For example: when you type \\10.100.10.2 from Windows Explorer against the Samba server, you will get a permission denied error. The share must be entered manually as \\10.100.10.2\share_name to access it.
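As an added example that is not part of the original article, the following Python script audits an smb.conf against the two workarounds above: it reports whether nt pipe support is still enabled in [global] and which writable shares (resolving Samba's writable, writeable, write ok and read only synonyms) sit on a mount that lacks noexec. The smb.conf text and the mount table are constructed samples; on a real host you would read /etc/samba/smb.conf and /proc/mounts instead.

```python
import configparser

# Constructed sample smb.conf (not from a real host): one writable share under a
# noexec mount, one read-only share, and one writable share on the root filesystem.
SAMPLE_SMB_CONF = """
[global]
   nt pipe support = yes
[public]
   path = /srv/samba/public
   writable = yes
[docs]
   path = /srv/samba/docs
   read only = yes
[homes]
   path = /home/%U
   writeable = yes
"""
# Constructed mount table: mount point -> options (on a real host, parse /proc/mounts).
SAMPLE_MOUNTS = {"/": {"rw"}, "/srv/samba": {"rw", "noexec", "nosuid"}}

def _is_yes(value):
    return value.strip().lower() in ("yes", "true", "1")

def share_is_writable(section):
    """Resolve Samba's synonyms; the default is 'read only = yes'."""
    for key in ("writable", "writeable", "write ok"):
        if key in section:
            return _is_yes(section[key])
    return not _is_yes(section.get("read only", "yes"))

def mount_options_for(path, mounts):
    """Options of the longest mount point that contains path."""
    best = max((mp for mp in mounts if path == mp or path.startswith(mp.rstrip("/") + "/")),
               key=len, default="")
    return mounts.get(best, set())

def audit(smb_conf_text, mounts):
    """Findings for CVE-2017-7494 exposure: nt pipes enabled, writable shares without noexec."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   inline_comment_prefixes=(";", "#"))
    # smb.conf indents options; strip them so configparser does not treat them as continuations
    cp.read_string("\n".join(l.strip() for l in smb_conf_text.splitlines()))
    glob = cp["global"] if cp.has_section("global") else {}
    findings = []
    if _is_yes(glob.get("nt pipe support", "yes")):
        findings.append("[global]: 'nt pipe support = no' is not set")
    for name in cp.sections():
        if name != "global" and share_is_writable(cp[name]):
            path = cp[name].get("path", "")
            if "noexec" not in mount_options_for(path, mounts):
                findings.append(f"[{name}]: writable share at {path} is not on a noexec mount")
    return findings
```

Running audit(SAMPLE_SMB_CONF, SAMPLE_MOUNTS) flags the [global] section and the [homes] share; [public] passes because /srv/samba is mounted noexec, and [docs] is skipped because it is read-only.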

In this article we have described the vulnerability known as SambaCry and how to mitigate it. We hope you can use this information to protect the systems you are responsible for.

If you have any questions or comments about this article, feel free to use the form below to let us know.