{"status":"success","advisory":{"_id":"683547215b16347a91c39ccc","kb_acknowledgements":null,"kb_affected_list":["StorageGRID (formerly StorageGRID Webscale)","StorageGRID Webscale NAS Bridge","StorageGRID9 (9.x and prior)"],"kb_bad_data":false,"kb_cve":["CVE-2017-12150","CVE-2017-12151","CVE-2017-12163"],"kb_exploitation":"Not public","kb_fixes":[{"product":"StorageGRID (formerly StorageGRID Webscale)","fixes":[{"link":"https://mysupport.netapp.com/NOW/download/software/storagegrid_webscale/11.0","cves":[]}],"instructions":"","wontfix":false,"eos_link":null},{"product":"StorageGRID Webscale NAS Bridge","fixes":[{"link":"https://mysupport.netapp.com/NOW/download/software/storagegrid_webscale/11.2/download.shtml","cves":[]}],"instructions":"","wontfix":false,"eos_link":null},{"product":"StorageGRID9 (9.x and prior)","fixes":[],"instructions":null,"wontfix":true,"eos_link":null}],"kb_impact":"Successful exploitation of these vulnerabilities may allow an attacker to read or alter document contents, hijack client connections, or trigger a crash or disclosure of random server memory.","kb_internal_notes":[{"burt":"","jira":"","product":"StorageGRID (formerly StorageGRID Webscale)"},{"burt":"","jira":"","product":"StorageGRID Webscale NAS Bridge"},{"burt":"","jira":"","product":"StorageGRID9 (9.x and prior)"}],"kb_investigating_list":[],"kb_num":"9010000","kb_ref":["https://www.us-cert.gov/ncas/current-activity/2017/09/20/Samba-Releases-Security-Updates","https://www.samba.org/samba/security/CVE-2017-12150.html","https://www.samba.org/samba/security/CVE-2017-12151.html","https://www.samba.org/samba/security/CVE-2017-12163.html"],"kb_rev_history":[{"comment":"Initial Public Release","date":"20170921","version":"1.0"},{"comment":"StorageGRID Webscale added to Software Versions and Fixes","date":"20180525","version":"2.0"},{"comment":"StorageGRID moved to Won't Fix status as the posted Workaround is the solution, Final status","date":"20180831","version":"3.0"}],"kb_revised_list":[],"kb_scoring":{"CVE-2017-12150":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N","CVE-2017-12151":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N","CVE-2017-12163":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H"},"kb_scoring_calc":[{"cve_id":"CVE-2017-12150","range":"MEDIUM","score":5.4,"vector":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N"},{"cve_id":"CVE-2017-12151","range":"HIGH","score":7.4,"vector":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"cve_id":"CVE-2017-12163","range":"HIGH","score":7.1,"vector":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H"}],"kb_status":"Final","kb_summary":"StorageGRID and StorageGRID Webscale incorporate Samba. Multiple versions of Samba are susceptible to three vulnerabilities that could allow document contents to be read or altered, allow a client to indirectly read server memory, or allow the hijacking of client connections. This advisory will be updated as additional information becomes available.","kb_title":"September 2017 Samba Vulnerabilities in NetApp StorageGRID Products","kb_unaffected_list":["7-Mode Transition Tool","ATTO FibreBridge","Active IQ Unified Manager (formerly OnCommand Unified Manager) for Linux 7.3 and above","Active IQ Unified Manager (formerly OnCommand Unified Manager) for VMware vSphere 9.5 and above","Active IQ Unified Manager (formerly OnCommand Unified Manager) for Windows 7.3 and above","Brocade Fabric Operating System Firmware","Brocade Network Advisor Software","Clustered Data ONTAP","Clustered Data ONTAP Antivirus Connector","Data ONTAP operating in 7-Mode","E-Series SANtricity Management Plug-ins (VMware vCenter)","E-Series SANtricity OS Controller Software 11.x","E-Series SANtricity Storage Manager","E-Series SANtricity Web Services (REST API) for Web Services Proxy","FAS/AFF BIOS","Host Utilities - SAN for Linux","Host Utilities - SAN for Windows","MetroCluster Tiebreaker for clustered Data ONTAP","NetApp Cloud Backup (formerly AltaVault)","NetApp Cloud Backup OST Plug-in (formerly AltaVault OST Plug-in)","NetApp Converged Systems Advisor Agent","NetApp HCI Compute Node (Bootstrap OS)","NetApp Manageability SDK","NetApp NFS Plug-in for VMware VAAI","NetApp Plug-in for Symantec NetBackup","NetApp SANtricity SMI-S Provider","NetApp SMI-S Provider","NetApp Service Level Manager","NetApp SolidFire & HCI Storage Node (Element Software)","NetApp Storage Encryption","NetApp VASA Provider for Clustered Data ONTAP 7.2 and above","ONTAP Select Deploy administration utility","OnCommand API Services","OnCommand Cloud Manager","OnCommand Insight","OnCommand System Manager 9.x","OnCommand Unified Manager for 7-Mode (core package) ","OnCommand Workflow Automation","Open Systems SnapVault Agent","RAID Controller CTS2600 Legacy Engenio","Service Processor","Single Mailbox Recovery","Snap Creator Framework","SnapCenter","SnapDrive for Unix","SnapDrive for Windows","SnapManager for Exchange","SnapManager for Hyper-V","SnapManager for MS SQL","SnapManager for Oracle","SnapManager for SAP","SnapManager for Sharepoint","Storage Replication Adapter for Clustered Data ONTAP for VMware vSphere 7.2 and above","Storage Services Connector","System Setup","Virtual Storage Console for VMware vSphere 7.2 and above"],"kb_workarounds":"CVE-BUNDLE-201709 SAMBA WORKAROUND FOR STORAGEGRID, STORAGEGRID WEBSCALE AND NAS BRIDGE
\r\n 
\r\nDate: Sep 21, 2017
\r\nVersion: 1.1
\r\n 
\r\nINTRODUCTION
\r\n 
\r\nThis article provides a workaround to CVE-BUNDLE-201709 for:
\r\n \r\n
    \r\n\t
  1. StorageGRID (SG) 9.0.4
    2. \r\n\t
  2. StorageGRID Webscale (SGWS) 10.2/10.3/10.4/11.0
    3. \r\n\t
  3. NAS Bridge 2.0.2/2.0.3
    4. \r\n
\r\n 
\r\nThe CVE-BUNDLE-201709 consists of CVE-2017-12150, CVE-2017-12151 and CVE-2017-12163.
\r\n 
\r\nNote: There is currently no workaround for CVE-2017-12151 on SG 9.0.4 and SGWS 10.2. Please check with Novell SLES for Samba patch release to address this issue. You may applied the Samba patch from Novell SLES using the NetApp KB article https://kb.netapp.com/support/s/article/ka31A00000010n5QAA/how-to-perform-a-samba-patching-procedure-for-storagegrid-and-storagegrid-webscale-with-sles-11-sp2-or-sp3-operating-system
\r\n 
\r\nPlease read the details of each CVE to assess the needs of your organization. For details, see https://cve.mitre.org/cve/cve.html
\r\n 
\r\nWHAT TYPE OF SERVER NEED MITIGATION?
\r\n \r\n\r\n\t\r\n\t\t\r\n\t\t\t\r\n\t\t\t\r\n\t\t\t\r\n\t\t\r\n\t\t\r\n\t\t\t\r\n\t\t\t\r\n\t\t\t\r\n\t\t\r\n\t\r\n
StorageGRID 9.0.4StorageGRID Webscale 10.2/10.3/10.4/11.0StorageGRID Webscale
\r\n\t\t\tNAS Bridge 2.0.2/2.0.3
\r\n\t\t\t
    \r\n\t\t\t\t
  • All Admin Nodes running AMS service
    • \r\n\t\t\t\t
  • All Gateway Nodes running FSG service
    • \r\n\t\t\t
\r\n\t\t\t		\r\n\t\t\t
    \r\n\t\t\t\t
  • All Admin Nodes
    • \r\n\t\t\t
\r\n\t\t\t		\r\n\t\t\t
    \r\n\t\t\t\t
  • All NAS Bridge instances
    • \r\n\t\t\t
\r\n\t\t\t
\r\n 
\r\nWORKAROUND PROCEDURE FOR STORAGEGRID WEBSCALE NAS BRIDGE 2.0.2 AND 2.0.3
\r\n 
\r\nThe workaround should to be applied to all instances of NAS Bridge in the grid even if no CIFS shares are configured.
\r\n 
\r\nCAUTION:\r\n\r\n\r\n 
\r\nPerform the following steps on all NAS Bridge instances:
\r\n \r\n
    \r\n\t
  1. Login to the NAS Bridge server as the pb user. The default password for the user pb can be found in the SGWS NAS Bridge Installation and Setup Guide, Section “Securing the CLI administrator account.”
    2. \r\n
\r\n \r\n\r\n
    \r\n\t
  1. Run the following commands to add entries to the Samba configuration file.
    2. \r\n
\r\n \r\n\r\n\r\n$ mkdir -p /home/pb/override/samba.d/
\r\n \r\n\r\n$ echo "[global]" > /home/pb/override/samba.d/smb.conf
\r\n \r\n\r\n$ echo -e "\\n# Workaround for CVE-2017-12150. \\
\r\nRemove when Samba is patched.\\n# This will overwrite any \\
\r\npreceding client signing value." \\
\r\n>> /home/pb/override/samba.d/smb.conf
\r\n 
\r\n$ echo -e "client signing = required" \\
\r\n>> /home/pb/override/samba.d/smb.conf
\r\n 
\r\n$ echo -e "\\n# Workaround for CVE-2017-12151. \\
\r\nRemove when Samba is patched.\\n# This will overwrite any \\
\r\npreceding client max protocol value." \\
\r\n>> /home/pb/override/samba.d/smb.conf
\r\n 
\r\n$ echo "client max protocol = NT1" >> \\
\r\n/home/pb/override/samba.d/smb.conf
\r\n 
\r\nRun the following (two) commands only if the NAS Bridge version is 2.0.2:
\r\n$ echo -e "\\n# Workaround for CVE-2017-12163. \\
\r\nRemove when Samba is patched.\\n# This will overwrite any \\
\r\npreceding server min protocol value." \\
\r\n>> /home/pb/override/samba.d/smb.conf
\r\n 
\r\n$ echo "server min protocol = SMB2_10" >> \\
\r\n/home/pb/override/samba.d/smb.conf
\r\n \r\n
    \r\n\t
  1. If AD and/or CIFS shares are configured, restart the smbcs service:
    2. \r\n
\r\n$ sudo service smbcs restart
\r\n 
\r\nNote: If AD is configured, the new parameter will not be loaded until the smbcs service is restarted. This is true regardless if CIFS shares are configured.
\r\n \r\n
    \r\n\t
  1. If AD and/or CIFS chares are configured, check the settings were added into /etc/samba/smb.conf
    2. \r\n
\r\n$ testparm -v -s | egrep "client signing|\\
\r\nclient max protocol|server min protocol"
\r\n 
\r\nNote: Copy and paste the command from this article may not work as there may be hidden characters.
\r\n 
\r\nSample output from NAS Bridge 2.0.3:
\r\n-------------------------------------------------------------
\r\n$ testparm -v -s | egrep "client signing|\\
\r\n> client max protocol|server min protocol"
\r\nLoad smb config files from /etc/samba/smb.conf
\r\nrlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
\r\nLoaded services file OK.
\r\n'winbind separator = +' might cause problems with group membership.
\r\nServer role: ROLE_DOMAIN_MEMBER
\r\n        server min protocol = SMB2
\r\n        client max protocol = NT1
\r\n        client signing = required
\r\n-------------------------------------------------------------
\r\n 
\r\nWORKAROUND PROCEDURE FOR STORAGEGRID AND STORAGEGRID WEBSCALE ADMIN NODES
\r\n 
\r\nCAUTION:\r\n\r\n\r\n 
\r\nThe workaround should to be applied to all instances of Admin Node in the grid running the AMS service, even when no audit CIFS share is configured. This procedure is applicable to Admin Node from SG 9.0.4 and SGWS 10.2 – 11.0.
\r\n 
\r\nPerform the following steps on all Admin Node instances:
\r\n \r\n
    \r\n\t
  1. Login to the Admin Node as root (for SGWS 10.2/10.3 and SG 9.0.4) or as admin (for SGWS 10.4/11.0)
    2. \r\n\t
  2. Run this command if the directory /etc/samba/includes does not exist:
    3. \r\n
\r\n$ sudo mkdir -p /etc/samba/includes
\r\n \r\n
    \r\n\t
  1. Run the following commands to add entries to the Samba configuration file, smb.conf:\r\n\t\r\n\t
    2. \r\n
\r\n$ sudo echo -e "\\n# Workaround for CVE-2017-12150. \\
\r\nRemove when Samba is patched.\\n# This will overwrite any \\
\r\npreceding client signing value." \\
\r\n>> /etc/samba/includes/cifs-custom-config.inc
\r\n 
\r\n$ sudo echo "client signing = required" >> \\
\r\n/etc/samba/includes/cifs-custom-config.inc
\r\n \r\n\r\nThis step applies only to SGWS 10.3, 10.4 and 11.0.
\r\n 
\r\n$ sudo echo -e "\\n# Workaround for CVE-2017-12151. \\
\r\nRemove when Samba is patched.\\n# This will overwrite any \\
\r\npreceding client max protocol value." \\
\r\n>> /etc/samba/includes/cifs-custom-config.inc
\r\n 
\r\n$ sudo echo "client max protocol = NT1" >> \\
\r\n/etc/samba/includes/cifs-custom-config.inc
\r\n \r\n\r\n$ sudo echo -e "\\n# Workaround for CVE-2017-12163. \\
\r\nRemove when Samba is patched.\\n# This will overwrite any \\
\r\npreceding (server) min and max protocol value." \\
\r\n>> /etc/samba/includes/cifs-custom-config.inc
\r\n \r\n\r\n$ sudo echo "server min protocol = SMB2_02" >> \\
\r\n/etc/samba/includes/cifs-custom-config.inc
\r\n 
\r\n$ sudo echo "server max protocol = SMB3" >> \\
\r\n/etc/samba/includes/cifs-custom-config.inc
\r\n \r\n\r\n$ sudo echo "min protocol = SMB2" >> \\
\r\n/etc/samba/includes/cifs-custom-config.inc
\r\n 
\r\n$ sudo echo "max protocol = SMB2" >> \\
\r\n/etc/samba/includes/cifs-custom-config.inc
\r\n \r\n
    \r\n\t
  1. Confirmed that only 1 entry exist per samba parameter-value pair changed using testparm. Check that the value of the parameter is as configured above.\r\n\t\r\n\t
    2. \r\n
\r\n$ sudo testparm -s -v | egrep "client \\
\r\nsigning|client max protocol|server min protocol|server max protocol"
\r\n 
\r\nSample output for SGWS 10.3, 10.4 or 11.0 Admin Node:
\r\n-------------------------------------------------------------
\r\n# sudo testparm -s -v | egrep "client \\
\r\n> signing|client max protocol|server min protocol|server max protocol"
\r\nLoad smb config files from /etc/samba/smb.conf
\r\nCan't find include file /etc/samba/includes/cifs-filesystem.inc
\r\nCan't find include file /etc/samba/includes/cifs-interfaces.inc
\r\nProcessing section "[audit-export]"
\r\nProcessing section "[audit-export]"
\r\nLoaded services file OK.
\r\nWARNING: The setting 'security=ads' should NOT be combined with the 'password server' parameter.
\r\n(by default Samba will discover the correct DC to contact automatically).
\r\n 
\r\nServer role: ROLE_DOMAIN_MEMBER
\r\n 
\r\n        server max protocol = SMB3
\r\n        server min protocol = SMB2_02
\r\n        client max protocol = NT1
\r\n        client signing = required
\r\n-------------------------------------------------------------
\r\nIMPORTANT: If any parameter-value pair is missing, stop and contact Support for assistance.
\r\n \r\n\r\n$ sudo testparm -s -v | egrep "client \\
\r\nsigning|min protocol|max protocol"
\r\n 
\r\nSample output for SGWS 10.2 or SG 9.0.4 Admin node:
\r\n-------------------------------------------------------------
\r\n# sudo testparm -s -v | egrep "client \\
\r\n> signing|min protocol|max protocol"
\r\nLoad smb config files from /etc/samba/smb.conf
\r\nrlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
\r\nCan't find include file /etc/samba/includes/cifs-filesystem.inc
\r\nCan't find include file /etc/samba/includes/cifs-interfaces.inc
\r\nProcessing section "[audit-export]"
\r\nLoaded services file OK.
\r\nWARNING: The setting 'security=ads' should NOT be combined with the 'password server' parameter.
\r\n(by default Samba will discover the correct DC to contact automatically).
\r\nServer role: ROLE_DOMAIN_MEMBER
\r\n        max protocol = SMB2
\r\n        min protocol = SMB2
\r\n        client signing = required
\r\n-------------------------------------------------------------
\r\nIMPORTANT: If any parameter-value pair is missing, stop and contact Support for assistance.
\r\n \r\n
    \r\n\t
  1. Reload Samba services:\r\n\t\r\n\t
    2. \r\n
\r\n$ sudo service smbd status && sudo service smbd \\
\r\nreload && sudo killall -HUP smbd
\r\n 
\r\n$ sudo service winbind status && sudo service \\
\r\nwinbind force-reload
\r\n \r\n\r\n# service smb status && service smb \\
\r\nreload && killall -HUP smbd
\r\n 
\r\n# service winbind status && service \\
\r\nwinbind reload && killall -HUP winbind
\r\n 
\r\nNote: If Winbind is not running, the following output is expected:
\r\n[FAIL] winbind is not running ... failed!
\r\n 
\r\nNote: Copy and paste the command from this article may not work as there may be hidden characters.
\r\n 
\r\nWORKAROUND PROCEDURE FOR STORAGEGRID GATEWAY NODE RUNNING THE FSG SERVICE
\r\n 
\r\nCAUTION:\r\n\r\n\r\n 
\r\nThe workaround should be applied on all StorageGRID 9.0.4 Gateway Nodes running the FSG service even if no CIFS shares are configured. The Samba service is running regardless. This procedure should not cause a FSG failover on a High-Available Gateway Cluster (HAGC) group.
\r\n 
\r\nPerform the following steps on all Gateway Nodes running the FSG service, one FSG replication group at a time:
\r\n \r\n
    \r\n\t
  1. Login to the Active Primary FSG Gateway Node as the root user. This is node that handle the client ingests for the FSG replication group.
    2. \r\n\t
  2. Run this command if the directory /etc/samba/includes/ does not exist:
    3. \r\n
\r\n# mkdir -p /etc/samba/includes
\r\n \r\n
    \r\n\t
  1. Run the following commands to add entries to the Samba configuration file, smb.conf:
    2. \r\n
\r\n# echo -e "\\n# Workaround for CVE-2017-12150. \\
\r\nRemove when Samba is patched.\\n# This will overwrite any \\
\r\npreceding client signing value." \\
\r\n>> /etc/samba/includes/cifs-custom-config.inc
\r\n 
\r\n# echo "client signing = required" >> \\
\r\n/etc/samba/includes/cifs-custom-config.inc
\r\n 
\r\n# echo -e "\\n# Workaround for CVE-2017-12163. \\
\r\nRemove when Samba is patched.\\n# This will overwrite any \\
\r\npreceding server min and max protocol value." \\
\r\n>> /etc/samba/includes/cifs-custom-config.inc
\r\n 
\r\n# echo "min protocol = SMB2" >> \\
\r\n/etc/samba/includes/cifs-custom-config.inc
\r\n 
\r\n# echo "max protocol = SMB2" >> \\
\r\n/etc/samba/includes/cifs-custom-config.inc
\r\n 
\r\nNote: Copy and paste the command from this article may not work as there may be hidden characters.
\r\n \r\n
    \r\n\t
  1. Confirmed that only 1 entry exist per samba parameter-value pair using testparm. All three (3) parameters (client signing, min protocol and max protocol) should exist only once with the value configured.
    2. \r\n
\r\n 
\r\n# testparm -s -v | egrep "client \\
\r\nsigning|min protocol|max protocol"
\r\n 
\r\nIMPORTANT: If you have not initialized any CIFS shares on the FSG replication group, repeat Steps 2-4 on each of the Gateway Nodes in the same replication group.
\r\n 
\r\nSample output:
\r\n-------------------------------------------------------------
\r\n# testparm -s -v | egrep "client \\
\r\n> signing|min protocol|max protocol"
\r\nLoad smb config files from /etc/samba/smb.conf
\r\nrlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
\r\nCan't find include file /etc/samba/includes/cifs-filesystem.inc
\r\nCan't find include file /etc/samba/includes/cifs-interfaces.inc
\r\nProcessing section "[audit-export]"
\r\nLoaded services file OK.
\r\nWARNING: The setting 'security=ads' should NOT be combined with the 'password server' parameter.
\r\n(by default Samba will discover the correct DC to contact automatically).
\r\nServer role: ROLE_DOMAIN_MEMBER
\r\n        max protocol = SMB2
\r\n        min protocol = SMB2
\r\n        client signing = required
\r\n-------------------------------------------------------------
\r\nIMPORTANT: If any parameter-value pair is missing, stop and contact Support for assistance.
\r\n \r\n
    \r\n\t
  1. Push configuration changes to peer FSG nodes and reload the Samba service:\r\n\t\r\n\t
    2. \r\n
\r\n 
\r\nNote: Do not perform any functions other than push-config. You may perform other config_cifs.rb functions after completing this procedure in a separate config_cifs.rb sessions.
\r\n \r\n\r\n 
\r\n# service smb status && sudo service \\
\r\nsmb reload && killall -HUP smbd
\r\n# service winbind status && sudo service \\
\r\nwinbind reload && killall -HUP winbind
\r\n 
\r\nNote: If Winbind is not running, the following output is expected:
\r\n[FAIL] winbind is not running ... failed!\r\n\r\n\r\n# service smb status && sudo service smb \\
\r\nreload && killall -HUP smbd
\r\n# service winbind status && sudo service \\
\r\nwinbind reload && killall -HUP winbind
\r\n 
\r\nNote: If Winbind is not running, the following output is expected:
\r\n[FAIL] winbind is not running ... failed!
\r\n 
\r\n 
\r\n ","ntap_advisory_id":"NTAP-20170921-0001","adv_id":"ntap-20170921-0001","published_date":"2017-09-21T00:00:00","updated_date":"2018-08-31T00:00:00","inserted_date":"2025-05-27T05:01:21.809000","modified_date":null}}