September 2017 Samba Vulnerabilities in NetApp StorageGRID Products

Summary

StorageGRID and StorageGRID Webscale incorporate Samba. Multiple versions of Samba are susceptible to three vulnerabilities that could allow document contents to be read or altered, allow a client to indirectly read server memory, or allow the hijacking of client connections. This advisory will be updated as additional information becomes available.

Impact

Successful exploitation of these vulnerabilities may allow an attacker to read or alter document contents, hijack client connections, or trigger a crash or disclosure of random server memory.

Vulnerability Scoring Details

CVE             Score          Vector
CVE-2017-12150  5.4 (MEDIUM)   CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
CVE-2017-12151  7.4 (HIGH)     CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
CVE-2017-12163  7.1 (HIGH)     CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H

Exploitation and Public Announcements

NetApp is not aware of public discussion regarding these vulnerabilities.

References

Affected Products

  • StorageGRID
  • StorageGRID Webscale

Products Not Affected

  • 7-Mode Transition Tool
  • ATTO FibreBridge
  • AltaVault OST Plug-in
  • AutoSupport, MySupport, support.netapp.com
  • Brocade Fabric Operating System Firmware
  • Brocade Network Advisor Software
  • Brocade Network Operating System Firmware
  • Cluster Network Switch (NetApp CN1610)
  • Clustered Data ONTAP
  • Clustered Data ONTAP Antivirus Connector
  • Data Migration Appliance DTA2800 (DTA Firmware)
  • Data Migration Appliance DTA2800 (DTA Manager)
  • Data Migration Appliance DTA2800 (DTA Remote CLI)
  • Data Migration Appliance DTA2800 (Space Reclamation Utility)
  • Data ONTAP Edge
  • Data ONTAP operating in 7-Mode
  • E-Series SANtricity Management Plug-ins (Microsoft SQL Server (SSMS))
  • E-Series SANtricity Management Plug-ins (Microsoft System Center (SCOM))
  • E-Series SANtricity Management Plug-ins (Oracle EM)
  • E-Series SANtricity Management Plug-ins (VMware SRA)
  • E-Series SANtricity Management Plug-ins (VMware VASA (Windows))
  • E-Series SANtricity Management Plug-ins (VMware vCenter (Linux))
  • E-Series SANtricity Management Plug-ins (VMware vCenter (Windows))
  • E-Series SANtricity OS Controller Software 11.30 and later
  • E-Series SANtricity OS Controller Software 8.x
  • E-Series SANtricity Storage Manager
  • E-Series SANtricity Web Services (REST API)
  • FAS/AFF System Firmware (BIOS)
  • FAS/V-Series Storage Replication Adapter for 7-Mode Data ONTAP
  • FAS/V-Series Storage Replication Adapter for Clustered Data ONTAP
  • Host Utilities - SAN for ESX
  • Host Utilities - SAN for Unix and Linux
  • Host Utilities - SAN for Windows
  • Management Network Switch (NetApp CN1601)
  • MetroCluster Tiebreaker for clustered Data ONTAP
  • Multipath I/O (Data ONTAP DSM for Windows MPIO)
  • NetApp AltaVault
  • NetApp Converged Systems Advisor
  • NetApp Host Agent
  • NetApp Manageability SDK
  • NetApp NFS Plug-in for VMware VAAI
  • NetApp Plug-in for Symantec NetBackup
  • NetApp SANtricity SMI-S Provider
  • NetApp SMI-S Provider
  • NetApp Service Level Manager
  • NetApp Storage Encryption
  • NetApp VASA Provider for Clustered Data ONTAP
  • ONTAP Select Deploy administration utility
  • OnCommand API Services
  • OnCommand Balance
  • OnCommand Cloud Manager
  • OnCommand Insight
  • OnCommand Performance Manager for Linux
  • OnCommand Performance Manager for VMware vSphere
  • OnCommand Plug-in for Microsoft
  • OnCommand Shift
  • OnCommand System Manager
  • OnCommand Unified Manager Core Package (5.x)
  • OnCommand Unified Manager for Linux for 7.1 and below
  • OnCommand Unified Manager for Linux for 7.2 and above
  • OnCommand Unified Manager for VMware vSphere for 7.1 and below
  • OnCommand Unified Manager for VMware vSphere for 7.2 and above
  • OnCommand Unified Manager for Windows for 7.1 and below
  • OnCommand Unified Manager for Windows for 7.2 and above
  • OnCommand Workflow Automation
  • Open Systems SnapVault Agent
  • Perfstat
  • RAID Controller CTS2600 Legacy Engenio
  • Single Mailbox Recovery
  • Snap Creator Framework
  • SnapCenter Server
  • SnapDrive for Unix
  • SnapDrive for Windows
  • SnapManager for Exchange
  • SnapManager for Hyper-V
  • SnapManager for MS SQL
  • SnapManager for Oracle
  • SnapManager for SAP
  • SnapManager for Sharepoint
  • SnapProtect
  • SolidFire Element OS
  • Storage Automation Store
  • Storage Services Connector
  • System Setup
  • Virtual Storage Console for VMware vSphere

Software Versions and Fixes

None.

This section will be updated as patches are released.

Workarounds

CVE-BUNDLE-201709 SAMBA WORKAROUND FOR STORAGEGRID, STORAGEGRID WEBSCALE AND NAS BRIDGE
 
Date: Sep 21, 2017
Version: 1.1
 
INTRODUCTION
 
This article provides a workaround to CVE-BUNDLE-201709 for:
 

  1. StorageGRID (SG) 9.0.4
  2. StorageGRID Webscale (SGWS) 10.2/10.3/10.4/11.0
  3. NAS Bridge 2.0.2/2.0.3
 
The CVE-BUNDLE-201709 consists of CVE-2017-12150, CVE-2017-12151 and CVE-2017-12163.
 
Note: There is currently no workaround for CVE-2017-12151 on SG 9.0.4 and SGWS 10.2. Please check with Novell SLES for a Samba patch release that addresses this issue. You may apply the Samba patch from Novell SLES by following the NetApp KB article https://kb.netapp.com/support/s/article/ka31A00000010n5QAA/how-to-perform-a-samba-patching-procedure-for-storagegrid-and-storagegrid-webscale-with-sles-11-sp2-or-sp3-operating-system
 
Please read the details of each CVE to assess the needs of your organization. For details, see https://cve.mitre.org/cve/cve.html
 
WHAT TYPE OF SERVER NEEDS MITIGATION?
 
StorageGRID 9.0.4:
  • All Admin Nodes running AMS service
  • All Gateway Nodes running FSG service
StorageGRID Webscale 10.2/10.3/10.4/11.0:
  • All Admin Nodes
StorageGRID Webscale NAS Bridge 2.0.2/2.0.3:
  • All NAS Bridge instances
 
WORKAROUND PROCEDURE FOR STORAGEGRID WEBSCALE NAS BRIDGE 2.0.2 AND 2.0.3
 
The workaround should be applied to all instances of NAS Bridge in the grid, even if no CIFS shares are configured.
 
CAUTION:
  • Before proceeding, make sure that your CIFS client is capable of SMBv2 protocol.
  • We recommend applying and testing the workaround on a development system before deploying it on a production system.
 
Perform the following steps on all NAS Bridge instances:
 
  1. Login to the NAS Bridge server as the pb user. The default password for the user pb can be found in the SGWS NAS Bridge Installation and Setup Guide, Section “Securing the CLI administrator account.”
 
  2. Run the following commands to add entries to the Samba configuration file.
 
  • If /home/pb/override/samba.d/smb.conf does not exist, run the following command:
$ mkdir -p /home/pb/override/samba.d/
 
  • If /home/pb/override/samba.d/smb.conf does not contain a [global] section, run the following command:
$ echo "[global]" > /home/pb/override/samba.d/smb.conf
 
  • Run the following commands:
$ echo -e "\n# Workaround for CVE-2017-12150. \
Remove when Samba is patched.\n# This will overwrite any \
preceding client signing value." \
>> /home/pb/override/samba.d/smb.conf
 
$ echo -e "client signing = required" \
>> /home/pb/override/samba.d/smb.conf
 
$ echo -e "\n# Workaround for CVE-2017-12151. \
Remove when Samba is patched.\n# This will overwrite any \
preceding client max protocol value." \
>> /home/pb/override/samba.d/smb.conf
 
$ echo "client max protocol = NT1" >> \
/home/pb/override/samba.d/smb.conf
 
Run the following (two) commands only if the NAS Bridge version is 2.0.2:
$ echo -e "\n# Workaround for CVE-2017-12163. \
Remove when Samba is patched.\n# This will overwrite any \
preceding server min protocol value." \
>> /home/pb/override/samba.d/smb.conf
 
$ echo "server min protocol = SMB2_10" >> \
/home/pb/override/samba.d/smb.conf
 
  3. If AD and/or CIFS shares are configured, restart the smbcs service:
$ sudo service smbcs restart
 
Note: If AD is configured, the new parameters will not be loaded until the smbcs service is restarted. This is true regardless of whether CIFS shares are configured.
 
  4. If AD and/or CIFS shares are configured, check that the settings were added to /etc/samba/smb.conf:
$ testparm -v -s | egrep "client signing|\
client max protocol|server min protocol"
 
Note: Copying and pasting the commands from this article may not work, as they may contain hidden characters.
 
Sample output from NAS Bridge 2.0.3:
-------------------------------------------------------------
$ testparm -v -s | egrep "client signing|\
> client max protocol|server min protocol"
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Loaded services file OK.
'winbind separator = +' might cause problems with group membership.
Server role: ROLE_DOMAIN_MEMBER
        server min protocol = SMB2
        client max protocol = NT1
        client signing = required
-------------------------------------------------------------
 
WORKAROUND PROCEDURE FOR STORAGEGRID AND STORAGEGRID WEBSCALE ADMIN NODES
 
CAUTION:
  • Before proceeding, make sure that your CIFS client is capable of SMBv2 protocol.
  • You may need to remount the CIFS shares, as there may be a change in SMB protocol after the configuration change.
  • We recommend applying and testing the workaround on a development system before deploying it on a production system.
 
The workaround should be applied to all Admin Node instances in the grid running the AMS service, even when no audit CIFS share is configured. This procedure applies to Admin Nodes from SG 9.0.4 and SGWS 10.2 – 11.0.
 
Perform the following steps on all Admin Node instances:
 
  1. Login to the Admin Node as root (for SGWS 10.2/10.3 and SG 9.0.4) or as admin (for SGWS 10.4/11.0)
  2. Run this command if the directory /etc/samba/includes does not exist:
$ sudo mkdir -p /etc/samba/includes
 
  3. Run the following commands to add entries to the Samba configuration file, smb.conf. The commands append through sudo tee -a rather than a plain >> redirection, because a redirection is performed by your own (unprivileged) shell and would fail with "Permission denied" when you are logged in as admin rather than root:
    • Workaround for CVE-2017-12150
$ echo -e "\n# Workaround for CVE-2017-12150. \
Remove when Samba is patched.\n# This will overwrite any \
preceding client signing value." | \
sudo tee -a /etc/samba/includes/cifs-custom-config.inc >/dev/null

$ echo "client signing = required" | \
sudo tee -a /etc/samba/includes/cifs-custom-config.inc >/dev/null
 
  • Workaround for CVE-2017-12151
This step applies only to SGWS 10.3, 10.4 and 11.0.
 
$ echo -e "\n# Workaround for CVE-2017-12151. \
Remove when Samba is patched.\n# This will overwrite any \
preceding client max protocol value." | \
sudo tee -a /etc/samba/includes/cifs-custom-config.inc >/dev/null

$ echo "client max protocol = NT1" | \
sudo tee -a /etc/samba/includes/cifs-custom-config.inc >/dev/null
 
  • Workaround for CVE-2017-12163
$ echo -e "\n# Workaround for CVE-2017-12163. \
Remove when Samba is patched.\n# This will overwrite any \
preceding (server) min and max protocol value." | \
sudo tee -a /etc/samba/includes/cifs-custom-config.inc >/dev/null

  • For SGWS 10.3, 10.4 and 11.0:
$ echo "server min protocol = SMB2_02" | \
sudo tee -a /etc/samba/includes/cifs-custom-config.inc >/dev/null

$ echo "server max protocol = SMB3" | \
sudo tee -a /etc/samba/includes/cifs-custom-config.inc >/dev/null

  • For SGWS 10.2 and SG 9.0.4:
$ echo "min protocol = SMB2" | \
sudo tee -a /etc/samba/includes/cifs-custom-config.inc >/dev/null

$ echo "max protocol = SMB2" | \
sudo tee -a /etc/samba/includes/cifs-custom-config.inc >/dev/null
 
  4. Confirm, using testparm, that only one entry exists for each Samba parameter-value pair changed above, and that the value of each parameter is as configured above.
    • For SGWS 10.3, 10.4 and 11.0:
$ sudo testparm -s -v | egrep "client \
signing|client max protocol|server min protocol|server max protocol"
 
Sample output for SGWS 10.3, 10.4 or 11.0 Admin Node:
-------------------------------------------------------------
# sudo testparm -s -v | egrep "client \
> signing|client max protocol|server min protocol|server max protocol"
Load smb config files from /etc/samba/smb.conf
Can't find include file /etc/samba/includes/cifs-filesystem.inc
Can't find include file /etc/samba/includes/cifs-interfaces.inc
Processing section "[audit-export]"
Processing section "[audit-export]"
Loaded services file OK.
WARNING: The setting 'security=ads' should NOT be combined with the 'password server' parameter.
(by default Samba will discover the correct DC to contact automatically).
 
Server role: ROLE_DOMAIN_MEMBER
 
        server max protocol = SMB3
        server min protocol = SMB2_02
        client max protocol = NT1
        client signing = required
-------------------------------------------------------------
IMPORTANT: If any parameter-value pair is missing, stop and contact Support for assistance.
 
  • For SGWS 10.2 and SG 9.0.4:
$ sudo testparm -s -v | egrep "client \
signing|min protocol|max protocol"
 
Sample output for SGWS 10.2 or SG 9.0.4 Admin node:
-------------------------------------------------------------
# sudo testparm -s -v | egrep "client \
> signing|min protocol|max protocol"
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Can't find include file /etc/samba/includes/cifs-filesystem.inc
Can't find include file /etc/samba/includes/cifs-interfaces.inc
Processing section "[audit-export]"
Loaded services file OK.
WARNING: The setting 'security=ads' should NOT be combined with the 'password server' parameter.
(by default Samba will discover the correct DC to contact automatically).
Server role: ROLE_DOMAIN_MEMBER
        max protocol = SMB2
        min protocol = SMB2
        client signing = required
-------------------------------------------------------------
IMPORTANT: If any parameter-value pair is missing, stop and contact Support for assistance.
 
  5. Reload Samba services:
    • For SGWS 10.3/10.4/11.0 system:
$ sudo service smbd status && sudo service smbd \
reload && sudo killall -HUP smbd
 
$ sudo service winbind status && sudo service \
winbind force-reload
 
  • For SGWS 10.2 and SG 9.0.4 system:
# service smb status && service smb \
reload && killall -HUP smbd
 
# service winbind status && service \
winbind reload && killall -HUP winbind
 
Note: If Winbind is not running, the following output is expected:
[FAIL] winbind is not running ... failed!
 
Note: Copying and pasting the commands from this article may not work, as they may contain hidden characters.
 
WORKAROUND PROCEDURE FOR STORAGEGRID GATEWAY NODE RUNNING THE FSG SERVICE
 
CAUTION:
  • Before proceeding, make sure that your CIFS client is capable of SMBv2 protocol.
  • You may need to remount the CIFS shares, as there may be a change in SMB protocol after the configuration change.
  • We recommend applying and testing the workaround on a development system before deploying it on a production system.
 
The workaround should be applied on all StorageGRID 9.0.4 Gateway Nodes running the FSG service, even if no CIFS shares are configured; the Samba service runs regardless. This procedure should not cause an FSG failover in a High-Availability Gateway Cluster (HAGC) group.
 
Perform the following steps on all Gateway Nodes running the FSG service, one FSG replication group at a time:
 
  1. Login to the Active Primary FSG Gateway Node as the root user. This is the node that handles client ingests for the FSG replication group.
  2. Run this command if the directory /etc/samba/includes/ does not exist:
# mkdir -p /etc/samba/includes
 
  3. Run the following commands to add entries to the Samba configuration file, smb.conf:
# echo -e "\n# Workaround for CVE-2017-12150. \
Remove when Samba is patched.\n# This will overwrite any \
preceding client signing value." \
>> /etc/samba/includes/cifs-custom-config.inc
 
# echo "client signing = required" >> \
/etc/samba/includes/cifs-custom-config.inc
 
# echo -e "\n# Workaround for CVE-2017-12163. \
Remove when Samba is patched.\n# This will overwrite any \
preceding server min and max protocol value." \
>> /etc/samba/includes/cifs-custom-config.inc
 
# echo "min protocol = SMB2" >> \
/etc/samba/includes/cifs-custom-config.inc
 
# echo "max protocol = SMB2" >> \
/etc/samba/includes/cifs-custom-config.inc
 
Note: Copying and pasting the commands from this article may not work, as they may contain hidden characters.
 
  4. Confirm, using testparm, that only one entry exists per Samba parameter-value pair. All three parameters (client signing, min protocol and max protocol) should appear exactly once, with the values configured above.
 
# testparm -s -v | egrep "client \
signing|min protocol|max protocol"
 
IMPORTANT: If you have not initialized any CIFS shares on the FSG replication group, repeat Steps 2-4 on each of the Gateway Nodes in the same replication group.
 
Sample output:
-------------------------------------------------------------
# testparm -s -v | egrep "client \
> signing|min protocol|max protocol"
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Can't find include file /etc/samba/includes/cifs-filesystem.inc
Can't find include file /etc/samba/includes/cifs-interfaces.inc
Processing section "[audit-export]"
Loaded services file OK.
WARNING: The setting 'security=ads' should NOT be combined with the 'password server' parameter.
(by default Samba will discover the correct DC to contact automatically).
Server role: ROLE_DOMAIN_MEMBER
        max protocol = SMB2
        min protocol = SMB2
        client signing = required
-------------------------------------------------------------
IMPORTANT: If any parameter-value pair is missing, stop and contact Support for assistance.
 
  5. Push configuration changes to peer FSG nodes and reload the Samba service:
    • For FSG replication group with one or more CIFS shares configured:
      • Use config_cifs.rb script and select the push-config command to distribute the Samba configuration change to all nodes in the replication group. Make sure you answer “Yes” to the prompt “Sync custom configuration? [yes/No]:” Exit config_cifs.rb before proceeding to the next step.
 
Note: Do not perform any functions other than push-config. You may perform other config_cifs.rb functions after completing this procedure, in a separate config_cifs.rb session.
 
  • Reload the smb and winbind services on the Active Primary Gateway Node using the following commands:
 
# service smb status && sudo service \
smb reload && killall -HUP smbd
# service winbind status && sudo service \
winbind reload && killall -HUP winbind
 
Note: If Winbind is not running, the following output is expected:
[FAIL] winbind is not running ... failed!
  • For an FSG replication group that has not been set up with any CIFS shares, run the following commands on each Gateway Node running the FSG service in the same replication group:
# service smb status && sudo service smb \
reload && killall -HUP smbd
# service winbind status && sudo service \
winbind reload && killall -HUP winbind
 
Note: If Winbind is not running, the following output is expected:
[FAIL] winbind is not running ... failed!
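The three procedures above all come down to the same two operations: appending a fixed set of Samba parameters to an include file so that each appears exactly once, and reading the effective values back out of testparm to confirm that nothing is missing or duplicated. The following POSIX sh script is an added example written for this page; it is not NetApp's code and is not part of the advisory. It takes the include file path as an argument (the advisory's real targets are /etc/samba/includes/cifs-custom-config.inc on Admin and Gateway Nodes and /home/pb/override/samba.d/smb.conf on NAS Bridge), uses the SGWS 10.3/10.4/11.0 Admin Node parameter set, and the testparm text inside demo() is constructed, modelled on the advisory's sample output.

```shell
#!/bin/sh
# Added example; not code from the NetApp advisory. It shows two things the
# procedures above depend on: adding the workaround parameters so that each
# one appears exactly once even if the steps are re-run, and reading the
# effective values back out of "testparm -s -v" output. The include file
# path is whatever the caller passes in; the testparm text in demo() is
# constructed, modelled on the advisory's sample output.

# set_param FILE KEY VALUE
# Leave FILE with exactly one "KEY = VALUE" line: rewrite an existing entry
# for KEY in place, otherwise append one. Running it twice changes nothing.
set_param() {
    file=$1; key=$2; value=$3
    [ -f "$file" ] || : > "$file"
    if grep -Eq "^[[:space:]]*$key[[:space:]]*=" "$file"; then
        sed "s|^[[:space:]]*$key[[:space:]]*=.*|$key = $value|" "$file" \
            > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# count_param FILE KEY -> how many lines in FILE set KEY (0 if none)
count_param() {
    grep -Ec "^[[:space:]]*$2[[:space:]]*=" "$1" || true
}

# get_param FILE KEY -> value on the last line that sets KEY. Samba takes
# the last occurrence, which is why the advisory's comments say the new
# line "will overwrite any preceding" value.
get_param() {
    grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" | tail -n 1 \
        | sed 's/^[^=]*=[[:space:]]*//'
}

# apply_workaround FILE
# The Admin Node parameter set for SGWS 10.3/10.4/11.0 from the advisory.
apply_workaround() {
    f=$1
    set_param "$f" "client signing" "required"       # CVE-2017-12150
    set_param "$f" "client max protocol" "NT1"       # CVE-2017-12151
    set_param "$f" "server min protocol" "SMB2_02"   # CVE-2017-12163
    set_param "$f" "server max protocol" "SMB3"      # CVE-2017-12163
}

# check_workaround FILE -> 0 when every parameter is present exactly once
# with the expected value, 1 otherwise (the advisory's "stop and contact
# Support" condition). Each problem is reported on stderr.
check_workaround() {
    f=$1; rc=0
    for spec in "client signing=required" \
                "client max protocol=NT1" \
                "server min protocol=SMB2_02" \
                "server max protocol=SMB3"; do
        key=${spec%%=*}; want=${spec#*=}
        n=$(count_param "$f" "$key")
        have=$(get_param "$f" "$key")
        if [ "$n" != 1 ] || [ "$have" != "$want" ]; then
            echo "$key: count=$n value='$have' (expected 1 x '$want')" >&2
            rc=1
        fi
    done
    return $rc
}

# testparm_value OUTPUTFILE KEY -> effective value of KEY as printed by
# "testparm -s -v", whose lines look like "        client signing = required".
testparm_value() {
    awk -v k="$2" -F' = ' '$1 ~ "^[ \t]*" k "$" { print $2 }' "$1" | tail -n 1
}

demo() {
    inc=$(mktemp)
    apply_workaround "$inc"
    apply_workaround "$inc"            # second run must not add duplicates
    check_workaround "$inc" && echo "include file: OK"
    out=$(mktemp)                      # constructed testparm -s -v output
    cat > "$out" <<'EOF'
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
        server max protocol = SMB3
        server min protocol = SMB2_02
        client max protocol = NT1
        client signing = required
EOF
    echo "effective client signing: $(testparm_value "$out" "client signing")"
    rm -f "$inc" "$out"
}

demo
```

On a real node the include-file functions would be pointed at the advisory's path and testparm_value fed with the output of `testparm -s -v`; the check deliberately fails on a duplicated entry as well as a missing one, because a second, later line silently wins in Samba and would hide an unintended value.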

Obtaining Software Fixes

Software fixes will be made available through the NetApp Support website in the Software Download section.

https://mysupport.netapp.com/NOW/cgi-bin/software/

Customers who do not have access to the Support website should contact Technical Support at the number below to obtain the patches.

Contact Information

Check http://mysupport.netapp.com for further updates.
For questions, contact NetApp at:

Technical Support
mysupport.netapp.com
1 888 4 NETAPP (1 888 463 8277) (U.S. and Canada)
+00 800 44 638277 (EMEA/Europe)
+800 800 80 800 (Asia/Pacific)

Status of This Notice

Interim.

NetApp will continue to update this advisory as additional information becomes available.

This advisory should be considered the single source of current, up-to-date, authorized and accurate information from NetApp.

This advisory is posted at the following link:
https://security.netapp.com/advisory/NTAP-20170921-0001

Revision History

Revision #   Date       Comments
1.0          20170921   Initial Public Release

This document is provided solely for informational purposes. All information is based upon NetApp’s current knowledge and understanding of the hardware and software products tested by NetApp, and the methodology and assumptions used by NetApp. NetApp is not responsible for any errors or omissions that may be contained herein, and no warranty, representation, or other legal commitment or obligation is being provided by NetApp. © 2017 NetApp, Inc. All rights reserved. No portions of this document may be reproduced without prior written consent of NetApp, Inc.