samba smb1 protocol vulnerability, which can disclose server memory information

Posted by barello at 2020-03-14

According to white hat fofa system statistics, there are currently 2.3 million Linux servers with SMB in the world, 90000 in the United States and 80000 in China. The country with the most SMB services is the United Arab Emirates, with 1.06 million. This vulnerability can cause server memory information disclosure, similar to a heart bleeding (cve-2014-0160) vulnerability. The impact is wide, white hat Hui reminds users to upgrade to the latest version in time to reduce risk.

Global distribution of samba protocol (distribution only, non vulnerability impact)

Vulnerability details:

==================================================================== == Subject: Server memory information leak over SMB1 == == CVE ID#: CVE-2017-12163 == == Versions: All versions of Samba. == == Summary: Client with write access to a share can cause == server memory contents to be written into a file == or printer. == ==================================================================== =========== Description =========== All versions of Samba are vulnerable to a server memory information leak bug over SMB1 if a client can write data to a share. Some SMB1 write requests were not correctly range checked to ensure the client had sent enough data to fulfill the write, allowing server memory contents to be written into the file (or printer) instead of client supplied data. The client cannot control the area of the server memory that is written to the file (or printer). ================== Patch Availability ================== A patch addressing this defect has been posted to Additionally, Samba 4.6.8, 4.5.14 and 4.4.16 have been issued as security releases to correct the defect. Patches against older Samba versions are available at Samba vendors and administrators running affected versions are advised to upgrade or apply the patch as soon as possible. ========== Workaround ========== As this is an SMB1-only vulnerability, it can be avoided by setting the server to only use SMB2 via adding: server min protocol = SMB2_02 to the [global] section of your smb.conf and restarting smbd. ======= Credits ======= This problem was reported by Yihan Lian and Zhibin Hu, security researchers with Qihoo 360 GearTeam. Stefan Metzmacher of SerNet and the Samba Team and Jeremy Allison of Google and the Samba Team provided the fix.