From c01efd669e32eab394ad0287a32ebc6beaf961d7 Mon Sep 17 00:00:00 2001
From: Bert Van Vreckem
Date: Sat, 22 Jun 2019 17:47:29 +0200
Subject: [PATCH] Fix #42 by only applying mitigation on vulnerable Samba versions
---
 README.md | 6 ++++--
 tasks/main.yml | 11 +++++++++++
 templates/smb.conf.j2 | 4 ++--
 3 files changed, 17 insertions(+), 4 deletions(-)
diff --git a/README.md b/README.md
index 3c8b2d5..78071bc 100644
--- a/README.md
+++ b/README.md
@@ -19,9 +19,11 @@ The following are not considered concerns of this role, and you should configure
 ## CVE-2017-7494
-A recently discovered remote code execution vulnerability may affect your Samba server installation. If SELinux is enabled on your system, it is **NOT** vulnerable. Version 2.3.1 of this role has a fix for the vulnerability. Upgrade your system if necessary.
+A remote code execution vulnerability may affect your Samba server installation. Samba versions 3.5.0 and before 4.6.4 are affected. If SELinux is enabled on your system, it is **NOT** vulnerable.
-You can disable the fix if necessary, by setting the role variable `samba_mitigate_cve_2017_7494` to `false`.
+This role will check if the installed version of Samba is affected by the vulnerability and apply the proposed workaround: adding `nt pipe support = no` to the `[global]` section of the configuration. Remark that this disables share browsing by Windows clients.
+
+You can explicitly disable the fix if necessary, by setting the role variable `samba_mitigate_cve_2017_7494` to `false`.
 More info:
diff --git a/tasks/main.yml b/tasks/main.yml
index 1fbccc6..48ac4fd 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -23,6 +23,17 @@ when: samba_vfs_packages is defined tags: samba +- name: Register Samba version + shell: "smbd --version | sed 's/Version //'" + register: samba_version + changed_when: false + tags: samba + +# - name: "Installed Samba version:" +# debug: +# msg: "{{ samba_version }}" +# tags: samba + +- name: Install SELinux package + package: + name: "{{ item }}"
diff --git a/templates/smb.conf.j2 b/templates/smb.conf.j2
index 5b6bc7a..2cb9c70 100644
--- a/templates/smb.conf.j2
+++ b/templates/smb.conf.j2
@@ -72,8 +72,8 @@ {% endif %} {% endif %} -{% if samba_mitigate_cve_2017_7494 %} - # Fix for CVE-2017-7494 +{% if samba_mitigate_cve_2017_7494 and samba_version.stdout >= "3.5.0" and samba_version.stdout < "4.6.4" %} + # Fix for CVE-2017-7494 in Samba versions from 3.5.0 and before 4.6.4 + # https://access.redhat.com/security/cve/cve-2017-7494 nt pipe support = no {% endif %}
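Review bot: The `shell` pipeline in the new `Register Samba version` task returns sed's exit status, so a missing or non-executable `smbd` does not fail the task; `samba_version.stdout` is simply empty, the template's range check quietly evaluates to false, and a host that is actually affected ends up without the workaround. `command: smbd --version` keeps such a failure visible, with the `Version ` prefix stripped where the value is consumed, e.g. `samba_version.stdout | regex_replace('^Version ', '')`. The task also needs `check_mode: false`, because in check mode a `shell`/`command` task is skipped and the registered result carries no `stdout`, so the later template step fails on an undefined attribute. The commented-out debug task is dead code; either drop it or keep a real `debug` task with `verbosity: 1`.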
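Review bot: The new `{% if %}` condition compares version strings lexicographically, so a release numbered like 4.10.0 or 4.6.10 (constructed examples) sorts below `"4.6.4"` and the workaround, which disables share browsing for Windows clients, is applied to Samba builds that are not in the affected range. Replace the two string comparisons with Ansible's `version` test: `{% if samba_mitigate_cve_2017_7494 and samba_version.stdout is version('3.5.0', '>=') and samba_version.stdout is version('4.6.4', '<') %}`. Distribution builds that backported the fix keep a version string inside that range and will still receive the mitigation; the README could state that `samba_mitigate_cve_2017_7494: false` is the intended override for them. The `{% if %}`/`{% endif %}` block is complete within the hunk.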