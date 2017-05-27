Wormable Code-Execution Bug Lurked In Samba For 7 Years (arstechnica.com) 21
Long-time Slashdot reader williamyf was the first to share news of "a wormable bug [that] has remained undetected for seven years in Samba versions 3.5.0 onwards." Ars Technica reports: Researchers with security firm Rapid7...said they detected 110,000 devices exposed on the internet that appeared to run vulnerable versions of Samba. 92,500 of them appeared to run unsupported versions of Samba for which no patch was available... Those who are unable to patch immediately can work around the vulnerability by adding the line nt pipe support = no to their Samba configuration file and restarting the network's SMB daemon. The change will prevent clients from fully accessing some network computers and may disable some expected functions for connected Windows machines.
The U.S. Department of Homeland Security's CERT group issued an announcement urging sysadmins to update their systems, though SC Magazine cites a security researcher arguing this attack surface is much smaller than that of the WannaCry ransomware, partly because Samba is just "not as common as Windows architectures." But the original submission also points out that while the patch came in fast, "the 'Many eyes' took seven years to 'make the bug shallow'."
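The workaround quoted above is a one-line smb.conf change, and the thing an admin actually wants to know across a fleet is whether it landed in the [global] section of each host's config. The script below is an added example, not code from the article, the submitter or the Samba project: it constructs two sample smb.conf files (one default, one with the workaround) and checks a given file for an effective `nt pipe support = no`, accepting Samba's boolean spellings (no/false/0), ignoring case and whitespace, and letting a later occurrence override an earlier one the way Samba does. Treating parameters that appear before any section header as global is an assumption of this example, and `include =` directives are not followed.

```shell
#!/bin/sh
# Added example (not from the article or the Samba project): check whether an
# smb.conf carries the "nt pipe support = no" workaround in its [global] section.
# Returns 0 if the workaround is in effect, 1 otherwise.
smb_workaround_present() {
    conf="$1"
    awk '
        # Assumption of this example: parameters before any [section] header
        # are treated as global. "include =" directives are not followed.
        BEGIN { in_global = 1; found = 0 }
        # skip comment lines (# or ;) and blank lines
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
        # trim surrounding whitespace, compare case-insensitively
        { gsub(/^[ \t]+|[ \t]+$/, ""); line = tolower($0) }
        # section headers toggle whether we are inside [global]
        /^\[/ { in_global = (line == "[global]"); next }
        # last matching line wins, as in Samba itself
        in_global && line ~ /^nt[ \t]+pipe[ \t]+support[ \t]*=/ {
            v = line; sub(/^[^=]*=[ \t]*/, "", v)
            found = (v == "no" || v == "false" || v == "0")
        }
        END { exit (found ? 0 : 1) }
    ' "$conf"
}

# Constructed sample configs for the demonstration (not taken from any real host).
write_vulnerable_conf() {
    cat > "$1" <<'EOF'
[global]
   workgroup = WORKGROUP
   server string = file server
[share]
   path = /srv/samba/share
   writable = yes
EOF
}

write_mitigated_conf() {
    cat > "$1" <<'EOF'
[global]
   workgroup = WORKGROUP
   # Advisory workaround: disables named-pipe access; some Windows
   # client functionality (see the story summary) stops working.
   nt pipe support = no
[share]
   path = /srv/samba/share
EOF
}

# Demo: report the state of both sample files.
demo_dir=$(mktemp -d)
write_vulnerable_conf "$demo_dir/default.conf"
write_mitigated_conf "$demo_dir/mitigated.conf"
for f in "$demo_dir"/*.conf; do
    if smb_workaround_present "$f"; then
        echo "$f: workaround present (nt pipe support = no)"
    else
        echo "$f: workaround NOT present; patch Samba or add 'nt pipe support = no' under [global]"
    fi
done
rm -rf "$demo_dir"
```

On a live host the authoritative check is Samba's own parser rather than a text scan: `testparm -s` prints the effective, non-default parameters, so `testparm -s 2>/dev/null | grep -i 'nt pipe support'` shows whether the setting actually took; remember the daemon must be restarted after the edit, and that the mitigation is a stopgap for hosts that cannot take the patch.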
FOSS isn't a magic bullet, it's a development model. The advantages play out in statistical trends, and the differences in those trends can depend on many factors, including how 'open' development is. For example, WannaCry is somewhat comparable, and since it affected XP, the issue likely existed for at least 9 years, if not longer.
Submitter here:
I agree with you 100%. The point is that many people in the FOSS community think that the many eyes are indeed a magic bullet, and the only thing needed to weed out bugs, when, as you said, they are not.
If you see my post history, you will see that my long-standing opinion is that many eyes are not enough. One needs ENOUGH Qualified AND Motivated eyes, as well as test cases and structured QA.
I came to that realization during the Metafile Fiasco of Dec. 2005.
We had two codebases, one Closed (window
Strawman argument. Open source allows the possibility. It does not guarantee it.
Until you have any idea what he's talking about (Score:2)
That's the biggest and possibly stupidest straw man on the internet. Read the syntax before after to have a clue about context, or even look up the difference between deep and shallow problems. He didn't say "given enough eyeballs, there are no bugs". In fact, he said there ARE bugs, and he talked about methods of fixing the bugs that are found. Again, he didn't say "given enough eyeballs, there are no bugs". He said the bug would be shallow to someone.
Traditionally the proprietary model is that one pr
NT Pipe Support? (Score:4, Interesting)
What exactly is NT Pipe Support supposed to even do? Why would you need it on a file server?
Submitter here.
From the SUMMARY: "The change will prevent clients from fully accessing some network computers and may disable some expected functions for connected Windows machines."
So, it seems that your connected Windows machines use the expected functions that the setting disables.
Go figure.
Good though to know one of the error messages that may arise after turning off the setting.
Samba connected to the Internet? (Score:2)
I think you'd find the risk can be mitigated significantly by simply not allowing Samba to connect to the Internet; I can't think of any reason why you'd do that anyway. It's designed for local resource sharing, not Internet transfers.
No he was not the first (Score:2)
This is a classic slashdot dupe.
https://it.slashdot.org/story/... [slashdot.org]
Maybe Apple was right (Score:2)
Several years ago, Apple stopped including SAMBA in OS X, and instead developed their own SMB protocol stack from scratch.
At the time, it seemed like an odd move for an OS that already contained many F/OSS Projects.
But maybe they knew something that made them feel like it wasn't a salvageable Project...