Otu esi edozi nsogbu SambaCry (CVE-2017-7494) na Sistemụ Linux
Samba abụrụla ọkọlọtọ maka ịnye ndị ahịa Windows faịlụ na mbipụta na sistemụ * nix. Ndị na-eji ụlọ eme ihe, azụmahịa ndị dị n'etiti, na nnukwu ụlọ ọrụ, ọ pụtara dị ka ihe ngwọta na gburugburu ebe sistemụ arụmọrụ dị iche iche na-ebikọ ọnụ.
Dị ka ọ na-eme n'ụzọ dị mwute na ngwá ọrụ ndị a na-ejikarị eme ihe, ọtụtụ nrụnye Samba nọ n'ihe ize ndụ nke mwakpo nke nwere ike irigbu adịghị ike a maara, nke a na-ewereghị dị ka ihe dị njọ ruo mgbe WannaCry ransomware wakporo akụkọ ahụ n'oge na-adịghị anya gara aga.
N'isiokwu a, anyị ga-akọwa ihe adịghị ike Samba a bụ yana otu esi echekwa usoro ndị ị na-ahụ maka ya. Dabere na ụdị nrụnye gị (site na ebe nchekwa ma ọ bụ site na isi mmalite), ị ga-achọ ụzọ dị iche iji mee ya.
Ọ bụrụ na ị na-eji Samba ugbu a na gburugburu ebe ọ bụla ma ọ bụ mara onye na-eme ya, gụọ n'ihu!
Ihe adịghị ike
Sistemu emechiela ma ọ bụ nke emechiri emechi nwere ike ịnweta adịghị ike nke koodu mkpochapụ. N'okwu dị mfe, nke a pụtara na onye nwere ike ịnweta òkè a na-ede ede nwere ike bulite otu koodu aka ike ma jiri ikikere mgbọrọgwụ mee ya na sava ahụ.
A kọwara okwu a na webụsaịtị Samba dị ka CVE-2017-7494 ma mara na ọ na-emetụta ụdị Samba 3.5 (wepụtara na mbido March 2010) wee gawa n'ihu. Na-akwadoghị, akpọwo ya SambaCry n'ihi myirịta ya na WannaCry: ha abụọ lekwasịrị anya na protocol SMB ma nwee ike ịnwụ - nke nwere ike ime ka ọ gbasaa site na sistemụ gaa na sistemụ.
Debian, Ubuntu, CentOS na Red Hat emeela ngwa ngwa iji chebe ndị ọrụ ya wee wepụta patches maka ụdị akwadoro ha. Na mgbakwunye, ewepụtakwala ihe nchekwa nchekwa maka ndị anaghị akwado.
Na-emelite Samba
Dịka e kwuru na mbụ, enwere ụzọ abụọ ị ga-esi soro dabere na usoro nrụnye gara aga:
Ọ bụrụ na ị wụnye Samba site na ebe nchekwa nkesa gị.
Ka anyị lee ihe ị ga-eme na nke a:
Gbaa mbọ hụ na edobere nke dabara ka ị nweta mmelite nchekwa kachasị ọhụrụ site na ịgbakwunye ahịrị ndị a na ndepụta isi mmalite gị (/etc/apt/sources.list):
deb http://security.debian.org stable/updates main deb-src http://security.debian.org/ stable/updates main
Na-esote, melite ndepụta ngwugwu dị:
# aptitude update
N'ikpeazụ, jide n'aka na ụdị ngwugwu samba dabara na ụdị ebe edozila adịghị ike ahụ (lee CVE-2017-7494):
# aptitude show samba
Iji malite, lelee ngwungwu ọhụrụ dị ma melite ngwungwu samba dị ka ndị a:
$ sudo apt-get update $ sudo apt-get install samba
Ụdị Samba ebe edozilarị CVE-2017-7494 bụ ndị a:
- 17.04: samba 2:4.5.8+dfsg-0ubuntu0.17.04.2
- 16.10: samba 2:4.4.5+dfsg-2ubuntu5.6
- 16.04 LTS: samba 2:4.3.11+dfsg-0ubuntu0.16.04.7
- 14.04 LTS: samba 2:4.3.11+dfsg-0ubuntu0.14.04.8
N'ikpeazụ, gbaa iwu na-esonụ iji chọpụta na igbe Ubuntu gị nwere ugbu a arụnyere ụdị Samba ziri ezi.
$ sudo apt-cache show samba
Ụdị Samba a machiri na EL 7 bụ samba-4.4.4-14.el7_3. Iji wụnye ya, mee
# yum makecache fast # yum update samba
Dịka ọ dị na mbụ, gbaa mbọ hụ na ị nwere ụdị Samba a machiri:
# yum info samba
Ụdị CentOS na RHEL ochie, nke a ka na-akwado nwekwara ndozi dịnụ. Lelee RHSA-2017-1270 ka ịmatakwu.
Mara: Usoro a na-eche na ị wubu Samba site na isi mmalite. A na-agba gị ume ka ị nwalee ya nke ukwuu na ebe a na-anwale TUPU ibuga ya na sava mmepụta.
Na mgbakwunye, hụ na ị kwadobere faịlụ smb.conf tupu ịmalite.
N'okwu a, anyị ga-achịkọta ma melite Samba site na isi iyi. Tupu anyị amalite, Otú ọ dị, anyị ga-ahụrịrị na etinyere ihe niile dabere na mbụ. Rịba ama na nke a nwere ike iwe ọtụtụ nkeji.
# aptitude install acl attr autoconf bison build-essential \
debhelper dnsutils docbook-xml docbook-xsl flex gdb krb5-user \
libacl1-dev libaio-dev libattr1-dev libblkid-dev libbsd-dev \
libcap-dev libcups2-dev libgnutls28-dev libjson-perl \
libldap2-dev libncurses5-dev libpam0g-dev libparse-yapp-perl \
libpopt-dev libreadline-dev perl perl-modules pkg-config \
python-all-dev python-dev python-dnspython python-crypto xsltproc \
zlib1g-dev libsystemd-dev libgpgme11-dev python-gpgme python-m2crypto
# yum install attr bind-utils docbook-style-xsl gcc gdb krb5-workstation \
libsemanage-python libxslt perl perl-ExtUtils-MakeMaker \
perl-Parse-Yapp perl-Test-Base pkgconfig policycoreutils-python \
python-crypto gnutls-devel libattr-devel keyutils-libs-devel \
libacl-devel libaio-devel libblkid-devel libxml2-devel openldap-devel \
pam-devel popt-devel python-devel readline-devel zlib-devel
Kwụsị ọrụ:
# systemctl stop smbd
Budata ma wepụta isi mmalite (na 4.6.4 bụ ụdị kachasị ọhụrụ n'oge edere):
# wget https://www.samba.org/samba/ftp/samba-latest.tar.gz # tar xzf samba-latest.tar.gz # cd samba-4.6.4
Maka ebumnuche ozi naanị, lelee nhọrọ nhazi dị maka ntọhapụ ugbu a na.
# ./configure --help
Ị nwere ike ịgụnye ụfọdụ nhọrọ weghachiri eweghachi site n'iwu dị n'elu ma ọ bụrụ na ejiri ha na ụlọ mbụ, ma ọ bụ ị nwere ike họrọ iji ndabara gaa:
# ./configure # make # make install
N'ikpeazụ, malitegharịa ọrụ ahụ.
# systemctl restart smbd
ma gosi na ị na-eji ụdị emelitere:
# smbstatus --version
nke kwesịrị ịlaghachi 4.6.4.
Ntụle n'ozuzu
Ọ bụrụ na ị na-eme ụdị nkesa enyereghị nkwado ma enweghị ike ịkwalite gaa na nso nso a n'ihi ihe ụfọdụ, ị nwere ike iburu aro ndị a n'uche:
- Ọ bụrụ na agbanyere SELinux, echekwara gị!
- Gbaa mbọ hụ na etinyere mbak Samba na nhọrọ noexec. Nke a ga-egbochi ogbugbu nke ọnụọgụ abụọ bi na sistemu faịlụ etinyegoro.
Tinye,
nt pipe support = no
gaa na ngalaba [global] nke faịlụ smb.conf gị wee malitegharịa ọrụ ahụ. Ị nwere ike iburu n'uche na nke a nwere ike gbanyụọ ụfọdụ ọrụ na ndị ahịa Windows, dịka ọrụ Samba siri dị.
Ihe dị mkpa: mara na nhọrọ \nt pipe support = mba ga-ewepụ ndepụta mbak sitere na ndị ahịa Windows. Dịka: Mgbe ị pịnyere\10.100.10.2 site na Windows Explorer na sava samba, ị ga-enweta ikike agọnarị ndị ahịa Windows. ga-eji aka dee òkè dị ka \10.100.10.2\share_name iji nweta òkè ahụ.
N'ime edemede a, anyị akọwala adịghị ike a maara dị ka SambaCry yana otu esi ebelata ya. Anyị na-atụ anya na ị ga-enwe ike iji ozi a iji chebe sistemu ndị ị na-ahụ maka ya.
Ọ bụrụ na ị nwere ajụjụ ọ bụla ma ọ bụ kwuo gbasara akụkọ a, nweere onwe gị iji ụdị dị n'okpuru ebe a iji mee ka anyị mara.