New Remote Vulnerability for Samba (CVE-2021-44142 & CVE-2022-44142)


timethrow


Details about the vulnerability here:

https://www.samba.org/samba/security/CVE-2021-44142.html

As this gets a score of 9.9, can we expect an update to unRAID v6.9 to fix this (prior to v6.10's release)?

Additionally, is there a way to bind Samba within unRAID to only 1 IP address? I have 3 networks defined, the main (eth0) is LAN, and have 2 VLANs attached, and unRAID listens for Samba (and other services) on each of those networks, even though the 2 VLANs don't have an IP assigned (it seems to allocate itself an IP ending in .128, e.g. 19.168.10.128)? From a security perspective, it would be good to be able to restrict what IPs/networks it listens on.

Naturally for anyone who has Samba exposed to the Internet (why?!?), I would seriously consider firewalling it to a trusted network or range of IPs only, or better yet put it behind a VPN to minimise the potential attack surface.


Hopefully when 6.10 moves into stable it'll also be upgraded to include the patch. The announcement says 4.15.5 has the patch but 6.10.0rc2 is running version 4.15.0.

 

As I understand it, this specifically affects devices that have enabled the vfs_fruit module. The vfs_fruit module provides enhanced compatibility with Apple SMB clients and interoperability with a Netatalk 3 AFP fileserver. The current workaround is to remove 'fruit' from 'vfs objects' lines in Samba configuration files (e.g., smb.conf).

 

Specifically for Unraid, it is my understanding that the "Enhanced macOS interoperability" setting in SMB settings, as seen here, should be disabled: [screenshot of the SMB settings page]

 

This setting is reflected by the offending vfs objects line in smb-shares.conf:

vfs objects = catia fruit streams_xattr

 

I do not believe there is currently any PoC available so I can't test to confirm but I believe disabling the "Enhanced macOS interoperability" setting should mitigate this issue for now.

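As an added example (not code from any poster here, nor from Unraid or Samba), the following Python check reads an smb.conf-style file such as the smb-shares.conf mentioned above, lists the shares that load the vfs_fruit module, applies the "remove 'fruit' from 'vfs objects'" workaround, and also answers the earlier question about listening addresses by checking whether the [global] section pins Samba to named interfaces with Samba's `interfaces` and `bind interfaces only` parameters. The sample configuration, share names and path are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample: an Unraid-style smb-shares.conf fragment with the
# "fruit" module enabled on one share, plus a [global] section that lists
# interfaces but does not restrict binding to them.
SAMPLE_SMB_CONF = """\
[global]
    workgroup = WORKGROUP
    interfaces = 192.168.1.10/24
    # 'bind interfaces only' deliberately absent in this sample

[media]
    path = /mnt/user/media
    vfs objects = catia fruit streams_xattr

[backups]
    path = /mnt/user/backups
    vfs objects = streams_xattr
"""

def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal smb.conf parser: [section] headers and 'key = value' lines."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank or comment line
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections

def shares_with_fruit(sections: Dict[str, Dict[str, str]]) -> List[str]:
    """Shares whose 'vfs objects' list loads vfs_fruit (the CVE-2021-44142 exposure)."""
    return [name for name, opts in sections.items()
            if "fruit" in opts.get("vfs objects", "").split()]

def strip_fruit(vfs_objects: str) -> str:
    """The workaround from the thread: drop 'fruit' from a 'vfs objects' value."""
    return " ".join(mod for mod in vfs_objects.split() if mod != "fruit")

def listens_on_all_interfaces(sections: Dict[str, Dict[str, str]]) -> bool:
    """True unless [global] sets 'bind interfaces only = yes' with an 'interfaces' list."""
    g = sections.get("global", {})
    bound = g.get("bind interfaces only", "no").lower() in ("yes", "true", "1")
    return not (bound and g.get("interfaces"))
```

Running `shares_with_fruit(parse_smb_conf(open("/etc/samba/smb-shares.conf").read()))` on a real file reports which shares still need the workaround until the patched Samba ships.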

Am I the only one troubled by the seemingly non-existent cadence for security patch releases on unRaid? Don't get me wrong - I love me some UnRaid and talk it up every chance I get.  But I'm wondering whether I should be heaping quite so many praises Limetech's way.

 

We are now 10 months since 6.9.2 stable was released.  That's a long time.  Lots of CVEs posted since then.  CVE-2021-44142 (the one being talked about above) is only the latest high severity issue (a 9.9 out of 10).

 

6.9 was followed a month later by 6.9.1 (CVE-2021-23841, CVE-2021-23840) and then a month after that by 6.9.2 (CVE-2020-27840, CVE-2020-27840).  That's the kind of cadence I can feel confident in.  But after April 2021?  Nothing.

 

I would like to see what published policy Limetech has for security patching.  I'm not aware of any (please correct me if this is wrong).  Assuming no security patching policy exists, we should be pushing for one, and then help make sure they live up to it.


Just checked both my unraid servers (one I imaged fresh last year and one that I imaged like 6 years ago). They both had macOS Interoperability disabled by default, so hopefully this is the case for most of the default configurations of unraid. Not sure though and it's definitely worth checking if this removes the risk of the known vulnerability.

On 2/2/2022 at 2:33 PM, M2Pilot said:

Am I the only one troubled by the seemingly non-existent cadence for security patch releases on unRaid? Don't get me wrong - I love me some UnRaid and talk it up every chance I get.  But I'm wondering whether I should be heaping quite so many praises Limetech's way.

 

We are now 10 months since 6.9.2 stable was released.  

 

None of that is really an issue, though, as long as you follow the basic security measure of not exposing your unraid server to the internet.

There are millions of systems out there running on Windows 98 or XP that didn't get patched in decades simply because they will never be exposed to the internet.
10 hours ago, unRate said:

 

Then you need to be using a proper Linux distro :)

Slackware is a "proper" Linux distro, it just depends on how it's maintained.

I don't think it's unreasonable to ask for security patches and fixes in a timely manner, especially for something that has a very high score, and is a core part of the product, even more so since Limetech/unRAID is supposed to be taking a more secure by default stance now.

The way we try to address security issues is to get Unraid releases out in a timely manner. Unfortunately, that hasn't been happening quickly enough lately. It is being dealt with behind the scenes and discussed internally. It's much better all around to release a new version of Unraid with all the latest security fixes, rather than going back and applying patches. Unraid was not designed to apply patches.

For the moment there are several ways to alleviate your concerns:

  • Disable macOS interoperability.
  • Upgrade to one of the 6.10 RCs. They are using a later version of Samba. I'm working with the beta rc3 and the Samba is at version 4.15.3.
On 2/11/2022 at 9:24 AM, timethrow said:

Slackware is a "proper" Linux distro, it just depends on how it's maintained.

I don't think it's unreasonable to ask for security patches and fixes in a timely manner, especially for something that has a very high score, and is a core part of the product, even more so since Limetech/unRAID is supposed to be taking a more secure by default stance now.

 

Slackware is a Linux distro indeed. But unless you run unraid on top of vanilla Slackware yourself, unraid is considered an "appliance" by Limetech, which translates to "We don't have to do security patches, nor do we need users or DAC, just run everything as root".

 

They are not going to patch this. It will be updated in the next RC at best. These CVEs are already 4 months old!

 

What I meant by my initial comment about using a proper Linux distro is that if you care one bit about security, use something that gets regular updates, e.g. Proxmox, TrueNAS SCALE, vanilla Linux, etc.
