PZOS-2017-001: SAMBA Remote Code Execution

Issue Date: 2017/05/26
Updated Date: 2017/05/26
Title: SAMBA Remote Code Execution
Classification: High
Status: Closed
Affected Products: PZOS – All Supported Versions

Summary

The SAMBA component of the PZOS software contains a vulnerability in which a malicious client with write access to a share can upload a shared library and cause the SAMBA server to load and execute it, running attacker-supplied code on the controller.

Details

PZOS uses SAMBA to present storage as a Windows (SMB) share. A remote code execution vulnerability was recently discovered in SAMBA (CVE-2017-7494): a malicious client can upload a shared library (an ELF .so file) into a writeable share and then cause the SAMBA server to load and execute it in the smbd process, thereby compromising the controller. To exploit the vulnerability, the attacker needs to be authenticated, have writeable access to a share, and know or guess the server-side filesystem path of that share, since the library is loaded by path. Note that the file can carry any name or extension; it is the ELF content, not the name, that matters. The upstream advisory linked below also documents a configuration workaround for unpatched servers (setting "nt pipe support = no" in the [global] section of smb.conf), with the caveat that it may disable functionality expected by Windows clients; this note is added here from the upstream advisory and is not a statement about PZOS configuration.

The original security vulnerability announcement can be found here: https://www.samba.org/samba/security/CVE-2017-7494.html
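The following is an added example, not code from this advisory or from the Samba project, showing two checks a practitioner would run on a Samba host while waiting to install the fixed release: parse smb.conf to list writeable shares and whether the upstream "nt pipe support = no" workaround is set, and scan the on-disk path of a writeable share for ELF shared objects (e_type == ET_DYN), the artifact an attacker must drop to exploit this bug. The share names, paths and file contents below are constructed for illustration.

```python
"""Audit helpers for CVE-2017-7494 exposure on a Samba host (added example)."""
import os
import re
import struct
import tempfile
from typing import Dict, List

TRUE_VALUES = {"yes", "true", "1"}
ELF_MAGIC = b"\x7fELF"
ET_DYN = 3  # e_type value for a shared object


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal smb.conf parser: [section] headers, 'key = value' lines, '#'/';' comments."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        # Samba compares keys case-insensitively; collapse internal whitespace too.
        sections[current][re.sub(r"\s+", " ", key.strip().lower())] = value.strip()
    return sections


def share_is_writable(opts: Dict[str, str]) -> bool:
    """'writeable', 'writable' and 'write ok' are synonyms; 'read only' is the inverse.
    Samba's default is 'read only = yes'."""
    for k in ("writeable", "writable", "write ok"):
        if k in opts:
            return opts[k].lower() in TRUE_VALUES
    if "read only" in opts:
        return opts["read only"].lower() not in TRUE_VALUES
    return False


def writable_shares(conf: Dict[str, Dict[str, str]]) -> List[str]:
    return sorted(n for n, o in conf.items() if n != "global" and share_is_writable(o))


def pipe_workaround_applied(conf: Dict[str, Dict[str, str]]) -> bool:
    """True when [global] has 'nt pipe support = no' (Samba default is yes)."""
    return conf.get("global", {}).get("nt pipe support", "yes").lower() not in TRUE_VALUES


def is_elf_shared_object(path: str) -> bool:
    """Check magic bytes and e_type regardless of the file's name or extension."""
    try:
        with open(path, "rb") as f:
            header = f.read(20)
    except OSError:
        return False
    if len(header) < 20 or header[:4] != ELF_MAGIC:
        return False
    endian = "<" if header[5] == 1 else ">"  # EI_DATA: 1 = little endian
    (e_type,) = struct.unpack(endian + "H", header[16:18])
    return e_type == ET_DYN


def find_shared_objects(root: str) -> List[str]:
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = os.path.join(dirpath, name)
            if is_elf_shared_object(p):
                hits.append(p)
    return sorted(hits)


# Constructed sample configuration: two writeable shares, workaround not applied.
SAMPLE_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   server string = constructed sample controller

[public]
   path = /data/public
   read only = no

[archive]
   path = /data/archive
   writeable = no

[scratch]
   path = /data/scratch
   write ok = yes
"""


def _fake_elf(e_type: int) -> bytes:
    # 16-byte e_ident (class 64-bit, little endian, version 1) + e_type + e_machine
    return ELF_MAGIC + bytes([2, 1, 1]) + b"\x00" * 9 + struct.pack("<HH", e_type, 0x3E)


def demo() -> Dict[str, object]:
    """Run both checks against constructed data and return the findings."""
    conf = parse_smb_conf(SAMPLE_SMB_CONF)
    with tempfile.TemporaryDirectory() as share_root:
        # A payload disguised with a document extension, a plain text file,
        # and an ET_EXEC binary that should not be flagged.
        samples = {
            "quarterly.docx": _fake_elf(ET_DYN),
            "notes.txt": b"just text\n",
            "tool.bin": _fake_elf(2),
        }
        for name, data in samples.items():
            with open(os.path.join(share_root, name), "wb") as f:
                f.write(data)
        suspects = [os.path.basename(p) for p in find_shared_objects(share_root)]
    return {
        "writable": writable_shares(conf),
        "workaround": pipe_workaround_applied(conf),
        "suspects": suspects,
    }


if __name__ == "__main__":
    print(demo())
```

On a real host, point find_shared_objects at the "path" of each share listed by writable_shares; any ELF shared object found there that staff cannot account for should be treated as a possible exploitation attempt and preserved for forensics rather than simply deleted.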

Resolution

Panzura has released PZOS 6.3.1.3, which contains the fix for this vulnerability; customers on any supported version should upgrade to that release. The release notes are available here.