Community Forum

Resolved
0 votes
This thread is to track and register information in regards to the Badlock bug which is scheduled to release on April 12th 2016 at around 1700 UTC. As soon as we have a fix will will need extensive and concentrated testing. More details will follow.
Tuesday, April 12 2016, 02:26 PM
Like
1
Share this post:
Responses (27)
  • Accepted Answer

    Wednesday, June 29 2016, 02:31 PM - #Permalink
    Resolved
    0 votes
    Hi Tony,

    Thanks Peter... 40 rpms all installed cleanly. As well as samba updates - updated apps, lvm2, device-mapper, kernel and other misc rpms.
    Also resolved a version conflict between i686 and x84-64 versions of libldb had lived with waiting for this update...


    There were 26 upstream software package updates released on June 23 - full Red Hat list is here. With each package potentially producing multiple RPMs, it was a good sized update! This seems to be more common with Red Hat releases over the last year-ish or so. It's like a mini service pack will come through every couple of months.
    The reply is currently minimized Show
  • Accepted Answer

    Wednesday, June 29 2016, 03:46 AM - #Permalink
    Resolved
    0 votes
    Thanks Peter... 40 rpms all installed cleanly. As well as samba updates - updated apps, lvm2, device-mapper, kernel and other misc rpms.
    Also resolved a version conflict between i686 and x84-64 versions of libldb had lived with waiting for this update...
    The reply is currently minimized Show
  • Accepted Answer

    Wednesday, June 29 2016, 02:04 AM - #Permalink
    Resolved
    0 votes
    Quick update -- the Samba "fix for the fix" is on the way to the ClearOS 7 mirrors. Here are the June 23 release notes from Red Hat:

    https://rhn.redhat.com/errata/RHBA-2016-1257.html
    The reply is currently minimized Show
  • Accepted Answer

    Wednesday, June 08 2016, 04:59 AM - #Permalink
    Resolved
    0 votes
    Thanks Peter

    Hopefully this will be resolved before too long :)
    The reply is currently minimized Show
  • Accepted Answer

    Monday, June 06 2016, 02:05 PM - #Permalink
    Resolved
    0 votes
    Hi Malcolm,

    Malcolm Warwick wrote:

    Thanks Peter

    Perhaps I'm not reading this right, but seems to imply this was fixed?
    https://rhn.redhat.com/errata/RHSA-2016-0612.html

    An update for samba4 and samba is now available for Red Hat Enterprise Linux 6
    and Red Hat Enterprise Linux 7, respectively.


    Cheers
    Malcolm


    There was indeed a quick fix for the Badlock issue, but that fix broke certain types of Samba environments. Red Hat has since released a "fix for the fix" in RHEL 6, but nothing has appeared for RHEL 7 yet. Red Hat does a great job at maintaining a stable platform -- it's not easy to do, and they pull it off for thousands of updates. However, this was one of the rare occasions where the fix was not up to par.
    The reply is currently minimized Show
  • Accepted Answer

    Saturday, June 04 2016, 03:28 AM - #Permalink
    Resolved
    0 votes
    Thanks Peter

    Perhaps I'm not reading this right, but seems to imply this was fixed?
    https://rhn.redhat.com/errata/RHSA-2016-0612.html

    An update for samba4 and samba is now available for Red Hat Enterprise Linux 6
    and Red Hat Enterprise Linux 7, respectively.


    Cheers
    Malcolm
    The reply is currently minimized Show
  • Accepted Answer

    Thursday, June 02 2016, 10:08 PM - #Permalink
    Resolved
    0 votes
    Malcolm Warwick wrote:

    And is there a fix for 7 yet?


    Keep an eye on the RHEL 7 updates here - https://rhn.redhat.com/errata/rhel-server-7-errata.html No sign of an update yet.
    The reply is currently minimized Show
  • Accepted Answer

    Tuesday, May 31 2016, 09:15 PM - #Permalink
    Resolved
    0 votes
    Thanks Peter.

    Just wondering what has been happening for the last 3 weeks since the 10th May when that was issued?

    And is there a fix for 7 yet?
    The reply is currently minimized Show
  • Accepted Answer

    Tuesday, May 31 2016, 04:53 PM - #Permalink
    Resolved
    0 votes
    Hello all,

    Just a quick update on this topic. It looks like the issue was resolved upstream for Red Hat 6 - https://rhn.redhat.com/errata/RHBA-2016-0992.html. That Samba update is setting in the ClearOS 6 test repository and will be pushed to updates-testing on Wednesday (if all goes well with testing).
    The reply is currently minimized Show
  • Accepted Answer

    Tuesday, May 10 2016, 11:48 PM - #Permalink
    Resolved
    0 votes
    Well, a complete month now and we are back to "patch Tuesday" again and........ nothing more....
    Last activity on the mailing list Thu Apr 28... patience... patience...

    Meanwhile in the black-hat's den....
    The reply is currently minimized Show
  • Accepted Answer

    Wednesday, May 04 2016, 01:57 AM - #Permalink
    Resolved
    0 votes
    Nick Howitt wrote:

    Can you let us know what is happening on this? It is supposed to be a critical bug (not an issue for me in a domestic environment), but there have been no updates to samba in ClearOS 6.x since 16/03 - a month before the bug was disclosed.


    Keep an eye on Red Hat's bug report on the matter - https://bugzilla.redhat.com/show_bug.cgi?id=1326918

    There were also a bunch of Badlock regression fixes pushed through the Samba project just a few days ago. Here's the mailing list reference: https://lists.samba.org/archive/samba-technical/2016-April/113719.html
    The reply is currently minimized Show
  • Accepted Answer

    Tuesday, May 03 2016, 06:18 PM - #Permalink
    Resolved
    0 votes
    Can you let us know what is happening on this? It is supposed to be a critical bug (not an issue for me in a domestic environment), but there have been no updates to samba in ClearOS 6.x since 16/03 - a month before the bug was disclosed.
    The reply is currently minimized Show
  • Accepted Answer

    Tuesday, April 19 2016, 06:33 PM - #Permalink
    Resolved
    0 votes
    According to this Red Hat bug report, a Samba update that addresses the "trust relationship failure" issue is coming.
    The reply is currently minimized Show
  • Accepted Answer

    Friday, April 15 2016, 04:53 AM - #Permalink
    Resolved
    0 votes
    Shout out to Peter Baldwin. He turned the actual solution when I gave him all the data.
    Like
    1
    The reply is currently minimized Show
  • Accepted Answer

    Friday, April 15 2016, 04:18 AM - #Permalink
    Resolved
    0 votes
    Mad props to Dave for getting our PDC back up and running--even though he was on very little sleep!
    The reply is currently minimized Show
  • Accepted Answer

    Friday, April 15 2016, 03:57 AM - #Permalink
    Resolved
    1 votes
    I'm glad that worked for you Herm, and thanks for reporting back here as well as in our private discussion.

    The line 'smb ports = 139' should ALWAYS be removed.

    This is a relic of the 'Simple File Sharing' methodology which was using the SMB protocol. There are a few relevant ports in the old methodology such as 137, 138, and 139. But with the introduction of Windows 2000 came the implementation of port 445 which allows for SMB over TCP/IP without NetBIOS. The problem here for Windows 10 and other patches from Windows is that these older protocols are prone to compromise and so Microsoft is slowly and gradually dropping support for SMB in favor of CIFS. Microsoft isn't alone. The Samba team would love it as well if everyone would update to the newer, more secure protocol.

    I've had a lot of support issues with Windows 10 and if this line exists, it is alway problematic because it disables port 445 on Samba.
    Like
    1
    The reply is currently minimized Show
  • Accepted Answer

    Thursday, April 14 2016, 08:44 PM - #Permalink
    Resolved
    0 votes
    Dave Loper wrote:

    Some users have reported errors with ClearOS 6 where their machines picked up an update from the CentOS repo instead of the ClearOS repo. This doesn't normally happen if your server has been regularly updating. Please read this whole post before proceeding with any of the steps. The symptom is that you may have will the following package on your system for ClearOS 6:

    3.6.23-30.el6_7

    Run this command:

    rpm -qi samba

    It should yield the following result for ClearOS 6 at this point the following:

    Name : samba Relocations: (not relocatable)
    Version : 3.6.23 Vendor: CentOS
    Release : 25.el6_7 Build Date: Tue 15 Mar 2016 05:25:09 PM CDT

    ^^^ This is the right one ^^^

    vvv This is the wrong one vvv
    Name : samba Relocations: (not relocatable)
    Version : 3.6.23 Vendor: CentOS
    Release : 30.el6_7

    If you have the 3.6.23-30 package at this point in time, you will likely have trust issues and an inability to access shares. There will be a proper version in our repos at a later time but at this time there seems to be upstream issues with the badlock patch...which is why we test before generally releasing to community and then we test using the community before going to other versions such as home, professional, and business.

    Ok, so if this is what is happening to you then run the following:

    yum downgrade libtalloc libtdb libtevent samba samba-client samba-common samba-winbind samba-winbin
    d-clients tdb-tools


    You should get a similar output. Please compare the versions so you don't go too far back:

    =======================================================================================================================
    Package Arch Version Repository Size
    =======================================================================================================================
    Downgrading:
    libtalloc x86_64 2.0.8-1.v6 clearos 21 k
    libtdb x86_64 1.2.12-1.v6 clearos 36 k
    libtevent x86_64 0.9.18-3.el6 clearos 25 k
    samba x86_64 3.6.23-25.el6_7 clearos-centos-updates 5.0 M
    samba-client x86_64 3.6.23-25.el6_7 clearos-centos-updates 11 M
    samba-common x86_64 3.6.23-25.el6_7 clearos-centos-updates 10 M
    samba-winbind x86_64 3.6.23-25.el6_7 clearos-centos-updates 2.2 M
    samba-winbind-clients x86_64 3.6.23-25.el6_7 clearos-centos-updates 2.0 M
    tdb-tools x86_64 1.2.12-1.v6 clearos 24 k

    Transaction Summary
    =======================================================================================================================
    Downgrade 9 Package(s)


    After you have done this, you will need to recover a previous configuration backup that matches this code! If you have already removed a workstation from the domain and rejoined it to the version 30 domain, you will need to disjoin it AGAIN and rejoin it to the new domain. You may also have to reset the winadmin password.


    Solved our issue. Thank you for the excellent sleuthing. Can the following lines be safely removed from smb.conf, or do you recommend leaving them in place?
    client signing = required
    server signing = auto


    Also, should
    smb ports = 139
    be added back, if removed?
    The reply is currently minimized Show
  • Accepted Answer

    Thursday, April 14 2016, 07:24 PM - #Permalink
    Resolved
    1 votes
    Some users have reported errors with ClearOS 6 where their machines picked up an update from the CentOS repo instead of the ClearOS repo. This doesn't normally happen if your server has been regularly updating. Please read this whole post before proceeding with any of the steps. The symptom is that you may have will the following package on your system for ClearOS 6:

    3.6.23-30.el6_7

    Run this command:

    rpm -qi samba

    It should yield the following result for ClearOS 6 at this point the following:

    Name : samba Relocations: (not relocatable)
    Version : 3.6.23 Vendor: CentOS
    Release : 25.el6_7 Build Date: Tue 15 Mar 2016 05:25:09 PM CDT

    ^^^ This is the right one ^^^

    vvv This is the wrong one vvv
    Name : samba Relocations: (not relocatable)
    Version : 3.6.23 Vendor: CentOS
    Release : 30.el6_7

    If you have the 3.6.23-30 package at this point in time, you will likely have trust issues and an inability to access shares. There will be a proper version in our repos at a later time but at this time there seems to be upstream issues with the badlock patch...which is why we test before generally releasing to community and then we test using the community before going to other versions such as home, professional, and business.

    Ok, so if this is what is happening to you then run the following:

    yum downgrade libtalloc libtdb libtevent samba samba-client samba-common samba-winbind samba-winbin
    d-clients tdb-tools


    You should get a similar output. Please compare the versions so you don't go too far back:

    =======================================================================================================================
    Package Arch Version Repository Size
    =======================================================================================================================
    Downgrading:
    libtalloc x86_64 2.0.8-1.v6 clearos 21 k
    libtdb x86_64 1.2.12-1.v6 clearos 36 k
    libtevent x86_64 0.9.18-3.el6 clearos 25 k
    samba x86_64 3.6.23-25.el6_7 clearos-centos-updates 5.0 M
    samba-client x86_64 3.6.23-25.el6_7 clearos-centos-updates 11 M
    samba-common x86_64 3.6.23-25.el6_7 clearos-centos-updates 10 M
    samba-winbind x86_64 3.6.23-25.el6_7 clearos-centos-updates 2.2 M
    samba-winbind-clients x86_64 3.6.23-25.el6_7 clearos-centos-updates 2.0 M
    tdb-tools x86_64 1.2.12-1.v6 clearos 24 k

    Transaction Summary
    =======================================================================================================================
    Downgrade 9 Package(s)


    After you have done this, you will need to recover a previous configuration backup that matches this code! If you have already removed a workstation from the domain and rejoined it to the version 30 domain, you will need to disjoin it AGAIN and rejoin it to the new domain. You may also have to reset the winadmin password.
    Like
    1
    The reply is currently minimized Show
  • Accepted Answer

    Thursday, April 14 2016, 04:56 PM - #Permalink
    Resolved
    0 votes
    If the following command yields a result, you need to remove that line:

    [root@server1 ~]# grep "^smb port" /etc/samba/smb.conf
    smb ports = 139
    The reply is currently minimized Show
  • Accepted Answer

    Thursday, April 14 2016, 03:07 PM - #Permalink
    Resolved
    0 votes
    client signing = required
    server signing = auto


    This worked in our installation for machines that simple couldn't connect after the update; however, we had one Windows Server 2012 installation and one Windows 8.1 x64 installation on which I had tried disconnecting from the domain and reconnecting, which failed. It did not resolve problems with these two machines. I was able to use System Restore on the Windows 8.1 machine to go back to an April 11 restore point and connect to the domain. I was then able to update this machine and all is well. Still searching for a solution for the Windows 2012 Server since there is no restore point option. This machine will connect to the domain and shows all other Windows machines on the network, but does not show either of our ClearOS installations. Our main V6.8 server or a V7 test machine. Continuing to research solutions and have an open support ticket. Welcome any ideas from forum members.
    The reply is currently minimized Show
  • Accepted Answer

    Wednesday, April 13 2016, 07:04 PM - #Permalink
    Resolved
    0 votes
    Peter Baldwin wrote:

    Mike Edwards wrote:

    So the samba updates this morning borked our ClearOS 6 Business PDC, causing machine trust accounts to fail. Is this a known issue? I can't get anyone on the phone and my support ticket has not been responded to yet.


    There was an end user on the samba-technical mailing list reporting the same problem. I have no idea if it's a good one, but his solution was to change the following smb.conf parameters in the global section:


    client signing = required
    server signing = auto


    Important note: you should not yet have seen the Badlock Samba updates on a ClearOS box! There are only two ways to get the update:

    - Through the "clearos-updates-testing" repository. These updates were pushed through over the last 12 hours but the repo is disabled by default.
    - Directly through the CentOS repository. The update was pushed out around 2 a.m. Eastern, but this repo (called "centos-unverified") is disabled by default.

    As of the last few weeks, the default repository policies were changed in ClearOS. We shipped 6.7 and 7.2 with ClearOS pointing directly to the CentOS repos, but we have since pushed an update out so that ClearOS points to mirrors that we maintain. We keep these mirrors 1-7 days behind upstream CentOS just for this kind of reason -- an upstream update can occasionally cause a lot of grief. Perhaps your system did not have this ClearOS update installed and the old mirror policy was still in place?

    Edit: 6.8 -> 6.7


    Thanks for the info! Both of those repos are indeed disabled so I wonder if we still got the update straight from CentOS.

    Yeah, we found part of that solution and were able to get most folks logged in by adding "server signing = auto" but still had a few issues like some network shares not being mapped due to "no logon servers found". We did not add the "client signing = required" but maybe that will help.

    I have since gotten a response to my ticket and sent some logs. We'll see what they say. I am spinning up a v7 PDC just in case I have to move to it.

    Thanks,
    Mike
    The reply is currently minimized Show
  • Accepted Answer

    Wednesday, April 13 2016, 06:50 PM - #Permalink
    Resolved
    0 votes
    Mike Edwards wrote:

    So the samba updates this morning borked our ClearOS 6 Business PDC, causing machine trust accounts to fail. Is this a known issue? I can't get anyone on the phone and my support ticket has not been responded to yet.


    There was an end user on the samba-technical mailing list reporting the same problem. I have no idea if it's a good one, but his solution was to change the following smb.conf parameters in the global section:


    client signing = required
    server signing = auto


    Important note: you should not yet have seen the Badlock Samba updates on a ClearOS box! There are only two ways to get the update:

    - Through the "clearos-updates-testing" repository. These updates were pushed through over the last 12 hours but the repo is disabled by default.
    - Directly through the CentOS repository. The update was pushed out around 2 a.m. Eastern, but this repo (called "centos-unverified") is disabled by default.

    As of the last few weeks, the default repository policies were changed in ClearOS. We shipped 6.7 and 7.2 with ClearOS pointing directly to the CentOS repos, but we have since pushed an update out so that ClearOS points to mirrors that we maintain. We keep these mirrors 1-7 days behind upstream CentOS just for this kind of reason -- an upstream update can occasionally cause a lot of grief. Perhaps your system did not have this ClearOS update installed and the old mirror policy was still in place?

    Edit: 6.8 -> 6.7
    The reply is currently minimized Show
  • Accepted Answer

    Wednesday, April 13 2016, 05:23 PM - #Permalink
    Resolved
    0 votes
    So the samba updates this morning borked our ClearOS 6 Business PDC, causing machine trust accounts to fail. Is this a known issue? I can't get anyone on the phone and my support ticket has not been responded to yet.

    Thanks,
    Mike
    The reply is currently minimized Show
  • Accepted Answer

    Tuesday, April 12 2016, 06:05 PM - #Permalink
    Resolved
    0 votes
    If you are interested, you can watch the build process here:

    http://koji.clearos.com/koji/clearos/index

    Currently we have the main packages but not some of the dependencies to build the 7 version.
    The reply is currently minimized Show
  • Accepted Answer

    Tuesday, April 12 2016, 05:53 PM - #Permalink
    Resolved
    0 votes
    ClearCenter's official response to Bad Lock will be listed here as the bug is resolved:

    https://www.clearos.com/resources/documentation/clearos/content:en_us:announcements_cve_cve-2016-2118
    The reply is currently minimized Show
  • Accepted Answer

    Tuesday, April 12 2016, 05:14 PM - #Permalink
    Resolved
    0 votes
    You can monitor the status of Bad Lock (CVE-2016-2118) here:

    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-2118
    The reply is currently minimized Show
  • Accepted Answer

    Tuesday, April 12 2016, 03:51 PM - #Permalink
    Resolved
    0 votes
    We will NOT be producing a badlock patch for ClearOS 5. ClearOS 5 is EOL since last December. If you are running ClearOS 5 now is a good time to upgrade. If you have a qualifying license for ClearOS 6 or 7, the engineers at ClearCenter can upgrade your configuration settings to retain your directory, users, and many settings. It can take 2 business days typically to upgrade your configuration backup to a modern version. If they get an influx it can take a little longer.

    Q: What can I do to protect my system running ClearOS 5 from Badlock while I wait or work on my update to a newer version of ClearOS?

    A: The Badlock bug affects the protocol used by the CIFS protocol. To prevent compromise stop and disable your Samba stack:

    service smb stop
    service nmb stop
    service winbind stop
    chkconfig smb off
    chkconfig nmb off
    chkconfig winbind off

    If you insist on running ClearOS 5 with the badlock bug, be advised that ClearOS, by default, firewalls these ports to the outside world and this bug will not have a Internet-based exploit on a properly configured ClearOS 5 machine. However, your LAN will be subject to compromised data should any local user or local virus or trojan decide to explore and exploit the bug.
    The reply is currently minimized Show
Your Reply