AIX

  • 1.  CVE-2016-2118: Samba Badlock Vulnerability, which samba version to be upgrade to fix the CVE-2016-2118 defect.

    Posted Thu September 08, 2022 07:40 AM

    Currently running Samba on AIX 7.1 (7100-00-03-1115).
    Samba version:
       samba.base 3.3.12.0 COMMITTED Samba for AIX
       samba.license 3.3.12.0 COMMITTED Samba for AIX
       samba.man.en_US 3.3.12.0 COMMITTED Samba for AIX
       samba.base 3.3.12.0 COMMITTED Samba for AIX

    Which Samba version should we upgrade to in order to fix the CVE-2016-2118 defect?

    I also navigated to these URLs: https://public.dhe.ibm.com/aix/freeSoftware/aixtoolbox/RPMS/ppc/samba/ and https://www.ibm.com/support/pages/aix-toolbox-open-source-software-downloads-alpha

    They have samba-4.3.x through samba-4.10.x, and 4.14.12 (7.1).

    Please advise.

    Best regards,
    Charin Kumjudpai.



    ------------------------------
    CHARIN KUMJUDPAI
    ------------------------------


  • 2.  RE: CVE-2016-2118: Samba Badlock Vulnerability, which samba version to be upgrade to fix the CVE-2016-2118 defect.

    Posted Thu September 08, 2022 10:45 AM
    Really? You're running base 7.1 code from 2011, and you're concerned about Samba?
    There are so many *requisites; you have a mess on your hands.




  • 3.  RE: CVE-2016-2118: Samba Badlock Vulnerability, which samba version to be upgrade to fix the CVE-2016-2118 defect.

    Posted Fri September 09, 2022 02:33 AM

    My post is for a question asked by our customer (in Laos).
    Tom, any comments in detail? This is what I sent by email to our customer.

    Your case objective:

        Due to the CVE-2016-2118 Samba Badlock vulnerability, you are looking for IBM support's suggestion of which Samba version (4.2.11 / 4.3.8 / 4.4.2 or later) fixes the CVE-2016-2118 defect.

    IBM local support would like to respond to you with the following answers.

    1. Searching the IBM Security Bulletins found:

       "Security Bulletin: Badlock Samba vulnerability issue on IBM Storwize V7000 Unified (CVE-2016-2118)"

       URL: https://www.ibm.com/support/pages/security-bulletin-badlock-samba-vulnerability-issue-ibm-storwize-v7000-unified-cve-2016-2118

       In the above URL, under "Affected Products and Versions":

       IBM Storwize V7000 Unified
       The product is affected when running code releases 1.5.0.0 to 1.6.0.1

    2. Searching the IBM support system found case# TS009291788 (Samba Badlock), opened on 2022-05-09.

       You can see the "Resolution Description: Samba is not supported."

       "Samba is not supported" means: Samba is a product shipped as-is. In other words, there is no Samba support from IBM.

       Please find full details in the screen capture.

    3. Searching the IBM support system found the old PMR (PMR# 43799,999,766: samba vulnerability issue) from 2016.

       Here is the old PMR suggestion:

           I have just checked the issue of the Samba vulnerability as follows.

           1. CVE-2015-5370  https://www.samba.org/samba/security/CVE-2015-5370.html
              Subject: Multiple errors in DCE-RPC code.

           2. CVE-2016-2118 (a.k.a. BADLOCK)  https://www.samba.org/samba/security/CVE-2016-2118.html
              Subject: SAMR and LSA man in the middle attacks possible.

           How to fix:
              To fix both CVEs, Samba 4.4.2, 4.3.8 and 4.2.11 have been issued as security releases to correct the defect.

    4. If you navigate to the AIX Toolbox for Open Source Software website:

       https://www.ibm.com/support/pages/aix-toolbox-open-source-software-downloads-alpha

       Samba version 4.14.12 (7.1) is available there as RPM/SRPM packages to download.

    5. Conclusion.

       Please consider upgrading Samba to version 4.14.12, which is available as RPM/SRPM packages on the IBM website.




    ------------------------------
    CHARIN KUMJUDPAI
    ------------------------------
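A local check for the version question in the post above, as an added example that is not part of this thread and not an IBM or Samba tool: it takes "package version" lines (such as the lslpp -L output quoted in the first post) and flags anything below the 4.2.11 / 4.3.8 / 4.4.2 security releases named in the PMR. The fileset names, the thresholds and the sample input come from the thread; the function names, the fail-closed handling of unparseable versions, and the lslpp/rpm invocations in the comments are the example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from IBM/Samba: classify installed
# Samba packages against the releases that fixed CVE-2016-2118 (Badlock),
# i.e. 4.2.11, 4.3.8, 4.4.2 and anything newer, as cited from the Samba advisory.

# samba_badlock_fixed VERSION
# Exit status 0 if VERSION is at or beyond the fixed release for its branch,
# 1 otherwise. Only the first three dotted fields are compared; a trailing AIX
# fileset level such as the ".0" in 3.3.12.0 is ignored. A version that is not
# purely dotted digits is reported as not fixed (fail closed) rather than guessed.
samba_badlock_fixed() {
    case "$1" in
        ''|*[!0-9.]*) return 1 ;;
    esac
    maj=$(printf '%s' "$1" | cut -d. -f1)
    min=$(printf '%s' "$1" | cut -d. -f2)
    pat=$(printf '%s' "$1" | cut -d. -f3)
    min=${min:-0}
    pat=${pat:-0}
    [ "$maj" -gt 4 ] && return 0       # anything after the 4.x series
    [ "$maj" -lt 4 ] && return 1       # 3.x (the poster's 3.3.12) was never fixed
    case "$min" in
        0|1) return 1 ;;               # not among the security releases in the advisory
        2)   [ "$pat" -ge 11 ] ;;      # fixed in 4.2.11
        3)   [ "$pat" -ge 8 ] ;;       # fixed in 4.3.8
        4)   [ "$pat" -ge 2 ] ;;       # fixed in 4.4.2
        *)   return 0 ;;               # 4.5 and later shipped with the fix
    esac
}

# scan_samba_versions
# Reads "package version ..." lines on stdin (first two whitespace-separated
# fields are used, the rest is ignored) and prints "package version FIXED" or
# "package version VULNERABLE" per line. Exit status 1 if anything is vulnerable.
scan_samba_versions() {
    bad=0
    while read -r pkg ver rest; do
        [ -z "$pkg" ] && continue
        if samba_badlock_fixed "$ver"; then
            printf '%s %s FIXED\n' "$pkg" "$ver"
        else
            printf '%s %s VULNERABLE\n' "$pkg" "$ver"
            bad=1
        fi
    done
    return "$bad"
}

# Constructed sample input, mirroring the lslpp -L output quoted in the thread,
# plus one line for the 4.14.12 toolbox RPM the thread recommends.
SAMPLE='samba.base 3.3.12.0 COMMITTED Samba for AIX
samba.license 3.3.12.0 COMMITTED Samba for AIX
samba.man.en_US 3.3.12.0 COMMITTED Samba for AIX
samba 4.14.12 (toolbox RPM after upgrade)'

# On a real AIX host, feed the live inventory instead (assumed invocations):
#   lslpp -L 'samba*' | awk '$1 ~ /^samba/ {print $1, $2}' | scan_samba_versions
#   rpm -q --qf '%{NAME} %{VERSION}\n' samba | scan_samba_versions
printf '%s\n' "$SAMPLE" | scan_samba_versions \
    || echo "At least one Samba package is below the CVE-2016-2118 fixed release."
```

The version test only answers the question the thread asks (is the installed release at or past the security releases); it says nothing about whether the build was patched out of tree, so on a host where the package version cannot be trusted, the check should be backed by vendor confirmation rather than the number alone.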



  • 4.  RE: CVE-2016-2118: Samba Badlock Vulnerability, which samba version to be upgrade to fix the CVE-2016-2118 defect.

    Posted Sun September 11, 2022 09:57 PM





  • 5.  RE: CVE-2016-2118: Samba Badlock Vulnerability, which samba version to be upgrade to fix the CVE-2016-2118 defect.

    Posted Fri September 16, 2022 07:08 AM
    Samba 3.3.12 was released by the community in 2010; it is very old. I am not sure if anyone is supporting it.
    From where was it installed?

    ------------------------------
    SANKET RATHI
    ------------------------------