Slashdot Mirror

← Back to Stories (view on slashdot.org)

Wormable Code-Execution Bug Lurked In Samba For 7 Years (arstechnica.com)

Posted by EditorDavid on from the not-so-shallow-bugs dept.

Long-time Slashdot reader williamyf was the first to share news of "a wormable bug [that] has remained undetected for seven years in Samba verions 3.5.0 onwards." Ars Technica reports: Researchers with security firm Rapid7...said they detected 110,000 devices exposed on the internet that appeared to run vulnerable versions of Samba. 92,500 of them appeared to run unsupported versions of Samba for which no patch was available... Those who are unable to patch immediately can work around the vulnerability by adding the line nt pipe support = no to their Samba configuration file and restart the network's SMB daemon. The change will prevent clients from fully accessing some network computers and may disable some expected functions for connected Windows machines.
The U.S. Department of Homeland Security's CERT group issued an anouncement urging sys-admins to update their systems, though SC Magazine cites a security researcher arguing this attack surface is much smaller than that of the Wannacry ransomware, partly because Samba is just "not as common as Windows architectures." But the original submission also points out that while the patch came in fast, "the 'Many eyes' took seven years to 'make the bug shallow'."

83 comments

  1. Wait, what?! by Anonymous Coward · · Score: -1

    I thought that all the people supposedly reviewing the code of open source software would ensure that bugs get fixed quickly. This is frequently used as an argument for using Linux. Please reconcile this argument with the reality that a serious bug lurked for seven years.

    1. Re:Wait, what?! by hummassa · · Score: 4, Insightful

      No need to reconcile, just imagine how many of those bugs lurk in closed systems like Windows, where no-one can see them.

      --
      It's better to be the foot on the boot than the face on the pavement. ~~ tkx Kadin2048
    2. Re:Wait, what?! by king+neckbeard · · Score: 4, Informative

      FOSS isn't a magic bullet, it's a development model. The advantages play out in statistical trends, and the differences in those trends can depend on many factors, including how 'open' development is. For example, WannaCry is somewhat comparable, and since it affected XP, the issue likely existed for at least 9 years, if not longer.

      --
      This is my signature. There are many like it, but this one is mine.
    3. Re:Wait, what?! by Anonymous Coward · · Score: 1

      Strawman argument. Open source allows the possibility. It does not guarantee it.

    4. Re:Wait, what?! by Anonymous Coward · · Score: 0

      That's racist!

    5. Re:Wait, what?! by Anonymous Coward · · Score: -1

      Samba is an open source implementation of a Microsoft protocol. When the foundation is complete shit, you can't expect much from a blind, clean room implementation.

      Besides, this isn't nearly as bad a vulnerability as WannaCry which has been in Microsoft's SMB for 16 years.

    6. Re:Wait, what?! by williamyf · · Score: 3, Insightful

      FOSS isn't a magic bullet, it's a development model. The advantages play out in statistical trends, and the differences in those trends can depend on many factors, including how 'open' development is. For example, WannaCry is somewhat comparable, and since it affected XP, the issue likely existed for at least 9 years, if not longer.

      Submitter here:

      I agree with you 100%. The point is that many people in the FOSS community think that the many eyes are indeed a magic bullet, and the only thing needed to weed out bugs, when, as you said, is not.

      If you see my post history, you will see that my long standing oppinion is that many eyes are not enough. One needs ENOUGH Qualified AND Motivated eyes, as well as test cases and structured QA.

      I came to that realization during the Metafile Fiasco of Dec. 2005.

      We had two codebases, one Closed (windows) and One Open (wine). Neither was able to realize the security implications of the code. It took a third party (sysinternals IIRC) to realize the security implications. Even with many eyes, no one in the wine team realized the security implications of the metafile behaviour. At the time some people said "That's because the wine team were copying the behaviour of windows"

      That is disingenuous, for if the wine team had realized the security implications, they would had bang on that drum like crazy, and made a config option of the form [metafile bug=0, 1, 2] 0=keep error for compatibility; 1=wineteam fix; 2= microsoftfix if and when released...

      So, to sum up. Many eyes are nice to have, but not a panacea. For good code (less bugs, less security issues), one needs not MANY eyes but, ENOUGH QUALIFIED AND MOTIVATED EYES (of course, if you have many eyes, you MAY get ENOUGH of the eyes you need, but it is not guaranteed). Also, for good code one needs good test cases and a good QA process.

      --
      *** Suerte a todos y Feliz dia!
    7. Re: Wait, what?! by Anonymous Coward · · Score: 0

      SMB is an IBM protocol. Even if the protocol is bad, there is no excuse for sloppy coding.

    8. Re: Wait, what?! by Anonymous Coward · · Score: 0

      No, it's not a strawman argument. The argument was made in Eric S. Raymond's essay The Cathedral and the Bazaar.

    9. Re: Wait, what?! by emil · · Score: 2

      Before you go any further with your criticism of SMB, you might want to disable NFSv4 functionality in any Linux kernels that you are running, as this version was heavily influenced by developments in SMB. Theo de Raadt has particularly harsh things to say about the v4 protocol, but it is in wide use and it solves a number of problems. https://en.m.wikipedia.org/wik...

    10. Re:Wait, what?! by Kjella · · Score: 0

      FOSS isn't a magic bullet, it's a development model. The advantages play out in statistical trends, and the differences in those trends can depend on many factors, including how 'open' development is. For example, WannaCry is somewhat comparable, and since it affected XP, the issue likely existed for at least 9 years, if not longer.

      Open as in a good way, or open in a bad way? I can see the whole "develop in secret, dump on community" model can have its faults. So can the "we're so short on developers anyone who takes any real interest will get commit privileges" model. I mean, it's one thing to believe that eventually someone will spot an existing bug, but the vast majority of bugs are caught in development as the code is written and - hopefully - reviewed. Security bugs often come from unclear or sloppy code, standards differ wildly between projects.

      And also how much is on by default, there's a huge difference in scope between what's in the default configuration and not, even if the severity for those infected is the same. Not that it's a useful benchmark if you have to enable things to make it work normally the way most users would expect, in that case you can pull the plug and the machine will be very safe. The real advantage though is that eventually you start getting reusable components that have stood the test of time. I've "reinvented the wheel" at different companies, simply because you can't just take code with you when you go. There is of course NIH problems and rotten projects in open source too, but it's less of a problem.

      --
      Live today, because you never know what tomorrow brings
    11. Re:Wait, what?! by Aighearach · · Score: 1

      No, no, and no. Nobody ever said, "With enough code in the world, eyeballs will look at it." Nope. That wasn't it.

      "With enough eyeballs, all bugs are shallow." OK, that one I've heard. Nothing there about, "If you write it, they will read it" or anything like that.

      If nobody is looking, there are no eyeballs, so no affect would be expected.

      But once the bug is discovered, now there are lots of eyeballs! And it gets fixed fast, nearly instantly. That's what happened here. It is true that DoD clown made a political anti-FLOSS statement that contains the same mistake as yours. But he was at work, for the government, he's supposed to do a mediocre job. You're posting on slashdot. You're supposed to be slightly less stupid.

      For the bugs to be fixed before being found, you don't want linux; in linux the eyeballs are mostly focused on writing new stuff, supporting new hardware, etc. If you want boring old code to get the eyeballs, you run *BSD where new stuff arrives in 10 years after 37 audits, and there might only be 9 eyeballs working on the whole thing, but they re-read old code as their sole hobby, and fix sloppy code even where they don't know of bugs.

    12. Re:Wait, what?! by thegarbz · · Score: 2

      The advantages play out in statistical trends

      Unfortunately the statistics do not help much. Many bugs that lurk for years are incredibly subtle. Many eyes gloss over the same bug over and over again. Short of a security audit by professionals who specialise in the stuff ensuring perfect security and no bad actors is incredibly difficult. How difficult? Well how many open source programs have been properly audited? I can name one: Truecrypt. It had a much smaller code base and still took nearly 2 years to audit. Reading other people's code is hard.

      Obvious bugs and stupid bugs typically don't last long in open source software. But really those types of bugs are often caught on code reviews in closed source software as well.

      What OSS does do well is provide timely fixes for serious vulnerabilities.

    13. Re:Wait, what?! by phantomfive · · Score: 1

      Samba existed before Microsoft implemented SMB.

      --
      "First they came for the slanderers and i said nothing."
    14. Re:Wait, what?! by Anonymous Coward · · Score: 0

      Also the statistics don't help closed source as they may not release meaningful numbers of when the bug first affected the software, when the bug was first discovered, and when was the bug patched. With open source, all these are out in the open. With closed source, it's up to the developer to disclose. If they chose not to disclose or fudge the numbers, no one knows.

    15. Re:Wait, what?! by king+neckbeard · · Score: 1

      Basically, more bazaar-style, less cathedral. The "short on developers" problem isn't so much a matter of open vs. closed as it it resource allocation. Just about any project is going to have problems if you lack adequate manpower, and while going FOSS might help somewhat, it's nowhere near a complete solution.

      --
      This is my signature. There are many like it, but this one is mine.
    16. Re:Wait, what?! by SirSlud · · Score: 1

      But he was at work, for the government, he's supposed to do a mediocre job. You're posting on slashdot. You're supposed to be slightly less stupid.

      Two statements which suggest your set of beliefs are built on shaky foundations.

      --
      "Old man yells at systemd"
    17. Re: Wait, what?! by king+neckbeard · · Score: 1

      His argument was, given enough eyes, all bugs are shallow. If the bug isn't shallow, you don't have enough eyes, and the number of eyes to constitute 'enough' may be incredibly high. The difference between the metaphorical cathedral and the metaphorical bazaar was specifically about how different FOSS projects can have drastically different numbers of eyes looking for bugs.

      --
      This is my signature. There are many like it, but this one is mine.
    18. Re:Wait, what?! by Anonymous Coward · · Score: 2, Informative

      No, to sum it up, you are a moron.

      The "many eyes" meme never was about that there would never be any bugs. it's only people like you, who suck on the corporate dick, who ever believed that - because that's what you wanted it to mean, because its obviously not true.

      The "many eyes" was about that the more people a bug get exposed to, the greater the probability that someone will come up with a fix. A statement that usually is proved every time a bad bug is found in OSS, because they tend to get fixed in a real hurry. Which is far more than can be said about catastrophic bugs in proprietary software.

      And remember, for each bad bugs found in OSS software, how many exists in proprietary software, perhaps not widely known but maybe already exploited?

      I'm afraid the the only one who's "disingenuous" here is you, wanker.

    19. Re: Wait, what?! by packrat0x · · Score: 1

      SMB is an IBM protocol. Even if the protocol is bad, there is no excuse for sloppy coding.

      Nope, it started as a DEC protocol.

      --
      227-3517
    20. Re:Wait, what?! by Aighearach · · Score: 1

      statements which suggest your set of beliefs are built on shaky foundations.

      Well if I posted them on slashdot, that's guaranteed.

      I would not get my physics constants from slashdot comments, either.

      I agree with what all the Courts say about Government workers; they're not expected or required to do a great job. "Good enough for government work" is not a high bar. It is a much lower bar than "good enough for an industry professional." But the lack of profit motive is supposed to balance out the quality difference. It often does.

    21. Re:Wait, what?! by dbIII · · Score: 1

      NASA is also government work.
      Building dams that could kill you when they collapse is also usually government work.
      You guys should get out more.

      I'm in private enterprise myself BTW so the usual kneejerk personal attacks to an inconvenient opinion are going to be a little bit trickier aren't they?

    22. Re:Wait, what?! by swillden · · Score: 1

      Well how many open source programs have been properly audited? I can name one: Truecrypt. It had a much smaller code base and still took nearly 2 years to audit.

      And I guarantee you that exploitable bugs remain in Truecrypt. Audits are great, fuzzing is great, good security development practices are great... but secure software is devilishly hard to build. Projects, open or closed, should do all of the above, and they should all encourage researchers to regularly analyze their work, because all of that reduces the number of security vulnerabilities, making the ones that remain ever more subtle and hard to find. But bugs *will* remain.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    23. Re:Wait, what?! by LostMyBeaver · · Score: 1

      Do you kiss your..... never mind.

      I suppose some people might say that the greatest problem with the open source is people like you... I know that I have been involved with multiple open source projects until people like you came around and I decided it's just not worth my effort. The guy above came off as a know-it-all. Fine. But he wasn't rude and he made some valid points. He is attempting to raise awareness as well as advocate merits of open source while suggesting people shouldn't just blindly expect the code to be perfect.

      Consider the Linux Kernel for example. The Linux Kernel is one gigantic, glorious and wonderful shit heap of code. It is riddled with security problems. There are probably 2000 functions that do the same thing spread out over the code base. The GPL has been awful for the kernel at times since developers writing drivers... which of course are always monolithic... must either reinvent wheel after wheel after wheel (rbtree.h and rbtree.c for example) since the GPL on that code means that they can't use that code for closed source drivers on other operating systems. The network stack as it stands right now has grown far too complex and can never be rewritten as the project would be too large. There needs to be a revisit to devfs and procfs to make it cleaner and more secure. Oh.... and if someone were to completely drop the unix file permissions model and implement something more intelligent, that would only require rewritting most file systems and probably... you know what... it's not even worth trying to map that scope.

      Linux gets fixed quick.

      But it has a development team which is paid for ... in a distributed fashion.

      And it has project management.

      And it has testers.

      And it has extensive quality control.

      Which works kinda ok...

      As for open vs. closed... I discovered about 50 minor to devastating zero-days in a specific Cisco product which most governments depend on this year. What's worse is, I wasn't looking for them. I stumbled on them while writing some code. I have not released them and I can't seem to figure out who to talk with at Cisco to get them sorted... unless I release them and screw all my customers by doing so. And I have deadlines to meet... and I just don't have the time to deal with it.

      Here's the kicker.... 3/4 of the hacks were because Cisco blindly uses open source products (they follow licenses) which if you don't apply patches weekly or more often are security disasters. Then, there's the issue that if they patch those products, then they have to write new code to work with the patches. Which they don't... so they don't patch the open source code. So they don't get the security fixes.

      That means, vulnerable versions of JBoss, OpenSSL, Java, MySQL and far more. Even if Cisco's tools were open sourced, it is perfectly clear to me that their QA team doesn't employ unit tests or automated testing. So those vulnerabilities are actually in poorly managed open source code within a commercial product.

      So.... thankfully you posted that as AC, you'd only embarrass yourself otherwise.

    24. Re:Wait, what?! by bn-7bc · · Score: 2

      Hmm, well if unix premisions are not enugh, giva ACLs a try, if that is not enugh there is alwaysSElinux (but that might be overkill). As for the kernel, procfs and the network stack, I'll take your word for it as I'm not a programmer. I don't think anyone clamis Linux, ot any other os for that matter, is perfect, there are all areas where things can be done betterin any project.

    25. Re:Wait, what?! by Anonymous Coward · · Score: 0

      I suppose some people might say that the greatest problem with the open source is people like you... I know that I have been involved with multiple open source projects until people like you came around and I decided it's just not worth my effort.

      Yeah, those poor little snowflakes. Won't someone think of the special snowflakes who would have suddenly become such assets, if everyone just accepted them being absolute fucking idiots.

      He is attempting to raise awareness as well as advocate merits of open source while suggesting people shouldn't just blindly expect the code to be perfect.

      He is no such thing. He's a bloody concern-troll, who's spreading misinformation or plain lies.

      The GPL has been awful for the kernel at times since developers writing drivers... which of course are always monolithic... must either reinvent wheel after wheel after wheel (rbtree.h and rbtree.c for example) since the GPL on that code means that they can't use that code for closed source drivers on other operating systems.

      WTF? That statement is not even internally consistent. People having to "reinvent the wheel" for their own closed source projects on other operating systems is bad for the Linux kernel? Holy shit, that's some downside to the GPL. Of course the Linux and GNU projects are all about writing code other people can use in their own systems for free while contributing fuck all back. How stupid of me.

      But it has a development team which is paid for ... in a distributed fashion.

      Partially true. There are still a significant spare time contributors. However, who exactly pays the bills are completely beside the point. This is about closed vs open source, not who pays the bills.

      And it has project management.

      I wasn't aware that open source projects were forbidden from managing themselves..,

      And it has testers.

      So? Again, is this something which you're only allowed to do if you are a closed source company? Actually, you'd have been more relevant if you had written, "And they actually have testers", since that seems to be the latest vouge in closed source; firing your testers and spend the money on blackjack and hookers.

      And it has extensive quality control.

      Again, being open source, this is forbidden? WTF? What planet are you even from?

      Cisco product which most governments depend on this year. What's worse is, I wasn't looking for them. I stumbled on them while writing some code. I have not released them and I can't seem to figure out who to talk with at Cisco to get them sorted... unless I release them and screw all my customers by doing so. And I have deadlines to meet... and I just don't have the time to deal with it.

      And this is a falling with OSS rather than fucking CISCO because why? "Herpa-derp, I can't figure out who to talk to at CISCO, so let's blame those OSS-hippies instead!" Yeah, right.

      Here's the kicker.... 3/4 of the hacks were because Cisco blindly uses open source products (they follow licenses) which if you don't apply patches weekly or more often are security disasters. Then, there's the issue that if they patch those products, then they have to write new code to work with the patches. Which they don't... so they don't patch the open source code. So they don't get the security fixes.

      And how is this an OSS problem? If CISCO includes OSS components in their products, it's their problem. It's their product, it's their responsibility to keep this working in a satisfactory manner. Again, you seem to implicate that if they only stayed away from those OSS-hippies everything would be fine and dandy. There is no basis for any such claim.

      Basically, you seem to have a whole host of gripes, mainly with CISCO, and then you proceed to blame them on OSS. I wonder who it is who actually embarrassed himself, looking through your post.

    26. Re: Wait, what?! by Anonymous Coward · · Score: 0

      Spot on.

    27. Re:Wait, what?! by Anonymous Coward · · Score: 0

      I've worked in the Ministry of Foreign Affairs before, in a country where you have to pass a selective exam to work there. I've also worked in academia and a little in the private sector. The government bar was the highest on several dimensions, largely because external folks are waiting to pounce on everything you say, and your bosses are people who do not enjoy appearing like fools in public. And deadlines are tight, and hit every single day. "Negotiations are starting in 1.5 hours and our negotiators at the UN need to know X, as a result of the negotiations last night that went until 3AM."

      Now, there was a significant difference between the foreign policy folks (who would work 70 hours a week, in particular if a crisis was happening...otherwise, 50 hours was fine, and this doesn't include traveling) and the administrative folks.

      My biggest lesson from working in government? Governments are not homogeneous entities. Much like countries, corporations, or any other large group.

  2. "May eyes makes all bugs shallow" is BULL by Anonymous Coward · · Score: 0

    Go ahead. Dig into OpenSSL code and tell us if there are any more bugs lurking in there.

    Let's put it this way: Somewhere in OpenSSL code, there has to be a pony.

  3. NT Pipe Support? by Dwedit · · Score: 3, Interesting

    What exactly is NT Pipe Support supposed to even do? Why would you need it on a file server?

    1. Re:NT Pipe Support? by halfgaar · · Score: 2

      I tried disabling it, and immediately got calls from people that 'a trust relationship can't be established with the central logon server' or some such thing when they tried to log in.

    2. Re:NT Pipe Support? by Sperbels · · Score: 3, Informative

      It's a setting that turns on/off the ability to make anonymous connections to the windows IPC named pipes service.

    3. Re:NT Pipe Support? by Anonymous Coward · · Score: 0

      https://en.wikipedia.org/wiki/Named_pipe#In_Windows

    4. Re:NT Pipe Support? by williamyf · · Score: 3, Informative

      Submitter here.

      From the SUMARY: "The change will prevent clients from fully accessing some network computers and may disable some expected functions for connected Windows machines."

      So, it seems that your connected Windows machines use the expected functions that the setting disables.

      Go figure.

      Good though to know one of the error messages that may arise after turning of the setting.

      --
      *** Suerte a todos y Feliz dia!
    5. Re:NT Pipe Support? by thegarbz · · Score: 4, Informative

      From the manual:

      nt pipe support

      This global option is used by developers to allow or disallow Windows NT/2000/XP clients the ability to make connections to NT-specific SMB IPC$ pipes. As a user, you should never need to override the default:

        [global]
              nt pipe support = yes

    6. Re:NT Pipe Support? by Aighearach · · Score: 2

      Instead of that setting, you can also mount the filesystem for the samba shares using the noexec option. Not sure if that also impacts windows access, though.

      Some SELinux configurations, such as on RHEL/Centos will prevent this too. "SELinux is enabled by default and our default policy prevents loading of modules from outside of samba's module directories and therefore blocks the exploit." For people more affected by it, copying the SELinux configuration might be the best short term option, though it is a lot more work than changing the mount options.

    7. Re: NT Pipe Support? by Anonymous Coward · · Score: 0

      You need it when you use a domain with login profiles. On a normal NAS for home use you should be able to disable it without many issues (file locking won't work anymore!)

  4. Samba connected to the Internet? by green1 · · Score: 4, Insightful

    I think you'd find the risk can be mitigated significantly by simply not allowing Samba to connect to the Internet, I can't think of any reason why you'd do that anyway. It's designed for local resource sharing, not Internet transfers.

    1. Re:Samba connected to the Internet? by TheRaven64 · · Score: 4, Informative

      Unfortunately, it just takes one compromised machine entering your network for that to be an issue. If someone leaves it enabled on their laptop at some open WiFi access point, gets infected, and then connects to your corporate network, then a worm can propagate. Fortunately, there probably aren't enough machines running Samba (macOS switched to Apple's own CIFS implementation since Samba went GPLv3) for it to be easy to propagate (though if someone combined it with the recent Windows SMB vulnerability, then you'd have an interesting worm).

      --
      I am TheRaven on Soylent News
    2. Re:Samba connected to the Internet? by thegarbz · · Score: 2

      I can't think of any reason why you'd do that anyway

      stupidity?

    3. Re:Samba connected to the Internet? by Anonymous Coward · · Score: 0

      This is why no computers should ever be connected to the internet.

      If samba should not be connected to the Internet because it is somehow "unsafe" then so is all other software and should not be connected to the internet either (including firewalls). There are bugs in all software. Connecting a machine to the internet is a calculated risk. Samba is perfectly fine to expose to the internet... just don't put secret or important files on it, same as any other service.

  5. And you think NO ONE knew this? by Anonymous Coward · · Score: 0

    WRONG!

    1. Re: And you think NO ONE knew this? by Anonymous Coward · · Score: 0

      A 7 year old bug was FOUND in Samba.

      Sad.

  6. No he was not the first by klingens · · Score: 1, Informative

    This is a classic slashdot dupe.
    https://it.slashdot.org/story/...

  7. Maybe Apple was right by TheFakeTimCook · · Score: -1

    Several years ago, Apple stopped including SAMBA in OS X, and instead developed their own SMB protocol stack from scratch.

    At the time, it seemed like an odd move for an OS that already contained many F/OSS Projects.

    But maybe they knew something that made them feel like it wasn't a salvageable Project...

    1. Re:Maybe Apple was right by Anonymous Coward · · Score: 4, Informative

      Wrong. Apple switched because Samba changed its license to GPLv3.

    2. Re:Maybe Apple was right by Anonymous Coward · · Score: 0

      Given Apples track record with other OSS projects its more likeley Apple just could not interact well with the upstream project. Im thinking in particular of the KHTML/WebKit fiasco

    3. Re:Maybe Apple was right by TheFakeTimCook · · Score: 1

      Given Apples track record with other OSS projects its more likeley Apple just could not interact well with the upstream project. Im thinking in particular of the KHTML/WebKit fiasco

      The "fiasco" that resulted in nearly every single browser switching to WebKit? That one, right?

      Tells me that the real problem was with the KHTML Projext, not WebKit.

    4. Re:Maybe Apple was right by TheFakeTimCook · · Score: 1

      Wrong. Apple switched because Samba changed its license to GPLv3.

      So, if that's the real reason, that means that most Slashdotters would agree with Apple's decision to go their own way, right?

  8. Until you have any idea what he's talking about by raymorris · · Score: 2, Interesting

    That's the biggest and possibly stupidest straw man on the internet. Read the syntax before after to have a clue about context, or even look up the difference between deep and shallow problems. He didn't say "given enough eyeballs, there are no bugs". In fact, he said there ARE bugs, and he talked about methods of fixing the bugs that are found. Again, he didn't say "given enough eyeballs, there are no bugs". He said the bug would be shallow to someone.

    Traditionally the proprietary model is that one programmer owns a module. The same same programmer who wrote the module (and the bug) is supposed to find and fix his own mistake. That model assumes that the person who misunderstood the effects of the ode when he wrote it will magically understand it correctly later. The person who didn't get it right the first time is expected to find their own mistake and magically know the best thing to do instead, the best way to fix it.
      Which *is* kinda stupid.

    The difference with Linux development model was, Linus said "Somebody finds the problem, and somebody else understands it". Nobody needs to bang their head against the wall for two days trying to figure out a deep bug, to understand why it's wrong, then how it should be rewritten to make it right.

    Instead, when shellshock was discovered hundreds of developers looked at the code. Some saw part of the problem, and suggested partial solutions. Florian Mueller's eyes were also on it and he immediately saw what needed to be done. Within 24 hours the community had discussed it and agreed on Florian's solution. Compare Microsoft IE bugs like the vary header bug which was known for 10 years before it was fixed properly; a half-ass bandaid came out seven years after Microsoft publicly ackowledged the bug, but the programmer it was assigned to didn't see a good way to fix it.

    Here's the full quote from ESR in context:
    --
    [Linux avoided] f any serious bug proved intractable. Linus was behaving as though he believed something like this:
    8. Given a large enough beta-tester and co-developer base, almost every problem will be characterized quickly and the fix obvious to someone.
    Or, less formally, "Given enough eyeballs, all bugs are shallow.'' I dub this: "Linus's Law''.
    My original formulation was that every problem "will be transparent to somebody''. Linus demurred that the person who understands and fixes the problem is not necessarily or even usually the person who first characterizes it. "Somebody finds the problem,'' he says, "and somebody else understands it."
    ----

    1. Re:Until you have any idea what he's talking about by williamyf · · Score: 1

      Is the quote from V1 of TCATB that I read in 1996? or the quote of the current version (3.x I believe)?

      Anyhow. "almost every problem will be characterized quickly". Well, this is one of the ones who forces you to use almost instead of always.

      Again. FOSS is cool. and many eyes are nice. But many eyes are not a panacea or a silver bullet.

      --
      *** Suerte a todos y Feliz dia!
  9. Linux in firmware for NAS and other Dohickeys by williamyf · · Score: 2

    Submitter here.

    I've been following this with a lot of attention. (here is The Register's take on the matter, by the way: https://www.theregister.co.uk/... )

    And I, as many other commenters, think that the real problem is not on linux servers or Workstations with supporrted distros, for which patches already exist, but rather, on many Abandoned Distros, many cheapo NAS boxes, home Routers, IoT stuff and other dohickeys that use Linux on their firmware behind the scenes. I've a synology DS1515+ in my lab at home, and the bug was squashed on may 25, but the fix has not yet propagated to my NAS via automatic updates, but at least there is a fix (and no, SMB is not open to the Internet).

    Now, think of those cheapo NAS boxes that do not see a firmware update in years, or those routers with a USB port in the back to slap a USB HDD and "share files effortlessly", or Distros like one of my old time favourites Damn Small Linux. Those are likely So Out of Luck...

    No, I do not think this will be a SaMBaPOCALIPE, but I will be bad for some people.

    --
    *** Suerte a todos y Feliz dia!
    1. Re:Linux in firmware for NAS and other Dohickeys by Anonymous Coward · · Score: 0

      I tried sharing files on my home Cisco router and it doesn't even support user ID's ...

    2. Re:Linux in firmware for NAS and other Dohickeys by goombah99 · · Score: 1

      How can I test my NAS? I have no way to look at it's internals. But maybe there is an external way to do this (e.g. run the worm?)

      --
      Some drink at the fountain of knowledge. Others just gargle.
    3. Re:Linux in firmware for NAS and other Dohickeys by F.Ultra · · Score: 1

      Still an attacker needs access to a account on your samba share with write access because he needs to first upload a library with his payload and then tell samba to execute it.

    4. Re:Linux in firmware for NAS and other Dohickeys by thegarbz · · Score: 1

      Nothing really is out of luck. These machines should not be exposed to the wider internet. People who are stuck in a situation where this affects them should look in general at their network management rather than this specific bug.

      NASes and similar should be internal to the network.
      Routers which are exposing samba to the wider internet ... well let me say I'm not concerned about the samba bug but rather the entire device itself. Those "share files effortlessly" on the WAN side should never be doing it via samba, and (I hope) the vast majority of them do it via some web interface instead. One which likely has more holes in it that this exploit.

    5. Re:Linux in firmware for NAS and other Dohickeys by williamyf · · Score: 2

      Submitter here:

      Even if machines or NASes are internal to the network, someone may send you a boobytrapped email or webpage, and infect the suceptible machines from INSIDE the network, sort of like one of the modes of contagion from the WCry worm

      --
      *** Suerte a todos y Feliz dia!
    6. Re:Linux in firmware for NAS and other Dohickeys by williamyf · · Score: 1

      Submiter here:

      You can use metasploit, which already has incorporated this bug.

      From the article on "El'Reg"

      "Re: Samba bug, the metasploit one-liner to trigger is just: simple.create_pipe("/path/to/target.so")"

      --
      *** Suerte a todos y Feliz dia!
    7. Re:Linux in firmware for NAS and other Dohickeys by goombah99 · · Score: 1

      I just contacted TP-Link the maker of Archer routers. They claim that they use Linux but they do not use SAMBA. I'm skeptical. Is there something other than SAMBA for doing SMB communications on Linux?

      --
      Some drink at the fountain of knowledge. Others just gargle.
    8. Re:Linux in firmware for NAS and other Dohickeys by thegarbz · · Score: 1

      If you can write an email to either automatically do or manually convince a user to upload a specially crafted payload to a writable share, no amount of patching it going to render that network safe.

      This is orders of magnitude harder to do from outside the network as you require knowledge of the network setup itself. Then you need to craft an attack specific to that network, and then you need to get the user to fall for that attack. Too hard, just get a user to type in his bank details into a phishing site and call it a day.

      By not connecting the network to the outside world this attack becomes so many orders of magnitude harder as to almost be rendered irrelevant. It is very different from Wannacry which was not only self-replicating, but didn't rely on network configuration itself. i.e. the presence of the service was enough for the attack to work. For Sambacry you need to know details about the setup which are defined by the user, not by the programmer. Without a view into the network it's similar to having a password infront of the exploit.

      Unless you get users to execute arbitrary code at which point I say again: what's the point of the attack if you own the user.

    9. Re:Linux in firmware for NAS and other Dohickeys by xvan · · Score: 1

      Assuming you earned limited access to a private network, you can use this bug to escalate privileges.

    10. Re:Linux in firmware for NAS and other Dohickeys by Anonymous Coward · · Score: 0

      There is a chance that they are performing file sharing over http/https. Look into documentation on how to use the file sharing features of your router. If it has you browsing the files via a web interface there is a good chance SMB is not involved, if they instruct you on how to map a share you should be more concerned.

    11. Re:Linux in firmware for NAS and other Dohickeys by thegarbz · · Score: 1

      Which brings me back to my original comment: Bug mostly defeated by network design which reduces its severity by orders of magnitude.

    12. Re:Linux in firmware for NAS and other Dohickeys by goombah99 · · Score: 1

      it's an smb connection for sure. They are claiming they don't use SAMBA for that. I doubt them.

      --
      Some drink at the fountain of knowledge. Others just gargle.
  10. Exactly. by Anonymous Coward · · Score: -1

    Back when I did use FOSS, I didn't have the inclination, the time nor the skills to examine the hundreds of thousands (millions?) of lines of code written in a myriad of languages.

    It's just not possible for an individual who also needs to get things done.

  11. SELinux by Anonymous Coward · · Score: 1

    Note that SELinux stops this vulnerability in default configuration.

    1. Re:SELinux by Anonymous Coward · · Score: 1

      ayy lmao
      and introduces how many others?

  12. that's not what it means! by serviscope_minor · · Score: 1

    That's not what the quote about many eyes means!

    It doesn't mean that bugs are magically found in open source software. It means that when bugs are found, the cause is generally located quickly because it makes the bugs appear shallow (easy to fix) not deep.

    --
    SJW n. One who posts facts.
  13. How can I test for this on my router? by goombah99 · · Score: 1

    I have an Archer router which mounts a USB disk and servers it by SMB connection. I'm not skillful enough to know how to look at the router's intimate details. But I would like to know if it's suceptible to this bug. Is there a way one can test this from outside the device?

    --
    Some drink at the fountain of knowledge. Others just gargle.
    1. Re:How can I test for this on my router? by Anonymous Coward · · Score: 0

      Use one of the many online nmap services to scan your own IP for open ports

  14. SambaCry by Anonymous Coward · · Score: 1

    Check this link for a description of SambaCry

    https://unix.stackexchange.com/questions/367138/wannacry-on-linux-systems-how-do-you-protect-yourself/367148

  15. Hight time to move SMB/CIFS into systemd! by Anonymous Coward · · Score: 0, Funny

    Why the heck is this not integrated into the main part of the OS yet? As long as these neck beards keep writing stupid old-school code we will have these problems!

  16. How many years would the bug persist if only... by peter+hoffman · · Score: 2

    But the original submission also points out that while the patch came in fast, "the 'Many eyes' took seven years to 'make the bug shallow'." How many years would the bug persist if only a few eyes were looking at the code?

    1. Re:How many years would the bug persist if only... by Anonymous Coward · · Score: 0

      42

  17. I don't get it. by xvan · · Score: 1

    Why would anybody expose a Samba server to the internet?

    1. Re:I don't get it. by goombah99 · · Score: 1

      you usually don't. But once this thing gets trojaned onto one computer on an intranet, it worms the whole thing.

      --
      Some drink at the fountain of knowledge. Others just gargle.
  18. And worms aside by Sycraft-fu · · Score: 1

    It can let an attacker move laterally in your network. The "But it is behind a firewall I don't have to worry," is not good security. Someone gets in to your network they are behind the firewall and can make use of it. So they do something like get on to a user's workstation because said user is a dope who will click anything. Ahh but you aren't worried, after all said user doesn't have access to any important data, isn't a local admin and is running Windows. All the important Linux stuff is safe. ...however this vulnerability is still live. So they use that system they are on to scan your Linux shit, find this, and exploit it to move in to those systems. Now suddenly they've infected a bunch of your systems, more important ones, and at a higher privilege. From there they can hop around further. For example maybe you or one of your other admins is lazy and uses SSH keys to auth, and just stores the private key in your home directory for convenience. They get root on a system, find this key, and now can SSH to any Linux system on your network.

    Pretty quick everything is owned thoroughly. The fact that vulnerable stuff was behind your firewall meant little, because they found another way in.

  19. older version it was a semicolon or comma. Debuggi by raymorris · · Score: 1

    The original had it as one sentence with a semicolon or comma as I recall. So you just had to read the entire syntax to understand he was talking about the process after a bug is discovered. The current version has a period, dividing it into two sentences.

  20. Autocorrect fail: Sentence, not syntax by raymorris · · Score: 1

    My phone wants to say "syntax" everywhere. That should be "sentence". As I recall, in the original text one had to quote just the first four words of the sentence in order to pretend it's not about what happens after a bug is discovered. And ignore the first two words "all bugs" (clearly saying there ARE bugs), plus ignore "are shallow" (the bugs are shallow to fix, not non-existent). So you'd have to a) pull four words out of context and b) ignore the plain meaning of those four words.

  21. My example finding a bug in the kernel by raymorris · · Score: 4, Insightful

    The words Linus used at the time to clarify the debugging process were:
    "Somebody finds the problem, and somebody else understands it."

    Here's my own personal example. I discovered that there was a bug in the storage stack, which caused writes to eventually fail under certain conditions. I had no idea where in the code the problem might be; didn't know which source file to start looking in. I posted the problem to the appropriate mailing list (LVM-DEVEL). Somebody on that list immediately recognised that a different group, a different mailing list actually owned the problem, md-devel.

    I posted the problem on md-devel. Somebody quickly replied that the problem would most likely to be found in a certain source file, and told me how to start debugging it. I did as he suggested and an hour later got to the end of my ability again, so I posted the results. Neil Brown, Linux RAID maintainer, looked at my results and knew exactly what must have caused it. He emailed me a fix for the within a few minutes. After I tested the fix, Neil committed it to the kernel repo.

    It would have been impossible for me to fully characterise the problem myself, much less fix it. Neil Brown knew the code inside and out but never saw the bug until I pointed it out. With three or four sets of eyes on it from different perspectives, we found and fixed a tricly bug without any of us spending days trying to figure things out. What I found made the issue transparent to Neil, though it was totally opaque to me.

    1. Re:My example finding a bug in the kernel by Anonymous Coward · · Score: 0

      Comments like this are super important. FOSS is nothing without its users to report problems; devs can't fix what they don't know about.

  22. The "Many Eyes" Thing is BS by SwashbucklingCowboy · · Score: 0

    Two things here:

    1. It's more applicable to once a bug is known than to finding new bugs.

    2. Even then it still fails though, as there was a bug in BSD readdir for nearly 25 years. Samba developers had coded around the bug rather than try to fix it. See http://www.osnews.com/story/19...

  23. Not as common as Windows Architectures? by blackpaw · · Score: 1

    because Samba is just "not as common as Windows architectures.

    There are a *lot* of NAS devices out there running linux with default SMB shares. Updates take some time for them to be prepared - if they are at all. Even longer for them to be installed by users - if they are at all.

    Worse, there are probably even more MFD's (Copy/Scan/Print/Fax) devices in every business, corporate, enterprise etc. And they almost all run embedded linux with Samba and default shares, for document storage, scans, secure print etc. And they will almost never be updated - Canon, Ricoh, Xerox, Sharp, Toshiba etc.