
Security Bulletin: Vulnerability in Open Source Samba affects IBM Netezza Host Management

2019-10-18 03:36:34
www.ibm.com

CVSS3: 5.4 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: LOW
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

CVSS2: 5.5 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:S/C:N/I:P/A:P

Summary

Open Source Samba is used by IBM Netezza Host Management. IBM Netezza Host Management has provided a mitigation for the applicable CVE.

Vulnerability Details

CVEID: CVE-2019-3880
DESCRIPTION: Samba could allow a remote authenticated attacker to traverse directories on the system. An attacker could send a specially-crafted "winreg_SaveKey" request to create a new registry hive file outside a Samba share.
CVSS Base Score: 6.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/159188 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)

Affected Products and Versions

  • IBM Netezza Host Management 5.2.1.0 - 5.4.24.0

Remediation/Fixes

None

Workarounds and Mitigations

Mitigation of the reported CVE-2019-3880 on the following platforms:

PureData System for Analytics N1001
IBM Netezza High Capacity Appliance C1000
IBM Netezza 1000
IBM Netezza 100

PureData System for Analytics N200x and N3001

Execute the steps below as the root user on both the ha1 and ha2 hosts.

Step 1. Check if Samba module is installed in the host
[host]# rpm -qa | grep samba

Step 2. Check if Samba service is running
[host]# /etc/init.d/smb status

Step 3. If Samba service is running, stop the smb service
[host]# /etc/init.d/smb stop

Step 4. Backup the /etc/samba/smb.conf file
[host]# cp /etc/samba/smb.conf /etc/samba/smb.conf_backup

Step 5. Edit /etc/samba/smb.conf and set one of the following parameters:

Either turn off SMB1 by setting the global parameter:

#============ Global Settings ==========

[global]
min protocol = SMB2

OR,

If SMB1 is required, turn off unix extensions by setting the global parameter:

[global]
unix extensions = no

Step 6. Start the smb services using below command:
[host]# /etc/init.d/smb start

Note: If the Samba configuration file smb.conf is changed in future, verify that the settings above are still in place. If they have been removed, re-apply the mitigation by following steps 2 to 6.
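The following shell script is an added example and is not part of the IBM bulletin or of the Netezza appliance software. It carries out Steps 4 and 5 (backup, then add the mitigating parameter under [global]) against a file path, and provides the re-check the Note above asks for, so it can be rehearsed on a copy of smb.conf offline before being pointed at /etc/samba/smb.conf on ha1 and ha2. Stopping and starting the smb service (Steps 3 and 6) are left to the operator. The function names, the sample smb.conf contents and the acceptance of "server min protocol" (the newer Samba spelling of "min protocol") are this example's assumptions, not something the bulletin states.

```shell
#!/bin/sh
# Added example (not from the IBM bulletin): apply and re-check the smb.conf
# part of the CVE-2019-3880 mitigation (Steps 4 and 5, and the closing Note)
# against a file path. Stopping and starting smb (Steps 3 and 6) stay manual.
# Function names and sample data are this example's own.

# smb_conf_mitigated FILE
# Exit 0 when the [global] section either disables SMB1 ("min protocol", or
# its newer synonym "server min protocol", set to an SMB2/SMB3 dialect) or
# turns "unix extensions" off; exit 1 otherwise. Like Samba, it ignores case
# and whitespace in parameter names and skips '#' and ';' comment lines; a
# setting placed under a share section instead of [global] does not count.
smb_conf_mitigated() {
    awk '
        /^[ \t]*\[/ {                       # section header such as [global]
            sec = tolower($0)
            sub(/^[ \t]*\[/, "", sec); sub(/].*$/, "", sec)
            next
        }
        sec == "global" && !/^[ \t]*[#;]/ && /=/ {
            line = tolower($0)
            eq = index(line, "=")
            key = substr(line, 1, eq - 1); val = substr(line, eq + 1)
            gsub(/[ \t]/, "", key)          # "min protocol" == "minprotocol"
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if ((key == "minprotocol" || key == "serverminprotocol") && val ~ /^smb[23]/) ok = 1
            if (key == "unixextensions" && (val == "no" || val == "false" || val == "0")) ok = 1
        }
        END { if (ok) exit 0; exit 1 }
    ' "$1"
}

# smb_conf_mitigate FILE
# Step 4 and Step 5 as one idempotent operation: keep FILE_backup (never
# overwriting an earlier backup of the original), then, unless FILE is already
# mitigated, insert "min protocol = SMB2" directly under the [global] header.
# Hosts that must keep SMB1 would insert "unix extensions = no" there instead.
smb_conf_mitigate() {
    f=$1
    [ -e "${f}_backup" ] || cp "$f" "${f}_backup" || return 1
    smb_conf_mitigated "$f" && return 0
    awk '{ print }
         !done && tolower($0) ~ /^[ \t]*\[global][ \t]*$/ {
             print "\tmin protocol = SMB2"; done = 1
         }' "$f" > "$f.tmp" || return 1
    cat "$f.tmp" > "$f" && rm -f "$f.tmp"  # cat keeps the original mode/owner
    smb_conf_mitigated "$f"                # fails if FILE had no [global]
}

# Stand-alone run on a constructed smb.conf (not a real appliance file).
tmp=$(mktemp -d)
printf '[global]\n\tworkgroup = WORKGROUP\n\tunix extensions = yes\n\n[share]\n\tpath = /export\n' > "$tmp/smb.conf"
smb_conf_mitigated "$tmp/smb.conf" && echo "already mitigated" || echo "not mitigated, applying"
smb_conf_mitigate "$tmp/smb.conf" && echo "mitigated; original kept at $tmp/smb.conf_backup"
cat "$tmp/smb.conf"
rm -rf "$tmp"
```

Two practical caveats when running this against the real file: "min protocol = SMB2" makes smbd refuse SMB1-only clients, which is why the bulletin offers "unix extensions = no" as the alternative for hosts that still need SMB1; and it is worth running `testparm -s /etc/samba/smb.conf` after the edit and before Step 6 so that a syntax slip in smb.conf is caught before the service is restarted.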

CPE: ibm puredata system (operator: eq, version: any)
