This thread is to track and register information in regards to the Badlock bug, which is scheduled to release on April 12th 2016 at around 1700 UTC. As soon as we have a fix we will need extensive and concentrated testing. More details will follow.
We will NOT be producing a badlock patch for ClearOS 5. ClearOS 5 has been EOL since last December. If you are running ClearOS 5, now is a good time to upgrade. If you have a qualifying license for ClearOS 6 or 7, the engineers at ClearCenter can upgrade your configuration settings to retain your directory, users, and many settings. It typically takes 2 business days to upgrade your configuration backup to a modern version. If they get an influx it can take a little longer.
Q: What can I do to protect my system running ClearOS 5 from Badlock while I wait or work on my update to a newer version of ClearOS?
A: The Badlock bug affects the protocol used by the CIFS protocol. To prevent compromise stop and disable your Samba stack:
service smb stop
service nmb stop
service winbind stop
chkconfig smb off
chkconfig nmb off
chkconfig winbind off
If you insist on running ClearOS 5 with the badlock bug, be advised that ClearOS, by default, firewalls these ports to the outside world and this bug will not have an Internet-based exploit on a properly configured ClearOS 5 machine. However, your LAN will be subject to compromised data should any local user or local virus or trojan decide to explore and exploit the bug.
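Added example, not from the thread or from ClearOS: a script to confirm that the ClearOS 5 workaround above actually took effect, by checking for anything still listening on the NetBIOS/SMB ports and for Samba services still enabled at boot. It assumes (the page does not say) that `netstat -tuln` or `ss -tuln` and `chkconfig --list` are available for a live check; the socket table and chkconfig lines used in the offline run are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: verify the "stop and disable Samba"
# workaround. Assumptions not stated on the page: a live check uses
# `netstat -tuln` (present on ClearOS 5) or `ss -tuln`, plus `chkconfig --list`;
# the sample socket table below is constructed.

SMB_PORTS="137 138 139 445"

# Read a netstat/ss-style socket table on stdin and print each local
# "addr:port" bound to one of SMB_PORTS, one per line, de-duplicated.
# Every field is inspected, so the netstat and ss column layouts both work.
smb_listeners() {
    while read -r line; do
        for field in $line; do
            case "$field" in
                *:*) port=${field##*:} ;;
                *)   continue ;;
            esac
            for p in $SMB_PORTS; do
                if [ "$port" = "$p" ]; then
                    echo "$field"
                    break
                fi
            done
        done
    done | sort -u
}

# Given one `chkconfig --list NAME` line, succeed if NAME is "on" in any
# runlevel (i.e. the service would come back at the next boot).
chkconfig_line_enabled() {
    case "$1" in
        *:on*) return 0 ;;
        *)     return 1 ;;
    esac
}

# Live check: returns 0 when nothing listens on the SMB ports and none of the
# Samba services is enabled; prints what it finds and returns 1 otherwise.
verify_samba_disabled() {
    status=0
    if command -v netstat >/dev/null 2>&1; then
        found=$(netstat -tuln 2>/dev/null | smb_listeners)
    elif command -v ss >/dev/null 2>&1; then
        found=$(ss -tuln 2>/dev/null | smb_listeners)
    else
        found=""
    fi
    if [ -n "$found" ]; then
        echo "still listening on SMB ports:"; echo "$found"; status=1
    fi
    if command -v chkconfig >/dev/null 2>&1; then
        for svc in smb nmb winbind; do
            if chkconfig_line_enabled "$(chkconfig --list "$svc" 2>/dev/null)"; then
                echo "$svc is still enabled at boot"; status=1
            fi
        done
    fi
    return $status
}

# Constructed sample socket table (not captured from a real host).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
udp        0      0 192.168.1.1:137         0.0.0.0:*'

echo "sample table -> SMB listeners still open:"
printf '%s\n' "$SAMPLE_NETSTAT" | smb_listeners

if verify_samba_disabled; then
    echo "live check: Samba is stopped and disabled"
else
    echo "live check: mitigation incomplete"
fi
```

Run it after the `service ... stop` / `chkconfig ... off` commands; anything it prints under "still listening" or "still enabled at boot" is a step that did not take.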
You can monitor the status of Bad Lock (CVE-2016-2118) here:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-2118
ClearCenter's official response to Bad Lock will be listed here as the bug is resolved:
https://sfj48-fkj200.heiksthsd.cf/resources/documentation/clearos/content:en_us:announcements_cve_cve-2016-2118
If you are interested, you can watch the build process here:
http://koji.clearos.com/koji/clearos/index
Currently we have the main packages but not some of the dependencies to build the 7 version.
Mike Edwards wrote:
So the samba updates this morning borked our ClearOS 6 Business PDC, causing machine trust accounts to fail. Is this a known issue? I can't get anyone on the phone and my support ticket has not been responded to yet.
There was an end user on the samba-technical mailing list reporting the same problem. I have no idea if it's a good one, but his solution was to change the following smb.conf parameters in the global section:
client signing = required
server signing = auto
Important note: you should not yet have seen the Badlock Samba updates on a ClearOS box! There are only two ways to get the update:
- Through the "clearos-updates-testing" repository. These updates were pushed through over the last 12 hours but the repo is disabled by default.
- Directly through the CentOS repository. The update was pushed out around 2 a.m. Eastern, but this repo (called "centos-unverified") is disabled by default.
As of the last few weeks, the default repository policies were changed in ClearOS. We shipped 6.7 and 7.2 with ClearOS pointing directly to the CentOS repos, but we have since pushed an update out so that ClearOS points to mirrors that we maintain. We keep these mirrors 1-7 days behind upstream CentOS just for this kind of reason -- an upstream update can occasionally cause a lot of grief. Perhaps your system did not have this ClearOS update installed and the old mirror policy was still in place?
Edit: 6.8 -> 6.7
Peter Baldwin wrote: [quoted in full above]
Thanks for the info! Both of those repos are indeed disabled so I wonder if we still got the update straight from CentOS.
Yeah, we found part of that solution and were able to get most folks logged in by adding "server signing = auto" but still had a few issues like some network shares not being mapped due to "no logon servers found". We did not add the "client signing = required" but maybe that will help.
I have since gotten a response to my ticket and sent some logs. We'll see what they say. I am spinning up a v7 PDC just in case I have to move to it.
Thanks,
Mike
client signing = required
server signing = auto
This worked in our installation for machines that simply couldn't connect after the update; however, we had one Windows Server 2012 installation and one Windows 8.1 x64 installation on which I had tried disconnecting from the domain and reconnecting, which failed. It did not resolve problems with these two machines. I was able to use System Restore on the Windows 8.1 machine to go back to an April 11 restore point and connect to the domain. I was then able to update this machine and all is well. Still searching for a solution for the Windows 2012 Server since there is no restore point option. This machine will connect to the domain and shows all other Windows machines on the network, but does not show either of our ClearOS installations, neither our main V6.8 server nor a V7 test machine. Continuing to research solutions and have an open support ticket. Welcome any ideas from forum members.
Some users have reported errors with ClearOS 6 where their machines picked up an update from the CentOS repo instead of the ClearOS repo. This doesn't normally happen if your server has been regularly updating. Please read this whole post before proceeding with any of the steps. The symptom is that you may have the following package on your system for ClearOS 6:
3.6.23-30.el6_7
Run this command:
rpm -qi samba
For ClearOS 6 at this point it should yield the following:
Name : samba Relocations: (not relocatable)
Version : 3.6.23 Vendor: CentOS
Release : 25.el6_7 Build Date: Tue 15 Mar 2016 05:25:09 PM CDT
^^^ This is the right one ^^^
vvv This is the wrong one vvv
Name : samba Relocations: (not relocatable)
Version : 3.6.23 Vendor: CentOS
Release : 30.el6_7
If you have the 3.6.23-30 package at this point in time, you will likely have trust issues and an inability to access shares. There will be a proper version in our repos at a later time, but at this time there seem to be upstream issues with the badlock patch... which is why we test before generally releasing to community, and then we test using the community before going to other versions such as home, professional, and business.
Ok, so if this is what is happening to you then run the following:
yum downgrade libtalloc libtdb libtevent samba samba-client samba-common samba-winbind samba-winbind-clients tdb-tools
You should get a similar output. Please compare the versions so you don't go too far back:
=======================================================================================================================
Package Arch Version Repository Size
=======================================================================================================================
Downgrading:
libtalloc x86_64 2.0.8-1.v6 clearos 21 k
libtdb x86_64 1.2.12-1.v6 clearos 36 k
libtevent x86_64 0.9.18-3.el6 clearos 25 k
samba x86_64 3.6.23-25.el6_7 clearos-centos-updates 5.0 M
samba-client x86_64 3.6.23-25.el6_7 clearos-centos-updates 11 M
samba-common x86_64 3.6.23-25.el6_7 clearos-centos-updates 10 M
samba-winbind x86_64 3.6.23-25.el6_7 clearos-centos-updates 2.2 M
samba-winbind-clients x86_64 3.6.23-25.el6_7 clearos-centos-updates 2.0 M
tdb-tools x86_64 1.2.12-1.v6 clearos 24 k
Transaction Summary
=======================================================================================================================
Downgrade 9 Package(s)
After you have done this, you will need to recover a previous configuration backup that matches this code! If you have already removed a workstation from the domain and rejoined it to the version 30 domain, you will need to disjoin it AGAIN and rejoin it to the new domain. You may also have to reset the winadmin password.
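Added example, not from the thread or from ClearOS: a script that turns the manual check in the post above into something you can run on each ClearOS 6 box. It assumes (the page does not spell these out) that the installed build is read with `rpm -q --qf '%{VERSION}-%{RELEASE}' samba`, that 3.6.23-25.el6_7 is the "right one" and 3.6.23-30.el6_7 the one to back out, and that the expected downgrade targets are the versions in the transaction shown above. The yum transaction used for the offline run is constructed, with one package deliberately planned too far back.

```shell
#!/bin/sh
# Added example, not from the thread or ClearOS. Assumptions not stated on the
# page: the installed build is read via rpm's VERSION-RELEASE query, the
# known-good build is 3.6.23-25.el6_7, and the expected downgrade targets are
# the ones in the transaction shown in the post above.

GOOD_VR="3.6.23-25.el6_7"
SAMBA_PKGS="libtalloc libtdb libtevent samba samba-client samba-common samba-winbind samba-winbind-clients tdb-tools"

# "30" from "3.6.23-30.el6_7": drop everything through the first '-', then the dist tag.
release_number() {
    rel=${1#*-}
    echo "${rel%%.*}"
}

# Classify an installed samba VERSION-RELEASE string:
# ok (the known-good build), regressed (a newer el6_7 build), older, or unknown.
classify_samba() {
    case "$1" in
        3.6.23-*.el6_7) ;;
        *) echo unknown; return 0 ;;
    esac
    n=$(release_number "$1")
    good=$(release_number "$GOOD_VR")
    if   [ "$n" -eq "$good" ]; then echo ok
    elif [ "$n" -gt "$good" ]; then echo regressed
    else echo older
    fi
}

# Print the thread's downgrade command only when it actually applies.
remediation_for() {
    case $(classify_samba "$1") in
        regressed) echo "yum downgrade $SAMBA_PKGS" ;;
        ok)        echo "# samba $1 is already $GOOD_VR, nothing to do" ;;
        older)     echo "# samba $1 predates $GOOD_VR, update normally with yum update" ;;
        *)         echo "# samba $1 is outside the 3.6.23 el6_7 series, check manually" ;;
    esac
}

# Expected target of each package in the downgrade (from the transaction above).
expected_target() {
    case "$1" in
        libtalloc)        echo 2.0.8-1.v6 ;;
        libtdb|tdb-tools) echo 1.2.12-1.v6 ;;
        libtevent)        echo 0.9.18-3.el6 ;;
        samba|samba-client|samba-common|samba-winbind|samba-winbind-clients) echo "$GOOD_VR" ;;
        *) echo "" ;;
    esac
}

# Read yum's transaction table on stdin and print every package whose planned
# version is not the expected one: the "don't go too far back" check.
check_plan() {
    while read -r pkg arch ver rest; do
        case "$pkg" in ''|=*|Package|Downgrading:|Transaction|Downgrade) continue ;; esac
        want=$(expected_target "$pkg")
        if [ -n "$want" ] && [ "$ver" != "$want" ]; then
            echo "$pkg: planned $ver, expected $want"
        fi
    done
}

# Live value when rpm is present; constructed sample otherwise so it runs offline.
installed_samba_vr() {
    if command -v rpm >/dev/null 2>&1 && rpm -q samba >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}-%{RELEASE}' samba
    else
        echo "3.6.23-30.el6_7"   # constructed sample input
    fi
}

# Constructed yum output (not real) with libtdb planned one release too far back.
SAMPLE_PLAN='Downgrading:
 samba        x86_64  3.6.23-25.el6_7  clearos-centos-updates  5.0 M
 libtdb       x86_64  1.2.10-1.v6      clearos                  36 k
Transaction Summary'

vr=$(installed_samba_vr)
echo "installed samba $vr: $(classify_samba "$vr")"
remediation_for "$vr"
echo "packages in the sample plan that would go too far back:"
printf '%s\n' "$SAMPLE_PLAN" | check_plan
```

To use `check_plan` against a real transaction, run the downgrade with `yum downgrade ... --assumeno`, save the output, and pipe it through the function; an empty result means every package lands on the version the post lists.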
Dave Loper wrote: [quoted in full above]
Solved our issue. Thank you for the excellent sleuthing. Can the following lines be safely removed from smb.conf, or do you recommend leaving them in place?
client signing = required
server signing = auto
Also, should smb ports = 139 be added back, if removed?
I'm glad that worked for you Herm, and thanks for reporting back here as well as in our private discussion.
The line 'smb ports = 139' should ALWAYS be removed.
This is a relic of the 'Simple File Sharing' methodology which was using the SMB protocol. There are a few relevant ports in the old methodology such as 137, 138, and 139. But with the introduction of Windows 2000 came the implementation of port 445, which allows for SMB over TCP/IP without NetBIOS. The problem here for Windows 10 and other patches from Windows is that these older protocols are prone to compromise, and so Microsoft is slowly and gradually dropping support for SMB in favor of CIFS. Microsoft isn't alone. The Samba team would love it as well if everyone would update to the newer, more secure protocol.
I've had a lot of support issues with Windows 10, and if this line exists it is always problematic because it disables port 445 on Samba.
According to this Red Hat bug report, a Samba update that addresses the "trust relationship failure" issue is coming.
Nick Howitt wrote:
Can you let us know what is happening on this? It is supposed to be a critical bug (not an issue for me in a domestic environment), but there have been no updates to samba in ClearOS 6.x since 16/03 - a month before the bug was disclosed.
Keep an eye on Red Hat's bug report on the matter - https://bugzilla.redhat.com/show_bug.cgi?id=1326918
There were also a bunch of Badlock regression fixes pushed through the Samba project just a few days ago. Here's the mailing list reference: https://lists.samba.org/archive/samba-technical/2016-April/113719.html
Hello all,
Just a quick update on this topic. It looks like the issue was resolved upstream for Red Hat 6 - https://rhn.redhat.com/errata/RHBA-2016-0992.html. That Samba update is sitting in the ClearOS 6 test repository and will be pushed to updates-testing on Wednesday (if all goes well with testing).
Malcolm Warwick wrote:
And is there a fix for 7 yet?
Keep an eye on the RHEL 7 updates here - https://rhn.redhat.com/errata/rhel-server-7-errata.html No sign of an update yet.
Thanks Peter
Perhaps I'm not reading this right, but it seems to imply this was fixed?
https://rhn.redhat.com/errata/RHSA-2016-0612.html
An update for samba4 and samba is now available for Red Hat Enterprise Linux 6
and Red Hat Enterprise Linux 7, respectively.
Cheers
Malcolm
Hi Malcolm,
Malcolm Warwick wrote: [quoted in full above]
There was indeed a quick fix for the Badlock issue, but that fix broke certain types of Samba environments. Red Hat has since released a "fix for the fix" in RHEL 6, but nothing has appeared for RHEL 7 yet. Red Hat does a great job at maintaining a stable platform -- it's not easy to do, and they pull it off for thousands of updates. However, this was one of the rare occasions where the fix was not up to par.
Quick update -- the Samba "fix for the fix" is on the way to the ClearOS 7 mirrors. Here are the June 23 release notes from Red Hat:
https://rhn.redhat.com/errata/RHBA-2016-1257.html
Hi Tony,
Tony wrote:
Thanks Peter... 40 rpms all installed cleanly. As well as samba updates - updated apps, lvm2, device-mapper, kernel and other misc rpms.
Also resolved a version conflict between i686 and x86-64 versions of libldb that I had lived with while waiting for this update...
There were 26 upstream software package updates released on June 23 - the full Red Hat list is here. With each package potentially producing multiple RPMs, it was a good sized update! This seems to be more common with Red Hat releases over the last year or so. It's like a mini service pack will come through every couple of months.