Samba Vulnerability CVE-2017-7494. Posted by Jimmy Graham in Security Labs on May 26, 2017 1:32 PM.

Are providing patches for older versions of Samba if they are used in a supported version of the OS. The Samba Team may also release patches for older versions of Samba.

Re: SambaCry vulnerability (CVE-2017-7494) Post by TrevorH » Sat May 27, 2017 4:26 pm

If you have the fixed version installed then rpm -qi samba shows you build and install dates.

It's unclear to me to what extent Netgear is still testing and patching older kit, so here is how to tell if yours is actually affected if it's not listed at, under 'Security Advisory for CVE-2017-7494, Samba Remote Code Execution':

1) Only Samba versions 3.5 to (release date March 1, 2010, but that doesn't necessarily mean any firmware released past that date has Samba version 3.5 or newer) anything before 4.4+ patched, are affected. Note that Samba versions 4.6.4, 4.5.10, and 4.4.14 are the security patched versions, and therefore unaffected.

2) Log into your router at 192.168.1.1 (unsure how to access other devices, e.g. NAS), and note the installed firmware version.

3) Download the GPL firmware version listed for your installed firmware version from. It's a tarball, and I used 7-Zip on Windows to expand the file. I had to copy the tarball to my desktop, open it in 7-Zip, expand it in 7-Zip. Mac OS X/MacOS have this ability built-in, and obviously if you're using Linux.

4) Click on the (first?) GPL text file listed from within the expanded tarball from within 7-Zip. It sounds complicated, but it's not. Search or look for a 'samba' entry, mine being 'GPL Source Code samba samba-3.0.2'; I'm not vulnerable, my version being previous to the 3.5 release (the text file might be unformatted).

Incidentally, the other GPL text file has some interesting tidbits as well, e.g. And on mine, it's formatted, and it's easy to find a few things like the Linux kernel version (mine being 2.6.15, and that it's obviously modified). Poke around everything as you like.

The above should be broadly applicable to any devices from other OEMs (who built your devices) as well, if you can access the GPL firmware for your kit from them.
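
The version check from steps 1 and 4, as an added example that is not part of the original post: it pulls samba-X.Y.Z entries out of a GPL listing and compares them with the fixed releases the post names (4.4.14, 4.5.10, 4.6.4). The sample listing is constructed, the function names are hypothetical, and treating series after 4.6 as fixed is an assumption.

```python
import re

# First unaffected patch level per series, as named in the post.
FIXED = {(4, 4): 14, (4, 5): 10, (4, 6): 4}
FIRST_AFFECTED = (3, 5, 0)  # the post: 3.5 is the first affected release

# Matches entries such as "samba-3.0.2" in a GPL source listing.
SAMBA_RE = re.compile(r"samba-(\d+)\.(\d+)(?:\.(\d+))?", re.IGNORECASE)

# Constructed sample listing; only the samba-3.0.2 line comes from the post.
SAMPLE = """\
GPL Source Code busybox busybox-1.7.2
GPL Source Code samba samba-3.0.2
GPL Source Code samba samba-3.6.25
GPL Source Code samba samba-4.5.10
"""


def classify(version):
    """Return 'affected' or 'not affected' for a (major, minor, patch) tuple."""
    major, minor, patch = version
    if version < FIRST_AFFECTED:
        return "not affected"  # predates the 3.5 release
    if (major, minor) in FIXED:
        return "not affected" if patch >= FIXED[(major, minor)] else "affected"
    if (major, minor) > max(FIXED):
        return "not affected"  # assumption: series after 4.6 ship with the fix
    return "affected"  # 3.5 through 4.3: no fixed release named in the post


def scan_listing(text):
    """Find every samba-X.Y[.Z] entry in a listing and classify it."""
    results = []
    for m in SAMBA_RE.finditer(text):
        # A missing patch level is read as 0, the conservative choice.
        version = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
        results.append((m.group(0), classify(version)))
    return results


if __name__ == "__main__":
    for entry, verdict in scan_listing(SAMPLE):
        print(f"{entry}: {verdict}")
```

A version number alone cannot show a vendor-backported patch, so a packaged Samba that reports an older version may still be fixed; the build date from rpm -qi mentioned above is the check for that case.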