
Security ID: NAS-201604-19

Security Alert for Badlock on File Sharing Using Microsoft Networking (Samba)


  • Release date: April 19, 2016

  • Affected products: All QNAP NAS running the Microsoft Networking service (Samba)

Severity

Important

Status

Resolved


Summary

The Samba Team has announced several security vulnerabilities affecting Samba services. One of them, known as "Badlock" (CVE-2016-2118), lies in the handling of the Distributed Computing Environment / Remote Procedure Call (DCE/RPC) protocols. An attacker positioned between a client and a server running Microsoft file sharing or the Samba service can intercept an authenticated client connection and carry out operations with the privileges of the intercepted user. In addition to Badlock, there are related security flaws affecting Samba configured as a standalone server (CVE-2015-5370, CVE-2016-2110, CVE-2016-2111, CVE-2016-2112, CVE-2016-2114, and CVE-2016-2115). These flaws allow, among other things, a downgrade of the authentication level of LDAP connections, interception of network traffic, improper validation of TLS/SSL certificates, and unprotected client connections for IPC traffic. Successful exploitation could lead to denial-of-service (DoS) and man-in-the-middle (MITM) attacks, and further result in loss of control of the associated services or loss of connectivity to the Samba service.

Recommendations

Update your system to QTS 4.2.0 and then apply the Qfix BadlockFix_4.2.0.1. This Qfix applies only to QTS 4.2.0.

1. Go to the download page of the QNAP website (http://www.qnap.com/download) and choose your NAS model. Read the release note before downloading the Qfix.

2. Log into your NAS as an administrator, go to “Control Panel” > “Firmware Update”, and choose the “Firmware Update” tab. Follow the on-screen instructions to install the Qfix.

For more detailed instructions on how to apply a Qfix, please see How to install a Qfix?

We strongly recommend that users update their firmware to the latest version. A Qfix for other firmware versions will be released at a later date.

Note: The Microsoft Networking service will restart after you install this Qfix. You do not need to reboot your NAS.

Network Security Advice

To enhance the security level of the Samba service on your QNAP NAS and to better protect against unwanted connections, please implement the following security practices:

1. Permit connectivity only from trusted addresses

Log into your NAS as an administrator, and then go to “Control Panel” > “Security” > “Security Level”. Select “Allow connections from the list only” to allow only permitted addresses to connect to the NAS, or select “Deny connections from the list” to block specific IP addresses regardless of the services or protocols used for connection.


2. Restrict connectivity to shared folders via Microsoft Networking

Log into your NAS as an administrator, and then go to “Control Panel” > “Privilege Settings” > “Shared Folders”. Select a shared folder, choose “Microsoft Networking host access” from the drop-down menu, and specify the hosts or IP addresses that are allowed to connect to this shared folder. Connections from any other host are filtered.

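The two settings above restrict which hosts may reach a share over Microsoft Networking; in Samba terms that is the per-share "hosts allow" parameter (or a global one that every share inherits). The following script is an added example written for this page, not QNAP's code or part of the Qfix: it parses a Samba configuration and lists every share that has no "hosts allow" restriction at all. It assumes the NAS exposes a standard smb.conf that can be read over SSH; the sample configuration is constructed inline so the script runs offline, and the share names and addresses in it are made up.

```shell
#!/bin/sh
# Added example: find Samba shares reachable from any host.
# Assumption: the NAS writes a standard smb.conf; on a live system you would
# point the functions at that file instead of the constructed sample below.

# Constructed sample smb.conf: 'Public' is open to every host,
# 'Finance' is limited to one subnet and one address.
SAMPLE_CONF="$(mktemp)"
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
[global]
    workgroup = WORKGROUP
    server string = QNAP NAS

[Public]
    path = /share/Public
    read only = no

[Finance]
    path = /share/Finance
    read only = no
    hosts allow = 192.168.10.0/24 10.0.0.5
    hosts deny = 0.0.0.0/0
EOF

# Print the 'hosts allow' value (Samba also accepts the synonym
# 'allow hosts') for one share; prints nothing if the share has none.
# usage: hosts_allow_for <smb.conf> <share name>
hosts_allow_for() {
    awk -v want="$2" '
        /^[[:space:]]*\[.*\][[:space:]]*$/ {
            sect = $0
            gsub(/^[[:space:]]*\[|\][[:space:]]*$/, "", sect)
            next
        }
        sect == want && /^[[:space:]]*(hosts[[:space:]]+allow|allow[[:space:]]+hosts)[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, "")
            sub(/[[:space:]]+$/, "")
            print
            exit
        }
    ' "$1"
}

# Print, one per line and sorted, every share that has neither its own
# 'hosts allow' nor a global one to fall back on. Prints nothing when a
# global 'hosts allow' exists, because Samba then applies it to all shares.
# usage: unrestricted_shares <smb.conf>
unrestricted_shares() {
    awk '
        /^[[:space:]]*\[.*\][[:space:]]*$/ {
            sect = $0
            gsub(/^[[:space:]]*\[|\][[:space:]]*$/, "", sect)
            shares[sect] = 1
            next
        }
        /^[[:space:]]*(hosts[[:space:]]+allow|allow[[:space:]]+hosts)[[:space:]]*=/ {
            if (sect == "global") global_allow = 1
            else restricted[sect] = 1
        }
        END {
            if (global_allow) exit 0
            for (s in shares)
                if (s != "global" && !(s in restricted)) print s
        }
    ' "$1" | sort
}

# Report: which shares accept connections from any address?
open="$(unrestricted_shares "$SAMPLE_CONF")"
if [ -n "$open" ]; then
    echo "Shares with no 'hosts allow' restriction:"
    echo "$open"
else
    echo "Every share restricts connecting hosts."
fi
echo "Finance allows: $(hosts_allow_for "$SAMPLE_CONF" Finance)"
```

The check deliberately treats a global "hosts allow" as covering all shares, which matches Samba's precedence rules; a share that only sets "hosts deny" still counts as open, since a deny list without an allow list blocks only the named addresses.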

If you have any questions regarding this issue, please contact us at http://helpdesk.qnap.com/

Revision history: 2016-04-19
