Important Information about Samba Badlock Vulnerability
On 12 April, badlock.org disclosed a series of vulnerabilities together with the previously announced Samba Badlock vulnerability (CVE-2016-2118).
Samba is an open-source interoperability software suite that provides file and print services to SMB/CIFS clients. Besides Windows systems, Synology DSM, which ships Samba version 4.1, is also affected.
Along with the Badlock vulnerability itself (CVE-2016-2118), which has received the most attention, multiple related CVEs were disclosed on badlock.org with different CVSS scores reflecting their severity. After our initial investigation, we would like to provide the following update for each vulnerability.
- CVE-2016-2118: This vulnerability, also known as Badlock, has been addressed by backporting the patch from upstream Samba to the Samba that runs on Synology DSM. The update is available for DSM 5.2 and DSM 6.0.
- CVE-2015-5370, CVE-2016-2110, CVE-2016-2112, CVE-2016-2114, CVE-2016-2115: Considering their lower severity and the complexity of the issue, these vulnerabilities will be fixed in upcoming updates for DSM 5.2 and DSM 6.0.
- CVE-2016-2111, CVE-2016-2113: No patch is required for Synology DSM, as the affected Domain Server functionality is not supported.
Patches addressing the Badlock vulnerability are available for DSM 5.2 and DSM 6.0. To fix this issue, go to DSM > Control Panel > Update & Restore > DSM Update and install DSM 5.2-5644 Update 8 if you are using DSM 5.2, or DSM 6.0-7321 Update 1 if you are using DSM 6.0. Patches for the remaining vulnerabilities will be provided in upcoming updates.
Network Security Advice
SMB is a widely used file protocol in most business environments and also in the home. Restricting unnecessary access to this file service is an important step in improving network security. To better secure your network, enable only the file services that are actually needed and deny access to the rest. If you know the IP range or subnet that needs access to SMB, you can use the following instructions to set up firewall rules for that IP range or subnet.
To begin, make sure that your firewall is enabled: in Control Panel > Security > Firewall, check that Enable firewall is selected. Here you can create a new firewall profile or edit an existing one. Follow the instructions below to allow access from a specific range of IPs while denying access from all others.
First, create a rule that allows an IP range or subnet to access the SMB file service.
1. Under Firewall Profile, select Edit Rules.
2. In the top left corner, click Create to create a new firewall rule.
3. Under Ports, find Select from a list of built-in applications and click Select to choose an application.
4. Find and check Windows file server, then click OK.
5. Under Source IP, select Specific IP and click Select on the right. (Selecting All would match every IP address instead.)
6. Specify the IP range or subnet that you want to allow access to the SMB file service. In this example, SMB access is allowed only for IP addresses between 192.168.1.90 and 192.168.1.99. Click OK once you have specified the IP range or subnet.
7. Under Action, select Allow to permit the specified IP addresses or subnet to access SMB.
8. Once you have selected an action, click OK.
9. The resulting rule allows SMB access only for IP addresses from 192.168.1.90 to 192.168.1.99.
Now that the allowed IPs have been set, you must deny access to all other IPs. Follow the steps below to create a rule that denies all other access to the SMB file service.
1. Repeat steps 1-4 above.
2. Under Source IP, select All to include all IP addresses.
3. Under Action, select Deny to block all IP addresses or subnets from accessing SMB. Click OK when done.
4. After all the steps have been completed, you can see that every IP has been denied access to the SMB file service except those in the range 192.168.1.90 to 192.168.1.99. Note that the allow rule for the permitted IPs must be listed before the deny-all rule, because rules are matched in order and the first matching rule decides.
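As an added illustration that is not part of the original advisory, the following Python simulation evaluates the two rules above in first-match order, using the same 192.168.1.90-192.168.1.99 range, to show why the allow rule must come before the deny-all rule. The rule format, the evaluate() function and the explicit default-policy argument are assumptions made for this example and are not Synology DSM code.

```python
"""Stand-alone simulation of first-match firewall rule evaluation for the
SMB allow/deny pair described above. Assumed rule format: dicts with
'ports', 'source' and 'action' keys (illustration only, not DSM code)."""
import ipaddress

# Standard SMB ports covered by a "Windows file server" style entry:
# 445/tcp (SMB over TCP) and 139/tcp (NetBIOS session service).
SMB_PORTS = {139, 445}


def in_source(src, spec):
    """True if the source address matches spec.
    spec is 'all', a CIDR subnet ('192.168.1.0/24') or a dashed range
    ('192.168.1.90-192.168.1.99')."""
    ip = ipaddress.ip_address(src)
    if spec == "all":
        return True
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p) for p in spec.split("-"))
        return lo <= ip <= hi
    return ip in ipaddress.ip_network(spec, strict=False)


def evaluate(rules, src, port, default="allow"):
    """Return the action of the first rule matching (src, port).
    The page does not state DSM's behaviour when no rule matches, so the
    default policy is an explicit parameter here (assumption)."""
    for rule in rules:
        if port in rule["ports"] and in_source(src, rule["source"]):
            return rule["action"]
    return default


# The two rules from the procedure above.
ALLOW_RANGE = {"ports": SMB_PORTS, "source": "192.168.1.90-192.168.1.99",
               "action": "allow"}
DENY_ALL = {"ports": SMB_PORTS, "source": "all", "action": "deny"}

CORRECT_ORDER = [ALLOW_RANGE, DENY_ALL]   # allow rule listed first
WRONG_ORDER = [DENY_ALL, ALLOW_RANGE]     # deny-all shadows the allow rule


def main():
    # Constructed sample sources: two inside the range, two outside.
    for src in ("192.168.1.90", "192.168.1.99", "192.168.1.100", "10.0.0.5"):
        print(f"{src:15} correct={evaluate(CORRECT_ORDER, src, 445):5} "
              f"wrong={evaluate(WRONG_ORDER, src, 445)}")


if __name__ == "__main__":
    main()
```

With the deny-all rule listed first, every SMB client including those in the permitted range is blocked, which is exactly the ordering mistake the note above warns against.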