QNAP joins Netgear in releasing fixes for the Samba vulnerability that could be used to attack network attached storage and other connected devices.
Samba is a widely used piece of software that (roughly speaking) allows Linux and similar systems to do Windows-style networking. This week, the Samba Team revealed the existence of a long-standing vulnerability “allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it”.
That's a serious situation, and a huge number of systems are affected because the bug goes as far back as version 3.5.0, which was released seven years ago.
If you run Linux servers or desktops, you're probably cluey enough to install the appropriate patch as described in the announcement, or at least check that it has been applied automatically.
The problem is that many devices such as NAS (network attached storage) units, routers, media players and even surveillance cameras include Samba as part of their software – although that's not to say that all devices in those categories incorporate Samba, or that it isn't used by other device types.
Manufacturers can be relatively slow to deliver updates – if they do so at all – and applying the updates is often a manual process.
Netgear and Synology have said they are aware of the issue and are working on updates. Netgear has already released an update for products running ReadyNAS OS V6. As temporary measures for other products, Netgear recommends disabling write access to non-trusted users, or removing USB storage devices from routers. Similar measures may be appropriate with other vendors' equipment.
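As an added illustration (not code from the article or from any vendor), the following Python audit flags the shares in an smb.conf that anonymous (guest) clients can write to, which is the condition Netgear's workaround of disabling write access for non-trusted users removes. The sample configuration and share names are constructed for the example.

```python
"""Audit an smb.conf for shares that untrusted (guest) clients can write to."""
import re

# Constructed sample smb.conf, not taken from any vendor's device.
SAMPLE_SMB_CONF = """
# weak: anonymous clients may upload files here
[public]
   guest ok = yes
   writeable = yes
# guests may read but not write
[media]
   public = yes
   read only = yes
# writable, but only for authenticated users
[backup]
   read only = no
"""

def is_true(value): return value.strip().lower() in {"yes", "true", "1", "on"}

def parse_smb_conf(text):
    """{share: {option: value}}; option names lower-cased, spaces collapsed."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # smb.conf has full-line comments only
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][re.sub(r"\s+", " ", key.strip().lower())] = value.strip()
    return sections

def share_is_writable(opts):
    """'read only' (default yes) and its inverse synonyms set one switch: last wins."""
    writable = False
    for key, value in opts.items():
        if key == "read only":
            writable = not is_true(value)
        elif key in ("writeable", "writable", "write ok"):
            writable = is_true(value)
    return writable

def guest_writable_shares(text):
    """Shares anonymous clients can write to: the bug's precondition."""
    return [name for name, opts in parse_smb_conf(text).items()
            if name != "global"
            and is_true(opts.get("guest ok", opts.get("public", "no")))
            and share_is_writable(opts)]
```

Running `guest_writable_shares(SAMPLE_SMB_CONF)` on the sample reports only `public`; shares that are guest-readable but read-only, or writable only to authenticated users, are not flagged.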
UPDATED: NAS vendor QNAP has also released fixes for the Samba vulnerability affecting its NAS units. The fixes are for versions 4.2 and 4.3 of its QTS operating system. The company recommends users upgrade their NAS to the latest version available for that model, and then apply the fix for the Samba issue.
Many other vendors' products are likely to be affected, so it would be prudent to ask if any of your equipment is vulnerable and, if it is, when the vendor expects to release a patch or update, and what steps you should take in the meantime.