-
Important Announcement for the TrueNAS Community.
The TrueNAS Community has now been moved. This forum has become READ-ONLY for historical purposes. Please feel free to join us on the new TrueNAS Community Forums
SMB share is writable via NFS protocol and therefore susceptible to CVE 2021-20316
- Thread starter gwaitsi
- Start date
I upgraded to 12.0-8 and once it rebooted, I am getting a number of the below error messages.
- Joined
- Nov 12, 2015
- Messages
- 1,471
There is no fix to this right now. However we've seen many of our customers successfully move to using SMB on the Linux clients now as well. Not only did they get better performance, but it avoids this and other potential corruption issues from running mixed-mode. SMB on Linux is very well supported in 2022 :)
stillka
Explorer
- Joined
- Nov 15, 2014
- Messages
- 55
more info here:
=================================
Workaround and mitigating factors
=================================
Do not enable SMB1 (please note SMB1 is disabled by default in Samba
from version 4.11.0 and onwards). This prevents the creation of
symbolic links via SMB1. If SMB1 must be enabled for backwards
compatibility then add the parameter:
unix extensions = no
to the [global] section of your smb.conf and restart smbd. This
prevents SMB1 clients from creating symlinks on the exported file
system.
However, if the same region of the file system is also exported using
NFS, NFS clients can create symlinks that potentially can also hit the
race condition. For non-patched versions of Samba we recommend only
exporting areas of the file system by either SMB2 or NFS, not both.
=================================
Workaround and mitigating factors
=================================
Do not enable SMB1 (please note SMB1 is disabled by default in Samba
from version 4.11.0 and onwards). This prevents the creation of
symbolic links via SMB1. If SMB1 must be enabled for backwards
compatibility then add the parameter:
unix extensions = no
to the [global] section of your smb.conf and restart smbd. This
prevents SMB1 clients from creating symlinks on the exported file
system.
However, if the same region of the file system is also exported using
NFS, NFS clients can create symlinks that potentially can also hit the
race condition. For non-patched versions of Samba we recommend only
exporting areas of the file system by either SMB2 or NFS, not both.
- Joined
- Mar 6, 2014
- Messages
- 9,554
Does vmware need write access to the ISO share?
sophware
Dabbler
- Joined
- Oct 16, 2020
- Messages
- 37
Read-only is appropriate.
- Joined
- Mar 6, 2014
- Messages
- 9,554
Then you should be able to mitigate by converting the NFS export to RO.
- Joined
- Mar 6, 2014
- Messages
- 9,554
Here's a LWN article explaining it (the samba side of things): https://lwn.net/SubscriberLink/884052/15bc73887e122c39/
From the NFS-perspective would be a race in Samba on creation of malicious symlink.
From the NFS-perspective would be a race in Samba on creation of malicious symlink.
- Joined
- Mar 6, 2014
- Messages
- 9,554
Maybe an issue with how the alert was implemented. It was a temporary issue (having the alert) pending release of TrueNAS 13, which has been released. If you're concerned about the issue upgrade to 13. This issue will not be fixed in 12.
