Security Bulletin: Samba vulnerability affects IBM SONAS (CVE-2017-2619)

Summary

IBM SONAS is shipped with Samba, for which a fix is available for security vulnerability.

Vulnerability Details

Samba is used in IBM SONAS to enable file management and authentication services for Microsoft Windows environments.

CVEID: CVE-2017-2619**
DESCRIPTION:** Samba could allow a remote authenticated attacker to launch a symlink attack, caused by a race condition A local attacker could exploit this vulnerability using SMB1 unix extensions to create a symbolic link from a temporary file to various files on the system, which could allow the attacker to view non-exported files.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/123775 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

IBM SONAS
The product is affected when running a code releases 1.5.0.0 to 1.5.2.7

Remediation/Fixes

A fix for these issues is in version 1.5.2.8 of IBM SONAS. Customers running an affected version of SONAS should upgrade to 1.5.2.8 or a later version, so that the fix gets applied.

Please contact IBM support for assistance in upgrading your system.

Workarounds and Mitigations

Mitigation(s): Ensure that all users who have access to the system are authenticated by another security system such as a firewall.