Security Advisory: Samba Vulnerability

What is Samba?

Samba is a facility used for network file sharing, mostly in SOHO (small office / home office) environments. DrayTek products support it for sharing files held on a USB memory device plugged into the router. It is not a very commonly used feature on DrayTek products, but it can be useful, mostly in home environments.

CVE-2017-7494 Remote Code Execution

In June, a vulnerability was reported in the Samba protocol. The design of Samba has been found to have a flaw that could leave it vulnerable to remote code execution, whereby a malicious actor who can upload a file to a share could then cause that file to be executed. This vulnerability has been allocated the reference CVE-2017-7494. As the flaw is particular to the protocol itself, the issue will affect many different vendors; it is not specific to DrayTek. On DrayTek products, the opportunity for someone to exploit this is unlikely, but it remains a possibility in the right circumstances if they have the right access. In all events, allowing unauthenticated Samba access on the WAN is never to be recommended, but if you had a bad actor on the LAN side and unauthenticated access (no password) enabled, they might try to exploit that.

DrayTek Products

DrayTek products running DrayOS are not affected by this vulnerability. DrayOS is our own proprietary operating system used on most of our products and uses our own in-house code. For our Linux-based products which support Samba, and which could therefore be affected, you should upgrade:

  • Vigor 3900 - Use firmware 1.3.1 or later
  • Vigor 2960 - Use firmware 1.3.1 or later
  • Vigor 2760 Original Linux Version (f/w 1.x.x) - Upgrade to DrayOS 3.x.x or later
    (Very early Vigor 2760's used Linux; since 2014 it has used DrayOS)

If you are not using Samba file sharing, then the issue will not affect you, or you can disable the Samba feature in the meantime.
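The two checks an administrator would want after reading the list above are (a) whether each DrayTek unit in an inventory is on a fixed firmware, and (b) whether any other Samba host on the LAN is exposing exactly the combination the advisory warns about: a share reachable without a password that also allows uploads. The following Python is an added example written for this page; it is not DrayTek's code or the Samba project's code. The DrayTek firmware thresholds come from the list above; the upstream Samba fixed releases (4.6.4, 4.5.10, 4.4.14), the affected range (3.5.0 onwards) and the `nt pipe support = no` workaround come from the Samba project's own CVE-2017-7494 advisory, not from this page; the sample smb.conf and device inventory are constructed for illustration.

```python
"""Hypothetical helper (not DrayTek's or Samba's code): check a device
inventory against this advisory and audit an smb.conf for the risky
settings it warns about (unauthenticated, writable shares)."""
import re
from configparser import ConfigParser

# Minimum fixed firmware per the advisory; the Vigor 2760 is handled
# separately because its early Linux 1.x.x builds must move to DrayOS 3.x.x.
FIXED_FIRMWARE = {"Vigor 3900": (1, 3, 1), "Vigor 2960": (1, 3, 1)}

# Upstream Samba releases that fix CVE-2017-7494 (from the Samba advisory,
# not from this page); 3.5.0 up to these releases is affected.
SAMBA_FIXED = {(4, 6): (4, 6, 4), (4, 5): (4, 5, 10), (4, 4): (4, 4, 14)}

# Constructed sample smb.conf: one guest-writable share, one authenticated one.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   map to guest = Bad User

[public]
   path = /mnt/usb
   guest ok = yes
   writable = yes

[private]
   path = /mnt/usb/private
   valid users = alice
   read only = yes
"""


def parse_version(text):
    """'1.3.1' -> (1, 3, 1). Tuple comparison avoids the string trap
    where '1.3.10' < '1.3.1' would be judged as not yet fixed... or fixed."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(p) for p in m.groups())


def draytek_status(model, firmware):
    """'not affected', 'fixed' or 'upgrade' for one DrayTek unit.
    Assumption: any model not listed is a DrayOS model and so not affected."""
    ver = parse_version(firmware)
    if model == "Vigor 2760":
        return "upgrade" if ver[0] < 3 else "not affected"  # 1.x.x Linux vs 3.x.x DrayOS
    if model in FIXED_FIRMWARE:
        return "fixed" if ver >= FIXED_FIRMWARE[model] else "upgrade"
    return "not affected"


def samba_status(version):
    """Same three states for a generic Samba host, by upstream version."""
    ver = parse_version(version)
    if ver < (3, 5, 0):
        return "not affected"
    fixed = SAMBA_FIXED.get(ver[:2])
    if fixed is None:
        # 3.5 .. 4.3 got no fixed point release; 4.7 and later shipped after the fix
        return "not affected" if ver[:2] > (4, 6) else "upgrade"
    return "fixed" if ver >= fixed else "upgrade"


def _is_yes(value):
    return value.strip().lower() in ("yes", "true", "1")


def audit_smb_conf(text):
    """Return a list of findings: missing workaround, and every share that is
    reachable without a password, noting whether it accepts uploads."""
    cp = ConfigParser(strict=False, interpolation=None,
                      inline_comment_prefixes=(";", "#"))
    cp.read_string(text)
    findings = []
    glob = cp["global"] if cp.has_section("global") else {}
    if glob.get("nt pipe support", "yes").strip().lower() != "no":
        findings.append("global: 'nt pipe support = no' workaround is not set")
    for share in cp.sections():
        if share == "global":
            continue
        s = cp[share]
        guest = _is_yes(s.get("guest ok", "no"))
        # Samba's default is read-only; either spelling of writable, or
        # 'read only = no', turns uploads on.
        writable = (_is_yes(s.get("writable", s.get("writeable", "no")))
                    or s.get("read only", "yes").strip().lower() == "no")
        if guest:
            kind = "writable" if writable else "read-only"
            findings.append(f"{share}: unauthenticated ('guest ok = yes') {kind} share")
    return findings


if __name__ == "__main__":
    # Constructed inventory, not real devices.
    for model, fw in [("Vigor 3900", "1.3.1"), ("Vigor 2960", "1.2.9"),
                      ("Vigor 2760", "1.4.2"), ("Vigor 2760", "3.8.4")]:
        print(f"{model} {fw}: {draytek_status(model, fw)}")
    for line in audit_smb_conf(SAMPLE_SMB_CONF):
        print("smb.conf:", line)
```

Run it as-is to see the constructed inventory and config scored; point `audit_smb_conf` at the contents of a real smb.conf to scan a LAN file server. The version parser deliberately compares integer tuples so that a firmware such as 1.3.10 is correctly ranked above 1.3.1.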

As a reminder, even if you are not affected by this issue, it is always recommended that you keep your DrayTek router and other hardware up to date with the latest firmware and read vendor mailing lists (UK users can join here), as security improvements are regularly added and new exploits/vulnerabilities may surface.

Advice Regarding other Services / Products (non-DrayTek)

You should check the equivalent statements/advisories from the vendors of all of your other networking hardware and then follow the advice of each of them regarding any necessary precautions or updates.

Disclaimer: Please check this web page again for any new/updated information. You are advised to always keep your product's firmware or software up-to-date and keep in touch with your vendors to be advised of any new vulnerabilities (for example by subscribing to mailing lists). The information in this web page is provided in good faith based on the information available to us at the current time, following an appropriate assessment but without acceptance of liability in the case of new, developing or existing threats or unlawful activity against your system. Any suggestions given above are provided as general information but should not be considered a thorough or specific assessment of your own individual security risks, and you should take formal advice from a security expert to assess your specific security needs. As with any advisory, the suggested advice forms part of your own security planning and protocols.