What Version of Samba is included in 4.1.9? (CVE-2012-1182)

For those who cannot wait for the official releases, we'll occasionally post test releases here. This includes the NV+(v1)/Duo(v1)/NV/1100/1000/X6/600 models.
WARNING: use at your own risk!

Postby Zappes » Fri Apr 13, 2012 10:30 pm

As I am a bit worried about the recent critical Samba vulnerability (CVE-2012-1182 "root" credential remote code execution) I'd like to know which version of Samba will be included in 4.1.9 and specifically if that vulnerability will be fixed.

Right now my only fix for that problem is mounting my NAS shares on another Linux box with a current Samba version, re-exposing all shares using that box and denying all other workstations access to the NAS using firewall rules on the router. This obviously is a very bad solution and I'd really like to get rid of that workaround as soon as possible...
Life is what happens while you make other plans.
Zappes
Advanced ReadyNAS User
 
Posts: 199
Joined: Wed Aug 06, 2008 12:36 pm
Location: Munich, Germany
ReadyNAS: Duo

Re: What Version of Samba is included in 4.1.9? (CVE-2012-11

Postby mdgm » Fri Apr 13, 2012 10:42 pm

I think the current beta has 3.5.12 for the service. Will likely be updated to latest 3.5.x before going final I would think but the ReadyNAS devs could comment on that.
Useful links: My ReadyNAS Gear|FAQ|Hardware Compatibility List|Docs: Setup Guide, Manual|Downloads|Unofficial Tips|GPL|MDGM on Twitter|MDGM's Unofficial Guides
NB: A ReadyNas is not an excuse not to have a backup. Fire, theft, multiple disk failures, other hardware failure, floods, user negligence etc. can all result in loss of data.
How we users can contact NETGEAR Technical Support | Australia: 1300 361 254 / Other Numbers|Online Submission
Unofficial Guide for Moving from Sparc ReadyNAS to x86 ReadyNAS|Using Gmail with the ReadyNAS|XRAID Volume Size Calculator
mdgm
ReadyNAS Enthusiast
 
Posts: 28619
Joined: Tue Feb 17, 2009 9:34 pm
Location: Down Under
ReadyNAS: RN312

Re: What Version of Samba is included in 4.1.9? (CVE-2012-11

Postby matthew1471 » Sat Apr 14, 2012 8:27 am

You can find out what version you are using by selecting Status->Logs and downloading all the log files by clicking "Download All Logs". Then open up the ZIP file and inside should be smbd.log.

Here is what mine has:

4.1.9 (T6)
==
[2012/04/11 18:52:09, 0] smbd/server.c:1141(main)
smbd version 3.5.12 started.
Copyright Andrew Tridgell and the Samba Team 1992-2010

4.1.9 (T2)
==
[2012/04/11 19:11:21, 0] smbd/server.c:main(942)
smbd version 3.0.37 started.
Copyright Andrew Tridgell and the Samba Team 1992-2009
matthew1471
ReadyNAS Newbie
 
Posts: 19
Joined: Sat Mar 05, 2011 5:21 am
ReadyNAS: Duo
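The check described in the post above, as an added example that is not part of the original thread: it reads the smbd.log text from the downloaded log ZIP, takes the most recent "smbd version ... started" line, and compares it with the upstream Samba releases that first shipped the CVE-2012-1182 fix (3.4.16, 3.5.14, 3.6.4; these come from the upstream Samba advisory, not from this thread). The function names, status strings and sample log are assumptions made for the illustration.

```python
import re

# First upstream release carrying the CVE-2012-1182 fix, per maintained series.
# Source: upstream Samba security releases (an assumption relative to this thread).
FIXED = {(3, 4): (3, 4, 16), (3, 5): (3, 5, 14), (3, 6): (3, 6, 4)}

# Matches both header styles seen in the thread; only the version line matters.
START_RE = re.compile(r"smbd version (\d+)\.(\d+)\.(\d+)\S* started")

# Constructed sample: the two startup records quoted in the post, in time order.
SAMPLE_LOG = """\
[2012/04/11 18:52:09, 0] smbd/server.c:1141(main)
smbd version 3.5.12 started.
Copyright Andrew Tridgell and the Samba Team 1992-2010
[2012/04/11 19:11:21, 0] smbd/server.c:main(942)
smbd version 3.0.37 started.
Copyright Andrew Tridgell and the Samba Team 1992-2009
"""


def last_started_version(log_text):
    """Return the (major, minor, patch) of the most recent smbd start, or None."""
    found = None
    for match in START_RE.finditer(log_text):
        found = tuple(int(part) for part in match.groups())
    return found


def assess(version):
    """Classify a version tuple against the upstream fix releases.

    'predates-fix' means the version number is older than the upstream fix;
    a vendor firmware may still carry a backported patch under an old number,
    so confirm against the vendor's release notes.
    """
    if version is None or version < (3, 0, 0):
        return "unknown"
    if version[:2] > (3, 6):
        return "fixed-upstream"
    fixed = FIXED.get(version[:2])
    if fixed and version >= fixed:
        return "fixed-upstream"
    return "predates-fix"


if __name__ == "__main__":
    running = last_started_version(SAMPLE_LOG)
    print(running, assess(running))
```

Series with no fixed upstream release (3.0 through 3.3) always report `predates-fix`, so for those the firmware changelog is the only way to confirm a patch.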

Re: What Version of Samba is included in 4.1.9? (CVE-2012-11

Postby Zappes » Sun Apr 15, 2012 12:57 am

Thanks for the info. I don't really feel like using the beta on my box, so I couldn't install it myself in order to have a look at the versions. I hope we get 3.5.14 in the final release - but I guess that's something the devs will make sure to include as that vulnerability really is quite critical.

Re: What Version of Samba is included in 4.1.9? (CVE-2012-11

Postby sp00led » Mon Apr 16, 2012 9:53 am

I searched and found this thread after reading about the SAMBA vulnerability. Has anyone tried manually updating smb on their ReadyNAS? I only have a production server so I'm hesitant to.

The latest firmware available has me running 3.5.11 and that's very concerning.
sp00led
ReadyNAS Newbie
 
Posts: 2
Joined: Mon Apr 16, 2012 9:50 am
ReadyNAS: 3200

Re: What Version of Samba is included in 4.1.9? (CVE-2012-11

Postby mdgm » Mon Apr 16, 2012 6:48 pm

The 3200 is an x86 model. Latest production firmware for that is currently 4.2.19.

4.2.20 T42 beta contains 3.5.12 (see http://www.readynas.com/forum/viewtopic.php?f=51&t=57193). I know a later beta contains 3.5.13. We'll need to wait and see what's included in 4.2.20.

I would not suggest trying to manually update samba as that is unsupported.

Re: What Version of Samba is included in 4.1.9? (CVE-2012-11

Postby mdgm » Mon Apr 23, 2012 9:52 pm

Zappes, 4.1.9-T9 includes the update that addresses the samba vulnerability: http://www.readynas.com/forum/viewtopic.php?f=17&t=59222

Re: What Version of Samba is included in 4.1.9? (CVE-2012-11

Postby Zappes » Mon Apr 23, 2012 11:24 pm

Will 4.1.9 also address the recent OpenSSL vulnerability? That one wouldn't be as important for me as SSH access to my NAS is restricted to a few trusted clients, anyway, but it would be nice to know. :)

Is T9 in a state where one could risk using it in a SoHo environment? I'm not asking for legally binding certification of that version, of course, just for a hint regarding the maturity of the current beta release.

