Security advisory for the CVE-2017-7494 vulnerability

Welcome note and must-know for QNAP Forum members.
Locked
User avatar
QNAPJason
QNAP Staff
Posts: 5399
Joined: Thu May 21, 2009 2:14 pm
Location: Taipei

Security advisory for the CVE-2017-7494 vulnerability

Post by QNAPJason » Fri May 26, 2017 8:03 pm

(1). If you have a [b]QTS 4.3.x[/b], please install this patch.
[Patches]
a.TS-x69 Pro, x69L, x69U series
https://download.qnap.com/Storage/Qfix/ ... _3.4.6.zip

b. Other NAS x86_64 series
https://download.qnap.com/Storage/Qfix/ ... _4.2.8.zip

c. ARM Marvell Kirkwood: (X12 / X19 / X20 / X21 series)
https://download.qnap.com/Storage/Qfix/ ... .3_x19.zip

d. ARM Annapurna Labs, V71 :(X31+ / X31P / X31X / X31XU / X28 / TAS-X68 series)
https://download.qnap.com/Storage/Qfix/ ... arm_al.zip

e. ARM Comcerto 2000 EVM (armv7l): (X31 / 31U series)
https://download.qnap.com/Storage/Qfix/ ... arm_ms.zip


(2). If you have a [b]QTS 4.2.6[/b], on legacy systems please install this patch.
[Patches]
f. TS-110 / 210 / 410 / 410U:
https://download.qnap.com/Storage/Qfix/ ... .2_x19.zip

g. TS-269H:
https://download.qnap.com/Storage/Qfix/ ... 2.6.39.zip

h. TS-X39 / X59 / 509 / 809 / 809U:
https://download.qnap.com/Storage/Qfix/ ... _3.4.6.zip

[Fixes]
- Addresses CVE-2017-7494 and prevents malicious clients from exploiting the Samba vulnerability

The guide can also be downloaded from https://download.qnap.com/Storage/Qfix/ ... SbySSH.pdf

1. Download and run putty.exe (the SSH and Telnet client itself) from [url=http://www.chiark.greenend.org.uk/~sgta ... nload.html]http://www.chiark.greenend.org.uk/~sgta ... nload.html[/url]

2. Enter the NAS IP address in “Host Name (or IP address)” and click Open

3. If a dialog prompt pops up, click Yes

4. Enter admin as the username and type in the password
(the password will not be displayed as you enter it)

5. Now you are at the NAS command prompt and can enter commands

6. Enter the following command: (all on a single line)
==================================================
cp /etc/config/smb.conf /etc/config/smb.conf.copy;sed -i '/^nt pipe support/d' /etc/config/smb.conf;sed -i '/\[global\]/ant pipe support = no' /etc/config/smb.conf;/etc/init.d/smb.sh restart
==================================================

7. After executing the command, shared folders will not appear when accessing the NAS using the NAS IP address in Windows File Explorer. The following error message will be displayed.

8. To access shared folders using File Explorer, you must use the full folder path. For example: \\<IP address>\public.

9. After applying the workaround, if you see the following error message when using the full folder path (e.g. \\<IP address>\public), restarting your computer will resolve the problem.

10. If you want to reverse these settings, run these commands: (all on a single line)
==================================================
mv /etc/config/smb.conf.copy /etc/config/smb.conf;sed -i '/^nt pipe support/d' /etc/config/smb.conf;/etc/init.d/smb.sh restart
==================================================
Top
Locked

Return to “Announcements”