Get a Quote (408) 943-4100

Commercial Support

TrueNAS.com Software Systems Company Community Security iX Portal Download

Docs Navigation

TrueNAS CORE TrueNAS Enterprise TrueNAS SCALE TrueCommand Help Me Choose FreeNAS

Systems Overview M-Series X-Series R-Series Mini Series

Blog In the News TrueNAS Store iXsystems Careers

TrueNAS GitHub Community Forum Discord TrueNAS Merch Store

Application Asigra TrueNAS Solution Backup Big Data Cloud Multimedia Virtualization

Industry Education Finance Government Healthcare High-Tech Media & Entertainment

Support Documentation TrueNAS Security Blog Case Studies White Papers Solution Briefs iX Portal Plugins & Apps ZFS

Download TrueNAS CORE

Download TrueNAS SCALE

Get TrueNAS Enterprise

Samba

Services CVE

CVE-2019-14907 : Samba Log Level

2020-01-21

Versions Affected : All verisons prior to FreeNAS/TrueNAS 11.2-U8

Description

All samba versions 4.9.x before 4.9.18, 4.10.x before 4.10.12 and 4.11.x before 4.11.5 have an issue where if it is set with “log level = 3” (or above) then the string obtained from the client, after a failed character conversion, is printed.

Such strings can be provided during the NTLMSSP authentication exchange. In the Samba AD DC in particular, this may cause a long-lived process(such as the RPC server) to terminate. (In the file server case, the most likely target, smbd, operates as process-per-client and so a crash there is harmless).

Workaround

No workaround is available, but dynamically linked binaries are not affected.

Mitigation

Upgrade to FreeNAS/TrueNAS 11.2-U8 or later

CVE-2019-14907 only affects TrueNAS 11.2 users with a non-default (higher than normal) log level. TrueNAS 11.3-RELEASE has Samba 4.10.12, which is not vulnerable to CVE-2019-14907

Commit

Further information

NIST CVE-2019-14907 Entry