Badlock (CVE-2016-2118) and TrueNAS and FreeNAS
Just a general heads-up and JFYI regarding the “Badlock” security vulnerability in Samba, the software FreeNAS and TrueNAS use to provide SMB networking.
First, the press has been quick to clarify that this issue is nowhere near as severe as it was initially made out to be in the weeks leading up to the release of the fix from the Samba team yesterday, as some of the cited articles describe. While the issues reported are certainly important, and will be addressed, there is no significant danger to a TrueNAS 9.3/FreeNAS 9.3 (or 9.10) system operating in a secure environment.
Though the promised apocalypse did not arrive, the bug has also attracted enough attention from our customers that we need to fix it in a special Security Software Update (SSU) for both FreeNAS (9.3 and 9.10) and TrueNAS (9.3) that contains ONLY the fix for Badlock – no other tickets will be addressed in the forthcoming SSU.
We are planning to release this as a “rebootless update” – one which can be applied while the system is running and all it will do is restart the SMB service afterwards. Users should not have to reboot their systems or otherwise take down services in order to apply this SSU.
Because of the complexity of the fixes to Samba and the difficulty in back-porting them to Samba 4.1, we also decided to upgrade all TrueNAS/FreeNAS 9.3 users to Samba 4.3.6 – a newer and more capable version of Samba that is already in use by FreeNAS 9.10 – at the same time. FreeNAS 9.10 users will only see a fix for Badlock, not a Samba upgrade as well.
Once the changes have been fully vetted by the FreeNAS community as well as our QA and engineering teams, a security software update for TrueNAS 9.3 will also be released.
— Jordan Hubbard