Like a lot of the things that I write here, this is a question that came up in a ticket that I worked on recently. A customer recently received a message like this:
Samba is a freely available file- and printer-sharing application maintained and developed by the Samba Development Team. Samba allows users to share files and printers between operating systems on UNIX and Windows platforms. Samba is prone to a security-bypass vulnerability because it fails to properly enforce SMB signing when certain configuration options is enabled. Successfully exploiting this issue may allow attackers to bypass security restrictions and perform unauthorized actions by conducting a man-in-the-middle attack. This may lead to other attacks. The following versions are vulnerable: Samba 3.0.25 through 4.4.15 Samba 4.5.x versions prior to 4.5.14 Samba 4.6.x versions prior to 4.6.8.
This doesn’t actually tell us a lot. I could ping one of the Samba developers and ask them if they are aware of this vulnerability, if we’ve ever patched it, and if not what the status of it is. That’s could be a lot of time waiting for a reply and taking time out of the developer’s day to answer a fairly straightforward customer service question. However, there is an easier way.
When a software vulnerability is detected, it is reported as a CVE (Common Vulnerabilities and Exposures) number for that specific application. In this case, I found the CVE number that best matched the description that I was given and I was able to show the customer that we had patched it and which patch it was in.
One famous example was the “Heartbleed Vulnerability” from a few years ago which is CVE-2014-0160. SUSE retains a list of all CVE’s that we review and patch here: https://www.suse.com/security/cve/. As you can see here: https://www.suse.com/security/cve/CVE-2014-0160/ Heartbleed was patched in all versions of SLE 11 and 12 as well as OpenSUSE 12, 13, Leap, and Tumbleweed.
For those concerned about their system’s security, CVE’s are a great way to make sure that newly found vulnerabilities have been patched in their OS of choice.
More information:
blog.theuse.net 