KACE Product Support Question

Samba Vulnerability CVE-2015-0240

02/25/2015 2918 views

Just looking to see how serious of a vulnerability this is in how it relates to the K1000/K2000 Samba shares. Running this version of my K1000 ( 6.2.109329) and the Samba version is 3.6.12 which per the link above appears to be vulnerable to the Samba vulnerability. Serious enough for an out-of-band patch and/or will it be included in a future rollup?




1 Comment   [ + ] Show comment


  • This content is currently hidden from public view.
    Reason: Removed by member request For more information, visit our FAQ's.
  • Dell, can we have an answer on this please?

All Answers


Dell's Response:

Source https://support.software.dell.com/kb/149435



The K1000 and K2000 are susceptible to the Samba vulnerability outlined in CVE-2015-0240.  The K3000 is not vulnerable as it does not include a Samba server.

K1000 Mitigation

Samba may be disabled on the K1000. Samba is often used as a method of offering access to the K1000 agent installation.  However, such access may be made available using alternative locations and technologies to avoid a need for Samba access to the K1000.

On the K1000, the Samba share is primarily used for agent deployment when the built-in provisioning capability is used.  Other uses include:

  • Access to the agent bundles for various platforms that have been uploaded to the K1000 via a kbin.  A user will download these when they wish to deploy the agent in another way (e.g. load the Windows MSI into a GPO script for deployment using that method).
  • Upload of large software installers.  The Admin UI allows a file up to 2GB in size to be uploaded to set up a software installation (kscript, managed installation, software installer on the user portal).  If a software installer is larger than that, the K1000 uses the Samba share with the correct password specified by the user to upload the file to the K1000.
  • Transfer of K1 resources.  This feature is used to download/upload '.kpkg' configuration files to move configured objects from one K1000 to another.  For most users, .kpkg files are provided by Dell KACE Technical Support and/or training Koaches to assist in configuring more complex objects.  Transferrable objects consist of managed installs, notifications, Service Desk processes, ticket rules, and queues, reports, scripts, smart labels, and custom software inventory.

Since all of these activities described above (including agent provisioning) are typically short-term or one-time uses, we recommend that all customers keep the Samba share off except when engaged in one of the activities listed above.  To turn off the Samba share, authenticate to the  'admin' UI (or the 'system' UI if the K1000 is configured for multiple organizations) on the K1000 and navigate to the Control Panel page from the Settings menu on the left navigation bar.  Select the Security Settings page.   Scroll to the Samba settings and unselect  'Enable File Share' (or 'Enable Organization File Shares' on a multi-org K1000).  NOTE:  Changing this setting will cause the K1000 to reboot.

K2000 Mitigation

Samba may not be disabled on the K2000 without significant impact to functionality. However, as it is not recommended that the K2000 be Internet-facing, the risk of exploit is limited to those on your local network.

For security related recommendations related to the K2000, please visit http://www.kace.com/support/resources/kb/article/K2000-Appliance-Security-Recommended-Practices

This KB article will be updated with new information as it becomes available. Please check this article periodically for updates and links to forthcoming hotfixes.

Answered 03/30/2015 by: wafflesmcduff
Yellow Belt

Don't be a Stranger!

Sign up today to participate, stay informed, earn points and establish a reputation for yourself!

Sign up! or login


This website uses cookies. By continuing to use this site and/or clicking the "Accept" button you are providing consent Quest Software and its affiliates do NOT sell the Personal Data you provide to us either when you register on our websites or when you do business with us. For more information about our Privacy Policy and our data protection efforts, please visit GDPR-HQ