Vulnerability Scan

Procedure:

Verify the vulnerability has not already been properly reported at: https://www.johnsoncontrols.com/cyber-solutions/security-advisories

Email the GPS (Global Product Security) team at: productsecurity@jci.com

Provide vulnerability analysis in this email and any relevant links
Provide customer details and contact information in this email
Provide software product and software versions in this email
CC the customer on the email

Inform the customer you have notified the appropriate team (GPS) and will be closing the Support ticket.

Our Global Product Security team will then be responsible for following up with this customer and resolving vulnerability.

<br>

Summary:

This is a procedure to remove unused Samba services to avoid potentially being detected by a vulnerability scan. Unless the server is an S-Series, these services are most likely not being used and may be disabled.

More Information:

Samba is a collection of services that allow for file sharing across a network with other Windows systems. However, the default Samba configuration may lead to being flagged as a vulnerability with some security scanners, such as “null session/password NetBIOS access.“

Steps:

All versions of Ubuntu:

To verify whether smbd (SMB file service) and/or nmbd (NetBIOS name resolution service) are currently running:
- admin@ER1234567890:~$ ps agux | grep mbd
- root 1225 0.0 0.0 20416 1176 ? Ss Jun26 35:24 nmbd -D
- root 25965 2.5 0.1 33284 6844 ? Ds 18:13 0:00 smbd -F
- root 25967 0.0 0.0 31480 2388 ? S 18:13 0:00 smbd -F
A third related service is samba-ad-dc, which allows a Linux workstation to function as a Active Directory domain controller.
Confirm the installed version of Ubuntu with:
- admin@ER1234567890:~$ sudo lsb_release -a
- No LSB modules are available.
- Distributor ID: Ubuntu
- Description: Ubuntu 16.04.4 LTS
- Release: 16.04
- Codename: xenial

Ubuntu v14.04:

System services are managed via initscripts:

/etc/init.d/samba (starts smbd, nmbd, and samba-ad-dc as a group)

/etc/init.d/smbd

/etc/init.d/nmbd

/etc/init.d/samba-ad-dc

First, STOP these services:
- sudo service smbd stop
- sudo service nmbd stop
- sudo service samba-ad-dc stop
Then, DISABLE these services. The command will respond with a message resembling “system start/stop links for XXXXX do not exist.“
- sudo update-rc.d samba disable
- sudo update-rc.d smbd disable
- sudo update-rc.d nmbd disable
- sudo update-rc.d samba-ad-dc disable

Ubuntu v16.04:

System services are managed via a combination of initscripts and Upstart.

First, STOP these services in the same manner as listed above in the “Ubuntu v14.04” section.
Then, DISABLE these services in the same manner as listed above in the “Ubuntu v14.04” section.
Finally, these services should be set to MANUAL for Upstart:
- sudo su
- echo manual > /etc/init/smbd.override
- echo manual > /etc/init/nmbd.override
- echo manual > /etc/init/samba-ad-dc.override

Ubuntu v18.04 or newer:

System services are managed via systemd.

First, STOP these services:
- sudo systemctl
- stop smbd sudo systemctl
- stop nmbd sudo systemctl
- stop samba-ad-dc
Then, DISABLE these services from automatic startup at boot:
- sudo systemctl disable smbd
- sudo systemctl disable nmbd
- sudo systemctl disable samba-ad-dc
For extra security, use the following commands to PREVENT these services from being manually started:
- sudo systemctl mask smbd
- sudo systemctl mask nmbd
- sudo systemctl mask samba-ad-dc