Open Source Insight: Samba Vulnerability, Connected Car Risks, and Are You Ready for GDPR?
By Fred Bals, Senior Content Writer & Editor
Threat of the Week

Threat of the week is the newly discovered remote code execution vulnerability CVE-2017-7494. Chris Fearon, Research Director at Black Duck, advises:

Samba is an open source SMB/CIFS implementation that allows interoperability between Linux and Windows hosts via file and print sharing. A remote code execution vulnerability has been discovered in versions 3.5.0 onwards, which may allow an attacker to upload and execute code as the root user.
More on the Samba Vulnerability

Patches are already available from the Samba project, and from most major Linux distributions.
• The Samba project have provided patches for versions 4.4 onwards, and a workaround for older versions and installations that cannot be upgraded (see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7494).
• Red Hat have patched the vulnerability in RHEL 7, RHEL 6, and RHEL 5 ELS (see https://rhn.redhat.com/errata/RHSA-2017-1270.html).
• The Debian project have patched the vulnerability in Debian 8, Debian 7, and in the “unstable” branch (see https://security-tracker.debian.org/tracker/CVE-2017-7494).
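A defender-side triage helper, added here as an example (not Black Duck's or the Samba project's code): it parses a Samba version string and an smb.conf and reports whether a host is patched, covered by the upstream workaround, or still exposed. It assumes the fixed releases (4.4.14, 4.5.10, 4.6.4) and the `nt pipe support = no` workaround published in the Samba advisory for CVE-2017-7494; the version string and smb.conf below are constructed samples.

```python
import re

# Affected per the Samba advisory: 3.5.0 up to each branch's fixed release
# (4.4.14, 4.5.10, 4.6.4); branches before 4.4 received no patched release.
FIRST_AFFECTED = (3, 5, 0)
FIXED = {(4, 4): (4, 4, 14), (4, 5): (4, 5, 10), (4, 6): (4, 6, 4)}

def parse_version(text):
    """Version tuple from `smbd --version` output such as 'Version 4.4.9-Ubuntu'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no Samba version in %r" % text)
    return tuple(int(x) for x in m.groups())

def is_affected(version):
    """True when the build ships the vulnerable code (3.5.0 <= version < branch fix)."""
    if version < FIRST_AFFECTED:
        return False
    branch = version[:2]
    if branch > max(FIXED):
        return False                 # 4.7 and later were cut after the fix
    fixed = FIXED.get(branch)
    return True if fixed is None else version < fixed   # None: 3.5.x..4.3.x, unpatched

def has_workaround(smb_conf):
    """True when [global] sets 'nt pipe support = no', the upstream workaround for
    hosts that cannot upgrade.  Samba ignores case and spaces in parameter names."""
    section = None
    disabled = False
    for raw in smb_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                 # blank or comment line
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        if sep and section == "global" and key.replace(" ", "").lower() == "ntpipesupport":
            disabled = value.strip().lower() in ("no", "false", "0")   # last setting wins
    return disabled

def triage(version_text, smb_conf):
    """Classify a host: 'patched', 'mitigated' (workaround only) or 'vulnerable'."""
    if not is_affected(parse_version(version_text)):
        return "patched"
    return "mitigated" if has_workaround(smb_conf) else "vulnerable"

# Constructed sample input standing in for `smbd --version` and /etc/samba/smb.conf.
SAMPLE_VERSION = "Version 4.4.9-Ubuntu"
SAMPLE_CONF = """\
[global]
   ; upstream workaround for CVE-2017-7494
   nt pipe support = no
[public]
   path = /srv/samba/public
"""
print(triage(SAMPLE_VERSION, SAMPLE_CONF))   # mitigated
```

On a real host, feed it the output of `smbd --version` and the contents of smb.conf; a "mitigated" result still warrants scheduling the upgrade, since the workaround only disables named pipes.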
Open Source News
• How open source software will drive the future of auto innovations
• 4 Risks in Connected Cars
• Google, IBM and Lyft launch open source project Istio
• Last week: 'OpenVPN client is secure!' This week: 'Unpatched bug in OpenVPN server'
• GDPR compliance by May 2018 deadline 'not a priority' for two in five businesses, survey finds

More Open Source News
• GDPR Deadline: Does “Appropriate Security” Include Open Source Risk?
• Are You Ready for the EU GDPR? What Companies Outside the European Union Need to Know
• Microsoft uses open source software to create Windows
• Why Understanding And Control Should Be Key Parts Of Your Cybersecurity Portfolio
• 7-Year-Old Samba Flaw Lets Hackers Access Thousands of Linux PCs Remotely
How open source software will drive the future of auto innovations

via VentureBeat: Today’s cloud is powered by open source software: 78 percent of businesses run open source software in some form. With the convergence of automobiles and the cloud (supporting autonomous systems and connectivity), it’s quite clear this open source paradigm that took over the cloud will take over the automobile.
4 Risks in Connected Cars

via Black Duck blog (Mike Pittenger): “Car hacking” is certainly a fun subject to talk about (and even more fun to watch). But it’s also a serious topic as the volume of code increases in modern automobiles. The trend started in the 1977 Oldsmobile Toronado, in which a small amount of code managed electronic spark timing. As the chart shows, a high-end car today can include over 100 million lines of code. This software provides convenience (driver assistance), entertainment (infotainment systems), safety (blind spot detection, collision avoidance), and vehicle management benefits.
Google, IBM and Lyft launch open source project Istio

via ZDNet: Google, IBM, and Lyft on Wednesday announced the first public release of Istio, an open source service that gives developers a vendor-neutral way to connect, secure, manage and monitor networks of different microservices on cloud platforms. According to the companies, Istio was created to address the inherent challenges that come with integrating application-based microservices in distributed systems, namely compliance and security.
Last week: 'OpenVPN client is secure!' This week: 'Unpatched bug in OpenVPN server'

via The Register: French security outfit Sysdream has gone public with a vulnerability in the admin interface for OpenVPN's server. The server's mistake is that it doesn't escape the carriage return/line feed (CR/LF) character combination. “Exploiting these vulnerabilities, we were able to steal a session from a victim and then access the application (OpenVPN-AS) with his rights,” the post says, adding that there are serious consequences if the victim is an administrator account.
GDPR compliance by May 2018 deadline 'not a priority' for two in five businesses, survey finds

via Out-Law.com: The General Data Protection Regulation (GDPR) will apply from 25 May 2018 and place a raft of new requirements on organisations over the way they process personal data. Businesses face potential fines of up to 4% of their annual global turnover, or €20 million, whichever is highest, if they fail to comply with the new rules.

Despite this, however, 42% of IT decision makers at large companies based in the UK, France, Germany and the US, surveyed by Varonis Systems, said they do not view compliance with the GDPR by 25 May 2018 "as a priority".
More on GDPR Compliance

Data protection law expert Marc Dautlich of Pinsent Masons, the law firm behind Out-Law.com, said: "An increasing number of businesses, outside just the usual sectors, increasingly report – in their annual accounts, and in other channels – on the importance of their data assets. Similarly, an increasing number apparently fret about cyber risk as a significant issue on their risk registers, as they continue, or in some cases begin, their 'digital' projects."

"In this context, strategic thinkers in these businesses will be looking at surveys like this one and ask themselves how they can most effectively position their businesses to take most advantage of their data assets, including, in some cases, how they can derive competitive advantage by complying with GDPR," he said.
GDPR Deadline: Does “Appropriate Security” Include Open Source Risk?

via Black Duck blog (Fred Bals): Of note is the regulation’s Article 32: organizations will be required to “ensure a level of security appropriate to the risk,” including establishing processes for regularly assessing and testing security practices.

“Security appropriate to the risk” is a key phrase. Many organizations don’t pay sufficient attention to the additional security exposures created by vulnerable open source components, and may not even be aware these exposures exist. Yet today’s software is built on a core of open source, and open source use is pervasive across every industry vertical.

GDPR & Open Source Risk

96% of the 1,000+ applications scanned in Black Duck’s latest Open Source Security and Risk Analysis (OSSRA) were found to have open source in their code, with nearly 70% of those applications having vulnerabilities in the open source components used.

Would a failure to secure against a widely-publicized open source vulnerability disclosed years before become a violation of the requirement for appropriate security if a hack exploiting that vulnerability was used to steal personal data? Very possibly. I for one,
Are You Ready for the EU GDPR? What Companies Outside the European Union Need to Know

via CIO Review: Typically, a law is not applicable beyond the borders of its nation of origin. For example, the Health Insurance Portability Accountability Act (HIPAA) and The Gramm-Leach-Bliley Act (GLBA) are limited to the scope of the United States. Likewise, the laws set forth by the Canadian Privacy Commission do not protect those outside of Canada. However, there is soon to be an exception to the rule with the enactment of the European Union General Data Protection Regulation (EU GDPR).
Microsoft uses open source software to create Windows

via ZDNet: Windows will almost certainly never be open source, but virtually all Microsoft Windows engineers are now using the open-source program Git to build Windows on.

In 2017, Microsoft open-sourced Git Virtual File System (GVFS), under the MIT License. GVFS enabled Microsoft's product teams to scale the Git client to deal with its monstrously large source code repos.

Since then, Microsoft started porting all -- and I mean all -- the Windows code to Git and GVFS. The work is now largely done and Microsoft is enjoying the fruits of its open-source labor in creating the largest Git repo on the planet.
Why Understanding And Control Should Be Key Parts Of Your Cybersecurity Portfolio

via Forbes: Nowhere in tech is the old adage of knowledge is power more pertinent than in relation to security. Threats thrive when companies have little transparency into their own operations, when intruders can move laterally from one system, or one network, to another, without being detected because the business lacks controls and the ability to see its technology in its entirety.
7-Year-Old Samba Flaw Lets Hackers Access Thousands of Linux PCs Remotely

via The Hacker News: A 7-year-old critical remote code execution vulnerability has been discovered in Samba networking software that could allow a remote attacker to take control of affected Linux and Unix machines.

Samba is open-source software (re-implementation of SMB networking protocol) that runs on the majority of operating systems available today, including Windows, Linux, UNIX, IBM System 390, and OpenVMS.

Samba allows non-Windows operating systems, like GNU/Linux or Mac OS X, to share network shared folders, files, and printers with Windows operating systems.

The newly discovered remote code execution vulnerability (CVE-2017-7494) affects all versions newer than Samba 3.5.0, which was released on March 1, 2010.

More details about the Samba vulnerability in this blog post by Christopher Fearon - Research Director
Subscribe

Stay up to date on open source security and cybersecurity – subscribe to our blog today.