Samba vulnerability calls to mind WannaCry fears for Linux/UNIX

Researchers have released a warning that many Linux and UNIX systems contain a Samba vulnerability that could eventually lead to attacks similar to WannaCry, or worse.

According to the Samba security advisory, the vulnerability (CVE-2017-7494) affects version 3.5 and newer. It is remotely exploitable and could allow a malicious client to upload a shared library to a share and cause the server to load and execute it.

Nick Bilogorskiy, senior director of threat operations at Cyphort, said that although there were no active exploits against Samba yet, the consequences could be severe. "Because this vulnerability allows remote code execution, attackers will have full control over a compromised machine, and any payload is possible," Bilogorskiy told SearchSecurity. "For example, [an attacker could] drop a backdoor, steal data from the system, spy on the user, attack other systems or try to encrypt all data for a ransom."

Lane Thames, senior security researcher at Tripwire, said enterprises should act fast to patch this vulnerability and ensure that no unnecessary Samba services are exposed to the internet.

Remediation guidance has been circulated to users. Rapid7 Labs suggested that organizations review their firewall rules to ensure that Samba network traffic is not allowed directly from the internet to their assets. Samba has also released a patch for the vulnerability, and noted that adding the line "nt pipe support = no" to the global section of the Samba configuration file may mitigate the threat.

Thames further added: "Enterprise server vendors are moving fast to push out patches to enterprise customers for this Samba vulnerability. However, [network-attached storage] vendors might not move so quickly on this and in some cases they might not even issue patches for this."

What links WannaCry and the Samba vulnerability is that both affect the same protocol. Bilogorskiy warned that any Samba worm would hit Linux and UNIX servers, most of which do not have auto-update enabled. In fact, some of these UNIX systems run for years without any maintenance. Also, unlike workstations, most of them are always on; users never power them off. The more Samba servers that are directly connected to the internet, the more unpatched online targets a worm has to infect.

FAQ
Q
How to prevent this and other container exploits of Samba?
A
For continuous detection and prevention, a distributed container firewall such as NeuVector should be in place to detect these critical vulnerabilities and real-time exploits. By default, port 445, which is used in this exploit, should not be open to the public. Even for internal east-west traffic, NeuVector will block unnecessary network access, and these attacks will be detected, alerted on and blocked at every step of the kill chain.
Q
Why protect an unpatched Samba server?
A
The following instructions will help give your Samba server some protection against security vulnerabilities if you are unable to (or until you are able to) upgrade to the patched version. Even if you do upgrade, you might like to think about the suggestions here to provide additional levels of protection.
Q
How to upgrade Samba?
A
Of course, the best solution is to upgrade Samba to a version where the bug has been fixed. Using one of the additional measures described here as well would certainly be a good idea.

Please check regularly on samba.org for updates and important announcements: https://www.samba.org/
Q
How to use interface protection?
A
By default, Samba will accept connections on any network interface that it finds on your system. That means if you have an ISDN line or a PPP connection to the Internet, Samba will accept connections on those links. This may not be what you want.

You can change this behavior using options like the following:

interfaces = eth* lo
bind interfaces only = yes

This tells Samba to only listen for connections on interfaces with a name starting with 'eth', such as eth0 and eth1, plus on the loopback interface called 'lo'. The names you will need to use depend on what OS you are using; the above uses the common name for ethernet adapters on Linux.
Q
How to limit the number of concurrent connections?
A
Samba is able to limit the number of concurrent connections when smbd is launched as a daemon (not from inetd). The 'max smbd processes' smb.conf option allows administrators to define the maximum number of smbd processes running at any given point in time. Any further attempts by clients to connect to the server will be rejected.
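As an added example (not code from the Samba project or from this article), the following Python script audits an smb.conf for the mitigations discussed above: the "nt pipe support = no" workaround from the advisory, the interfaces / bind interfaces only restriction, the 'max smbd processes' cap, and shares that are writable (the exploit needs a writable share to place its library). The two configurations embedded in it are constructed samples, one with the weak defaults and one hardened; the parser assumes Samba's documented syntax (full-line # or ; comments, option names that are case- and whitespace-insensitive, backslash line continuation, last value wins).

```python
"""Audit an smb.conf for the CVE-2017-7494 mitigations discussed on this page.

Added example, not Samba project code. Assumes Samba's smb.conf syntax:
[section] headers, 'key = value' lines, full-line comments starting with
'#' or ';', option names compared case- and whitespace-insensitively,
a trailing backslash continuing a line onto the next one.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: shipped-style defaults with one writable public share.
WEAK_CONF = """
[global]
   workgroup = WORKGROUP
   server string = file server

[public]
   path = /srv/samba/public
   writable = yes
   guest ok = yes
"""

# Constructed sample: the same server with the page's mitigations applied.
HARDENED_CONF = """
[global]
   workgroup = WORKGROUP
   nt pipe support = no
   interfaces = eth* lo
   bind interfaces only = yes
   max smbd processes = 100

[public]
   path = /srv/samba/public
   read only = yes
"""

_SECTION = re.compile(r"^\s*\[([^\]]+)\]\s*$")
_KV = re.compile(r"^\s*([^=]+?)\s*=\s*(.*?)\s*$")

Params = List[Tuple[str, str]]  # ordered (normalised key, raw value) pairs


def _norm(key: str) -> str:
    # Samba treats "nt pipe support", "NT Pipe Support" and "ntpipesupport" alike.
    return re.sub(r"\s+", "", key).lower()


def parse_smb_conf(text: str) -> Dict[str, Params]:
    """Return {section name (lowercased): ordered list of (key, value)}."""
    sections: Dict[str, Params] = {}
    current: Optional[str] = None
    buf = ""  # accumulates backslash-continued lines
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        line, buf = buf + line, ""
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":
            continue  # blank or full-line comment
        m = _SECTION.match(line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, [])
            continue
        m = _KV.match(line)
        if m and current is not None:
            sections[current].append((_norm(m.group(1)), m.group(2)))
    return sections


def last_value(params: Params, key: str) -> Optional[str]:
    """Samba applies options in file order, so the last occurrence wins."""
    val = None
    for k, v in params:
        if k == key:
            val = v
    return val


def to_bool(value: str) -> bool:
    return value.strip().lower() in ("yes", "true", "1")


def share_is_writable(params: Params) -> bool:
    """Default is 'read only = yes'; 'writable', 'writeable' and 'write ok'
    are inverted synonyms of 'read only', applied in order."""
    writable = False
    for k, v in params:
        if k == "readonly":
            writable = not to_bool(v)
        elif k in ("writable", "writeable", "writeok"):
            writable = to_bool(v)
    return writable


def audit(text: str) -> List[str]:
    """Return a list of findings; an empty list means all checks passed."""
    conf = parse_smb_conf(text)
    g = conf.get("global", [])
    findings: List[str] = []

    ntps = last_value(g, "ntpipesupport")  # Samba default: yes
    if ntps is None or to_bool(ntps):
        findings.append("nt pipe support is enabled; advisory workaround "
                        "'nt pipe support = no' is not set")

    bio = last_value(g, "bindinterfacesonly")
    if not (bio and to_bool(bio) and last_value(g, "interfaces")):
        findings.append("smbd listens on every interface; set 'interfaces' "
                        "and 'bind interfaces only = yes'")

    maxp = last_value(g, "maxsmbdprocesses")  # Samba default: 0 (unlimited)
    if maxp is None or not maxp.strip().isdigit() or int(maxp) <= 0:
        findings.append("no cap on concurrent connections; "
                        "'max smbd processes' unset or 0")

    for name, params in conf.items():
        if name != "global" and share_is_writable(params):
            findings.append(f"share [{name}] is writable; a writable share "
                            "is what the exploit needs to drop its library")
    return findings


if __name__ == "__main__":
    for label, conf_text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {label} ==")
        for finding in audit(conf_text) or ["no findings"]:
            print(" -", finding)
```

Run it against a real file with `audit(open("/etc/samba/smb.conf").read())`; a clean result does not replace the patch, it only confirms the interim mitigations are in place.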