Slashdot Mirror


Newly Discovered Vulnerability Raises Fears Of Another WannaCry (reuters.com)

A newly found flaw in widely used networking software leaves tens of thousands of computers potentially vulnerable to an attack similar to that caused by WannaCry, which infected more than 300,000 computers worldwide, cybersecurity researchers said on Thursday. From a Reuters report: The U.S. Department of Homeland Security on Wednesday announced the vulnerability, which could be exploited to take control of an affected computer, and urged users and administrators to apply a patch. Rebekah Brown of Rapid7, a cybersecurity company, told Reuters that there were no signs yet of attackers exploiting the vulnerability in the 12 hours since its discovery was announced. But she said it had taken researchers only 15 minutes to develop malware that made use of the hole. "This one seems to be very, very easy to exploit," she said. Rapid7 said it had found more than 100,000 computers running vulnerable versions of the software, Samba, free networking software developed for Linux and Unix computers.

109 comments

  1. And the link to the CVA is? by grnbrg · · Score: 1

    Or something with more details?

    1. RE: And the link to the CVA is? by Anonymous Coward · · Score: 5, Informative

      https://www.samba.org/samba/security/CVE-2017-7494.html

      ===========
      Description
      ===========

      All versions of Samba from 3.5.0 onwards are vulnerable to a remote
      code execution vulnerability, allowing a malicious client to upload a
      shared library to a writable share, and then cause the server to load
      and execute it.

      ==========
      Workaround
      ==========

      Add the parameter:

      nt pipe support = no

      to the [global] section of your smb.conf and restart smbd. This
      prevents clients from accessing any named pipe endpoints. Note this
      can disable some expected functionality for Windows clients.

    2. Re:And the link to the CVA is? by courteaudotbiz · · Score: 4, Insightful

      You have to dig deep in the summary to get to know that Samba is the vulnerable piece of software, and the article has no technical detail. Would have been nice to get a real news title like "Critical vulnerability found in Samba on Linux", and yes, with a link to the CVE.

      It looks like the typical clickbait article. That's not what /. users want. We want some gravy, Crunch tech detail, specs, version numbers, and the most important thing, what version numbers are vulnerable and is it patched in the most recent releases.

    3. Re:And the link to the CVA is? by courteaudotbiz · · Score: 5, Informative

      For this critical info, a quick search on Google News got me this.

      Extract:

      All versions of Samba from 3.5.0 onwards are vulnerable to a remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it. A patch addressing this defect has been posted to http://www.samba.org/samba/security/ Additionally, Samba 4.6.4, 4.5.10 and 4.4.14 have been issued as security releases to correct the defect. Patches against older Samba versions are available at http://samba.org/samba/patches.... Samba vendors and administrators running affected versions are advised to upgrade or apply the patch as soon as possible.

    4. Re:And the link to the CVA is? by Anonymous Coward · · Score: 1

      https://www.samba.org/samba/security/CVE-2017-7494.html

      Every non-joke admin has already applied the security fixes since at least yesterday. And no, I am not kidding: all distros worth bothering with (plus samba upstream) released fixed versions yesterday.

      Of course, the clouded cloud ops-that-aren't likely have no idea they need to update their base images. And Linux users are not usually that much better than windows users at applying security updates, so, yes, a new Wannacry is quite possible.

      And on Linux it will use real crypto software if the crooks are not utterly incompetent, so your chance of retrieving the key is _zero_. Maybe you can find it in the filesystem; it is easier to use crypto right in a typical Linux desktop/server than it is to get rid of old contents of a file on the raw device :p

    5. Re: And the link to the CVA is? by bobmajdakjr · · Score: 1

      cheers to those with the stamina to dig that out. the summary posted was so dumb.

    6. Re:And the link to the CVA is? by Anonymous Coward · · Score: 0

      Sorry for "muh comp" question:

      Is this vulnerable by default on a Linux box? Like if I never configured Samba at all (I didn't), do I have to worry about any of my VMs or my main box? Specifically Ubuntu and Fedora.

    7. Re:And the link to the CVA is? by courteaudotbiz · · Score: 4, Informative

      If you did a minimal install and installed all your stuff manually, never installed samba, you are safe. BUT just to make sure, issue the command: smbstatus

      If you get an output other than -bash: smbstatus: command not found, double validate if it is running.

      Using systemd:
      systemctl status smb
      If you get an output different than Unit smb.service could not be found., you can assume samba is installed. You either make sure it is disabled (systemctl disable smb), or you update it.

    8. Re: And the link to the CVA is? by courteaudotbiz · · Score: 2

      You mean the stamina to do a 5-second search on Google and post meaningful links in their submission? I don't call this "stamina", I call this non-laziness.

    9. Re: And the link to the CVA is? by vtcodger · · Score: 3, Informative

      FWIW, it looks like running lsof -i will tell unix users what ports are open. If port 445 is open, you might want to kill smbd while you sort things out. Purportedly adding "nt pipe support = no" to your smb.conf file and restarting smbd might allow some samba capability while still stopping the threat. See
      https://www.samba.org/samba/se...

      Note: If this advice turns your system into a quivering ball of protoplasm, Don't blame me. I'm only the messenger.

      --
      You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey
    10. Re: And the link to the CVA is? by Anonymous Coward · · Score: 0

      At which point I wonder what benefit slashdot has if I need to find all of the critical information myself...

    11. Re: And the link to the CVA is? by Anonymous Coward · · Score: 0

      It's not laziness to expect the summary to include that data. What's more efficient: the author/submitter/editor including that info, or EVERYONE READING SLASHDOT googling it?

      Jeeze louise.

    12. Re:And the link to the CVA is? by Jerry · · Score: 1

      "And Linux users are not usually that much better than windows users at applying security updates, so, yes, a new Wannacry is quite possible."

      Doubtful. All Ubuntu based distros had the patch pushed out yesterday. That would also include Mint and several others besides Kubuntu and KDE Neon (which is what I run).
      Linux users stupid enough to turn off their automatic updates (which is on by default) deserve what they get.

      --

      Running with Linux for over 20 years!

    13. Re: And the link to the CVA is? by CanadianMacFan · · Score: 1

      Stopping smbd and removing any Windows machines that you have connect to your server will better and relieve more stress in your life. /s

    14. Re: And the link to the CVA is? by Anonymous Coward · · Score: 0

      Slashdot is not a news site. It's a discussion forum. Everything here is old news, we're just here to chat about it. If you don't know, you had all day or days to look it up. And, yes, that is on you. We are not here to spoon feed anybody.

    15. Re:And the link to the CVA is? by Anonymous Coward · · Score: 0

      There are a fair number of pre-configured VM images for an appliance type setup that don't have updates enabled. It has been a while but I think the minimal install options for Debian and CentOS don't have automatic updates configured.

  2. More information: by grnbrg · · Score: 4, Informative
    1. Re:More information: by Anonymous Coward · · Score: 0

      Thanks for answering your own question mate, much obliged.

  3. Bury the lede much? It's a SAMBA problem by CajunArson · · Score: 0

    This is a pretty important bug in SAMBA that, if you read the patch, all boils down to a major failure to validate user input by accepting directory paths with the "/" character in named pipes where they don't belong.

    Of course, you wouldn't know that after Slashdot got done with its editorial disinformation.

    --
    AntiFA: An abbreviation for Anti First Amendment.
    1. Re:Bury the lede much? It's a SAMBA problem by Anonymous Coward · · Score: 0

      I was told that no one hacks Linux because no one uses it, so that means either this "hack" is FAKE NEWS, or there's more Linux users than the Windows fanboys want to admit.

    2. Re:Bury the lede much? It's a SAMBA problem by mr_mischief · · Score: 4, Informative

      Actually, it's a completely optional daemon that runs on top of Linux to support Windows clients from Linux or let Linux be a client for Windows drive sharing. It's not part of the OS, it's not mandatory to run with the OS, it's not related to the running of an all-Linux network, and it's based on specifications from the Windows folks.

    3. Re:Bury the lede much? It's a SAMBA problem by ScentCone · · Score: 3, Informative

      Yup. But it IS very widely used. Though hopefully it's only very, very rarely exposed to the internet.

      --
      Don't disappoint your bird dog. Go to the range.
    4. Re:Bury the lede much? It's a SAMBA problem by sanf780 · · Score: 1

      Even if it is optional, many people share files between Linux and Windows. At work we are using RHEL6 and I sometimes share files between the OS I use for work and the OS I use for drawing shiny little slides. Many average consumers that bought a home NAS use the SMB protocol for sharing stuff. The issue is that for the average consumer, SMB just works.

      Maybe not today, though.

    5. Re:Bury the lede much? It's a SAMBA problem by Anonymous Coward · · Score: 1

      Though hopefully it's only very, very rarely exposed to the internet.

      It doesn't matter, all it takes is a compromised computer on the intranet whose ... *ahem* ... infection knows to scan for and exploit this vulnerability. Same as with WCry, really.

    6. Re:Bury the lede much? It's a SAMBA problem by cheesybagel · · Score: 1

      You could delete half the news item text and you wouldn't lose anything. The first paragraph is useless scare mongering, while the second paragraph only has relevant information at the end. This is getting pretty pathetic. I thought Slashdot had better tech coverage than this. It's like I'm reading a frikin news for dummies site.

      How about just saying a vulnerability in Samba was found, describe the vulnerability, then the impact? kthx bye.

    7. Re:Bury the lede much? It's a SAMBA problem by cheesybagel · · Score: 1

      It could be worse. It could be an SSH or SSL bug.

    8. Re:Bury the lede much? It's a SAMBA problem by Anonymous Coward · · Score: 0

      This could be quite significant for embedded devices such as multifunction printers.

    9. Re:Bury the lede much? It's a SAMBA problem by Anonymous Coward · · Score: 0

      Samba is *never* supposed to be exposed to the internet, the same way you are never supposed to expose windows SMB (any version) to the internet.

      And the border perimeter protection to avoid exposing them is the same, so in-depth wannacry defenses also protect samba (and vice-versa).

      However, as usual, you have to fear other vectors that bypass any perimeter firewalling: phish, drive-by javascript, user stupidity.

      Many distros _do_ deploy per-host firewalling, but chances are anyone that installed samba has open smb ports for it to actually work :-)

    10. Re:Bury the lede much? It's a SAMBA problem by Jeremy+Allison+-+Sam · · Score: 5, Informative

      Yes, that is the core of the bug. However, I can offer some explanation into how it happened.

      There are 2 subsystems involved here.

      (1). Load a shared library module and execute it.

      This has many uses inside Samba.

      (2). Allow a client request on an RPC pipe to be routed to an external process or library.

      This allows Samba to be built without embedding all the named pipe services inside it, which makes it a smaller binary for embedded vendors.

      Unfortunately an old commit connected the two subsystems together, re-using the shared library module existing code to find and load the service the client was asking for. There was insufficient sanitization of the requesting name which caused the problem.

      The commit happened in 2009, before we had two-engineer design and review practices and the full regression test suite we now use.

      Eventually I want to remove the ability to load any shared modules containing more than one path component. This has to be done carefully however to avoid breaking existing configured systems that may depend on this.

    11. Re:Bury the lede much? It's a SAMBA problem by Anonymous Coward · · Score: 0

      Oh sure nobody puts their shitty never-updated NAS naked on the internet with no firewall.

      Yeah this is gonna be shitstorm.

    12. Re:Bury the lede much? It's a SAMBA problem by Anonymous Coward · · Score: 0

      "...The first paragraph is useless scare mongering. ..."
      My friend, this is called "journalism". Facts are dry and boring, especially if a fix has already been deployed, but sexing up the "story" with some spin and framing, that's journalism, baby!
      Journalism is based on "stories", herein lies the problem, important stuff may be obtuse and boring. Statistics may tell a better picture of reality.
      On a related note, Linux Mint 18 had dumped SAMBA, and also Ubuntu, a while ago, for other reasons (?).

    13. Re:Bury the lede much? It's a SAMBA problem by jedidiah · · Score: 1

      > Oh sure nobody puts their shitty never-updated NAS naked on the internet with no firewall.

      You would kind of have to go out of your way to do that, actually. You can't just plug it into the home network. You have to go to where your router physically is and manually wire it up upstream of your firewall.

      It would likely get a routable IP address instead of a local non-routable one and possibly not talk to your own internal network very well.

      That's not likely to happen by accident.

      --
      A Pirate and a Puritan look the same on a balance sheet.
    14. Re:Bury the lede much? It's a SAMBA problem by phantomfive · · Score: 1

      Is there anywhere that is posted the security practices you now use? That would be interesting to read about.

      --
      "First they came for the slanderers and i said nothing."
    15. Re:Bury the lede much? It's a SAMBA problem by drinkypoo · · Score: 1

      When I got DSL the first time, Pac Bell gave me a DSL router and five IP addresses. Naked, unfiltered IP addresses, because the DSL router did not do any firewalling (I'm not sure if it even could or not) and all internet-routable. The way I used this environment was to put one router on one IP and only use that one IP, but you can assume that most people who had more than one machine just got a hub or switch and plugged their machines into it.

      Today, this is probably fairly unusual. Most of us only get one IP due to shortages. IPv6, on the other hand, may bring that state of affairs back.

      Can this vuln be exploited via IPv6?

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    16. Re:Bury the lede much? It's a SAMBA problem by thegarbz · · Score: 3, Informative

      Though hopefully it's only very, very rarely exposed to the internet

      Shodan only lists 485000 instances of samba exposing port 445 to the internet. ...

      Don't assume Linux admins are immune to stupid.

    17. Re:Bury the lede much? It's a SAMBA problem by Jeremy+Allison+-+Sam · · Score: 1

      > Can this vuln be exploited via IPv6?

      Yes.

    18. Re:Bury the lede much? It's a SAMBA problem by Jeremy+Allison+-+Sam · · Score: 2

      Coverity analysis, Codenomicon fuzzing, all changes peer-engineer review, no code changes without regression test coverage, no back-ports without a bug report.

      Pretty basic stuff for professional code quality these days.

      For this one, the only way to catch it would have been the peer-engineer review and fuzzing steps, and we weren't doing them back in 2009.

    19. Re:Bury the lede much? It's a SAMBA problem by drinkypoo · · Score: 1

      To my mind that is where the likely danger lies today, because people may be bridging a whole block of routable addresses into their home. But maybe I'm way off-base here. Besides, one can't just dismiss the problem by saying that they're firewalled. If someone brings in a USB stick and sticks it in the Windows machine that one is using samba to support in the first place, then who knows what will happen on your network. It's not like you can trust the local net.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    20. Re:Bury the lede much? It's a SAMBA problem by grahamsz · · Score: 1

      Maybe.

      I no longer have an IPv6 capable ISP to test with, but when I was on comcast I was impressed that I could ssh directly into a machine running at home behind my router. There are almost certainly people who've enabled ipv6 without realizing that.

      However comcast were issuing a /64 to every user, so that gave me 18,446,744,073,709,551,616 addresses for my house. Good luck getting nmap to find open samba servers in that kind of an address space.

    21. Re:Bury the lede much? It's a SAMBA problem by a_claudiu · · Score: 1

      Does Shodan make the difference between a Linux and a Windows machine which are both using port 445?

    22. Re:Bury the lede much? It's a SAMBA problem by giggles778 · · Score: 1

      when maintainers let us know what's up with a flaw on slashdot. i love the linux community for stuff like this. thank you for commenting here with answers :)

    23. Re:Bury the lede much? It's a SAMBA problem by thegarbz · · Score: 1

      Yes.

      You can also filter by versions which is where the article got the 100000 with versions that are exploitable.

    24. Re:Bury the lede much? It's a SAMBA problem by mr_mischief · · Score: 1

      Those SMB shares should never be open to the Internet. There are plenty of ways to get into a local network and then scan for this sort of thing, though. Layers of security are always important.

    25. Re: Bury the lede much? It's a SAMBA problem by buchanmilne · · Score: 1

      "or let Linux be a client for Windows drive sharing"

      No, smbd isn't required for this, and nmbd is optional if you have working DNS; winbind is only required to map NT SIDs to Linux UIDs if the client is joined to a domain without the RFC2307 schema.

      So, no daemon required for that; mount.cifs from cifs-utils may be all you need.

    26. Re: Bury the lede much? It's a SAMBA problem by mr_mischief · · Score: 1

      The nmbd client is part of the Samba project. Many installers ask if you "need SMB support" and install both. The Samba project is indeed for both being a server and a client. I'm so, so sorry I offended you because only one part of the project has the gaping security hole.

    27. Re: Bury the lede much? It's a SAMBA problem by mr_mischief · · Score: 1

      Sorry, cifs-utils is also part of the Samba project.

  4. Re:I'm going to laugh my ass off... by bigwheel · · Score: 1

    "I'm going to laugh my ass off when a vulnerability like this is found on Linux and you smug bastards get exploited en masse. It's just a matter of time, and I can't wait until it happens. Yay!"

    Meanwhile, we commend you on your dedication to Microsoft.

  5. So dangerous by Anonymous Coward · · Score: 1

    I had to read till halfway through the last sentence to find out what software was actually affected.

    Keep up the clickbait

  6. Re:I'm going to laugh my ass off... by Anonymous Coward · · Score: 0

    you guys have such a firm grasp on what is going on with computer security. amazing stuff.

  7. Re:I'm going to laugh my ass off... by phantomfive · · Score: 4, Informative

    This one is on Linux, but it's not as bad as the headline makes it seem. You need write access to a shared drive over Samba for it to be effective. Wannacry iirc could attack clients, not just servers, and write access wasn't necessary.

    I'll be honest, if you're giving remote anonymous write access to your Samba share on the open internet, you should probably stop doing that. Figure out another way to achieve that goal.

    --
    "First they came for the slanderers and i said nothing."
  8. Re:I'm going to laugh my ass off... by Anonymous Coward · · Score: 1

    If you have a SAMBA share on the open internet you should stop doing that. There are much better ways to accomplish file sharing.

  9. Put SAMBA in the headline by chispito · · Score: 2

    If it's a SAMBA vuln, put the word "SAMBA" in your headline or, at the very least, in the first line of the summary.

    --
    The Daddy casts sleep on the Baby. The Baby resists!
    1. Re:Put SAMBA in the headline by Jeremy+Allison+-+Sam · · Score: 1

      Yeah, but Slashdot has always disliked Samba since time immemorial.

      I think it's because early Samba Team member Tim Potter (tpot) used to troll slashdot for fun, and CmdrTaco *hated* the trolls :-).

  10. Beware of the hoodie by Gorilla_Man · · Score: 1

    My favorite part is the photo caption on the reuters link:
    FILE PHOTO: A hooded man holds a laptop computer as blue screen with an exclamation mark is projected on him in this illustration picture taken on May 13, 2017.

    1. Re:Beware of the hoodie by Anonymous Coward · · Score: 0

      I didn't approve of my likeness being used this way. I AM GOING TO SUE!

  11. Re:I'm going to laugh my ass off... by guruevi · · Score: 4, Informative

    The vulnerability has a lot of prerequisites:
    - You need write access to a share
    - You need to know the underlying directory structure
    - You end up with a shell as user "nobody"

    Sure it's bad, but it's not WannaCry bad. At best you get a shell to execute some replication code, at worst you get nothing (modern SELinux, Solaris etc refuse execution rights to nobody).

    --
    Custom electronics and digital signage for your business: www.evcircuits.com
  12. Re:I'm going to laugh my ass off... by Xenna · · Score: 3, Interesting

    As I understand it Wannacry only used an SMB vulnerability when it had already infected a PC via a mailed exploit. Only one employee opening an attachment could quickly infect a whole company network.

    So, this one could be used in the same scenario even without having open shares on the Internet.

  13. 100,000 computers by lastman71 · · Score: 1

    had found more than 100,000 computers running vulnerable versions of the software

    Do you mean that there are 100,000 computers with samba exposed on the internet? That is scary....

    1. Re:100,000 computers by Guybrush_T · · Score: 1, Insightful

      Wait, you also need to have a writable share. This should reduce the count to ... 2 ?

    2. Re:100,000 computers by RhettLivingston · · Score: 1

      You need a writeable share exposed to the intranet for this to work like wannacry. If you're running samba, that is very likely the case. Why else run samba than to allow windows machines on your network to access it? Many corporations use linux machines running samba as web servers for windows machines.

      Once a windows or linux user opens any single email with an exploit and writes it to any samba share on your corporate network, the worm could then hit every machine within the intranet that is vulnerable.

      What is really bad is that this response of denial is simply repeating history. The following quote is from this ars article.

      "When the Windows vulnerability was first disclosed in April, many security experts assumed it would be hard to exploit because few computers would expose file- and print-sharing capabilities on the Internet. The rapid spread of WCry quickly dashed those assumptions. Dan Tentler, founder of security firm Phobos Group, told Ars that more than 477,000 Samba-enabled computers exposed port 445, although it wasn't clear how many of them were running a vulnerable version of the utility. Tentler cited figures returned by the Shodan computer search engine."

    3. Re:100,000 computers by thegarbz · · Score: 1

      No. There's 485000 computers with Samba exposed to the internet. There's 100000 running a version of Samba with this vulnerability.

    4. Re:100,000 computers by thegarbz · · Score: 1

      You think someone who exposes a Samba machine directly to the internet has the intelligence to not put a writable share on there?
      Linux admins are immune to being incredibly stupid.

    5. Re:100,000 computers by pjt33 · · Score: 0

      Why else run samba than to allow windows machines on your network to access it?

      I have a read-only samba share on my desktop which I use to copy photos to my Android phone so that I can bore my colleagues with them. It's the simplest method I've found.

    6. Re: 100,000 computers by Brockmire · · Score: 1

      The irony of calling someone stupid while making a stupid error.

    7. Re: 100,000 computers by thegarbz · · Score: 1

      The irony of calling out a stupid error while confusing stupid with a typo. Get over yourself.

  14. Re:Newly Discovered Vulnerability Raises Fears by Anonymous Coward · · Score: 0

    I'm sure you'll find something. In the meantime, I'm hammering away getting work done on my Win7 machine. Talk about user-friendly and bulletproof. Anyway, enjoy your malware! Toodles!

  15. Re:I'm going to laugh my ass off... by Anonymous Coward · · Score: 1

    Samba is only used by Linux people when they talk to Windows machines. Take Windows out of the picture and Samba is no longer necessary. Saying that this is a problem for all Linux is like saying that a vulnerability in the Windows Linux Subsystem is a problem for all Windows users.

  16. Re:I'm going to laugh my ass off... by Anonymous Coward · · Score: 1

    I use samba to make my video/audio library easily accessible for Linux machines running Kodi (readonly though). Sure I could use nfs, but samba was the easiest to setup.

  17. Re:I'm going to laugh my ass off... by jedidiah · · Score: 1

    The operative word in your screed is WHEN.

    Have fun waiting.

    --
    A Pirate and a Puritan look the same on a balance sheet.
  18. Re:I'm going to laugh my ass off... by Anonymous Coward · · Score: 0

    They'll just hand-wave it away saying "well it's fixed, you just need to update!" Ignoring, of course, lack of updates is why WannaCry spread.

  19. Samba seems to be aware of something by Anonymous Coward · · Score: 0
  20. Bigger than it sounds at first? by Fencepost · · Score: 1

    This is affecting SAMBA, so that means Linux (and *BSD) boxes, but that may also include most NAS units and an awful lot of set-top boxes, streaming devices, etc. if they're accessible from Windows systems.

    --
    fencepost
    just a little off
    1. Re:Bigger than it sounds at first? by Anonymous Coward · · Score: 0

      My thought exactly.

    2. Re: Bigger than it sounds at first? by Anonymous Coward · · Score: 0

      But the attacker needs to have an account on your device with write access for this to work, so unless you give anonymous write access on your NAS it will still be unaffected.

  21. Re:I'm going to laugh my ass off... by RhettLivingston · · Score: 1

    And there can be good reason for lack of updates. From the ars article on the subject today:

    "Researchers with security firm Rapid7, meanwhile, said they detected 110,000 devices exposed on the Internet that appeared to run vulnerable versions of Samba. 92,500 of them appeared to run unsupported versions of Samba for which no patch was available."

    That directly mirrors the windows situation in which many of the infected machines were running unsupported OS versions.

  22. Re:I'm going to laugh my ass off... by Altrag · · Score: 1

    Ahh I was looking for a zealot who didn't read far enough through the article and spouted off a stereotypical "just switch to Linux!" post. But this batch of mental gymnastics is a pretty close second.

    And no, it's nothing like that. The number of Linux machines that have to interact with Windows (especially in commercial environments) significantly dwarfs the number of people who use WLS. Maybe that won't always be the case, but it certainly is for now, if for no other reason than because WLS is extremely new while Samba's been around for decades.

    Sure, you're technically correct that it's not a problem for "all" Linux machines.. but it's a problem for a large enough portion of them to warrant serious concern about the threat level. Especially since, as the pundits like to point out ad nauseam, Linux has a far greater share of the market in the server room than it does on the desktop, and servers are where important data tends to be stored.

  23. Re:I'm going to laugh my ass off... by thegarbz · · Score: 1

    Given that Shodan lists 485000 Samba servers on Linux exposing the required port directly to the internet, I would say that Linux isn't free from incompetent administrators and that you're very likely to find many machines that fit just that stupid scenario you're describing.

    Interestingly a large number of these servers seem to be based in the UAE. What's the bet they are related to industrial machines connected to the internet...

  24. Re:I'm going to laugh my ass off... by phantomfive · · Score: 1

    I have nothing to say other than if those people don't get hacked today, they'll get hacked tomorrow.

    --
    "First they came for the slanderers and i said nothing."
  25. Re: I'm going to laugh my ass off... by Anonymous Coward · · Score: 0

    No it's not. You can only be attacked by people who you have given write access to your samba share.

  26. Re: I'm going to laugh my ass off... by grahamsz · · Score: 1

    Right, but consider how many samba machines are on small business networks. If a piece of malware gets onto any windows machine or phone attached to your network, it can potentially execute this exploit against your fileserver.

  27. Re:I'm going to laugh my ass off... by Anonymous Coward · · Score: 0

    It might not be intentional. Linux distros by default come with a whole load of server applications active: samba, avahi, cups, ntp, dhclient. The free routers provided by budget ISPs don't provide any control over the permissions of internet traffic (multicasts, protocols, ports, inbound, outbound). You can't even replace them because they are locked in to the head-end by MAC address. Insecurity baked in.

  28. Oh great... by Anonymous Coward · · Score: 0

    Oh great... so how many months will it be before Canonical FINALLY pushes the patched samba out to the repo?

  29. Nobody sane lets SMB past the border-firewall by gweihir · · Score: 1

    I begin to think of these things as evolution finally beginning to punish the dumb again. Incidentally, it does not matter whether it takes 15min, 1h, 1 day or 1 week to develop an exploit for a vulnerability. The article is dripping stupidity.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    1. Re:Nobody sane lets SMB past the border-firewall by Anonymous Coward · · Score: 0

      Sorry but sane and smb are two different things.

    2. Re:Nobody sane lets SMB past the border-firewall by gweihir · · Score: 1

      Oh yes, they are. But the article is about Samba, not sane.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  30. Re:I'm going to laugh my ass off... by Jerry · · Score: 0

    "I'm going to laugh my ass off when a vulnerability like this is found on Linux and you smug bastards get exploited en masse. It's just a matter of time, and I can't wait until it happens. Yay!"

    LOL! You obviously do not understand how Linux works. It doesn't have promiscuous "ActiveX" type controls.

    Enjoy going through life without your posterior! :D

    --

    Running with Linux for over 20 years!

  31. Re: Patch was already released... by Brockmire · · Score: 1

    What is a normal update in Linux? I've had to manually configure yum-cron on all my boxes. Then I need to check logwatch reports for which yum-cron ran out of memory and needs reboot. That being said, none of my boxes had Port 445 open.

  32. Re:Patch was already released... by rocket97 · · Score: 1

    A patch was available for Windows almost 2 months before the wannacry worm. Your point?

    --
    "The two most abundant elements in the universe are hydrogen and stupidity." -Harlan Ellison
  33. Ubuntu and downstream derivatives by Zanadou · · Score: 1

    Patched in Ubuntu and downstream derivatives in Samba v2:4.3.11+dfsg-0ubuntu0.16.04.7 (This is the xenial one.)

    samba (2:4.3.11+dfsg-0ubuntu0.16.04.7) xenial-security; urgency=medium

    * SECURITY UPDATE: remote code execution from a writable share
      - debian/patches/CVE-2017-7494.patch: refuse to open pipe names with a slash inside in source3/rpc_server/srv_pipe.c.
      - CVE-2017-7494

    -- Marc Deslauriers Fri, 19 May 2017 14:18:13 -0400

    Source: http://changelogs.ubuntu.com/changelogs/pool/main/s/samba/samba_4.3.11+dfsg-0ubuntu0.16.04.7/changelog

  34. Step 1: Don't disable SELinux by 3count · · Score: 1

    Those that left SELinux enforcing are probably just fine (RedHat 7 CVE-2017-7494.) I've had my battles with SELinux, but I've left it enforcing. So often when I have an issue and find a solution on the Internet, step 1 is "disable SELinux". Yes, it can be a pain, but you really don't want to do that. Skip step 1.

  35. Re:Patch was already released... by Anonymous Coward · · Score: 0

    yes because Microsoft didn't patch the bug 2 months before

    idiot

  36. Re:I'm going to laugh my ass off... by Anonymous Coward · · Score: 0

    It absolutely IS WannaCry bad or worse. WannaCry really was only really bad in intranet scenarios where a user runs malicious code. This is exactly the scenario you will have access to SAMBA shares with write access and plenty of common directory structures exist.

  37. Just block incoming ports by default by Anonymous Coward · · Score: 0

    I recommend a broad ipchains rule set to allow incoming connections on a white list basis:

    ./ipntables -F INPUT
    ./ipntables -F OUTPUT
    ./ipntables -P INPUT DROP
    ./ipntables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    ./ipntables -A INPUT -p tcp --dport 80 -j ACCEPT
    ./ipntables -A INPUT -i lo -j ACCEPT
    ./ipntables -A OUTPUT -o lo -j ACCEPT

    iptables -A INPUT -p icmp -j ACCEPT
    ip6tables -A INPUT -p icmpv6 -j ACCEPT

    iptables -A INPUT -p udp -m udp --dport 67 -j ACCEPT
    iptables -A INPUT -p udp -m udp --dport 68 -j ACCEPT

    ip6tables -A INPUT -p udp -m udp --dport 546 -j ACCEPT
    ip6tables -A INPUT -p udp -m udp --dport 547 -j ACCEPT

    ./ipntables -A INPUT -j DROP

    Where ipntables is a shell script that calls both ip6tables and iptables with its arguments.
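    As an added example (not the commenter's own ipntables script, which the post does not show), here is a POSIX shell version of that wrapper together with the allow-list ruleset it applies. Conventions that are my assumptions: DRY_RUN=1 prints the commands instead of executing them, ALLOW_TCP lists the inbound TCP ports to accept, and port_allowed inspects the generated ruleset. SMB ports 139 and 445 are deliberately never in the list, which is the point the thread keeps coming back to.

```shell
#!/bin/sh
# Added example (not the commenter's script): an ipntables-style wrapper that
# applies each rule to both iptables and ip6tables, plus an inbound allow-list.
# Assumed conventions (mine): DRY_RUN=1 prints the commands instead of running
# them, ALLOW_TCP lists the inbound TCP ports to accept (default: 80 and 443).
# SMB (139/445) is intentionally never in that list.

DRY_RUN="${DRY_RUN:-0}"
ALLOW_TCP="${ALLOW_TCP:-80 443}"

# Run one firewall command, or print it when DRY_RUN=1.
run_fw() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# ipntables: the same arguments go to both address families.
ipntables() {
    run_fw iptables "$@"
    run_fw ip6tables "$@"
}

# Default-drop inbound policy: loopback, established/related traffic,
# ICMP, DHCP client replies and the allow-listed TCP ports are accepted.
build_rules() {
    ipntables -F INPUT
    ipntables -P INPUT DROP
    ipntables -A INPUT -i lo -j ACCEPT
    ipntables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    for p in $ALLOW_TCP; do
        ipntables -A INPUT -p tcp --dport "$p" -j ACCEPT
    done
    run_fw iptables -A INPUT -p icmp -j ACCEPT
    run_fw ip6tables -A INPUT -p icmpv6 -j ACCEPT
    # Client-side DHCP ports only; 67 and 547 matter only on a DHCP server.
    run_fw iptables -A INPUT -p udp --dport 68 -j ACCEPT
    run_fw ip6tables -A INPUT -p udp --dport 546 -j ACCEPT
    # Explicit final drop, as in the comment above (redundant with the policy).
    ipntables -A INPUT -j DROP
}

# Inspect the ruleset without applying it: returns 0 if an ACCEPT rule
# for inbound TCP port $1 would be installed, 1 otherwise.
port_allowed() {
    ( DRY_RUN=1; build_rules ) | grep -q -- "-p tcp --dport $1 -j ACCEPT"
}
```

    Source the file and call build_rules to apply it as root; with DRY_RUN=1 it only prints the plan, which is the form worth reviewing (and diffing against the running policy) before a change goes in. The order matters: policy DROP is set before the ESTABLISHED rule is added, so a remote session may see a brief stall while the rules load.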

  38. Re:I'm going to laugh my ass off... by Anonymous Coward · · Score: 0

    Nobody at UK NHS confirmed if it was indeed an e-mailed exploit. The source could be malvertising (malicious ads) in websites or through the IME-AMT feature of Intel CPUs.

  39. Re:I'm going to laugh my ass off... by Anonymous Coward · · Score: 0

    You're going to laugh your ass off when a vulnerability is found on thousands of computers and that vulnerability leads to an exploit that...cripples websites you use? ...causes thousands of computers to attack your computer? ...causes losses to you or someone/something you cherish? That isn't very smart at all.

  40. Re:I'm going to laugh my ass off... by Bert64 · · Score: 1

    NFS is much easier to set up (single line config and start the service) and works better with kodi... I can't imagine going to the trouble of installing samba for a scenario like this.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  41. Re:I'm going to laugh my ass off... by Bert64 · · Score: 1

    And many of these will also be too old to contain the vulnerability...

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  42. Re:I'm going to laugh my ass off... by Anonymous Coward · · Score: 0

    The free routers provided by budget ISP's don't provide any control over the permissions of internet traffic

    Which budget ISPs give the machines behind the router public IP addresses by default?

  43. Re:I'm going to laugh my ass off... by Anonymous Coward · · Score: 0

    The free routers provided by budget ISP's don't provide any control over the permissions of internet traffic

    Which budget ISPs give the machines behind the router public IP addresses by default?

    Comcast (though I debate them being referred to as a "budget" ISP).

    You'll get a whole /48 assigned to you. Not sure how well they filter ingress v6 traffic at their edges.

  44. Re: I'm going to laugh my ass off... by buchanmilne · · Score: 1

    "It might not be intentional. Linux distro's by default come with a whole load of server applications active; samba, avahi, cups, ntp, dhclient."

    Please list one linux distro that installs and enables smbd by default.

    The rest are not server-only software, cups is usually configured to listen on the loopback interface, and avahi and ntpd normally run as non-root

    So the biggest risk is the dhcp client. One wonders if it is necessary for the dhcp client to listen all the time these days. Of course it should be possible to write a dhcp client that drops privs and requires the minimum capabilities to configure network interfaces.

    Of course, all of these are optional, and you would only lose the feature provided by the service if you disable it, and updates won't re-enable anything you have disabled (unlike on Windows).

    So, I don't think we will see the same level of exploitation.

  45. Re: I'm going to laugh my ass off... by buchanmilne · · Score: 1

    I have a similar setup.

    Why?

    Kodi profiles.

    I have one Kodi instance, running as one unix user, but if the Kids profile is logged in, there is no way to access non-child-appropriate content.

    When the master profile logs in to Kodi, the samba shares are used, accessed by username/password.

    Yes, it is not secure, but enough to keep kids under 9 away from stuff they probably don't need to hear/see.

    And, due to the nature of NFS, not so easy to do (since NFS perms apply by unix uid or other similar proxy e.g. uid with access to kerberos tgt).

    If there is a samba-less solution, I would like to hear it, since I have no Windows in my house.

  46. Re: I'm going to laugh my ass off... by buchanmilne · · Score: 1

    I worked for an enterprise until recently.

    Our team ran about 200 VMs.

    About 4 ran Windows, the rest Linux (RHEL7 mostly).
    About 2 of the Linux VMs had Samba (to store common large software packages used by developers). The shares weren't writable except by system administrators, and the underlying filesystems mounted noexec. SELinux set to enforcing.

    It's not like it would be a burden to patch those, and lots of mitigations if exploited before someone does patch them.

    So your idea that 'Linux in the enterprise runs Samba' needs a qualifier.
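    The two things this sub-thread turns on are whether a share accepts writes (the precondition stated earlier: only clients with write access to a share can use the flaw) and whether the Samba advisory's workaround, "nt pipe support = no" in [global], is in place. As an added example, not code from the thread or from the Samba project, here is a small smb.conf audit in POSIX shell and awk that reports both. The sample smb.conf is constructed for the demonstration and the function names are my own.

```shell
#!/bin/sh
# Added example (not code from the thread): audit an smb.conf for which
# shares accept writes (the precondition for CVE-2017-7494) and whether the
# advisory's workaround "nt pipe support = no" is set in [global].
# SAMPLE_SMBCONF is constructed for the demonstration; function names are mine.

SAMPLE_SMBCONF='[global]
   workgroup = WORKGROUP
   server role = standalone server

[software]
   path = /srv/software
   read only = yes

[scratch]
   path = /srv/scratch
   writable = yes
   guest ok = yes

[homes]
   path = /home/%U
   read only = no
'

# Print the names of shares that accept writes, one per line.
# Samba treats "read only = no", "writable = yes" and "writeable = yes"
# as equivalent; a share with none of them is read-only by default.
writable_shares() {
    printf '%s\n' "$1" | awk '
        function trim(s) { gsub(/^[[:space:]]+|[[:space:]]+$/, "", s); return s }
        function emit() { if (sect != "" && sect != "global" && w) print sect; w = 0 }
        /^[[:space:]]*\[/ {
            emit()
            sect = $0; sub(/^[[:space:]]*\[/, "", sect); sub(/\].*$/, "", sect)
            next
        }
        /^[[:space:]]*(read only|writable|writeable)[[:space:]]*=/ {
            eq  = index($0, "=")
            key = tolower(trim(substr($0, 1, eq - 1)))
            val = tolower(trim(substr($0, eq + 1)))
            if (key == "read only") w = (val == "no" || val == "false" || val == "0")
            else                    w = (val == "yes" || val == "true" || val == "1")
        }
        END { emit() }
    '
}

# Return 0 when [global] contains "nt pipe support = no", 1 otherwise.
pipe_support_disabled() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*\[/ { inglobal = ($0 ~ /^[[:space:]]*\[global\]/); next }
        inglobal && tolower($0) ~ /^[[:space:]]*nt pipe support[[:space:]]*=[[:space:]]*no[[:space:]]*$/ { found = 1 }
        END { exit(found ? 0 : 1) }
    '
}
```

    Against the constructed sample, writable_shares lists scratch and homes (software is read-only) and pipe_support_disabled returns 1 because the workaround is missing. A writable share is not a vulnerability by itself, but on an unpatched server each one listed is a place to check who holds write access, whether the filesystem is mounted noexec and whether SELinux is enforcing, exactly the mitigations described in the comment above.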

  47. Re: I'm going to laugh my ass off... by Altrag · · Score: 1

    So your idea that 'Linux in the enterprise runs Samba' needs a qualifier.

    I keep forgetting that on Slashdot you always have to explicitly state the qualifier: "all generalizations have exceptions." In most settings that's just a given.