Newly Discovered Vulnerability Raises Fears Of Another WannaCry (reuters.com)
A newly found flaw in widely used networking software leaves tens of thousands of computers potentially vulnerable to an attack similar to that caused by WannaCry, which infected more than 300,000 computers worldwide, cybersecurity researchers said on Thursday. From a Reuters report: The U.S. Department of Homeland Security on Wednesday announced the vulnerability, which could be exploited to take control of an affected computer, and urged users and administrators to apply a patch. Rebekah Brown of Rapid7, a cybersecurity company, told Reuters that there were no signs yet of attackers exploiting the vulnerability in the 12 hours since its discovery was announced. But she said it had taken researchers only 15 minutes to develop malware that made use of the hole. "This one seems to be very, very easy to exploit," she said. Rapid7 said it had found more than 100,000 computers running vulnerable versions of the software, Samba, free networking software developed for Linux and Unix computers.
Or something with more details?
https://gcn.com/articles/2017/...
https://www.samba.org/samba/se...
Actually, it's a completely optional daemon that runs on top of Linux to support Windows clients from Linux or let Linux be a client for Windows drive sharing. It's not part of the OS, it's not mandatory to run with the OS, it's not related to the running of an all-Linux network, and it's based on specifications from the Windows folks.
"I'm going to laugh my ass off when a vulnerability like this is found on Linux and you smug bastards get exploited en masse. It's just a matter of time, and I can't wait until it happens. Yay!"
Meanwhile, we commend you on your dedication to Microsoft.
I had to read till halfway through the last sentence to find out what software was actually affected.
Keep up the clickbait
Yup. But it IS very widely used. Though hopefully it's only very, very rarely exposed to the internet.
Don't disappoint your bird dog. Go to the range.
This one is on Linux, but it's not as bad as the headline makes it seem. You need write access to a shared drive over Samba for it to be effective. Wannacry iirc could attack clients, not just servers, and write access wasn't necessary.
I'll be honest, if you're giving remote anonymous write access to your Samba share on the open internet, you should probably stop doing that. Figure out another way to achieve that goal.
"First they came for the slanderers and i said nothing."
Maybe not today, though.
Though hopefully it's only very, very rarely exposed to the internet.
It doesn't matter, all it takes is a compromised computer on the intranet whose ... *ahem* ... infection knows to scan for and exploit this vulnerability. Same as with WCry, really.
You could delete half the news item text and you wouldn't lose anything. The first paragraph is useless scare mongering, while the second paragraph only has relevant information at the end. This is getting pretty pathetic. I thought Slashdot had better tech coverage than this. It's like I'm reading a frikin news for dummies site.
How about just saying a vulnerability in Samba was found, describe the vulnerability, then the impact? kthx bye.
If you have a SAMBA share on the open internet you should stop doing that. There are much better ways to accomplish file sharing.
If it's a SAMBA vuln, put the word "SAMBA" in your headline or, at the very least, in first line of the summary.
The Daddy casts sleep on the Baby. The Baby resists!
It could be worse. It could be an SSH or SSL bug.
My favorite part is the photo caption on the reuters link:
FILE PHOTO: A hooded man holds a laptop computer as blue screen with an exclamation mark is projected on him in this illustration picture taken on May 13, 2017.
The vulnerability has a lot of prerequisites:
- You need write access to a share
- You need to know the underlying directory structure
- You end up with a shell as user "nobody"
Sure it's bad, but it's not WannaCry bad. At best you get a shell to execute some replication code, at worst you get nothing (modern SELinux, Solaris etc refuse execution rights to nobody).
Custom electronics and digital signage for your business: www.evcircuits.com
As I understand it Wannacry only used an SMB vulnerability when it had already infected a PC via a mailed exploit. Only one employee opening an attachment could quickly infect a whole company network.
So, this one could be used in the same scenario even without having open shares on the Internet.
had found more than 100,000 computers running vulnerable versions of the software
Do you mean that there are 100,000 computers with samba exposed on the internet? That is scary....
Yes, that is the core of the bug. However, I can offer some explanation into how it happened.
There are 2 subsystems involved here.
(1). Load a shared library module and execute it.
This has many uses inside Samba.
(2). Allow a client request on an RPC pipe to be routed to an external process or library.
This allows Samba to be built without embedding all the named pipe services inside it, which makes it a smaller binary for embedded vendors.
Unfortunately an old commit connected the two subsystems together, re-using the shared library module existing code to find and load the service the client was asking for. There was insufficient sanitization of the requesting name which caused the problem.
The commit happened in 2009, before we had two-engineer design and review practices and the full regression test suite we now use.
Eventually I want to remove the ability to load any shared modules containing more than one path component. This has to be done carefully however to avoid breaking existing configured systems that may depend on this.
Samba is only used by Linux people when they talk to Windows machines. Take Windows out of the picture and Samba is no longer necessary. Saying that this is a problem for all Linux is like saying that a vulnerability in the Windows Linux Subsystem is a problem for all Windows users.
I use samba to make my video/audio library easily accessible for Linux machines running Kodi (readonly though). Sure I could use nfs, but samba was the easiest to setup.
The operative word in your screed is WHEN.
Have fun waiting.
A Pirate and a Puritan look the same on a balance sheet.
> Oh sure nobody puts their shitty never-updated NAS naked on the internet with no firewall.
You would kind of have to go out of your way to do that, actually. You can't just plug it into the home network. You have to go to where your router physically is and manually wire it up upstream of your firewall.
It would likely get a routable IP address instead of a local non-routable one and possibly not talk to your own internal network very well.
That's not likely to happen by accident.
This is affecting SAMBA, so that means Linux (and *BSD) boxes, but that may also include most NAS units and an awful lot of set-top boxes, streaming devices, etc. if they're accessible from Windows systems.
fencepost
just a little off
Is there anywhere that is posted the security practices you now use? That would be interesting to read about.
When I got DSL the first time, Pac Bell gave me a DSL router and five IP addresses. Naked, unfiltered IP addresses, because the DSL router did not do any firewalling (I'm not sure if it even could or not) and all internet-routable. The way I used this environment was to put one router on one IP and only use that one IP, but you can assume that most people who had more than one machine just got a hub or switch and plugged their machines into it.
Today, this is probably fairly unusual. Most of us only get one IP due to shortages. IPv6, on the other hand, may bring that state of affairs back.
Can this vuln be exploited via IPv6?
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
And there can be good reason for lack of updates. From the ars article on the subject today:
"Researchers with security firm Rapid7, meanwhile, said they detected 110,000 devices exposed on the Internet that appeared to run vulnerable versions of Samba. 92,500 of them appeared to run unsupported versions of Samba for which no patch was available."
That directly mirrors the windows situation in which many of the infected machines were running unsupported OS versions.
Ahh I was looking for a zealot who didn't read far enough through the article and spouted off a stereotypical "just switch to Linux!" post. But this batch of mental gymnastics is a pretty close second.
And no, it's nothing like that. The number of Linux machines that have to interact with Windows (especially in commercial environments) significantly dwarfs the number of people who use WLS. Maybe that won't always be the case, but it certainly is for now, if for no other reason than because WLS is extremely new while Samba's been around for decades.
Sure you're technically correct that it's not a problem for "all" Linux machines.. but it's a problem for a large enough portion of them to warrant serious concern about the threat level. Especially since, as the pundits like to point out ad nauseam, Linux has a far greater share of the market in the server room than it does on the desktop, and servers are where important data tends to be stored.
Given that Shodan shows 485000 Samba servers on Linux exposing the required port directly to the internet, I would say that Linux isn't free from incompetent administrators and that you're very likely to find many machines that fit just that stupid scenario you're describing.
Interestingly a large number of these servers seem to be based in the UAE. What's the bet they are related to industrial machines connected to the internet...
Though hopefully it's only very, very rarely exposed to the internet
Shodan only lists 485000 instances of samba exposing port 445 to the internet. ...
Don't assume Linux admins are immune to stupid.
I have nothing to say other than if those people don't get hacked today, they'll get hacked tomorrow.
> Can this vuln be exploited via IPv6?
Yes.
Coverity analysis, Codenomicon fuzzing, all changes peer-engineer review, no code changes without regression test coverage, no back-ports without a bug report.
Pretty basic stuff for professional code quality these days.
For this one, the only way to catch it would have been the peer-engineer review and fuzzing steps, and we weren't doing them back in 2009.
To my mind that is where the likely danger lies today, because people may be bridging a whole block of routable addresses into their home. But maybe I'm way off-base here. Besides, one can't just dismiss the problem by saying that they're firewalled. If someone brings in a USB stick and sticks it in the Windows machine that one is using samba to support in the first place, then who knows what will happen on your network. It's not like you can trust the local net.
Right, but consider how many samba machines are on small business networks. If a piece of malware gets onto any windows machine or phone attached to your network, it can potentially execute this exploit against your fileserver.
Maybe.
I no longer have an IPv6 capable ISP to test with, but when I was on comcast I was impressed that I could ssh directly into a machine running at home behind my router. There are almost certainly people who've enabled ipv6 without realizing that.
However comcast were issuing a /64 to every user, so that gave me 18,446,744,073,709,551,616 addresses for my house. Good luck getting nmap to find open samba servers in that kind of an address space.
I begin to think of these things as evolution finally beginning to punish the dumb again. Incidentally, it does not matter whether it takes 15min, 1h, 1 day or 1 week to develop an exploit for a vulnerability. The article is dripping stupidity.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
What is a normal update in linux? I've had to manually configure yum-cron on all my boxes. Then I need to check logwatch reports for which yum-cron ran out of memory and needs a reboot. That being said, none of my boxes had Port 445 open.
A patch was available for Windows almost 2 months before the wannacry worm. Your point?
"The two most abundant elements in the universe are hydrogen and stupidity." -Harlan Ellison
Patched in Ubuntu and downstream derivatives in Samba v2:4.3.11+dfsg-0ubuntu0.16.04.7 (This is the xenial one.)
samba (2:4.3.11+dfsg-0ubuntu0.16.04.7) xenial-security; urgency=medium
  * SECURITY UPDATE: remote code execution from a writable share
    - debian/patches/CVE-2017-7494.patch: refuse to open pipe names with
      a slash inside in source3/rpc_server/srv_pipe.c.
    - CVE-2017-7494
-- Marc Deslauriers Fri, 19 May 2017 14:18:13 -0400
Source: http://changelogs.ubuntu.com/changelogs/pool/main/s/samba/samba_4.3.11+dfsg-0ubuntu0.16.04.7/changelog
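As an added illustration of the two comments above (the maintainer's description of a client-supplied pipe name being reused as a shared-library module name, and the Ubuntu changelog's fix of refusing pipe names containing a slash), here is constructed example code. It is not Samba's source: the module directory is a placeholder, the function names are invented, and the actual loader logic in Samba differs; the point is only to show the unchecked and the checked shape side by side.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Placeholder module directory (not Samba's real location). In the
 * defect described above, a pipe name chosen by the client is reused
 * as a module name and the loader turns it into a filesystem path. */
#define MODULE_DIR "/usr/lib/samba/rpc_modules"

/* Hardened input check: a pipe name must be a single bare component.
 * Rejecting '/' is the check the changelog entry above describes; the
 * backslash, "." and ".." rejections are extra defensive choices here. */
bool pipe_name_is_safe(const char *name)
{
    if (name == NULL || name[0] == '\0') return false;
    if (strchr(name, '/') != NULL) return false;
    if (strchr(name, '\\') != NULL) return false;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0) return false;
    return true;
}

/* Pre-fix shape: the name goes straight into a path. Returns the length
 * of the path written into out, or -1 if it does not fit. */
int module_path_unchecked(const char *pipe_name, char *out, size_t out_len)
{
    int n = snprintf(out, out_len, "%s/%s.so", MODULE_DIR, pipe_name);
    if (n < 0 || (size_t)n >= out_len) return -1;
    return n;
}

/* Post-fix shape: refuse before the name is ever used as a path.
 * Returns -1 without writing to out when the name is rejected. */
int module_path_checked(const char *pipe_name, char *out, size_t out_len)
{
    if (!pipe_name_is_safe(pipe_name)) return -1;
    return module_path_unchecked(pipe_name, out, out_len);
}

int main(void)
{
    /* Constructed sample requests: two real pipe names and three that a
     * loader must never accept as a module name. */
    const char *requests[] = { "srvsvc", "spoolss", "sub/dir", "..", "" };
    char before[256], after[256];

    for (size_t i = 0; i < sizeof requests / sizeof requests[0]; i++) {
        int u = module_path_unchecked(requests[i], before, sizeof before);
        int c = module_path_checked(requests[i], after, sizeof after);
        printf("%-8s unchecked -> %s\n", requests[i], u < 0 ? "(too long)" : before);
        printf("%-8s checked   -> %s\n", "", c < 0 ? "REFUSED" : after);
    }
    return 0;
}
```

The unchecked builder shows why a name with a separator is dangerous even when it is appended to a fixed directory: the resulting string is still a path the loader will happily follow. A prefix comparison on the built path is not a substitute for rejecting the separator, because ".." components are not normalised by string concatenation.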
Those that left SELinux enforcing are probably just fine (RedHat 7 CVE-2017-7494.) I've had my battles with SELinux, but I've left it enforcing. So often when I have an issue and find a solution on the Internet, step 1 is "disable SELinux". Yes, it can be a pain, but you really don't want to do that. Skip step 1.
NFS is much easier to set up (single line config and start the service) and works better with kodi... I can't imagine going to the trouble of installing samba for a scenario like this.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
And many of these will also be too old to contain the vulnerability...
Does Shodan make the difference between a Linux and a Windows machine which are both using port 445?
when maintainers let us know what's up with a flaw on slashdot. i love the linux community for stuff like this. thank you for commenting here with answers :)
Yes.
You can also filter by versions which is where the article got the 100000 with versions that are exploitable.
Those SMB shares should never be open to the Internet. There are plenty of ways to get into a local network and then scan for this sort of thing, though. Layers of security are always important.
"It might not be intentional. Linux distro's by default come with a whole load of server applications active; samba, avahi, cups, ntp, dhclient."
Please list one linux distro that installs and enables smbd by default.
The rest are not server-only software, cups is usually configured to listen on the loopback interface, and avahi and ntpd normally run as non-root.
So the biggest risk is the dhcp client. One wonders if it is necessary for the dhcp client to listen all the time these days. Of course it should be possible to write a dhcp client that drops privs and requires the minimum capabilities to configure network interfaces.
Of course, all of these are optional, and you would only lose the feature provided by the service if you disable it, and updates won't re-enable anything you have disabled (unlike on Windows).
So, I don't think we will see the same level of exploitation.
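The comment above suggests a daemon such as a dhcp client should drop privileges once it no longer needs them. As an added example (constructed here, not code from any dhcp client or from Samba), this is the privilege-drop sequence and the verification step that a Linux daemon would run after finishing its root-only setup; the target uid and gid are parameters, and a real daemon would resolve a dedicated service account instead of the values used in main. It assumes glibc on Linux for setresuid/setresgid.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Drop to an unprivileged uid/gid in the only order that works, then
 * verify the drop actually took effect. Returns 0 on success, -1 on any
 * failure (a daemon should treat -1 as fatal, not continue as root). */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Supplementary groups first: only root may clear them, and an
     * already-unprivileged process has nothing to clear. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0) return -1;

    /* gid before uid: once the uid is unprivileged, changing gid fails. */
    if (setresgid(gid, gid, gid) != 0) return -1;
    if (setresuid(uid, uid, uid) != 0) return -1;

    /* Verify real, effective and saved ids all changed; a leftover saved
     * root uid would let the process switch back later. */
    uid_t ru, eu, su;
    gid_t rg, eg, sg;
    if (getresuid(&ru, &eu, &su) != 0 || ru != uid || eu != uid || su != uid) return -1;
    if (getresgid(&rg, &eg, &sg) != 0 || rg != gid || eg != gid || sg != gid) return -1;

    /* When the target is non-root, regaining root must now be impossible. */
    if (uid != 0 && setresuid(0, 0, 0) == 0) return -1;
    return 0;
}

/* Reports whether any of the three uids is still root, i.e. whether the
 * process could still become root without outside help. */
int can_regain_root(void)
{
    uid_t ru, eu, su;
    if (getresuid(&ru, &eu, &su) != 0) return 1;  /* be conservative */
    return ru == 0 || eu == 0 || su == 0;
}

int main(void)
{
    /* When started as root, drop to the classic "nobody" ids (65534 is the
     * conventional value, an assumption here); otherwise re-assert the
     * current ids, which exercises the same code path without root. */
    uid_t target_uid = getuid() == 0 ? (uid_t)65534 : getuid();
    gid_t target_gid = getuid() == 0 ? (gid_t)65534 : getgid();

    printf("before: uid=%u euid=%u can_regain_root=%d\n",
           (unsigned)getuid(), (unsigned)geteuid(), can_regain_root());
    if (drop_privileges(target_uid, target_gid) != 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("after:  uid=%u euid=%u can_regain_root=%d\n",
           (unsigned)getuid(), (unsigned)geteuid(), can_regain_root());
    return 0;
}
```

The verification step is the part most often skipped: setuid-family calls can partially succeed, and a saved uid of 0 left behind is exactly the state that lets a compromised daemon climb back to root. Dropping to "nobody" also ties in with the earlier comment that a shell obtained as that user on a modern SELinux or noexec-mounted system gets very little.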
I have a similar setup.
Why?
Kodi profiles.
I have one Kodi instance, running as one unix user, but if the Kids profile is logged in, there is no way to access non-child-appropriate content.
When the master profile logs in to Kodi, the samba shares are used, accessed by username/password.
Yes, it is not secure, but enough to keep kids under 9 away from stuff they probably don't need to hear/see.
And, due to the nature of NFS, not so easy to do (since NFS perms apply by unix uid or other similar proxy, e.g. uid with access to kerberos tgt).
If there is a samba-less solution, I would like to hear it, since I have no Windows in my house.
I worked for an enterprise until recently.
Our team ran about 200 VMs.
About 4 ran Windows, the rest Linux (RHEL7 mostly).
About 2 of the Linux VMs had Samba (to store common large software packages used by developers). The shares weren't writable except by system administrators, and the underlying filesystems mounted noexec. SELinux set to enforcing.
It's not like it would be a burden to patch those, and lots of mitigations if exploited before someone does patch them.
So your idea that 'Linux in the enterprise runs Samba' needs a qualifier.
"or let Linux be a client for Windows drive sharing"
No, smbd isn't required for this, and nmbd is optional if you have working dns; winbind is only required to map NT SIDs to Linux UIDs if the client is joined to a domain without RFC2307 schema.
So, no daemon required for that, mount.cifs from cifs-utils may be all you need.
So your idea that 'Linux in the enterprise runs Samba' needs a qualifier.
I keep forgetting that on Slashdot you always have to explicitly state the qualifier: "all generalizations have exceptions." In most settings that's just a given.
The nmbd client is part of the Samba project. Many installers ask if you "need SMB support" and install both. The Samba project is indeed for both being a server and a client. I'm so, so sorry I offended you because only one part of the project has the gaping security hole.
Sorry, cifs-utils is also part of the Samba project.