Slashdot Mirror

← Back to Stories (view on slashdot.org)

Newly Discovered Vulnerability Raises Fears Of Another WannaCry (reuters.com)

Posted by msmash on from the security-woes dept.

A newly found flaw in widely used networking software leaves tens of thousands of computers potentially vulnerable to an attack similar to that caused by WannaCry, which infected more than 300,000 computers worldwide, cybersecurity researchers said on Thursday. From a Reuters report: The U.S. Department of Homeland Security on Wednesday announced the vulnerability, which could be exploited to take control of an affected computer, and urged users and administrators to apply a patch. Rebekah Brown of Rapid7, a cybersecurity company, told Reuters that there were no signs yet of attackers exploiting the vulnerability in the 12 hours since its discovery was announced. But she said it had taken researchers only 15 minutes to develop malware that made use of the hole. "This one seems to be very, very easy to exploit," she said. Rapid7 said it had found more than 100,000 computers running vulnerable versions of the software, Samba, free networking software developed for Linux and Unix computers.

3 of 109 comments (clear)

  1. RE: And the link to the CVA is? by Anonymous Coward · · Score: 5, Informative

    https://www.samba.org/samba/security/CVE-2017-7494.html

    ===========
    Description
    ===========

    All versions of Samba from 3.5.0 onwards are vulnerable to a remote
    code execution vulnerability, allowing a malicious client to upload a
    shared library to a writable share, and then cause the server to load
    and execute it.
    ==========
    Workaround
    ==========

    Add the parameter:

    nt pipe support = no

    to the [global] section of your smb.conf and restart smbd. This
    prevents clients from accessing any named pipe endpoints. Note this
    can disable some expected functionality for Windows clients.

  2. Re:And the link to the CVA is? by courteaudotbiz · · Score: 5, Informative

    For these critical info, a quick search on Google news got me this.

    Extract:

    All versions of Samba from 3.5.0 onwards are vulnerable to a remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it. A patch addressing this defect has been posted to http://www.samba.org/samba/security/ Additionally, Samba 4.6.4, 4.5.10 and 4.4.14 have been issued as security releases to correct the defect. Patches against older Samba versions are available at http://samba.org/samba/patches.... Samba vendors and administrators running affected versions are advised to upgrade or apply the patch as soon as possible.

  3. Re:Bury the lede much? It's a SAMBA problem by Jeremy+Allison+-+Sam · · Score: 5, Informative

    Yes, that is the core of the bug. However, I can offer some explanation into how it happened.

      There are 2 subsystems involved here.

    (1). Load a shared library module and execute it.

    This has many uses inside Samba.

    (2). Allow a client request on an RPC pipe to be routed to an external process or library.

    This allows Samba to be built without embedding all the named pipe services inside it, which makes it a smaller binary for embedded vendors.

    Unfortunately an old commit connected the two subsystems together, re-using the shared library module existing code to find and load the service the client was asking for. There was insufficient sanitization of the requesting name which caused the problem.

    The commit happened in 2009, before we had two-engineer design and review practices and the full regression test suite we now use.

    Eventually I want to remove the ability to load any shared modules containing more than one path component. This has to be done carefully however to avoid breaking existing configured systems that may depend on this.