Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Security

Newly Discovered Vulnerability Raises Fears Of Another WannaCry (reuters.com) 109

A newly found flaw in widely used networking software leaves tens of thousands of computers potentially vulnerable to an attack similar to that caused by WannaCry, which infected more than 300,000 computers worldwide, cybersecurity researchers said on Thursday. From a Reuters report: The U.S. Department of Homeland Security on Wednesday announced the vulnerability, which could be exploited to take control of an affected computer, and urged users and administrators to apply a patch. Rebekah Brown of Rapid7, a cybersecurity company, told Reuters that there were no signs yet of attackers exploiting the vulnerability in the 12 hours since its discovery was announced. But she said it had taken researchers only 15 minutes to develop malware that made use of the hole. "This one seems to be very, very easy to exploit," she said. Rapid7 said it had found more than 100,000 computers running vulnerable versions of the software, Samba, free networking software developed for Linux and Unix computers.
This discussion has been archived. No new comments can be posted.

Newly Discovered Vulnerability Raises Fears Of Another WannaCry

Comments Filter:
  • Or something with more details?

    • by courteaudotbiz ( 1191083 ) on Thursday May 25, 2017 @01:36PM (#54486259) Homepage
      You have to dig deep in the summary to get to know that Samba is the vulnerable piece of software, and the article has no technical detail. Would have been nice to get a real news title like "Critical vulnerability found in Samba on Linux", and yes, with a link the the CVE.

      It looks like the typical clickbait article. That's not what /. users want. We want some gravy, Crunch tech detail, specs, version numbers, and the most important thing, what version numbers are vulnerable and is it patched in the most recent releases.
      • by courteaudotbiz ( 1191083 ) on Thursday May 25, 2017 @01:39PM (#54486297) Homepage

        For these critical info, a quick search on Google news got me this. [betanews.com]

        Extract:

        All versions of Samba from 3.5.0 onwards are vulnerable to a remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it. A patch addressing this defect has been posted to http://www.samba.org/samba/security/ [samba.org] Additionally, Samba 4.6.4, 4.5.10 and 4.4.14 have been issued as security releases to correct the defect. Patches against older Samba versions are available at http://samba.org/samba/patches... [samba.org]. Samba vendors and administrators running affected versions are advised to upgrade or apply the patch as soon as possible.

      • cheers to those with the stamina to dig that out. the summary posted was so dumb.
        • You mean the stamina to do a 5 seconds search on Google and post meaningful links in their submission? I don't call this "stamina", I call this non-laziness.
        • by vtcodger ( 957785 ) on Thursday May 25, 2017 @02:45PM (#54486715)

          FWIW, it looks like running lsof -i will tell unix users what ports are open. If port 445 is open, you might want to kill smbd while you sort things out. Purportedly adding "nt pipe support = no" to your smb.conf file and restarting smbd might allow some samba capability while still stopping the threat. See
          https://www.samba.org/samba/se... [samba.org]

          Note: If this advice turns your system into a quivering ball of protoplasm, Don't blame me. I'm only the messenger.

          • Stopping smbd and removing any Windows machines that you have connect to your server will better and relieve more stress in your life. /s

    • by Anonymous Coward

      https://www.samba.org/samba/security/CVE-2017-7494.html

      Every non-joke admin has already applied the security fixes since at least yesterday. And no, I am not kidding: all distros worth bothering with (plus samba upstream) released fixed versions yesterday.

      Of course, the clouded cloud ops-that-aren't likely have no idea they need to update their base images. And Linux users are not usually that much better than windows users at applying security updates, so, yes, a new Wannacry is quite possible.

      And on Lin

      • by Jerry ( 6400 )

        "And Linux users are not usually that much better than windows users at applying security updates, so, yes, a new Wannacry is quite possible."

        Doubtful. All Ubuntu based distros had the patch pushed out yesterday. That would also include Mint and several others besides Kubuntu and KDE Neon (which is what I run).
        Linux users stupid enough to turn off their automatic updates (which is on by default) deserve what they get.

  • by Anonymous Coward on Thursday May 25, 2017 @01:07PM (#54486025)

    https://www.samba.org/samba/security/CVE-2017-7494.html

    ===========
    Description
    ===========

    All versions of Samba from 3.5.0 onwards are vulnerable to a remote
    code execution vulnerability, allowing a malicious client to upload a
    shared library to a writable share, and then cause the server to load
    and execute it.
    ==========
    Workaround
    ==========

    Add the parameter:

    nt pipe support = no

    to the [global] section of your smb.conf and restart smbd. This
    prevents clients from accessing any named pipe endpoints. Note this
    can disable some expected functionality for Windows clients.

  • by Anonymous Coward

    I had to read till halfway through the last sentence to find out what software was actually effected.

    Keep up the clickbait

  • by chispito ( 1870390 ) on Thursday May 25, 2017 @01:38PM (#54486293)
    If it's a SAMBA vuln, put the word "SAMBA" in your headline or, at the very least, in first line of the summary.
    • Yeah, but Slashdot has always disliked Samba since time immemorial.

      I think it's because early Samba Team member Tim Potter (tpot) used to troll slashdot for fun, and CmdrTaco *hated* the trolls :-).

  • My favorite part is the photo caption on the reuters link:
    FILE PHOTO: A hooded man holds a laptop computer as blue screen with an exclamation mark is projected on him in this illustration picture taken on May 13, 2017.

  • had found more than 100,000 computers running vulnerable versions of the software

    Do you mean that there is 100,000 computers with samba exposed on internet? That is scary....

    • Re: (Score:2, Insightful)

      by Guybrush_T ( 980074 )
      Wait, you also need to have a writable share. This should reduce the count to ... 2 ?
      • You need a writeable share exposed to the intranet for this to work like wannacry. If you're running samba, that is very likely the case. Why else run samba than to allow windows machines on your network to access it? Many corporations use linux machines running samba as web servers for windows machines.

        Once a windows or linux user opens any single email with an exploit and writes it to any samba share on your corporate network, the worm could then hit every machine within the intranet that is vulnerable.

        Wh

        • by pjt33 ( 739471 )

          Why else run samba than to allow windows machines on your network to access it?

          I have a read-only samba share on my desktop which I use to copy photos to my Android phone so that I can bore my colleagues with them. It's the simplest method I've found.

      • You think someone who exposes a Samba machine directly to the internet has the intelligence to not put a writable share on there?
        Linux admins are immune to being incredibly stupid.

    • No. There's 485000 computers with Samba exposed to the internet. There's 100000 running a version of Samba with this vulnerability.

  • This is affecting SAMBA, so that means Linux (and *BSD) boxes, but that may also include most NAS units and an awful lot of set-top boxes, streaming devices, etc. if they're accessible from Windows systems.
  • I begin to think of these things as evolution finally beginning to punish the dumb again. Incidentally, it does not matter whether it takes 15min, 1h, 1 day or 1 week to develop an exploit for a vulnerability. The article is dripping stupidity.

  • Patched in Ubuntu and downstream derivatives in Samba v2:4.3.11+dfsg-0ubuntu0.16.04.7 (This is the xenial one.)

    samba (2:4.3.11+dfsg-0ubuntu0.16.04.7) xenial-security; urgency=medium

    * SECURITY UPDATE: remote code execution from a writable share- debian/patches/CVE-2017-7494.patch: refuse to open pipe names with a slash inside in source3/rpc_server/srv_pipe.c.

    - CVE-2017-7494

    -- Marc Deslauriers Fri, 19 May 2017 14:18:13 -0400

    Source: http://changelogs.ubuntu.com/changelogs/pool/main/s/samba/samba_4 [ubuntu.com]

  • Those that left SELinux enforcing are probably just fine (RedHat 7 CVE-2017-7494 [redhat.com].) I've had my battles with SELinux, but I've left it enforcing. So often when I have an issue and find a solution on the Internet, step 1 is "disable SELinux". Yes, it can be a pain, but you really don't want to do that. Skip step 1.

Basic is a high level languish. APL is a high level anguish.

Working...