Newly Discovered Vulnerability Raises Fears Of Another WannaCry (reuters.com)
A newly found flaw in widely used networking software leaves tens of thousands of computers potentially vulnerable to an attack similar to that caused by WannaCry, which infected more than 300,000 computers worldwide, cybersecurity researchers said on Thursday. From a Reuters report: The U.S. Department of Homeland Security on Wednesday announced the vulnerability, which could be exploited to take control of an affected computer, and urged users and administrators to apply a patch. Rebekah Brown of Rapid7, a cybersecurity company, told Reuters that there were no signs yet of attackers exploiting the vulnerability in the 12 hours since its discovery was announced. But she said it had taken researchers only 15 minutes to develop malware that made use of the hole. "This one seems to be very, very easy to exploit," she said. Rapid7 said it had found more than 100,000 computers running vulnerable versions of the software, Samba, free networking software developed for Linux and Unix computers.
And the link to the CVA is? (Score:2)
Or something with more details?
Re:And the link to the CVA is? (Score:5, Insightful)
It looks like the typical clickbait article. That's not what
Re:And the link to the CVA is? (Score:5, Informative)
For this critical info, a quick search on Google News got me this. [betanews.com]
Extract:
All versions of Samba from 3.5.0 onwards are vulnerable to a remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it. A patch addressing this defect has been posted to http://www.samba.org/samba/security/ [samba.org] Additionally, Samba 4.6.4, 4.5.10 and 4.4.14 have been issued as security releases to correct the defect. Patches against older Samba versions are available at http://samba.org/samba/patches... [samba.org]. Samba vendors and administrators running affected versions are advised to upgrade or apply the patch as soon as possible.
Re:And the link to the CVA is? (Score:5, Informative)
If you get an output other than -bash: smbstatus: command not found, double-check whether it is running.
Using systemd:
systemctl status smb
If you get an output other than Unit smb.service could not be found., you can assume Samba is installed. You either make sure it is disabled (systemctl disable smb), or you update it.
Re: And the link to the CVA is? (Score:1)
Re: (Score:3)
Re: And the link to the CVA is? (Score:4, Informative)
FWIW, it looks like running lsof -i will tell unix users what ports are open. If port 445 is open, you might want to kill smbd while you sort things out. Purportedly adding "nt pipe support = no" to your smb.conf file and restarting smbd might allow some samba capability while still stopping the threat. See
https://www.samba.org/samba/se... [samba.org]
Note: If this advice turns your system into a quivering ball of protoplasm, Don't blame me. I'm only the messenger.
Re: (Score:2)
Stopping smbd and removing any Windows machines that you have connected to your server will be better and relieve more stress in your life. /s
Re: (Score:1)
https://www.samba.org/samba/security/CVE-2017-7494.html
Every non-joke admin has already applied the security fixes since at least yesterday. And no, I am not kidding: all distros worth bothering with (plus samba upstream) released fixed versions yesterday.
Of course, the clouded cloud ops-that-aren't likely have no idea they need to update their base images. And Linux users are not usually that much better than windows users at applying security updates, so, yes, a new Wannacry is quite possible.
And on Lin
Re: (Score:2)
"And Linux users are not usually that much better than windows users at applying security updates, so, yes, a new Wannacry is quite possible."
Doubtful. All Ubuntu based distros had the patch pushed out yesterday. That would also include Mint and several others besides Kubuntu and KDE Neon (which is what I run).
Linux users stupid enough to turn off their automatic updates (which is on by default) deserve what they get.
More information: (Score:5, Informative)
https://gcn.com/articles/2017/... [gcn.com]
https://www.samba.org/samba/se... [samba.org]
Re:Bury the lede much? It's a SAMBA problem (Score:5, Informative)
Actually, it's a completely optional daemon that runs on top of Linux to support Windows clients from Linux or let Linux be a client for Windows drive sharing. It's not part of the OS, it's not mandatory to run with the OS, it's not related to the running of an all-Linux network, and it's based on specifications from the Windows folks.
Re:Bury the lede much? It's a SAMBA problem (Score:4, Informative)
Re: (Score:1)
Though hopefully it's only very, very rarely exposed to the internet.
It doesn't matter, all it takes is a compromised computer on the intranet whose ... *ahem* ... infection knows to scan for and exploit this vulnerability. Same as with WCry, really.
Re: (Score:2)
> Oh sure nobody puts their shitty never-updated NAS naked on the internet with no firewall.
You would kind of have to go out of your way to do that, actually. You can't just plug it into the home network. You have to go to where your router physically is and manually wire it up upstream of your firewall.
It would likely get a routable IP address instead of a local non-routable one and possibly not talk to your own internal network very well.
That's not likely to happen by accident.
Re: (Score:2)
When I got DSL the first time, Pac Bell gave me a DSL router and five IP addresses. Naked, unfiltered IP addresses, because the DSL router did not do any firewalling (I'm not sure if it even could or not) and all internet-routable. The way I used this environment was to put one router on one IP and only use that one IP, but you can assume that most people who had more than one machine just got a hub or switch and plugged their machines into it.
Today, this is probably fairly unusual. Most of us only get one
Re: (Score:2)
> Can this vuln be exploited via IPv6?
Yes.
Re: (Score:2)
To my mind that is where the likely danger lies today, because people may be bridging a whole block of routable addresses into their home. But maybe I'm way off-base here. Besides, one can't just dismiss the problem by saying that they're firewalled. If someone brings in a USB stick and sticks it in the Windows machine that one is using Samba to support in the first place, then who knows what will happen on your network. It's not like you can trust the local net.
Re: (Score:2)
Maybe.
I no longer have an IPv6 capable ISP to test with, but when I was on comcast I was impressed that I could ssh directly into a machine running at home behind my router. There are almost certainly people who've enabled ipv6 without realizing that.
However comcast were issuing a /64 to every user, so that gave me 18,446,744,073,709,551,616 addresses for my house. Good luck getting nmap to find open samba servers in that kind of an address space.
Re:Bury the lede much? It's a SAMBA problem (Score:4, Informative)
Though hopefully it's only very, very rarely exposed to the internet
Shodan only lists 485000 instances of samba exposing port 445 to the internet. ...
Don't assume Linux admins are immune to stupid.
Re: (Score:1)
Does Shodan distinguish between a Linux and a Windows machine which are both using port 445?
Re: (Score:2)
Yes.
You can also filter by versions which is where the article got the 100000 with versions that are exploitable.
Re: (Score:2)
Maybe not today, though.
Re: (Score:2)
Those SMB shares should never be open to the Internet. There are plenty of ways to get into a local network and then scan for this sort of thing, though. Layers of security are always important.
Re: (Score:2)
It could be worse. It could be an SSH or SSL bug.
Re: Bury the lede much? It's a SAMBA problem (Score:2)
"or let Linux be a client for Windows drive sharing"
No, smbd isn't required for this, and nmbd is optional if you have working DNS; winbind is only required to map NT SIDs to Linux UIDs if the client is joined to a domain without the RFC2307 schema.
So, no daemon required for that; mount.cifs from cifs-utils may be all you need.
Re: (Score:2)
The nmbd client is part of the Samba project. Many installers ask if you "need SMB support" and install both. The Samba project is indeed for both being a server and a client. I'm so, so sorry I offended you because only one part of the project has the gaping security hole.
Re: (Score:2)
Sorry, cifs-utils is also part of the Samba project.
Re: (Score:2)
You could delete half the news item text and you wouldn't lose anything. The first paragraph is useless scare mongering, while the second paragraph only has relevant information at the end. This is getting pretty pathetic. I thought Slashdot had better tech coverage than this. It's like I'm reading a frikin news for dummies site.
How about just saying a vulnerability in Samba was found, describe the vulnerability, then the impact? kthx bye.
Re:Bury the lede much? It's a SAMBA problem (Score:5, Informative)
Yes, that is the core of the bug. However, I can offer some explanation into how it happened.
There are 2 subsystems involved here.
(1). Load a shared library module and execute it.
This has many uses inside Samba.
(2). Allow a client request on an RPC pipe to be routed to an external process or library.
This allows Samba to be built without embedding all the named pipe services inside it, which makes it a smaller binary for embedded vendors.
Unfortunately an old commit connected the two subsystems together, re-using the shared library module existing code to find and load the service the client was asking for. There was insufficient sanitization of the requesting name which caused the problem.
The commit happened in 2009, before we had two-engineer design and review practices and the full regression test suite we now use.
Eventually I want to remove the ability to load any shared modules containing more than one path component. This has to be done carefully however to avoid breaking existing configured systems that may depend on this.
Re: (Score:2)
Re: (Score:3)
Coverity analysis, Codenomicon fuzzing, all changes peer-engineer review, no code changes without regression test coverage, no back-ports without a bug report.
Pretty basic stuff for professional code quality these days.
For this one, the only way to catch it would have been the peer-engineer review and fuzzing steps, and we weren't doing them back in 2009.
Re: (Score:1)
RE: And the link to the CVA is? (Score:5, Informative)
https://www.samba.org/samba/security/CVE-2017-7494.html
===========
Description
===========
All versions of Samba from 3.5.0 onwards are vulnerable to a remote
code execution vulnerability, allowing a malicious client to upload a
shared library to a writable share, and then cause the server to load
and execute it.
==========
Workaround
==========
Add the parameter:
nt pipe support = no
to the [global] section of your smb.conf and restart smbd. This
prevents clients from accessing any named pipe endpoints. Note this
can disable some expected functionality for Windows clients.
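An added example (not Samba's own code, nor part of the advisory) that reads an smb.conf the way a reviewer checking this workaround would: it normalises parameter names as Samba does (case and whitespace are ignored), reports whether nt pipe support is effectively off in [global], and lists the writable shares the advisory names as the precondition. The two smb.conf bodies are constructed samples; the second shows the parameter placed in a share section, where it has no effect.

```python
import re

# Constructed sample smb.conf bodies (not from a real host).
CONF_FIXED = """
# Workaround from the CVE-2017-7494 advisory: disable named pipe endpoints.
[global]
   workgroup = WORKGROUP
   NT Pipe Support = No
[public]
   path = /srv/samba/public
   writable = yes
"""
# Same parameter, but in a share section: Samba only honours it in [global].
CONF_WRONG_SECTION = """
[global]
   workgroup = WORKGROUP
[public]
   path = /srv/samba/public
   writable = yes
   nt pipe support = no
"""
FALSE_VALUES = {"no", "false", "0", "off"}
TRUE_VALUES = {"yes", "true", "1", "on"}


def _norm(name):
    """Samba matches parameter names ignoring case and whitespace."""
    return re.sub(r"\s+", "", name).lower()


def parse_smb_conf(text):
    """Return {section: {normalised_param: lowercased_value}} for an smb.conf body."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        # Only whole-line comments exist in smb.conf; text after '=' is the value.
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][_norm(key)] = value.strip().lower()
    return sections


def nt_pipe_support_enabled(text):
    """True when named pipes are reachable, i.e. the workaround is not in effect."""
    # Default is 'yes': a missing parameter, or one outside [global], leaves pipes on.
    value = parse_smb_conf(text).get("global", {}).get("ntpipesupport", "yes")
    if value in FALSE_VALUES:
        return False
    if value in TRUE_VALUES:
        return True
    raise ValueError(f"unrecognised boolean for 'nt pipe support': {value!r}")


def writable_shares(text):
    """Shares granting write access, the precondition the advisory names."""
    return [name for name, p in parse_smb_conf(text).items()
            if name != "global" and (p.get("writable") in TRUE_VALUES
                                     or p.get("writeable") in TRUE_VALUES
                                     or p.get("readonly") in FALSE_VALUES)]
```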
So dangerous (Score:1)
I had to read till halfway through the last sentence to find out what software was actually affected.
Keep up the clickbait
Put SAMBA in the headline (Score:3)
Re: (Score:2)
Yeah, but Slashdot has always disliked Samba since time immemorial.
I think it's because early Samba Team member Tim Potter (tpot) used to troll slashdot for fun, and CmdrTaco *hated* the trolls :-).
Beware of the hoodie (Score:1)
My favorite part is the photo caption on the reuters link:
FILE PHOTO: A hooded man holds a laptop computer as a blue screen with an exclamation mark is projected on him in this illustration picture taken on May 13, 2017.
100,000 computers (Score:1)
had found more than 100,000 computers running vulnerable versions of the software
Do you mean that there are 100,000 computers with Samba exposed on the internet? That is scary....
Re: (Score:2, Insightful)
Re: (Score:2)
You need a writeable share exposed to the intranet for this to work like wannacry. If you're running samba, that is very likely the case. Why else run samba than to allow windows machines on your network to access it? Many corporations use linux machines running samba as web servers for windows machines.
Once a windows or linux user opens any single email with an exploit and writes it to any samba share on your corporate network, the worm could then hit every machine within the intranet that is vulnerable.
Wh
Re: (Score:1)
I have a read-only samba share on my desktop which I use to copy photos to my Android phone so that I can bore my colleagues with them. It's the simplest method I've found.
Re: (Score:2)
You think someone who exposes a Samba machine directly to the internet has the intelligence to not put a writable share on there?
Linux admins are immune to being incredibly stupid.
Re: 100,000 computers (Score:1)
Re: (Score:2)
The irony of calling out a stupid error while confusing stupid with a typo. Get over yourself.
Re: (Score:2)
No. There's 485000 computers with Samba exposed to the internet. There's 100000 running a version of Samba with this vulnerability.
Bigger than it sounds at first? (Score:2)
Nobody sane lets SMB past the border-firewall (Score:2)
I begin to think of these things as evolution finally beginning to punish the dumb again. Incidentally, it does not matter whether it takes 15min, 1h, 1 day or 1 week to develop an exploit for a vulnerability. The article is dripping stupidity.
Re: (Score:2)
Oh yes, they are. But the article is about Samba, not sane.
Ubuntu and downstream derivatives (Score:2)
Patched in Ubuntu and downstream derivatives in Samba v2:4.3.11+dfsg-0ubuntu0.16.04.7 (This is the xenial one.)
samba (2:4.3.11+dfsg-0ubuntu0.16.04.7) xenial-security; urgency=medium
* SECURITY UPDATE: remote code execution from a writable share
- debian/patches/CVE-2017-7494.patch: refuse to open pipe names with a slash inside in source3/rpc_server/srv_pipe.c.
- CVE-2017-7494
-- Marc Deslauriers Fri, 19 May 2017 14:18:13 -0400
Source: http://changelogs.ubuntu.com/changelogs/pool/main/s/samba/samba_4 [ubuntu.com]
Step 1: Don't disable SELinux (Score:1)
Re: (Score:2)
"I''m going to laugh my ass off when a vulnerability like this is found on Linux and you smug bastards get exploited en masse. It's just a matter of time, and I can't wait until it happens. Yay!"
Meanwhile, we commend you on your dedication to Microsoft.
Re:I'm going to laugh my ass off... (Score:5, Informative)
I'll be honest, if you're giving remote anonymous write access to your Samba share on the open internet, you should probably stop doing that. Figure out another way to achieve that goal.
Re: (Score:1)
If you have a SAMBA share on the open internet you should stop doing that. There are much better ways to accomplish file sharing.
Re: I'm going to laugh my ass off... (Score:2)
"It might not be intentional. Linux distro's by default come with a whole load of server applications active; samba, avahi, cups, ntp, dhclient."
Please list one linux distro that installs and enables smbd by default.
The rest are not server-only software, cups is usually configured to listen on the loopback interface, and avahi and ntpd normally run as non-root
So the biggest risk is the dhcp client. One wonders if it is necessary for the dhcp client to listen all the time these days. Of course it should be p
Re:I'm going to laugh my ass off... (Score:4, Interesting)
As I understand it Wannacry only used an SMB vulnerability when it had already infected a PC via a mailed exploit. Only one employee opening an attachment could quickly infect a whole company network.
So, this one could be used in the same scenario even without having open shares on the Internet.
Re: (Score:2)
Given that Shodan lists 485000 Samba servers on Linux exposing the required port directly to the internet, I would say that Linux isn't free from incompetent administrators and that you're very likely to find many machines that fit just that stupid scenario you're describing.
Interestingly a large number of these servers seem to be based in the UAE. What's the bet they are related to industrial machines connected to the internet...
Re: (Score:2)
Re:I'm going to laugh my ass off... (Score:5, Informative)
The vulnerability has a lot of prerequisites:
- You need write access to a share
- You need to know the underlying directory structure
- You end up with a shell as user "nobody"
Sure it's bad, but it's not WannaCry bad. At best you get a shell to execute some replication code, at worst you get nothing (modern SELinux, Solaris etc refuse execution rights to nobody).
Re: (Score:1)
Samba is only used by Linux people when they talk to Windows machines. Take Windows out of the picture and Samba is no longer necessary. Saying that this is a problem for all Linux is like saying that a vulnerability in the Windows Linux Subsystem is a problem for all Windows users.
Re: (Score:1)
I use samba to make my video/audio library easily accessible for Linux machines running Kodi (readonly though). Sure I could use nfs, but samba was the easiest to setup.
Re: (Score:2)
NFS is much easier to set up (single line config and start the service) and works better with kodi... I can't imagine going to the trouble of installing samba for a scenario like this.
Re: I'm going to laugh my ass off... (Score:2)
I have a similar setup.
Why?
Kodi profiles.
I have one Kodi instance, running as one unix user, but if the Kids profile is logged in, there is no way to access non-child-appropriate content.
When the master profile logs in to Kodi, the samba shares are used, accessed by username/password.
Yes, it is not secure, but enough to keep kids under 9 away from stuff they probably don't need to hear/see.
And, due to the nature of NFS, not so easy to do (since NFS perma apply bu unix uid or other similar proxy e.g uid with
Re: (Score:2)
Ahh I was looking for a zealot who didn't read far enough through the article and spouted off a stereotypical "just switch to Linux!" post. But this batch of mental gymnastics is a pretty close second.
And no, it's nothing like that. The amount of Linux machines that have to interact with Windows (especially in commercial environments) significantly dwarfs the number of people who use WLS. Maybe that won't always be the case, but it certainly is for now, if for no other reason than because WLS is extremely
Re: (Score:2)
Right, but consider how many samba machines are on small business networks. If a piece of malware gets onto any windows machine or phone attached to your network, it can potentially execute this exploit against your fileserver.
Re: I'm going to laugh my ass off... (Score:2)
I worked for an enterprise until recently.
Our team ran about 200 VMs.
About 4 ran Windows, the rest Linux (RHEL7 mostly).
About 2 of the Linux VMs had Samba (to store common large software packages used by developers). The shares weren't writable except by system administrators, and the underlying filesystems mounted noexec. SELinux set to enforcing.
It's not like it would be a burden to patch those, and lots of mitigations if exploited before someone does patch them.
So your idea that 'Linux in the enterprise
Re: (Score:2)
So your idea that 'Linux in the enterprise runs Samba' needs a qualifier.
I keep forgetting that on Slashdot you always have to explicitly state the qualifier: "all generalizations have exceptions." In most settings that's just a given.
Re: (Score:2)
The operative word in your screed is WHEN.
Have fun waiting.
Re: (Score:2)
And there can be good reason for lack of updates. From the ars article on the subject today:
"Researchers with security firm Rapid7, meanwhile, said they detected 110,000 devices exposed on the Internet that appeared to run vulnerable versions of Samba. 92,500 of them appeared to run unsupported versions of Samba for which no patch was available."
That directly mirrors the windows situation in which many of the infected machines were running unsupported OS versions.
Re: (Score:2)
And many of these will also be too old to contain the vulnerability...
Re: (Score:1)
"I'm going to laugh my ass off when a vulnerability like this is found on Linux and you smug bastards get exploited en masse. It's just a matter of time, and I can't wait until it happens. Yay!"
LOL! You obviously do not understand how Linux works. It doesn't have promiscuous "ActiveX" type controls..
Enjoy going through life without your posterior! :D
Re: Patch was already released... (Score:1)
Re: (Score:1)