Newly Discovered Vulnerability Raises Fears Of Another WannaCry (reuters.com)
Date: 2017-05-25
A newly found flaw in widely used networking software leaves tens of thousands of computers potentially vulnerable to an attack similar to that caused by WannaCry, which infected more than 300,000 computers worldwide, cybersecurity researchers said on Thursday. From a Reuters report: The U.S. Department of Homeland Security on Wednesday announced the vulnerability, which could be exploited to take control of an affected computer, and urged users and administrators to apply a patch. Rebekah Brown of Rapid7, a cybersecurity company, told Reuters that there were no signs yet of attackers exploiting the vulnerability in the 12 hours since its discovery was announced. But she said it had taken researchers only 15 minutes to develop malware that made use of the hole. "This one seems to be very, very easy to exploit," she said. Rapid7 said it had found more than 100,000 computers running vulnerable versions of the software, Samba, free networking software developed for Linux and Unix computers.
All versions of Samba from 3.5.0 onwards are vulnerable to a remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it. A patch addressing this defect has been posted to http://www.samba.org/samba/security/ [samba.org] Additionally, Samba 4.6.4, 4.5.10 and 4.4.14 have been issued as security releases to correct the defect. Patches against older Samba versions are available at http://samba.org/samba/patches... [samba.org]. Samba vendors and administrators running affected versions are advised to upgrade or apply the patch as soon as possible.
"I'm going to laugh my ass off when a vulnerability like this is found on Linux and you smug bastards get exploited en masse. It's just a matter of time, and I can't wait until it happens. Yay!"
Meanwhile, we commend you on your dedication to Microsoft.
I'll be honest, if you're giving remote anonymous write access to your Samba share on the open internet, you should probably stop doing that. Figure out another way to achieve that goal.
As I understand it, WannaCry only used an SMB vulnerability when it had already infected a PC via a mailed exploit. Only one employee opening an attachment could quickly infect a whole company network.
So, this one could be used in the same scenario even without having open shares on the Internet.
The vulnerability has a lot of prerequisites:
- You need write access to a share
- You need to know the underlying directory structure
- You end up with a shell as user "nobody"
Sure it's bad, but it's not WannaCry bad. At best you get a shell to execute some replication code, at worst you get nothing (modern SELinux, Solaris etc refuse execution rights to nobody).
https://gcn.com/articles/2017/... [gcn.com]
https://www.samba.org/samba/se... [samba.org]
Actually, it's a completely optional daemon that runs on top of Linux to support Windows clients from Linux or let Linux be a client for Windows drive sharing. It's not part of the OS, it's not mandatory to run with the OS, it's not related to the running of an all-Linux network, and it's based on specifications from the Windows folks.
Re:Bury the lede much? It's a SAMBA problem (Score:4, Informative)
Maybe not today, though.
It could be worse. It could be an SSH or SSL bug.
You could delete half the news item text and you wouldn't lose anything. The first paragraph is useless scare mongering. While the second paragraph only has relevant information in the end. This is getting pretty pathetic. I thought Slashdot had better tech coverage than this. It's like I'm reading a frikin news for dummies site.
How about just saying a vulnerability in Samba was found, describe the vulnerability, then the impact? kthx bye.
Yes, that is the core of the bug. However, I can offer some explanation into how it happened.
There are 2 subsystems involved here.
(1). Load a shared library module and execute it.
This has many uses inside Samba.
(2). Allow a client request on an RPC pipe to be routed to an external process or library.
This allows Samba to be built without embedding all the named pipe services inside it, which makes it a smaller binary for embedded vendors.
https://www.samba.org/samba/security/CVE-2017-7494.html
Description
All versions of Samba from 3.5.0 onwards are vulnerable to a remote
code execution vulnerability, allowing a malicious client to upload a
shared library to a writable share, and then cause the server to load
and execute it.
Workaround
Add the parameter:
nt pipe support = no
to the [global] section of your smb.conf and restart smbd. This
prevents clients from accessing any named pipe endpoints. Note this
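
An added example, not part of the thread or the Samba advisory: a Python audit that checks an smb.conf for the `nt pipe support = no` workaround, lists writable shares, and compares a version string against the security releases named above. The sample configuration and all function names are constructed for illustration.

```python
import re

# Security releases named in the advisory text, keyed by release branch.
FIXED = {(4, 6): 4, (4, 5): 10, (4, 4): 14}
TRUE = {"yes", "true", "on", "1"}
FALSE = {"no", "false", "off", "0"}

def version_affected(version):
    """True if an upstream Samba version predates the fix. Assumption: vendor
    packages may backport the patch, so True means 'confirm with the vendor'."""
    major, minor, patch = map(int, re.match(r"(\d+)\.(\d+)\.(\d+)", version).groups())
    if (major, minor, patch) < (3, 5, 0) or (major, minor) >= (4, 7):
        return False
    fixed_patch = FIXED.get((major, minor))
    return fixed_patch is None or patch < fixed_patch

def parse_smb_conf(text):
    """Return {section: {param: value}}; names are lowercased and
    whitespace-normalised, lines starting with ';' or '#' are comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return sections

def is_writable(params):
    # 'writable', 'writeable' and 'write ok' are inverted synonyms of 'read only'.
    if any(params.get(k, "no").lower() in TRUE for k in ("writable", "writeable", "write ok")):
        return True
    return params.get("read only", "yes").lower() in FALSE

def audit(text):
    """Report whether the workaround is set and which shares accept writes."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    shares = [n for n, p in conf.items() if n != "global" and is_writable({**glob, **p})]
    return {"pipes_disabled": glob.get("nt pipe support", "yes").lower() in FALSE,
            "writable_shares": shares}

# Constructed sample: the workaround is commented out, so it is not in effect.
SAMPLE = "[global]\n  workgroup = EXAMPLE\n  ; nt pipe support = no\n" \
         "[public]\n  path = /srv/public\n  writeable = yes\n" \
         "[docs]\n  path = /srv/docs\n  read only = yes\n"

if __name__ == "__main__":
    print(audit(SAMPLE), version_affected("4.6.3"))
```
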
100,000 computers (Score:1)
had found more than 100,000 computers running vulnerable versions of the software
Do you mean that there are 100,000 computers with Samba exposed on the internet? That is scary....