It’s not just Windows anymore: Samba has a major SMB bug | ZDNet

http://www.zdnet.com/article/its-not-just-windows-anymore-samba-has-a-major-smb-bug/

The other week, Microsoft got its security teeth kicked in when an old SMB security hole was exploited by the WannaCry ransomware attack. This week, it’s the turn of Samba, the popular open-source SMB server.
Like the WannaCry security hole, the good news is the Samba file-sharing bug has already been fixed. The bad news is you may be using Samba without knowing it. 

3 Comments

  1. Tomi Engdahl says:

    WannaCry was terrible, but it never had to happen – here’s why
    https://www.tuxera.com/wannacry-was-terrible-but-it-never-had-to-happen-heres-why/?utm_content=54953937&utm_medium=social&utm_source=facebook

    Hospitals, businesses, metro stations, universities, operators, and other organizations were brought to their knees without access to their important shared documents and files.

    The situation was so critical that Microsoft released an emergency security update for some versions of Windows that no longer receive mainstream support. Luckily, due to the swift action of Microsoft and cybersecurity experts around the world, the spread of WannaCry trickled off by May 16.

    WannaCry wasn’t inevitable – it was preventable

    The interesting thing is, the attack was entirely preventable. Firstly, Microsoft released a security update just a few months before the attack to address a susceptibility WannaCry exploited. Those who enabled this update were protected. Secondly, the exploit targeted a vulnerability found in a legacy version of the protocol, SMB1. And according to Microsoft, SMB1 is not safe. In fact, Microsoft’s own Ned Pyle wrote an entire blog post back in September 2016 begging people to stop using it!

    Mr. Pyle wrote his blog post in connection with Microsoft Security Bulletin MS16-114, released September 2016. The bulletin detailed a vulnerability which “could allow remote code execution if an authenticated attacker sends specially crafted packets to an affected Microsoft Server Message Block 1.0 (SMB1) Server…The potential impact is denial of service.”

    This vulnerability was discovered and reported to Microsoft by Tuxera software engineers, Oleg Kravtsov and Alexander Ovchinnikov.

    Microsoft already declared that SMB1 is not secure. WannaCry would not have become such a large-scale problem had people simply stopped using SMB1 in favor of the latest, most secure version, SMB3. This begs the question, why is SMB1 still in use?

    A big reason is that outdated versions of Samba – the open-source SMB server implementation – are used inside embedded devices, such as routers. These older versions of Samba only support SMB1. Interestingly enough, there are newer Samba versions that support SMB3, the most secure version of the protocol. But using these latest Samba versions has a catch – they are licensed under GNU General Public License Version 3 (GPLv3).

    Thus, hardware manufacturers resort to choosing older versions of Samba, which are not licensed under GPLv3. In turn, these versions only support SMB1 – which leads us to the crux of the issue.

  2. Tomi Engdahl says:

    Linux SambaCry
    http://hackaday.com/2017/05/25/linux-sambacry/

    Great news everyone, Windows is not the only operating system with remote code execution via SMB. Linux also has its own, seven-year-old version of the bug. /s

    This Linux remote execution vulnerability (CVE-2017-7494) affects Samba, the Linux re-implementation of the SMB networking protocol, from versions 3.5.0 onwards (since 2010). The SambaCry moniker was almost unavoidable.

    The bug, however, has nothing to do with how EternalBlue works, one of the exploits that the current version of WannaCry ransomware is packed with. While EternalBlue is essentially a buffer overflow exploit, CVE-2017-7494 takes advantage of an arbitrary shared library load. To exploit it, a malicious client needs to be able to upload a shared library file to a writeable share; afterwards it’s possible for the attacker to cause the server to load and execute it. A Metasploit exploit module is already public, able to target Linux ARM, X86 and X86_64 architectures.

    A patch addressing this defect has been posted to the official website and Samba 4.6.4, 4.5.10 and 4.4.14 have been issued as security releases to correct the defect.

    https://www.samba.org/samba/history/security.html

  3. Tomi Engdahl says:

    Warning! Hackers Started Using “SambaCry Flaw” to Hack Linux Systems
    http://thehackernews.com/2017/06/linux-samba-vulnerability.html?m=1

    Two weeks ago we reported about a 7-year-old critical remote code execution vulnerability in Samba networking software (re-implementation of SMB networking protocol) that allows a remote hacker to take full control of vulnerable Linux and Unix machines.
    To know more about the SambaCry vulnerability (CVE-2017-7494)

    At that time, nearly 485,000 Samba-enabled computers were found to be exposed on the Internet, and researchers predicted that the SambaCry-based attacks also have the potential to spread widely, just like the WannaCry ransomware.

    The prediction came out to be quite accurate, as honeypots set up by the team of researchers from Kaspersky Lab have captured a malware campaign that is exploiting the SambaCry vulnerability to infect Linux computers with cryptocurrency mining software.

    After compromising the vulnerable machines using the SambaCry vulnerability, attackers execute two payloads on the targeted systems:
    INAebsGB.so — A reverse-shell that provides remote access to the attackers.
    cblRWuoCc.so — A backdoor that includes cryptocurrency mining utilities – CPUminer.

    Reply
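
An added example, not part of the original post or of the articles quoted in the comments: a Python check that classifies `smbd --version` banners against the CVE-2017-7494 version range given in the second comment (affected from 3.5.0; fixed in 4.6.4, 4.5.10 and 4.4.14). The host names and banners are constructed sample data; treating branches newer than 4.6 as fixed, and flagging vendor-suffixed builds for a backport check, are assumptions of this example.

```python
import re

# From the page: CVE-2017-7494 affects Samba from 3.5.0 onwards;
# security releases 4.6.4, 4.5.10 and 4.4.14 correct the defect.
FIRST_AFFECTED = (3, 5, 0)
FIXED_BY_BRANCH = {(4, 6): (4, 6, 4), (4, 5): (4, 5, 10), (4, 4): (4, 4, 14)}
NEWEST_FIXED_BRANCH = max(FIXED_BY_BRANCH)

def parse_banner(banner):
    """Return ((major, minor, patch), vendor_suffix) from e.g. 'Version 4.5.9-Debian'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)(\S*)", banner)
    if not m:
        raise ValueError(f"no Samba version found in {banner!r}")
    return tuple(int(p) for p in m.group(1, 2, 3)), m.group(4)

def classify(banner):
    """Classify one banner: not-affected, fixed, check-vendor or vulnerable."""
    version, suffix = parse_banner(banner)
    if version < FIRST_AFFECTED:
        return "not-affected"  # predates the bug (such builds may still be SMB1-only)
    branch = version[:2]
    if branch > NEWEST_FIXED_BRANCH:
        return "fixed"  # assumption: branches after 4.6 ship with the fix
    fixed = FIXED_BY_BRANCH.get(branch)
    if fixed is not None and version >= fixed:
        return "fixed"
    if suffix:
        # Assumption: a vendor suffix means a distribution build, which may carry
        # a backported patch without changing the upstream version number.
        return "check-vendor"
    return "vulnerable"

# Constructed sample inventory: host name -> output of `smbd --version`.
SAMPLE_INVENTORY = {
    "nas-01": "Version 3.6.25",
    "files-02": "Version 4.5.9",
    "files-03": "Version 4.5.10",
    "router-04": "Version 3.0.37",
    "web-05": "Version 4.4.13-Debian",
    "dc-06": "Version 4.6.4",
}

def audit(inventory):
    """Map every host in the inventory to its classification."""
    return {host: classify(banner) for host, banner in inventory.items()}

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host:10} {status}")
```
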
