A Samba vulnerability was recently discovered on the heels of the WannaCry ransomware worm. Researchers say the Samba vulnerability is similar to the EternalBlue bug used in the WannaCry attacks. How are they similar, and what mitigation steps are available?
The vulnerability in Samba -- as well as WannaCry ransomware -- shows that every organization needs to apply appropriate patches and enforce configuration management in its systems to defend itself against security risks.
The affected Linux and Windows systems are similar in that both create a remote exposure when port 445 is open on the perimeter. Samba is used to enable Linux devices, such as printers, to communicate with Windows systems, and it is a key element of interoperability between the operating systems.
It's interesting that the Samba vulnerability (CVE-2017-7494) was announced soon after the WannaCry ransomware spread. While neither has anything to do with the other, seeing this vulnerability just cements the urgent need for IT security to move back to the fundamentals.
Both vulnerabilities are a concern for remote execution if the systems are exposed to the internet and are unpatched. Also, both vulnerabilities require a payload to be dropped in order to achieve their results. In the case of WannaCry, it was EternalBlue that was used to power the malware; in the case of the Samba vulnerability, there was no known malware wrapped around the exploit.
It's a little harder to infect a system with the Samba vulnerability than it is with WannaCry. With Samba, there needs to be a vulnerable system, the attacker needs to know the path of the file share, and he must either be able to authenticate or have a share that enables anonymous authentication. Many of these things need to be in place for the vulnerability to work; however, the exploit is not impossible, and it needs to be remediated either way.
The Samba advisory was accompanied by a patch to remediate the issue, as well as a workaround to assist those who couldn't patch. Adding "nt pipe support = no" to the [global] section of your Samba configuration will stop the threat, but it also might stop Windows systems from connecting to the shares.
There's no guarantee that the workaround will be effective, and the only surefire way to stop the threat is to patch. This can be a concern because many of these systems don't have an auto-update feature, like Windows does, to receive the patch automatically.
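As an added example (not part of the original article and not Samba's own tooling), the following Python script audits an smb.conf for the two conditions discussed above: whether the "nt pipe support = no" workaround is active in [global], and which shares allow anonymous (guest) access. The sample configuration, share names and function names are constructed for illustration.

```python
import re

# Constructed sample smb.conf for illustration (not taken from a real host).
SAMPLE_CONF = """\
[global]
   ; nt pipe support = no   <- commented out, so the workaround is NOT active
[scans]
   path = /srv/scans
   Guest OK = Yes
[finance]
   path = /srv/finance
"""

TRUE, FALSE = {"yes", "true", "on", "1"}, {"no", "false", "off", "0"}
SYNONYMS = {"public": "guestok"}   # "public" is a synonym for "guest ok"

def norm(name):
    # Samba ignores case and whitespace in section and parameter names.
    return re.sub(r"\s+", "", name).lower()

def parse_smb_conf(text):
    """Return {section: {parameter: value}} with normalised names."""
    sections, current = {}, None
    text = re.sub(r"\\\r?\n", "", text)        # join backslash-continued lines
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in "#;":        # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(norm(line[1:-1]), {})
        elif "=" in line and current is not None:
            name, value = line.split("=", 1)
            key = norm(name)
            current[SYNONYMS.get(key, key)] = value.strip()
    return sections

def audit(text):
    """Findings for the nt pipe support workaround and anonymous share access."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    findings = []
    # "nt pipe support" defaults to yes when it is not set.
    if glob.get("ntpipesupport", "yes").lower() not in FALSE:
        findings.append("global: nt pipe support enabled (workaround not applied)")
    for share, params in conf.items():
        merged = {**glob, **params}            # [global] supplies share defaults
        if share != "global" and merged.get("guestok", "no").lower() in TRUE:
            findings.append(f"{share}: anonymous (guest) access allowed")
    return findings
```

Calling audit() on the text of a host's smb.conf returns one finding per issue; an empty list means the workaround is set and no share permits guest access, which still does not replace patching.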
If patching these systems -- which are most likely servers that need to be on at all times -- becomes an issue, creating proper network segmentation and removing any public exposure of them is the best way to reduce the risk now.
All systems running Samba need to be patched to stop this risk, but it shouldn't stop there. These two vulnerabilities are eye-opening occurrences that happened within a few weeks of each other, which shows that performing basic patch and configuration management is what the industry needs to start focusing on more.
Ask the expert:
Want to ask Matt Pascucci a question about security? Submit your question now via email. (All questions are anonymous.)