Patching CVE-2017-7494 in Samba: It’s the Circle of Life

2017-05-27T02:51:04
ID RAPID7COMMUNITY:70F4A599D7DDC69173F490543EA5873E
Type rapid7community
Reporter jenellis
Modified 2017-05-27T02:51:04

Description

<div class="jive-rendered-content">
<p>With the scent of scorched internet still lingering in the air from the <a href="http://community.rapid7.com/community/infosec/blog/2017/05/12/wanna-decryptor-wncry-ransomware-explained">WannaCry ransomworm</a>, today we see a new scary-and-potentially-incendiary bug hitting the Twitter news. The vulnerability, CVE-2017-7494, affects Samba versions 3.5 (released March 1, 2010) and later. Samba is the de facto standard for providing Windows-compatible file and print services on Unix and Linux systems. Check out <a href="https://www.samba.org/samba/security/CVE-2017-7494.html">Samba's advisory</a> for more details.</p>
<p>We strongly recommend that security and IT teams take immediate action to protect themselves.</p>
<h2>Who is affected?</h2>
<p>Many home and corporate network storage systems run Samba, and it is installed by default on many Linux distributions, so some users may be running Samba without realizing it. Given how easy it is to enable Samba on Linux endpoints, even devices that require it to be enabled manually are not necessarily in the clear.</p>
<p>Samba makes it possible for Unix and Linux systems to share files the same way Windows does. While the WannaCry ransomworm impacted Windows systems and was easily identifiable, with clear remediation steps, the Samba vulnerability will impact Linux and Unix systems and could present significant technical obstacles to obtaining or deploying appropriate remediations. These obstacles will most likely arise where devices are not managed by typical patch deployment solutions, or do not allow OS-level patching by the user. As a result, we believe those systems may be likely conduits into business networks.</p>
<h2>How bad is it?</h2>
<p>The internet is not on fire yet, but there’s a lot of potential for it to get pretty nasty. If a vulnerable version of Samba is running on a device and a malicious actor can upload files to that machine, exploitation is trivial.</p>
<p>In a <a href="https://sonar.labs.rapid7.com/">Project Sonar</a> scan run today, Rapid7 Labs discovered <strong>more than 104,000 internet-exposed endpoints that appear to be running vulnerable versions of Samba on port 445.</strong> Of those, almost 90% (92,570) are running versions for which there is currently no direct patch available. In other words, “We're way beyond the boundary of the Pride Lands.” (Sorry, we promise that’s the last Lion King reference. Maybe.)</p>
<p><a href="https://community.rapid7.com/servlet/JiveServlet/showImage/38-7892-67041/Samba+445+major_minor_vulnerable_version_counts_updated.png"><img alt="Samba 445 major_minor_vulnerable_version_counts_updated.png" class="image-1 jive-image" height="524" src="https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7892-67041/1600-524/Samba+445+major_minor_vulnerable_version_counts_updated.png" style="width: 620px; height: 204px;" width="1600"/></a></p>
<p>We’ve been seeing a significant increase in malicious traffic to port 445 since May 19th; however, the recency of the WannaCry vulnerability makes it difficult for us to attribute this directly to the Samba vulnerability. It should be noted that proof-of-concept exploit code has already appeared on Twitter, and we are seeing Metasploit modules making their way into the community.</p>
<p>We will continue to scan for potentially vulnerable endpoints and will provide an update on numbers in the next few days.</p>
<p><strong><span style="text-decoration: underline;">RESEARCH UPDATE – 5/25/17</span> – </strong>We have now run a scan on port 139, which also exposes Samba endpoints. We found very similar numbers to those for the scan of port 445. <strong>On port 139, we found approximately 110,000 internet-exposed endpoints running vulnerable versions of Samba.</strong> Of these, about 91% (99,645) are running older, unsupported versions of Samba (pre-4.4).</p>
<p><a href="https://community.rapid7.com/servlet/JiveServlet/showImage/38-7892-67042/Samba+139+major_minor_vulnerable_version_counts_updated.png"><img alt="Samba 139 major_minor_vulnerable_version_counts_updated.png" class="image-2 jive-image" height="524" src="https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7892-67042/1600-524/Samba+139+major_minor_vulnerable_version_counts_updated.png" style="width: 620px; height: 204px;" width="1600"/></a></p>
<h2>What should you do to protect yourself?</h2>
<p>The makers of Samba have <a href="https://www.samba.org/samba/history/security.html">provided a patch for versions 4.4 onwards</a>.</p>
<p>A workaround for unsupported and vulnerable older versions (3.5.x to 4.4.x) is available, and the same workaround can also be used for supported versions that cannot upgrade. We also recommend that users of older, affected versions upgrade to a more recent, supported version of Samba (4.4 or later) and then apply the available patch.</p>
<p>Organizations should review their official asset and configuration management systems to immediately identify vulnerable systems, and then perform comprehensive and regular full network vulnerability scans to identify misconfigured or rogue systems. Additionally, organizations should review their firewall rules to ensure that SMB/Samba network traffic is not allowed directly from the internet to their assets.</p>
<p>Many network-attached storage (NAS) environments are used as network backup systems. A direct attack or worm would render those backups almost useless, so if patching cannot be done immediately, we recommend creating an offline copy of critical data as soon as possible.</p>
<p>In addition, organizations should monitor all internal and external network traffic for increases in connections or connection attempts to Windows file sharing protocols.</p>
<h2>How can Rapid7 help?</h2>
<p>We are working on checks for <a href="https://www.rapid7.com/products/insightvm/">Rapid7 InsightVM</a> and <a href="https://www.rapid7.com/products/nexpose/">Rapid7 Nexpose</a> so customers can scan their environments for vulnerable endpoints and take mitigating action as quickly as possible.</p>
<p>We also expect a module in the <a href="https://www.rapid7.com/products/metasploit/">Metasploit Framework</a> very soon, enabling security professionals to test the effectiveness of their mitigations and understand the potential impact of exploitation.</p>
<p>We will notify users as soon as these solutions are available.</p>
<p><strong><span style="text-decoration: underline;">PRODUCT UPDATE – 5/25/17</span> –</strong> We have authenticated checks available for Samba CVE-2017-7494 in Rapid7 InsightVM and Rapid7 Nexpose. The authenticated checks relate to vendor-specific fixes as follows:</p>
<ul style="list-style-type: disc;">
<li>ubuntu-cve-2017-7494</li>
<li>debian-cve-2017-7494</li>
<li>freebsd-cve-2017-7494</li>
<li>oracle_linux-cve-2017-7494</li>
<li>redhat_linux-cve-2017-7494</li>
<li>suse-cve-2017-7494</li>
</ul>
<p><span style="text-decoration: underline;"><strong>PRODUCT UPDATE 2 – 5/25/17</strong></span> – We now have both authenticated and unauthenticated remote checks in Rapid7 InsightVM and Rapid7 Nexpose. In the unauthenticated case we use anonymous or guest login to gather the required information; on systems that are hardened against that kind of login, the authenticated remote check is available.</p>
<p>Not a Rapid7 customer? <a href="https://www.rapid7.com/products/insightvm/download/">Scan your network with InsightVM</a> to understand the impact this vulnerability has on your organization. We also have a <a href="https://community.rapid7.com/community/nexpose/blog/2017/05/25/scanning-and-remediating-samba-cve-2017-7494-in-insightvm-and-nexpose">step-by-step guide on how to scan</a> for Samba CVE-2017-7494 using our vulnerability scanners.</p>
<p><span style="text-decoration: underline;"><strong>PRODUCT UPDATE 3 – 5/25/17</strong></span> – We now have <a href="https://www.rapid7.com/db/modules/exploit/linux/samba/is_known_pipename">a Metasploit module available</a> for this vulnerability, so you can see whether you can be exploited via Samba CVE-2017-7494 and understand the impact of such an attack. <a href="https://www.rapid7.com/products/metasploit/download/">Download Metasploit to try it out.</a></p>
<p><em>P.S. Yes, we know the lion is called Simba. But who doesn't love a gratuitous and tenuous cartoon lion reference?! Rowr.</em></p>
</div>
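The post's "What should you do to protect yourself?" section names two remediation paths (a vendor patch for 4.4 and later, a configuration workaround for older or unpatchable builds) without showing either. The following Python script is an added example, not code from the Rapid7 post or from the Samba project: it classifies a reported Samba version into the remediation path the post describes, and checks for or inserts the workaround that the linked Samba advisory publishes, `nt pipe support = no` in the `[global]` section of smb.conf. The sample smb.conf is constructed; the version thresholds come from the post, and the classification only tells you which path applies, since a 4.4+ package may already carry the vendor fix.

```python
"""Added example (not from the Rapid7 post): triage a Samba install for
CVE-2017-7494 using the version ranges the post gives, and check or apply the
workaround published in the Samba advisory (nt pipe support = no in [global])."""
import re

AFFECTED_FROM = (3, 5)    # post: versions 3.5 and onwards are affected
PATCHABLE_FROM = (4, 4)   # post: a vendor patch exists for 4.4 onwards


def parse_version(text):
    """Extract (major, minor, patch) from strings like 'Version 4.5.8-Debian'."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError("no Samba version found in %r" % text)
    return tuple(int(x or 0) for x in m.groups())


def triage(version_text):
    """Return which remediation path from the post applies to this version.

    Version alone does not prove a 4.4+ build is unpatched; it only says
    whether a vendor patch exists or the workaround is the available option."""
    v = parse_version(version_text)
    if v[:2] < AFFECTED_FROM:
        return "not-affected"
    if v[:2] < PATCHABLE_FROM:
        return "unsupported-use-workaround"
    return "patch-available"


def has_workaround(smb_conf):
    """True if [global] sets 'nt pipe support = no' (case and spacing insensitive)."""
    section = None
    for raw in smb_conf.splitlines():
        line = raw.split(";")[0].split("#")[0].strip()  # drop smb.conf comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            key, _, val = line.partition("=")
            if " ".join(key.split()).lower() == "nt pipe support" and val.strip().lower() == "no":
                return True
    return False


def apply_workaround(smb_conf):
    """Return smb_conf with 'nt pipe support = no' added to [global] (idempotent)."""
    if has_workaround(smb_conf):
        return smb_conf
    lines = smb_conf.splitlines()
    for i, raw in enumerate(lines):
        if raw.strip().lower() == "[global]":
            lines.insert(i + 1, "   nt pipe support = no")
            break
    else:  # no [global] section at all: create one at the top
        lines = ["[global]", "   nt pipe support = no", ""] + lines
    return "\n".join(lines) + "\n"


# Constructed sample smb.conf for a small NAS (not taken from any real host)
SAMPLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = NAS

[backup]
   path = /srv/backup
   writable = yes
   guest ok = yes
"""

if __name__ == "__main__":
    print(triage("Version 3.6.25"))          # unsupported-use-workaround
    print(has_workaround(SAMPLE_SMB_CONF))   # False
    print(apply_workaround(SAMPLE_SMB_CONF))
```

Feed `smbd --version` (or `smbstatus --version`) output to `triage`, and write the result of `apply_workaround` back to smb.conf before restarting smbd. The advisory notes that disabling named-pipe support also removes some functionality Windows clients expect, which is why the post treats it as a stopgap for hosts that cannot be patched or upgraded rather than a replacement for the patch.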
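The post also asks organizations to watch internal and external traffic for increases in connections to Windows file sharing ports. The following Python script is an added example, not code from the Rapid7 post: it parses iptables-style firewall log lines, counts TCP connection attempts to 139/445 per minute, and raises two kinds of alert: a minute whose count is a multiple of the median baseline, and a single source reaching many distinct internal hosts (the fan-out a worm or sweep produces). The log lines, the thresholds (`spike_factor`, `fanout_threshold`) and the address ranges are all constructed for the example.

```python
"""Added example (not part of the Rapid7 post): flag spikes in SMB connection
attempts (TCP 139/445) in iptables-style firewall logs."""
import re
from collections import Counter, defaultdict
from statistics import median

SMB_PORTS = {139, 445}
# Matches constructed lines such as:
# "May 25 10:05:00 fw kernel: [IN=eth0 OUT= SRC=a.b.c.d DST=e.f.g.h PROTO=TCP SPT=51000 DPT=445 SYN]"
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d):\d\d .*?SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) "
    r".*?PROTO=TCP .*?DPT=(?P<dpt>\d+)"
)


def parse_smb_events(lines):
    """Yield (minute, src, dst, dport) for every TCP connection to an SMB port."""
    for line in lines:
        m = LOG_RE.search(line)
        if m and int(m.group("dpt")) in SMB_PORTS:
            yield m.group("ts"), m.group("src"), m.group("dst"), int(m.group("dpt"))


def smb_alerts(lines, spike_factor=5, fanout_threshold=5):
    """Return the per-minute baseline, spike minutes and high fan-out sources.

    spike_factor and fanout_threshold are assumed values; tune them to the
    normal SMB volume of the network being watched."""
    events = list(parse_smb_events(lines))
    per_minute = Counter(ts for ts, _, _, _ in events)
    targets = defaultdict(set)
    for _, src, dst, _ in events:
        targets[src].add(dst)
    baseline = median(per_minute.values()) if per_minute else 0
    spikes = sorted(ts for ts, n in per_minute.items()
                    if baseline and n >= spike_factor * baseline)
    scanners = sorted(src for src, dsts in targets.items()
                      if len(dsts) >= fanout_threshold)
    return {"baseline_per_minute": baseline,
            "spike_minutes": spikes,
            "fanout_sources": scanners}


def _line(ts, src, dst, dpt, proto="TCP"):
    """Build one constructed firewall log line."""
    return (f"{ts}:00 fw kernel: [IN=eth0 OUT= SRC={src} DST={dst} "
            f"PROTO={proto} SPT=51000 DPT={dpt} SYN]")


# Constructed sample log: a quiet baseline, two non-SMB lines, then one
# external address sweeping port 445 across twelve internal hosts.
SAMPLE_LOG = []
for minute in range(5):
    ts = f"May 25 10:0{minute}"
    SAMPLE_LOG.append(_line(ts, "192.0.2.21", "192.0.2.10", 445))
    SAMPLE_LOG.append(_line(ts, "192.0.2.22", "192.0.2.10", 139))
SAMPLE_LOG.append(_line("May 25 10:02", "192.0.2.21", "192.0.2.10", 80))          # not SMB
SAMPLE_LOG.append(_line("May 25 10:03", "192.0.2.23", "192.0.2.10", 445, "UDP"))  # not TCP
for host in range(12):
    SAMPLE_LOG.append(_line("May 25 10:05", "203.0.113.5", f"192.0.2.{30 + host}", 445))

if __name__ == "__main__":
    print(smb_alerts(SAMPLE_LOG))
```

Run it over a real `/var/log/kern.log` (or the `--log-prefix` output of the rule that logs SMB traffic) with `smb_alerts(open(path))`; the fan-out alert is the more useful of the two during a worm outbreak, because a single source touching many hosts on 445 stands out even when overall volume is still low.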