
SambaCry critical vulnerability: how to protect



A critical vulnerability has been found in Samba, the popular package used to serve network shares (SMB/CIFS) from Linux and Unix systems; it allows an attacker to take control of the affected system remotely. The bug went unnoticed for seven years: every release starting with Samba 3.5.0, published on March 1, 2010, is vulnerable to CVE-2017-7494. Today we will talk about how to protect against this vulnerability.

Possible consequences of exploitation


A description of the vulnerability has already been published on Habr (along with exploit code), so we will not go into detail here. Suffice it to say that, according to the Shodan search engine, more than 485,000 computers running Samba are currently reachable from the Internet. Researchers at Rapid7 estimated the number of externally accessible vulnerable systems at 104,000, of which 92,000 run unsupported versions of Samba.

This major problem also affects a number of Synology NAS devices.

A large number of Netgear routers and NAS devices are also vulnerable; Netgear has published its own security bulletin on the issue.

The scale of the problem led Cisco security expert Craig Williams to warn that CVE-2017-7494 could trigger "the first large-scale epidemic of ransomware worms on Linux systems."

In many home routers Samba is used to share attached USB storage, and as a rule such shares are writable. The exploit works by uploading a shared library to a writable share and then making smbd load it through a named-pipe request, so write access is exactly what an attacker needs. If network equipment vendors shipped a vulnerable version of Samba in their firmware, this opens up broad opportunities for attacks, for example building botnets.

How to protect


The Samba developers have fixed the vulnerability in new releases of the package (4.6.4 / 4.5.10 / 4.4.14) and advise users to install the update as soon as possible. If moving to a newer version is not possible, the Samba team recommends editing the smb.conf configuration file and adding the following line to the [global] section:

nt pipe support = no 

After that, restart the SMB daemon (smbd). This prevents clients from accessing any named-pipe endpoints on the server, which blocks the attack but also disables some functionality that Windows clients expect. Patches for older Samba branches were published later. Note that distributions typically backport the fix without changing the version number, so a version string alone does not prove a host is vulnerable; check your vendor's advisory for the package build that contains the fix.
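As an added example (not code from the article or from the Samba project), the script below puts the two steps above into reusable shell functions: a version check against the fixed releases named above, and an idempotent edit that sets `nt pipe support = no` in the `[global]` section of a given smb.conf. The function names, the temporary-file handling, and the `systemctl restart smbd` line in the usage comment are assumptions (the Samba service name differs between distributions); the version check reflects upstream numbering only and, as noted above, does not account for vendor backports.

```shell
#!/bin/sh
# Added example, not from the article or the Samba project.
# 1) Decide from the upstream version number whether a Samba build falls in the
#    CVE-2017-7494 range (3.5.0 up to the fixed releases 4.6.4 / 4.5.10 / 4.4.14).
# 2) If upgrading is not an option, apply the documented workaround by adding
#    "nt pipe support = no" to the [global] section of smb.conf (idempotent).
# Caveat: distributions backport the fix without changing the version string, so
# a "vulnerable" verdict means "check your vendor advisory", not proof.

# version_le A B: true if dotted version A <= B (numeric comparison per field)
version_le() {
    first=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$first" = "$1" ]
}

# samba_version_from_banner "Version 4.4.9-Ubuntu" -> 4.4.9 (format printed by `smbd -V`)
samba_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^Version \([0-9][0-9.]*\).*/\1/p'
}

# installed_samba_version: version of the smbd on this host (assumes smbd is in PATH)
installed_samba_version() {
    samba_version_from_banner "$(smbd -V 2>/dev/null)"
}

# samba_vulnerable VERSION: exit 0 if VERSION is in the affected range
samba_vulnerable() {
    v=$1
    version_le "3.5.0" "$v" || return 1      # before 3.5.0: not affected
    version_le "4.6.4" "$v" && return 1      # 4.6.4 and anything newer: fixed
    case "$v" in
        4.5.*) version_le "4.5.10" "$v" && return 1 ;;
        4.4.*) version_le "4.4.14" "$v" && return 1 ;;
    esac
    # 4.3.x and older had no fixed release at the time of the advisory
    # (patches for older branches came later): treat as vulnerable.
    return 0
}

# disable_nt_pipe_support SMB_CONF: set "nt pipe support = no" in [global].
# Any existing "nt pipe support" line is replaced; nothing changes if it is already "no".
disable_nt_pipe_support() {
    conf=$1
    if grep -Eiq '^[[:space:]]*nt[[:space:]]+pipe[[:space:]]+support[[:space:]]*=[[:space:]]*no[[:space:]]*$' "$conf"; then
        return 0
    fi
    has_global=0
    grep -Eiq '^[[:space:]]*\[global\][[:space:]]*$' "$conf" && has_global=1
    tmp="$conf.tmp.$$"
    awk -v has_global="$has_global" '
        # no explicit [global] section: parameters before the first section are global
        BEGIN { if (!has_global) { print "[global]"; print "\tnt pipe support = no" } }
        tolower($0) ~ /^[ \t]*nt[ \t]+pipe[ \t]+support[ \t]*=/ { next }   # drop old setting
        { print }
        tolower($0) ~ /^[ \t]*\[global\][ \t]*$/ { print "\tnt pipe support = no" }
    ' "$conf" > "$tmp"
    mv "$tmp" "$conf"
}

# Usage (as root), e.g.:
#   v=$(installed_samba_version)
#   if samba_vulnerable "$v"; then
#       disable_nt_pipe_support /etc/samba/smb.conf
#       testparm -s >/dev/null && systemctl restart smbd   # service name varies by distro
#   fi
```

Run `testparm` before restarting so a typo in smb.conf does not take the file server down; the edit function itself never touches the original file until the rewritten copy has been written completely.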

The attack can also be blocked with SELinux policy: for example, the default RHEL configuration (SELinux in enforcing mode with the targeted policy) does not allow an attacker to exploit the vulnerability in Samba.

GuardiCore has developed a script that detects the attack; to download it you must fill out a form on their site.

In turn, the experts at Positive Technologies created a Suricata signature that detects attempts to exploit the CVE-2017-7494 vulnerability in Samba.



In addition, to reduce the risk of a successful attack, the Positive Technologies experts recommend that public shares be read-only rather than writable (see this guide for how to do that). Finding every share with write permissions can be difficult; the nmap tool helps here. You can list all shares with write access using the following command (look at the Current user access field):

 nmap --script smb-enum-shares.nse -p445 <host> 
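As an added example (not code from the article or from the nmap project), the functions below filter the output of that nmap command down to the shares that matter for this vulnerability. They skip the IPC$ share (type STYPE_IPC_*), which is the named-pipe endpoint rather than a directory an attacker can drop a file into, and report both the "Anonymous access" and "Current user access" fields, since a share writable without credentials is the worst case. The function names and the embedded sample scan are assumptions; the sample is constructed in nmap's smb-enum-shares output format, not a real scan.

```shell
#!/bin/sh
# Added example, not from the article or from nmap: filter the output of
#   nmap --script smb-enum-shares -p 445 <host>
# down to shares an attacker could write to. Shares of type STYPE_IPC* (IPC$)
# are skipped: that is the named-pipe share, not a directory you can drop a
# file into. Both "Anonymous access" and "Current user access" are reported,
# because for CVE-2017-7494 the interesting case is a share writable without
# credentials.

# writable_shares: reads nmap text output on stdin, prints one line per
# writable non-IPC share: "<share>\tanonymous=<access>\tcurrent=<access>"
writable_shares() {
    awk '
        # share header line, e.g. "|   \\192.168.1.10\public:"
        /^\|_?[ \t]+\\\\/ { share = $2; sub(/:$/, "", share); type = ""; anon = ""; next }
        /^\|_?[ \t]+Type:/                { type = $3; next }
        /^\|_?[ \t]+Anonymous access:/    { anon = $NF; next }
        /^\|_?[ \t]+Current user access:/ {
            cur = $NF
            if (share != "" && type !~ /IPC/ && (cur ~ /WRITE/ || anon ~ /WRITE/))
                printf "%s\tanonymous=%s\tcurrent=%s\n", share, anon, cur
        }
    '
}

# scan_writable_shares HOST [USER PASS]: run nmap and filter its output.
# Without credentials nmap enumerates as guest; with them, smb-enum-shares
# reports the access of that user (assumes nmap is installed).
scan_writable_shares() {
    if [ $# -ge 3 ]; then
        nmap --script smb-enum-shares -p 445 --script-args "smbusername=$2,smbpassword=$3" "$1"
    else
        nmap --script smb-enum-shares -p 445 "$1"
    fi | writable_shares
}

# sample_nmap_output: constructed text in the smb-enum-shares output format
# (a sample for offline testing, not a real scan)
sample_nmap_output() {
    cat <<'EOF'
Nmap scan report for 192.168.1.10
Host is up (0.0010s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-enum-shares:
|   account_used: guest
|   \\192.168.1.10\IPC$:
|     Type: STYPE_IPC_HIDDEN
|     Comment: IPC Service (Samba 4.4.9)
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\192.168.1.10\public:
|     Type: STYPE_DISKTREE
|     Comment: Public files
|     Path: C:\srv\public
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\192.168.1.10\backup:
|     Type: STYPE_DISKTREE
|     Comment: Backups
|     Path: C:\srv\backup
|     Anonymous access: <none>
|     Current user access: READ
|   \\192.168.1.10\scratch:
|     Type: STYPE_DISKTREE
|     Comment: Scratch space
|     Path: C:\srv\scratch
|     Anonymous access: <none>
|_    Current user access: WRITE
EOF
}

# Try it offline:  sample_nmap_output | writable_shares
# Against a live host:  scan_writable_shares 192.168.1.10 [user pass]
```

On the sample, only `public` (writable anonymously) and `scratch` (writable by the scanning user) are listed; `backup` is read-only and IPC$ is ignored. Running the scan with credentials is worth doing separately, because a share that is read-only for guests may still be writable for any authenticated account.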

It is also recommended to review the access rights on network shares, leaving read and write access only to specific trusted users, following established checklists.

Source: https://habr.com/ru/post/329558/

