“WannaCry” on Linux systems: How do you protect yourself?

Solutions:


This new Samba vulnerability is already being called “SambaCry”, while the exploit itself mentions “Eternal Red Samba”, announced on Twitter (sensationally) as:

Samba bug, the metasploit one-liner to trigger is just:
simple.create_pipe("/path/to/target.so")

Potentially affected Samba versions are from Samba 3.5.0 to 4.5.4/4.5.10/4.4.14.

If your Samba installation matches the configurations described below, the fix/upgrade should be done ASAP, as there are already exploits out there, including one in Python and Metasploit modules.

More interestingly, there are already add-ons for a well-known honeypot from the Honeynet Project, dionaea: both WannaCry and SambaCry plug-ins.

SambaCry already seems to be (ab)used to install crypto-miners (“EternalMiner”), and may double as a malware dropper in the future.

Honeypots set up by the team of researchers from Kaspersky Lab have captured a malware campaign that is exploiting the SambaCry vulnerability to infect Linux computers with cryptocurrency mining software. Another security researcher, Omri Ben Bassat‏, independently discovered the same campaign and named it “EternalMiner.”

The advised workaround for systems with Samba installed (which is also present in the CVE notice), before updating it, is to add to smb.conf:

nt pipe support = no

(and restarting the Samba service)

This is supposed to disable a setting that turns on/off the ability to make anonymous connections to the Windows IPC named pipes service. From man samba:

This global option is used by developers to allow or disallow Windows NT/2000/XP clients the ability to make connections to NT-specific SMB IPC$ pipes. As a user, you should never need to override the default.

However, from our internal experience, it seems the fix is not compatible with older(?) Windows versions (at least some(?) Windows 7 clients seem not to work with nt pipe support = no), and as such the remediation route can, in extreme cases, go as far as installing or even compiling Samba.

More specifically, this fix disables share listing from Windows clients, and if it is applied they have to manually specify the full path of the share to be able to use it.

Another known workaround is to make sure Samba shares are mounted with the noexec option. This will prevent the execution of binaries residing on the mounted filesystem.

The official security source code patch is here from the samba.org security page.

Debian already pushed an update out the door yesterday (24/5), with the corresponding security notice DSA-3860-1 samba.

To verify whether the vulnerability is corrected in CentOS/RHEL/Fedora and derivatives, do:

# rpm -q --changelog samba | grep -i CVE
- resolves: #1450782 - Fix CVE-2017-7494
- resolves: #1405356 - CVE-2016-2125 CVE-2016-2126
- related: #1322687 - Update CVE patchset

There is now an nmap detection script, samba-vuln-cve-2017-7494.nse, for detecting Samba versions, or a much better nmap script that checks whether the service is vulnerable, at http://seclists.org/nmap-dev/2017/q2/att-110/samba-vuln-cve-2017-7494.nse. Copy it to /usr/share/nmap/scripts and then update the nmap script database, or run it as follows:

nmap --script /path/to/samba-vuln-cve-2017-7494.nse -p 445 <target>

As for long-term measures to protect the Samba service: the SMB protocol should never be offered directly to the Internet at large.

It also goes without saying that SMB has always been a convoluted protocol, and that these kinds of services ought to be firewalled and restricted to the internal networks [to which they are being served].

When remote access is needed, either to home or especially to corporate networks, that access is better done using VPN technology.

As usual, in these situations the Unix principle of installing and activating only the minimum services required does pay off.

Taken from the exploit itself:

Eternal Red Samba Exploit — CVE-2017-7494.
Causes vulnerable Samba server to load a shared library in root context.
Credentials are not required if the server has a guest account.
For remote exploit you must have write permissions to at least one share.
Eternal Red will scan the Samba server for shares it can write to.
It will also determine the full path of the remote share.

    For local exploit provide the full path to your shared library to load.

    Your shared library should look something like this

    #include <stdbool.h>

    extern bool change_to_root_user(void);
    int samba_init_module(void)
    {
        change_to_root_user();   /* smbd helper: switch the worker back to uid 0 */
        /* Do what thou wilt */
        return 0;
    }

It is also known that systems with SELinux enabled are not vulnerable to the exploit.

See 7-Year-Old Samba Flaw Lets Hackers Access Thousands of Linux PCs Remotely

According to the Shodan computer search engine, more than 485,000 Samba-enabled computers exposed port 445 on the Internet, and according to researchers at Rapid7, more than 104,000 internet-exposed endpoints appeared to be running vulnerable versions of Samba, out of which 92,000 are running unsupported versions of Samba.

Since Samba is the SMB protocol implemented on Linux and UNIX systems, some experts are saying it is the “Linux version of EternalBlue,” used by the WannaCry ransomware.

…or should I say SambaCry?

Keeping in mind the number of vulnerable systems and the ease of exploiting this vulnerability, the Samba flaw could be exploited at large scale with wormable capabilities.

Home networks with network-attached storage (NAS) devices [that also run Linux] could also be vulnerable to this flaw.

See also A wormable code-execution bug has lurked in Samba for 7 years. Patch now!

The seven-year-old flaw, indexed as CVE-2017-7494, can be reliably exploited with just one line of code to execute malicious code, as long as a few conditions are met. Those requirements include vulnerable computers that:

(a) make file- and printer-sharing port 445 reachable on the Internet,
(b) configure shared files to have write privileges, and
(c) use known or guessable server paths for those files.

When those conditions are satisfied, remote attackers can upload any code of their choosing and cause the server to execute it, possibly with unfettered root privileges, depending on the vulnerable platform.

Given the ease and reliability of exploits, this hole is worth plugging as soon as possible. It’s likely only a matter of time until attackers begin actively targeting it.

Also Rapid 7 – Patching CVE-2017-7494 in Samba: It’s the Circle of Life

And more SambaCry: The Linux Sequel to WannaCry.

Need-to-Know Facts

CVE-2017-7494 has a CVSS Score of 7.5 (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H).

Threat Scope

A shodan.io query of “port:445 !os:windows” shows approximately one million non-Windows hosts that have tcp/445 open to the Internet, more than half of which exist in the United Arab Emirates (36%) and the U.S. (16%). While many of these may be running patched versions, have SELinux protections, or otherwise don’t match the necessary criteria for running the exploit, the possible attack surface for this vulnerability is large.

P.S. The fixing commit in the Samba GitHub project appears to be 02a76d86db0cbe79fcaf1a500630e24d961fa149
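As an added example (this is not code from the answer above, nor from the Samba project), the following POSIX shell script checks, offline, the three preconditions the answer keeps returning to: an affected upstream Samba version, whether the "nt pipe support = no" workaround is actually set in [global], and which shares are writable by an unauthenticated (guest) client. It assumes upstream version numbers, with the fixed releases being 4.4.14, 4.5.10 and 4.6.4 as published in the Samba advisory; distribution packages backport the fix without changing the version string, so on RHEL/Debian the package changelog (the rpm -q --changelog check above) is authoritative, not the version test. The two smb.conf files it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original answer. Offline checks for the
# CVE-2017-7494 preconditions: affected upstream version, "nt pipe support = no"
# workaround, and shares a guest client can write to. Upstream fixed releases
# are 4.4.14, 4.5.10 and 4.6.4; distro packages backport the fix without a
# version bump, so prefer the package changelog on RHEL/Debian.

# Exit 0 when an upstream Samba version string is in the affected range.
samba_version_vulnerable() {
    v=${1%%[!0-9.]*}                  # "4.4.13-Debian" -> "4.4.13"
    maj=${v%%.*}; rest=${v#*.}
    [ "$rest" = "$v" ] && rest=0      # no minor component given
    min=${rest%%.*}; pat=${rest#*.}
    [ "$pat" = "$rest" ] && pat=0     # no patch component given
    case "$maj" in
        3) [ "$min" -ge 5 ] ;;        # 3.5.0 onwards; no 3.x release was fixed
        4) case "$min" in
               0|1|2|3) return 0 ;;   # end-of-life 4.x branches, never fixed
               4) [ "$pat" -lt 14 ] ;;
               5) [ "$pat" -lt 10 ] ;;
               6) [ "$pat" -lt 4 ] ;;
               *) return 1 ;;
           esac ;;
        *) return 1 ;;
    esac
}

# Exit 0 when [global] in the given smb.conf sets "nt pipe support = no".
# smb.conf keys are case-insensitive and ignore embedded whitespace.
smbconf_nt_pipe_disabled() {
    awk '
        /^[[:space:]]*[#;]/ { next }
        /^[[:space:]]*[[]/  { sec = tolower($0); sub(/^[[:space:]]*[[]/, "", sec); sub(/[]].*$/, "", sec); next }
        sec == "global" && /[=]/ {
            k = $0; sub(/[=].*/, "", k); k = tolower(k); gsub(/[[:space:]]/, "", k)
            v = $0; sub(/^[^=]*=/, "", v); v = tolower(v); gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (k == "ntpipesupport") off = (v == "no" || v == "false" || v == "0")
        }
        END { if (off) exit 0; exit 1 }
    ' "$1"
}

# Print the shares that are both writable and guest-accessible, i.e. where the
# exploit can drop a .so without credentials. Samba defaults: "read only = yes",
# "guest ok = no"; writable/writeable/"write ok" invert "read only", the last
# setting wins, and values set in [global] are inherited by later shares.
smbconf_guest_writable_shares() {
    awk '
        function flush() { if (sec != "" && sec != "global" && wr && guest) print sec }
        /^[[:space:]]*[#;]/ { next }
        /^[[:space:]]*[[]/ {
            flush()
            sec = tolower($0); sub(/^[[:space:]]*[[]/, "", sec); sub(/[]].*$/, "", sec)
            wr = gwr; guest = gguest; next
        }
        /[=]/ {
            k = $0; sub(/[=].*/, "", k); k = tolower(k); gsub(/[[:space:]]/, "", k)
            v = $0; sub(/^[^=]*=/, "", v); v = tolower(v); gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            yes = (v == "yes" || v == "true" || v == "1")
            if (k == "writable" || k == "writeable" || k == "writeok") wr = yes
            else if (k == "readonly") wr = !yes
            else if (k == "guestok" || k == "public") guest = yes
            else next
            if (sec == "global") { gwr = wr; gguest = guest }
        }
        END { flush() }
    ' "$1"
}

# Constructed sample configurations (placeholders, not real deployments).
WEAK_CONF=$(mktemp); HARDENED_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$HARDENED_CONF"' EXIT
cat >"$WEAK_CONF" <<'EOF'
[global]
   workgroup = WORKGROUP
   map to guest = Bad User
[public]
   path = /srv/samba/public
   guest ok = yes
   read only = no
[homes]
   browseable = no
   writable = yes
EOF
cat >"$HARDENED_CONF" <<'EOF'
[global]
   workgroup = WORKGROUP
   nt pipe support = no
[public]
   path = /srv/samba/public
   guest ok = yes
   read only = yes
EOF

for ver in 4.4.13-Debian 4.5.10; do
    samba_version_vulnerable "$ver" && echo "$ver: affected" || echo "$ver: fixed"
done
for conf in "$WEAK_CONF" "$HARDENED_CONF"; do
    smbconf_nt_pipe_disabled "$conf" && echo "$conf: nt pipe support = no" || echo "$conf: nt pipe support still enabled"
    echo "$conf: guest-writable shares: $(smbconf_guest_writable_shares "$conf" | tr '\n' ' ')"
done
```

Point the two smbconf functions at the real /etc/samba/smb.conf (or the output of testparm -s, which expands includes) to audit a live server; a share that is listed by smbconf_guest_writable_shares on a server whose version test or changelog says "affected" is exactly the exposure the exploit text below describes.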

Most of us running Samba servers out there are probably running it inside LANs, behind firewalls and don’t expose its ports directly to the outside world.

It would be an awful practice if you did so, and an inexcusable one when there are simple, effective and free (as in beer and as in speech) VPN solutions like OpenVPN around. SMB was not designed with the open Internet in mind (heck, TCP/IP even came as an afterthought in that protocol) and should be treated as such. An additional suggestion is running firewall rules on the actual file-sharing host that whitelist only local (and possibly VPN) network addresses on all SMB ports (139/TCP, 445/TCP, 137/UDP and 138/UDP).

Also, if your use case allows, you should consider running Samba unprivileged (as, say, a samba user that is not an alias of root). I understand that it’s not that easy to marry the limitations of NT ACLs with POSIX ACLs in this setup, but if it’s possible to do so in your particular setup, it’s the way to go.

Finally, even with such a “lockdown” it’s still advisable to apply a patch if you can (because there are NAS boxes out there where that might not be doable), and to test whether your particular use case works with nt pipe support set to no.
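As an added example, not from the post above, here is a shell function that emits an nftables ruleset implementing the host-firewall suggestion: SMB and NetBIOS ports (139/TCP, 445/TCP, 137/UDP, 138/UDP) are accepted only from the address ranges passed as arguments and dropped from everywhere else, while all other traffic is left to the rest of the firewall. The table name smb_guard and the ranges 192.168.1.0/24 (LAN) and 10.8.0.0/24 (an OpenVPN subnet) are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Emits an nftables ruleset that
# allows SMB/NetBIOS only from the given LAN/VPN ranges and drops it otherwise.
# Table name and example ranges are placeholders.
# Apply with:   smb_nft_ruleset 192.168.1.0/24 10.8.0.0/24 | nft -f -
# Inspect with: nft list table inet smb_guard
smb_nft_ruleset() {
    [ $# -gt 0 ] || { echo "usage: smb_nft_ruleset CIDR [CIDR...]" >&2; return 2; }
    allowed=$(printf '%s, ' "$@"); allowed=${allowed%, }   # "a, b, c"
    cat <<EOF
table inet smb_guard {
    set smb_clients {
        type ipv4_addr
        flags interval
        elements = { $allowed }
    }
    chain input {
        # priority -10: evaluated before the distribution's default filter chain
        type filter hook input priority -10; policy accept;
        ip saddr @smb_clients tcp dport { 139, 445 } accept
        ip saddr @smb_clients udp dport { 137, 138 } accept
        # everything else on the SMB ports, IPv6 included, is dropped and counted
        tcp dport { 139, 445 } counter drop
        udp dport { 137, 138 } counter drop
    }
}
EOF
}

smb_nft_ruleset 192.168.1.0/24 10.8.0.0/24
```

The drop rules come last so that any IPv6 SMB traffic (which "ip saddr" never matches) is also blocked; if you serve IPv6 clients, add an ipv6_addr set with matching "ip6 saddr" accept rules before the drops. The counters on the drop rules make "nft list table inet smb_guard" a cheap way to see whether anything outside the whitelist is still knocking on port 445.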


