meisteroreo.blogg.se

The circle 2017

PRODUCT UPDATE – 5/25/17 – We have authenticated checks available for Samba CVE-2017-7494 in Rapid7 InsightVM and Rapid7 Nexpose. We will notify users of the availability of these solutions as soon as they are available. We also expect a module in the Metasploit Framework very soon, enabling security professionals to test the effectiveness of their mitigations, and understand the potential impact of exploitation. We are working on checks for Rapid7 InsightVM and Rapid7 Nexpose so customers can scan their environments for vulnerable endpoints and take mitigating action as quickly as possible. In addition, organizations should be monitoring all internal and external network traffic for increases in connections or connection attempts to Windows file sharing protocols. A direct attack or worm would render those backups almost useless, so if patching cannot be done immediately, we recommend creating an offline copy of critical data as soon as possible. Many network-attached storage (NAS) environments are used as network backup systems. Additionally, organizations should review their firewall rules to ensure that SMB/Samba network traffic is not allowed directly from the internet to their assets.

Organizations should be reviewing their official asset and configuration management systems to immediately identify vulnerable systems and then perform comprehensive and regular full network vulnerability scans to identify misconfigured or rogue systems.

We also recommend that users of older, affected versions upgrade to a more recent, supported version of Samba (4.4 or later) and then apply the available patch. A workaround for unsupported and vulnerable older versions (3.5.x to 4.4.x) is available, and that same workaround can also be used for supported versions that cannot upgrade.

The makers of Samba have provided a patch for versions 4.4 onwards. Of these, about 91% (99,645) are running older, unsupported versions of Samba (pre-4.4). On port 139, we found approximately 110,000 internet-exposed endpoints running vulnerable versions of Samba. We found very similar numbers to those for the scan of port 445.

RESEARCH UPDATE – 5/25/17 – We have now run a scan on port 139, which also exposes Samba endpoints. We will continue to scan for potentially vulnerable endpoints and will provide an update on numbers in the next few days.

It should be noted that proof-of-concept exploit code has already appeared on Twitter, and we are seeing Metasploit modules making their way into the community. We've been seeing a significant increase in malicious traffic to port 445 since May 19th; however, the recency of the WannaCry vulnerability makes it difficult for us to attribute this directly to the Samba vulnerability. In other words, “We're way beyond the boundary of the Pride Lands.” (Sorry - we promise that's the last Lion King reference.) Of those, almost 90% (92,570) are running versions for which there is currently no direct patch available.

In a Project Sonar scan run today, Rapid7 Labs discovered more than 104,000 internet-exposed endpoints that appear to be running vulnerable versions of Samba on port 445. If there is a vulnerable version of Samba running on a device, and a malicious actor has access to upload files to that machine, exploitation is trivial. The internet is not on fire yet, but there's a lot of potential for it to get pretty nasty. As a result, we believe those systems may be likely conduits into business networks. These obstacles will most likely present themselves in situations where devices are unmanaged by typical patch deployment solutions or don't allow OS-level patching by the user. While the WannaCry ransomworm impacted Windows systems and was easily identifiable, with clear remediation steps, the Samba vulnerability will impact Linux and Unix systems and could present significant technical obstacles to obtaining or deploying appropriate remediations. Samba makes it possible for Unix and Linux systems to share files the same way Windows does. Given how easy it is to enable Samba on Linux endpoints, even devices requiring it to be manually enabled will not necessarily be in the clear. Many home and corporate network storage systems run Samba and it is frequently installed by default on many Linux systems, making it possible that some users are running Samba without realizing it. We strongly recommend that security and IT teams take immediate action to protect themselves. Check out Samba's advisory for more details. The vulnerability - CVE-2017-7494 - affects versions 3.5 (released March 1, 2010) and onwards of Samba, the de facto standard for providing Windows-based file and print services on Unix and Linux systems. With the scent of scorched internet still lingering in the air from the WannaCry Ransomworm, today we see a new scary-and-potentially-incendiary bug hitting the Twitter news.










