Remember that Wannacry ransomware in Windows these past 3 months or so, which has paralyzed a number of major systems, most notably the UK Healthcare system?
Although the vulnerability is different, the exploits which are already in the wild are the same… ransomware encrypting your shared files through a SAMBA vulnerability. Anyone running any modern version of SAMBA (3.5 and later) is affected.
At the moment, as this is being posted, there are only a few infections, but if you can’t wait for the bugfix, be sure to implement the patch in the RHEL bulletin. Since this is now hitting the general public news outlets, there may be more exploits written.
And, this means that everyone should be on the watch for the expected System Update which will include this patch… Don’t delay your next system update (maybe execute daily for now).
They are both now available in the Update repository.
That being said, this vulnerability requires guest account write permissions to a public share or a user with said permissions and isn’t quite as automated as the Windows version which required no access to shares.
Server only, client unaffected.
Server SAMBA shares are writable (any level of authentication).
Is incredibly easy to exploit.
Only possible slight complication is that the attacker generally needs to know the system path to the Share, which might be based on a fixed or variable PATH configuration.
I’ve reviewed a simple test generating output using a standard metasploit framework tool and another that doesn’t just output text but deploys a root console (executable on the Server).
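A defender-side check for the precondition the posts above describe (writable shares, worst when also guest-accessible). This is an added example, not code from the thread or from the Samba project; the smb.conf text it parses is constructed, and it resolves Samba's "read only"/"writable" and "guest ok"/"public" synonyms the way the server does.

```python
import configparser
import sys

# Constructed sample smb.conf (not from the original thread): one read-only
# share, one guest-writable share, one authenticated-writable share.
SAMPLE_SMB_CONF = """
[global]
workgroup = WORKGROUP
map to guest = Bad User

[docs]
path = /srv/samba/docs
read only = yes
guest ok = yes

[public]
path = /srv/samba/public
writable = yes
public = yes

[staff]
path = /srv/samba/staff
read only = no
valid users = @staff
"""

YES = {"yes", "true", "1"}

def _flag(section, names, default):
    """Resolve the first present key among smb.conf synonyms to a bool."""
    for name in names:
        if name in section:
            return section[name].strip().lower() in YES
    return default

def find_risky_shares(conf_text):
    """Return (guest_writable, authenticated_writable) share name lists."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(conf_text)
    guest, authed = [], []
    for name in cp.sections():
        if name == "global":
            continue
        sec = cp[name]
        # Samba shares default to read only; 'writable' is the inverse key.
        if "read only" in sec:
            writable = not _flag(sec, ["read only"], True)
        else:
            writable = _flag(sec, ["writable", "writeable", "write ok"], False)
        writable = writable or bool(sec.get("write list", "").strip())
        if writable:
            (guest if _flag(sec, ["guest ok", "public"], False) else authed).append(name)
    return guest, authed

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SMB_CONF
    g, a = find_risky_shares(text)
    print("guest-writable shares:", g)          # prints ['public'] for the sample
    print("authenticated-writable shares:", a)  # prints ['staff'] for the sample
```

Run it against your own /etc/samba/smb.conf as the first argument; any share in the guest-writable list matches the worst case described above and deserves the update first.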
I think that I first saw the update on Tuesday. I applied it to my laptop. But I did not apply to my desktop until this morning. (The desktop is a samba server). It did not seem urgent enough, so I waited until my scheduled update period.
One reason that I wasn’t seriously concerned is that I do routinely back up the samba shares (“rsync” backup to another box).
I would say that at this time, the chance of being exploited is extremely low.
The consequences can be catastrophic, even possibly putting you out of business overnight, or facing losing your prized archive of family and/or financial files forever (you never know if even paying the ransom and applying the key will work).
Even restoring from backup of course means losing file changes since that backup.
The point is, if the patch is available and easy to apply, your worst nightmares can be avoided painlessly.