Koozali.org: home of the SME Server

Wannacry/Wannacrypt SMB flaw - checking SME 9.x not vulnerable, please confirm

Offline stabilys

Resume: there's a nasty new ransomware variant spreading via an SMB worm (I'm sure that everyone knows this now!)

Windows 10 and Linux/Mac workstations immune to the SMB exploit

Windows < 10 vulnerable and need March '17 patch in MS March updates:


https://technet.microsoft.com/library/security/MS17-010

MS have released a patch for this even for Windows XP, here (inter alia) if anyone needs it:

http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598

As per the subject: we've had a busy weekend so far checking that Win 7 and 8 (very few of these) workstations @ clients have the appropriate patch (they *should* have, but we are checking also AV/AMWare up to date, there's a new Wannacry variant out that is worse than the Friday one)

I had a look at this: https://access.redhat.com/solutions/3031551

which states not vulnerable to the SMB exploit as I would expect. I trust that this applies to the 9.x codebase?

Can any developer confirm please?

I would emphasise that not having this vulnerability ONLY means that the ransomware cannot spread by the SMB MACHINE-TO-MACHINE vector; all other avenues are open. Ensure you have updated protection on Windows and secure backups, as any SMB workstation can encrypt the data on the server!

There's also a rule to block the SMB exploit for those using Emerging Threats rulesets on firewalls, qv.


MeJ


This, too, will pass ;)

Offline DanB35

I trust that this applies to the 9.x codebase?
I'm not a developer, but SME 9.x is built on the RHEL 6.x codebase, which is a currently-supported version of RHEL. If it's correct that "Red Hat products are not vulnerable to the flaw", the SME is similarly not vulnerable.

Offline stabilys

That's my working assumption too, just double-checking...

MeJ
This, too, will pass ;)

guest22

E-mail attachments that are opened by users are their own responsibility. The specific ransomware hopes that Windows users will do so, for it uses a known exploit.

As usual, e-mail users are deceived and 'think' that e-mail is a given fact and safe to use. It is not. It's not a cyber attack, it is using the users that 'think' email is a thing that simply works, just like the telephone. Again it is not.

So yes, email servers will deliver infected emails to end users (so this coming Monday many people will start Outlook and will click the attachment, but the harm was already done last Friday). Any company with common sense would have cleared their email queue if they use Windows PCs for their users. It is a Windows problem. For more info, please call the NSA https://www.nsa.gov/ or Microsoft https://microsoft.com

Offline Stefano

This is not a M$ issue but a human one.. Patches for this vulnerability have been available since March 17th.
The real issue is that IT security (and client management) is still considered a useless expense in many places.

guest22

One first needs to fully understand what email actually is. Don't forget, most users were born when email was simply there. Nobody explained anything about it.

Offline Stefano

This is true too, indeed

Offline stabilys

E-mail attachments that are opened by users are their own responsibility. The specific ransomware hopes that Windows users will do so, for it uses a known exploit.

Actually no email is involved. It's a direct SMB exploit that spreads machine to machine. Yes, apparently developed by the NSA. That's above my pay grade to challenge, sorry :)
This, too, will pass ;)

Offline stabilys

This is true too, indeed

It certainly is. Many users fail entirely to understand how any of it works. It's not my job to train them, though we encourage client companies to do so... many don't.
This, too, will pass ;)

Offline SchulzStefan

I'm not a developer, but SME 9.x is built on the RHEL 6.x codebase, which is a currently-supported version of RHEL. If it's correct that "Red Hat products are not vulnerable to the flaw", the SME is similarly not vulnerable.

No, I don't think so. At least not for the ibays.

One of my users opened a few weeks ago an attachment (ransomware Wanna Cry) on a win7 ws. It took less than 1 minute and all shares (ibays) on the SME box have been decrypted. This happened early in the morning. As we are doing twice a day a backup it was not a big deal to restore the data...

The only advice I can give is backup, backup, backup...

regards,
stefan
And then one day you find ten years have got behind you.

Time, 1973
(Mason, Waters, Wright, Gilmour)

guest22

2 things in play here:

1. A user opens an attachment
2. The attachment contains malicious code that abuses Windows flaws and protocol flaws (in this case Samba)

It all starts with #1 and end user skills/non-skills. Email servers simply deliver, and MTAs simply open by the user's choice.

guest22

Sorry I have to revise that.

5 things in play:

1. The receiving email server is not very well aware of email threats, viruses, spam, blacklists etc etc
2. The malicious email/attachment STILL gets delivered to the end user (read delivery queue, all email servers security checked)
3. The end user opens the email attachment
4. The activated malicious code does its thing and can reach the local network, for it was activated by a trusted user on the local network and will have the same access levels.
5. The malicious code is aware it has local network access and can do its thing by itself, and no longer needs a carrying agent such as email and an unaware user to open an attachment

Offline DanB35

One of my users opened a few weeks ago an attachment (ransomware Wanna Cry) on a win7 ws. It took less than 1 minute and all shares (ibays) on the SME box have been decrypted. This happened early in the morning. As we are doing twice a day a backup it was not a big deal to restore the data...
Your user was an idiot, but that doesn't mean there was an SME vulnerability. A file server is going to do whatever the connected client tells it to, within that client's permissions. That's not a bug or a vulnerability on the part of the server. But if the malware spreads server-to-server, that's a vulnerability in the server. RH is saying there's no vulnerability with RHEL (which would mean no vulnerability in CentOS either), but that doesn't mean the server won't do exactly what the user tells it to do.

Offline Stefano

Standing ovation for Dan :-D

Offline SchulzStefan

But if the malware spreads server-to-server, that's a vulnerability in the server.

I didn't see that. Only from WS to server.

regards,
stefan
And then one day you find ten years have got behind you.

Time, 1973
(Mason, Waters, Wright, Gilmour)

Offline stabilys

Your user was an idiot, but that doesn't mean there was an SME vulnerability.  A file server is going to do whatever the connected client tells it to...

It's safer to assume ALL users are idiots, including oneself, because it is at some time true. I've seen brilliant people - in their area - commit barbarities in mine. And I've done them too!

So we put in place what protections we can and a way of backing out of disaster if feasible.

And as far as the WannaCry/SMB vulnerability is concerned, assuming the SME is NOT vulnerable to the SMB attack, that in NO WAY protects against an encryptor being run by any user. Thinking it does is a confusion of themes. For example:

Usual scenario:

- company gets 200 bona-fide UPS messages a day
- new UPS message comes in, user opens it
- nothing happens, user shrugs and moves to next message
- fileserver encrypted 30 min later

I've had to deal with this in the past. The only solution was for them to pay the ransom as their backup was not up to date and it would have taken days + $$$$ lost business to restore. Not nice.

And was the user really an idiot? Would I have opened that email? Probably. I might have been more suspicious about the result...
This, too, will pass ;)

guest22

Don't forget, the Wannacry is just the key to open the door, which is Windows flaws. An end user may expect he is provided with safe company assets and systems. So that brings us to the IT department.... The IT department has the 'difficult task' to ask for budget and explain why security on email is required.... and training.....

guest22

At the end, very few understand what email actually is and what it was designed for... So now that some get bitten in the behind, they start blaming everybody except themselves... So the general public got 'educated' by fancy MTAs like Outlook, and added 'functionality' was added, but nobody questioned the security aspects except for spam and viruses. There is a lot more to it.

Offline stabilys

...
3. The end user opens the email attachment
...
5. The malicious code is aware it has local network access and can do its thing by itself, and no longer needs a carrying agent such as email and a unaware user to open an attachment
...

RequestedDeletion, slight misapprehension here: there's some evidence the infection was spreading directly from network to network using SMB and ports that were open on firewalls (i.e. 445). This is not definitive. It no doubt spreads by email too.

Readers might like to check this analysis and consider their ports:

https://blog.malwarebytes.com/threat-analysis/2017/05/the-worm-that-spreads-wanacrypt0r/

MeJ
This, too, will pass ;)

guest22

Good that we are all interested in this issue.

I've read the article, but see no way the virus can get to a network without a user opening malicious attachments. So to me it seems my 1 through 5 still stands, where maybe 5 is more sophisticated.

Offline Stefano

I found an article that explains a (quite) simple workaround

https://www.ossramblings.com/Detecting-And-Stopping-Cryptolocker-Type-Viruses

it is not perfect, but may help
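One way to build server-side detection of this kind, as an added example (not the linked article's script and not SME's own code): plant a canary file in each share, verify it from cron, and flag a burst of recently modified high-entropy files. The canary name, thresholds and the demo share are constructed assumptions.

```python
"""Canary-file and entropy check for a Samba share (ibay).
Added example, not code from the thread, the linked article or the SME
project.  Plant a canary in each share, verify it from cron, and flag a
burst of recently modified high-entropy files.  Paths are constructed."""
import math
import os
import tempfile
import time

CANARY_NAME = "_00_canary_do_not_touch.docx"  # hypothetical; sorts first
CANARY_BODY = b"Canary file: do not edit, rename or delete.\n" * 50

def entropy(data):
    """Shannon entropy in bits per byte (max 8.0); ciphertext sits near 8."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def plant_canary(share_root):
    """Drop the canary into a share; an encryptor will rewrite or rename it."""
    with open(os.path.join(share_root, CANARY_NAME), "wb") as f:
        f.write(CANARY_BODY)

def check_share(share_root, window_s=3600, min_recent=10,
                high_ratio=0.8, max_entropy=7.5):
    """Return a list of (problem, detail) tuples; an empty list means clean."""
    problems = []
    canary = os.path.join(share_root, CANARY_NAME)
    if not os.path.exists(canary):
        problems.append(("canary-missing", canary))
    else:
        with open(canary, "rb") as f:
            if f.read() != CANARY_BODY:
                problems.append(("canary-modified", canary))
    recent = high = 0
    now = time.time()
    for dirpath, _, files in os.walk(share_root):
        for name in files:
            path = os.path.join(dirpath, name)
            if now - os.path.getmtime(path) > window_s:
                continue  # only the recent burst matters
            recent += 1
            with open(path, "rb") as f:
                head = f.read(4096)
            if entropy(head) > max_entropy:  # zips/jpegs also score high,
                high += 1                    # hence the ratio threshold
    if recent >= min_recent and high / recent > high_ratio:
        problems.append(("mass-high-entropy", f"{high}/{recent} recent files"))
    return problems

def demo():
    """Constructed scenario: a clean share, then one hit by an encryptor."""
    share = tempfile.mkdtemp(prefix="ibay_")
    plant_canary(share)
    for i in range(12):
        with open(os.path.join(share, f"report{i}.txt"), "w") as f:
            f.write("Quarterly figures, plain text.\n" * 20)
    clean = check_share(share)
    for name in os.listdir(share):  # overwrite everything with random bytes
        with open(os.path.join(share, name), "wb") as f:
            f.write(os.urandom(4096))
    hit = check_share(share)
    return clean, sorted(p for p, _ in hit)

if __name__ == "__main__":
    print(demo())
```

On a hit the cron job should alert and suspend the share (or the offending client's session) rather than just log, since the damage is done within minutes.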

guest22

Another way is to simply shut down samba and use webdav instead for sharing files. Don't forget, samba is a proprietary protocol, webdav is not. Hence the popularity of systems like Nextcloud.

Offline Stefano

true but unworkable in 99% of offices

it's like "simply don't use windows" (I don't use it).. it would solve many problems, but will arise many others..
so we must face windows and try to make it work in the safer environment we can

Offline stabilys

Another way is to simply shut down samba and use webdav instead for sharing files. Don't forget, samba is a proprietary protocol, webdav is not. Hence the popularity of systems like Nextcloud.

I too am not in any way fond of Microsoft. I started out on the IBM 360 system at CDC as a programmer/system analyst, and moved to Novell in micro systems later. I moved all our clients from Novell 4 when WfW 3.11 was released, and it beat Novell in every way for our clients' needs.

I stopped using Microsoft on MY desktop in '99 after:

1. MS Word ate my thesis the day before I had to present it (23 hours of rewriting and reassembly from backups) and
2. MS Windows got a virus. I had all protections running, am extremely careful (I've had an internet email account since 1988) and it did not matter - the virus exploited a coding flaw and infected my system.

I still use it for my music workstations and playing games, but that's all.

UNIX-style OS's have won everywhere except the desktop. It's worth remembering that UNIX-style systems have never been particularly secure and were originally and briefly single user (that's the Un in Unix!) - the very first internet worm, the Morris worm, exploited flaws in UNIX networking code.

But Windows still rules the desktop in business and government and always will.

My colleagues have convinced me that with this I have up to put.

So, while I agree with your proposals in principle, it ain't going to happen. We have to protect the infrastructure that is there. There is no way that users who barely can scratch their IT arses will ever learn to use anything other than drive letters.

MeJ
This, too, will pass ;)

guest22

true but unworkable in 99% of offices
Maybe that is because 99% of the offices do not think. Sharing files is one of the oldest IT mechanisms, just like e-mail. Nothing to do with Microsoft or the PC OS used. Maybe we should build an option into SME Server for people to choose a technology and protocol.

Offline stabilys

I found an article that explains a (quite) simple workaround

https://www.ossramblings.com/Detecting-And-Stopping-Cryptolocker-Type-Viruses

it is not perfect, but may help

Interesting, thanks...
This, too, will pass ;)

Offline Stefano

Maybe that is because 99% of the offices do not think. Sharing files is one of the oldest IT mechanisms, just like e-mail. Nothing to do with Microsoft or the PC OS used. Maybe we should build an option into SME Server for people to choose a technology and protocol.

I would like to offer something different but:
- how many users out there will use it? I mean: almost nobody will be interested in something that needs some tricks to work on their workstations.. samba is there, it works.. even if not safe, it will always be the preferred tool
- how much work does it need? have you got any idea about a (workable and sustainable) solution?

Offline brianr

I would like to offer something different but:
- how many users out there will use it? I mean: almost nobody will be interested in something that needs some tricks to work on their workstations.. samba is there, it works.. even if not safe, it will always be the preferred tool
- how much work does it need? have you got any idea about a (workable and sustainable) solution?

This would have to work WS to WS (Windows, Apple and Linux) as well as WS to Server, and allow printers to be shared...
Brian j Read
(retired, for a second time, still got 2 installations though)
The instrument I am playing is my favourite Melodeon.

Offline stabilys

Just to finish off this thread and in reference to the opening question, Charlie Brady kindly pointed me to this:

https://access.redhat.com/articles/2243351

and pointed out that SME-server systems updated post March 2016 will have the fixes.

MeJ
This, too, will pass ;)

Offline brianr

From here:

https://nakedsecurity.sophos.com/2017/05/17/wannacry-the-ransomware-worm-that-didnt-arrive-on-a-phishing-hook/

It would appear that this did not start with an unfortunate clicking on a link or executing an attachment in a phishing email, but directly through an open SMB port.

<smug mode on> So, those of us with networks of workstations protected by an SMEServer in server-gateway mode would be completely protected <smug mode off>

Actually, even if we did have SMB ports open, they would normally only terminate on the SMEServer, and still be safe!

Brian j Read
(retired, for a second time, still got 2 installations though)
The instrument I am playing is my favourite Melodeon.

Offline Daniel B.

The SMB exploit is just one way to propagate the ransomware. A malicious email is another possible one. And if a workstation behind SME is infected, it can then infect the other workstations through the SMB exploit, without SME being able to do anything. So no, SME itself is not vulnerable, but it doesn't protect you 100% (because 100% protection is not possible)
It's the end of the world!!! :lol:

Offline brianr

The SMB exploit is just one way to propagate the ransomware. A malicious email is another possible one. And if a workstation behind SME is infected, it can then infect the other workstations through the SMB exploit, without SME being able to do anything. So no, SME itself is not vulnerable, but it doesn't protect you 100% (because 100% protection is not possible)

That is true in general for ransomware and other assorted nasties, but from what that article indicated, this one only used the SMB exploit.
Brian j Read
(retired, for a second time, still got 2 installations though)
The instrument I am playing is my favourite Melodeon.

Offline p-jones

Quote
SME itself is not vulnerable, but it doesn't protect you 100% (because 100% protection is not possible)

I can vouch that it is NOT 100% protected.

I have just done a big cleanup/recovery from an attack. Whilst the integrity of the core SME 9.2 remained intact, several ibays were totally trashed to the point of being 100% unusable and unrecoverable.
(And for good measure, there seems to be a bug in the 'restore selective files from workstation' which prevented it from being useful; another topic which I will create a bug report for.)

Offline ReetP

I can vouch that it is NOT 100% protected.

Quote
Be very careful exactly what you say so as not to mislead users. You are wrong.

As you note, SME *itself* won't get attacked by this and is not vulnerable as mentioned. As you discovered, SME core was fine, and fortunately that enabled you to sort out the mess left behind by your users and their infected desktops (hint drop Microsoft desktops for a happier sysadmin experience!)

Quote
I have just done a big cleanup/recovery from an attack. Whilst the integrity of the core SME 9.2 remained intact, several ibays were totally trashed to the point of being 100% unusable and unrecoverable.
(And for good measure, there seems to be a bug in the 'restore selective files from workstation' which prevented it from being useful; another topic which I will create a bug report for.)

Any files stored on SME appear as normal network files and can therefore be subject to being encrypted by an infected client, as you found out.

That isn't SME's fault....
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline p-jones

Quote
Be very careful exactly what you say so as not to mislead users. You are wrong.

I don't believe anything I have said is WRONG. To suggest, directly or by implication, particularly to newbies, that installing ANY flavoured Linux server will leave them 'safe' because Linux is immune is in itself misleading.

As a general concept, the average user doesn't give a toss about the server-core, they care about the user data. The server-core is also easy to sort, the user data is usually irreplaceable. Collateral damage.

Quote
As you discovered, SME core was fine
That did not negate the necessity to have to do a full re-install and restore to recover, mainly because a selective file restore would not play nice.

Quote
mess left behind by your users and their infected desktops
One can give users good tools but it is not easy to control what they do with them after.

Quote
(hint drop Microsoft desktops for a happier sysadmin experience!)
I / We all wish !!

Backups in my situation are done to a NAS4FREE box. Miscellaneous files on that also got trashed, BUT because the backup was written by Linux, with Linux permissions not MS permissions, that seemed to be a saving grace, leaving the backup integrity 100% good.

Quote
That isn't SMEs fault....
I am not blaming SME, I am just telling my experience how it is, namely running SME or a Linux server does not leave one 100% safe from grief & this piece of malware, direct or indirect. (FACT)

Gotta say, computing was a whole lot easier and safer before we all had internet and email on every desktop !!!

guest22

another topic which I will create a bug report for.)

Please open a bug per topic, but please do so.

Offline p-jones

bug 10356

guest22

As a heads-up, it seems that currently (June 27, 2017) there is another 'attack' under way

Offline ReetP

You said (and note the name of the thread):

I can vouch that it is NOT 100% protected.

Yup, nothing is 100% protected, but in THIS instance it is about making the distinction between the server itself and any user data.

With this particular infection the server itself will be OK, even if user data isn't.

Quote
As a general concept, the average user doesn't give a toss about the server-core, they care about the user data. The server-core is also easy to sort, the user data is usually irreplaceable.

Indeed, users don't, but they are hardly likely to be frequenting this forum. So the advice for sysadmins (and there are a lot of inexperienced ones here) should be that Wannacry/pt may totally trash your users' data, but it will not affect your core server components. Restoration of user data from backup may be required.

Quote
Collateral damage
That did not negate the necessity to have to do a full re-install and restore to recover, mainly because a selective file restore would not play nice.
One can give users good tools but it is not easy to control what they do with them after.

Nope. But that isn't the fault of the server. It is just doing what it was asked to do.

As an addendum it also demonstrates the value of having a backup that can be physically disconnected from the server and removed, just for good measure.

Quote
I / We all wish !!

Easy.... :-)

Quote
I am not blaming SME, I am just telling my experience how it is, namely running SME or a Linux server does not leave one 100% safe from grief & this piece of malware, direct or indirect. (FACT)

Does not leave one's DATA free from grief. And that is the point of this particular thread.

Quote
Gotta say, computing was a whole lot easier and safer before we all had internet and email on every desktop !!!

Or before the scammers got involved and buggered it all up :-)

B. Rgds
John
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

guest22

JFYI: Maersk Rotterdam went down, but now they are down globally...

http://www.maersk.com/en