Koozali.org: home of the SME Server

Wannacry/Wannacrypt SMB flaw - checking SME 9.x not vulnerable, please confirm

stabilys
Summary: there's a nasty new ransomware variant spreading via an SMB worm (I'm sure that everyone knows this now!)

Windows 10 and Linux/Mac workstations are immune to the SMB exploit.

Windows < 10 is vulnerable and needs the March '17 patch from the MS March updates:

https://technet.microsoft.com/library/security/MS17-010

MS have released a patch for this even for Windows XP, here (inter alia) if anyone needs it:

http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598

As per the subject: we've had a busy weekend so far checking that Win 7 and 8 (very few of these) workstations @ clients have the appropriate patch (they *should* have, but we are also checking that AV/AMWare is up to date; there's a new Wannacry variant out that is worse than the Friday one).

I had a look at this: https://access.redhat.com/solutions/3031551

which states not vulnerable to the SMB exploit as I would expect. I trust that this applies to the 9.x codebase?

Can any developer confirm please?

I would emphasise that not having this vulnerability ONLY means that the ransomware cannot spread by the SMB MACHINE-TO-MACHINE vector; all other avenues are open. Ensure you have updated protection on Windows and secure backups, as any SMB workstation can encrypt the data on the server!

There's also a rule to block the SMB exploit for those using Emerging Threats rulesets on firewalls, qv.

MeJ
This, too, will pass ;)

DanB35
> I trust that this applies to the 9.x codebase?

I'm not a developer, but SME 9.x is built on the RHEL 6.x codebase, which is a currently-supported version of RHEL. If it's correct that "Red Hat products are not vulnerable to the flaw", then SME is similarly not vulnerable.

stabilys
That's my working assumption too, just double-checking...

MeJ

guest22

E-mail attachments that are opened by users are their own responsibility. The specific ransomware hopes that Windows users will do so, for it uses a known exploit.

As usual, e-mail users are deceived and 'think' that e-mail is a given fact and safe to use. It is not. It's not a cyber attack; it is using the users who 'think' email is a thing that simply works, just like the telephone. Again, it is not.

So yes, email servers will deliver infected emails to end users (so this coming Monday many people will start Outlook and will click the attachment, but the harm was already done last Friday). Any company with common sense would have cleared their email queue if they use Windows PCs for their users. It is a Windows problem. For more info, please call the NSA https://www.nsa.gov/ or Microsoft https://microsoft.com

Stefano
This is not an M$ issue but a human one. Patches for this vulnerability have been available since March 17th.
The real issue is that IT security (and client management) is still considered a useless expense in many places.

guest22

One first needs to fully understand what email actually is. Don't forget, most users were born while email was simply there. Nobody explained anything about it.

Stefano
This is true too, indeed

stabilys

> E-mail attachments that are opened by users are their own responsibility. The specific ransomware hopes that Windows users will do so, for it uses a known exploit.

Actually no email is involved. It's a direct SMB exploit that spreads machine to machine. Yes, apparently developed by the NSA. That's above my pay grade to challenge, sorry :)

stabilys

> This is true too, indeed

It certainly is. Many users fail entirely to understand how any of it works. It's not my job to train them, though we encourage client companies to do so... many don't.

SchulzStefan

> I'm not a developer, but SME 9.x is built on the RHEL 6.x codebase, which is a currently-supported version of RHEL. If it's correct that "Red Hat products are not vulnerable to the flaw", then SME is similarly not vulnerable.

No, I don't think so. At least not for the ibays.

One of my users opened a few weeks ago an attachment (ransomware Wanna Cry) on a Win7 workstation. It took less than 1 minute and all shares (ibays) on the SME box had been encrypted. This happened early in the morning. As we do a backup twice a day it was not a big deal to restore the data...

The only advice I can give is backup, backup, backup...

regards,
stefan
And then one day you find ten years have got behind you.

Time, 1973
(Mason, Waters, Wright, Gilmour)

guest22

2 things in play here:

1. A user opens an attachment
2. The attachment contains malicious code that abuses Windows flaws and protocol flaws (in this case Samba)

It all starts with #1 and end-user skills (or lack of them). Email servers simply deliver, and MTAs simply open by the user's choice.

guest22

Sorry I have to revise that.

5 things in play:

1. The receiving email server is not very well aware of email threats: viruses, spam, blacklists, etc.
2. The malicious email/attachment STILL gets delivered to the end user (read: delivery queue, all email server security checks done)
3. The end user opens the email attachment
4. The activated malicious code does its thing and can reach the local network, for it was activated by a trusted user on the local network and will have the same access levels
5. The malicious code is aware it has local network access and can do its thing by itself; it no longer needs a carrying agent such as email and an unaware user to open an attachment

DanB35

> One of my users opened a few weeks ago an attachment (ransomware Wanna Cry) on a Win7 workstation. It took less than 1 minute and all shares (ibays) on the SME box had been encrypted. This happened early in the morning. As we do a backup twice a day it was not a big deal to restore the data...
Your user was an idiot, but that doesn't mean there was an SME vulnerability.  A file server is going to do whatever the connected client tells it to, within that client's permissions.  That's not a bug or a vulnerability on the part of the server.  But if the malware spreads server-to-server, that's a vulnerability in the server.  RH is saying there's no vulnerability with RHEL (which would mean no vulnerability in CentOS either), but that doesn't mean the server won't do exactly what the user tells it to do.
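An added illustration of Dan's point (example code written for this page, not from the thread, from SME Server or from Samba): the server cannot tell a ransomware-infected workstation from its legitimate user, because both arrive over the same authenticated SMB session with the same permissions on the ibay. What the server side can do is recognise the pattern, which is what let stabilys warn that "any SMB workstation can encrypt the data on the server" and what Stefan saw happen in under a minute. The script snapshots a share, compares it to a later snapshot and raises an alarm on the combination ordinary editing never produces: most original files removed or rewritten, the rewritten content near-random (high Shannon entropy), a canary file touched, and one new extension on most added files. The share layout, the canary filename, the `.locked` extension, the ransom-note name and the thresholds are all constructed for the demo; the "ransomware" is a stand-in that overwrites files with random bytes and is not real malware.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter

CANARY_NAME = "zz_canary_do_not_touch.txt"  # assumed canary file at the share root


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 for uniformly random data, roughly 4-6 for documents."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def snapshot(root: str) -> dict:
    """Map relative path -> (sha256 hex, entropy) for every regular file under root."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                data = fh.read()
            snap[os.path.relpath(full, root)] = (hashlib.sha256(data).hexdigest(),
                                                 shannon_entropy(data))
    return snap


def analyse(before: dict, after: dict, change_ratio=0.5, entropy_floor=7.0) -> dict:
    """Diff two snapshots. Alarm if the canary was touched, or if most original
    files were removed/rewritten AND most new content looks like ciphertext."""
    originals, current = set(before), set(after)
    lost = {p for p in originals if p not in after or after[p][0] != before[p][0]}
    fresh = {p for p in current if p not in before or after[p][0] != before[p][0]}
    high_entropy = {p for p in fresh if after[p][1] >= entropy_floor}
    ext_counts = Counter(os.path.splitext(p)[1].lower() for p in current - originals)
    top_ext, top_n = ext_counts.most_common(1)[0] if ext_counts else ("", 0)
    lost_ratio = len(lost) / len(originals) if originals else 0.0
    entropy_ratio = len(high_entropy) / len(fresh) if fresh else 0.0
    canary_hit = CANARY_NAME in lost
    return {
        "alarm": canary_hit or (lost_ratio >= change_ratio and entropy_ratio >= change_ratio),
        "lost_ratio": round(lost_ratio, 3),
        "high_entropy_ratio": round(entropy_ratio, 3),
        "canary_hit": canary_hit,
        "dominant_new_ext": top_ext,
        "dominant_new_ext_count": top_n,
    }


def populate(root: str, n_files: int = 20) -> None:
    """Constructed sample share: low-entropy text 'documents' plus the canary."""
    for i in range(n_files):
        with open(os.path.join(root, f"report_{i:02d}.txt"), "w") as fh:
            fh.write("Quarterly figures, all normal.\n" * 40)
    with open(os.path.join(root, CANARY_NAME), "w") as fh:
        fh.write("If this file changes, something is rewriting the share.\n")


def simulate_ransomware(root: str, ext: str = ".locked") -> None:
    """Stand-in for an infected workstation acting through its SMB session:
    replace every reachable file with random bytes (standing in for ciphertext)
    under a new extension and drop a note. Extension and note name are invented."""
    for name in os.listdir(root):
        path = os.path.join(root, name)
        if os.path.isfile(path):
            with open(path + ext, "wb") as fh:
                fh.write(os.urandom(os.path.getsize(path)))
            os.remove(path)
    with open(os.path.join(root, "READ_ME_TO_RESTORE.txt"), "w") as fh:
        fh.write("demo ransom note\n")


def simulate_normal_work(root: str) -> None:
    """A user edits two reports and saves a new document: no alarm expected."""
    for i in (3, 7):
        with open(os.path.join(root, f"report_{i:02d}.txt"), "a") as fh:
            fh.write("Updated figure.\n")
    with open(os.path.join(root, "minutes.txt"), "w") as fh:
        fh.write("Meeting minutes.\n" * 10)


def demo() -> tuple:
    """Run both scenarios in throwaway directories; returns (ransom, benign) reports."""
    reports = []
    for action in (simulate_ransomware, simulate_normal_work):
        with tempfile.TemporaryDirectory() as share:
            populate(share)
            before = snapshot(share)
            action(share)
            reports.append(analyse(before, snapshot(share)))
    return tuple(reports)


if __name__ == "__main__":
    ransom, benign = demo()
    print("ransomware scenario:", ransom)   # alarm True, dominant new ext .locked
    print("normal work:", benign)           # alarm False
```

In practice the `before` snapshot would come from the last known-good backup or a nightly job, and `analyse` would run against the live ibay a few times an hour, alerting (and ideally disconnecting the offending user's SMB sessions) when `alarm` is true. The thresholds are starting points, not tuned values, and this only watches the workstation-to-server path that Dan describes; it does nothing about MS17-010 itself, which is why the Windows patches and the backups still come first.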

Stefano
Standing ovation for Dan :-D

SchulzStefan

> But if the malware spreads server-to-server, that's a vulnerability in the server.

I didn't see that. Only from WS to server.

regards,
stefan