How Does Samba Compare to WannaCry?

Wednesday, July 05, 2017

Rotem Iram


Many reports are drawing comparisons between the Samba vulnerability and WannaCry, with some even dubbing it SambaCry. There’s no denying that the Samba vulnerability is serious. It also shares some similarities with WannaCry: it exploits a flaw in a service that implements Windows' SMB file-sharing protocol, and, like WannaCry, it is 'wormable' – meaning each infected machine could potentially infect other machines on its network, significantly increasing the spread of the malware. But it doesn’t pose the same widespread risk as WannaCry.

To start, the number of potential targets of the Samba vulnerability is significantly smaller. Of the 2.3 million machines worldwide that expose SMB directly to the internet, the Samba vulnerability could only potentially impact a fraction – 60,000 to be exact. While, at first glance, it would seem that there are millions of machines running Samba, from routers and network printers to your home NAS, several factors must all align for a machine to be exploitable through this vulnerability:

  1. The machine needs to have TCP port 445 open and reachable directly from the internet – this brings the number of potential targets down to 2.3 million machines worldwide;
  2. Guest login without a password needs to be enabled – down to 980 thousand machines worldwide;
  3. The server must actually be running a vulnerable Samba version – down to 120 thousand machines worldwide;
  4. A writeable network share needs to exist on the system – down to about 70 thousand machines worldwide;
  5. And, finally, Samba inter-process communication needs to be enabled – down to about 60 thousand machines worldwide.

Although the risk is not as dire as WannaCry, organizations should remain vigilant against any potential threat and should not ignore the possibility of an attacker exploiting Samba. The following “Three P’s” will help mitigate the potential threat posed by the Samba vulnerability to your business:

  • Patch, Patch & Patch: If a Samba server is enabled on a device, or if your business is running an older Samba version, keep that device updated with recent patches. File sharing is a business need, and patches will ensure that your system remains secure.
  • Password Protect: Often, guest logins do not require a password; however, all systems should be password protected to deflect attacks. Without a password, your system remains vulnerable.
  • Port it Shut: Firewalls are important, and ensuring that TCP port 445, the port Samba listens on, is closed to the outside will eliminate the threat of external exploitation.
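To make the five preconditions above and the Three P's concrete, here is an added example (not code from the original post) that parses a Samba configuration and reports which preconditions a host still meets and which of the Three P's would close each one. The sample smb.conf is constructed for illustration; internet exposure of port 445 and the version check are passed in as flags because they cannot be read from the config file, and the `nt pipe support` option named in the comments is Samba's real setting for the inter-process communication precondition.

```python
# Constructed sample smb.conf for illustration; not taken from any real host.
SAMPLE_SMB_CONF = """[global]
   map to guest = Bad User      ; failed logins fall through to the guest account

[public]
   path = /srv/public
   guest ok = yes
   read only = no
"""

def parse_smb_conf(text):
    """Minimal smb.conf parser: returns {section: {key: value}} with keys lower-cased."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][key.strip().lower()] = value.strip()
    return conf

def is_yes(value, default):
    # Samba booleans: yes/true/1; 'default' applies when the key is absent
    return (default if value is None else value).strip().lower() in ("yes", "true", "1")

def share_is_writable(opts):
    # Samba accepts 'writable'/'writeable' or the inverted 'read only' (default: read only)
    if "writable" in opts or "writeable" in opts:
        return is_yes(opts.get("writable", opts.get("writeable")), "no")
    return not is_yes(opts.get("read only"), "yes")

def assess(conf, port_445_exposed, vulnerable_version):
    """Evaluate the five preconditions and map each one that holds to one of the Three P's."""
    g = conf.get("global", {})
    shares = [o for s, o in conf.items() if s != "global"]
    checks = [  # (precondition, holds?, mitigation from the post)
        ("port 445 reachable from the internet", port_445_exposed, "Port it Shut"),
        ("guest login enabled", g.get("map to guest", "never").lower() != "never", "Password Protect"),
        ("vulnerable Samba version", vulnerable_version, "Patch, Patch & Patch"),
        ("writable share", any(share_is_writable(o) for o in shares), "Password Protect"),
        # Samba's own workaround for this precondition is 'nt pipe support = no' in [global]
        ("nt pipe support enabled", is_yes(g.get("nt pipe support"), "yes"), "Patch, Patch & Patch"),
    ]
    conditions = {name: hit for name, hit, _ in checks}
    actions = sorted({fix for _, hit, fix in checks if hit})
    return {"exploitable": all(conditions.values()), "conditions": conditions, "actions": actions}
```

Running `assess(parse_smb_conf(SAMPLE_SMB_CONF), True, True)` on the constructed config reports all five preconditions met; adding `nt pipe support = no`, removing the guest mapping, or making the share read-only each breaks the chain.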

With new vulnerabilities constantly being brought to light, there’s considerable fear of security risks, and confusion about what these risks mean to organizations. In the case of the Samba vulnerability, it’s important to remember that this is just a vulnerability. There is no evidence to suggest that malware exploiting the Samba vulnerability would be ransomware, nor would this likely be a massive attack.

But organizations should always be aware of potential threats. They need to understand the business and technical implications of their systems’ vulnerabilities, and select the best set of controls to prevent attackers from using exploits.

About the author: Rotem Iram is the Founder and CEO of stealth cyber insurance company CyberJack. With nearly two decades of security and engineering experience, Rotem previously served as a Managing Director and COO in the Cyber Security practice of K2 Intelligence, a leading global risk management firm, focusing on cyber intelligence, cyber defense strategy, and incident response.
