And those of you who have already been using the agent may soon be happy they have backups – because WannaCry comes to Linux! Yep, the EternalBlue exploit for Linux, aka SambaCry (CVE-2017-7494), was published last week – so the countdown to another worldwide IT havoc has already started. The vulnerability affects all versions of Samba from 3.5 (released March 1, 2010) onward – up until the latest versions, which are 4.6.4, 4.5.10 and 4.4.14. This exploit is going to be a huge problem for most IT shops, as Samba is the de facto standard for providing Windows-based file and print services on Linux, and as such it is usually installed by default on many systems. But even those small, purely Windows shops are in danger here, because at the very least their Linux-based NAS devices (often also holding backups!) and routers are likely exploitable. For all I know, my home NAS and both routers are all affected.
From what I gather, the vulnerability is very easy to exploit: all it takes is a single simple.create_pipe command with a path to a special .so, and bingo! Major Linux distributions, such as Red Hat and Ubuntu, have already released patches. However, I don't expect consumer NAS and networking vendors to be able to react as fast, or ever (why would they go back and patch some 7-year-old devices?). So for those devices, you want to apply a manual fix against the vulnerability by adding the line nt pipe support = no to the smb.conf configuration file (remember to restart the SMB daemon, smbd).
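Since the workaround above is a one-line config change that has to be repeated across every appliance you cannot patch, here is an added example (my own code, not from the post or from the Samba project) that checks an smb.conf for the mitigation and inserts it where it is missing. It assumes that nt pipe support is a [global] parameter (a setting of it inside a share section is not honoured), that Samba accepts no, false and 0 as false values, and that parameter names match ignoring case and whitespace; the sample configuration is constructed for the example.

```python
import re

# Sample smb.conf, constructed for this example (not from any real device)
SAMPLE_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = Home NAS
   ; a comment line
   # another comment

[public]
   path = /srv/samba/public
   read only = no
"""

MITIGATION_KEY = "nt pipe support"
FALSE_VALUES = {"no", "false", "0"}   # spellings Samba treats as boolean false
SECTION_RE = re.compile(r"^\[(.+)\]$")


def _norm_key(key):
    """Samba matches parameter names ignoring case and internal whitespace."""
    return re.sub(r"\s+", "", key).lower()


def parse_smb_conf(text):
    """Minimal smb.conf reader: {section name: {normalised key: value}}.

    Comment lines ('#' or ';') and blanks are skipped. 'include' directives and
    '%' substitutions are not expanded, so this is a static check only.
    A parameter repeated in one section keeps its last value, as Samba does.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        match = SECTION_RE.match(line)
        if match:
            current = match.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][_norm_key(key)] = value.strip()
    return sections


def nt_pipe_support_disabled(text):
    """True only when [global] explicitly sets 'nt pipe support' to a false value."""
    global_section = parse_smb_conf(text).get("global", {})
    value = global_section.get(_norm_key(MITIGATION_KEY))
    return value is not None and value.lower() in FALSE_VALUES


def harden(text):
    """Return the config with 'nt pipe support = no' in [global].

    Unchanged if the mitigation is already present. An existing non-false
    setting in [global] is dropped so the inserted line is the one that counts.
    A missing [global] section is created at the top of the file.
    """
    if nt_pipe_support_disabled(text):
        return text
    out, in_global, inserted = [], False, False
    for line in text.splitlines():
        stripped = line.strip()
        if SECTION_RE.match(stripped):
            in_global = stripped[1:-1].strip().lower() == "global"
            out.append(line)
            if in_global and not inserted:
                out.append(f"   {MITIGATION_KEY} = no")
                inserted = True
            continue
        if in_global and "=" in stripped and \
                _norm_key(stripped.partition("=")[0]) == _norm_key(MITIGATION_KEY):
            continue  # drop the conflicting setting
        out.append(line)
    if not inserted:
        out = ["[global]", f"   {MITIGATION_KEY} = no", ""] + out
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("mitigated before:", nt_pipe_support_disabled(SAMPLE_CONF))
    fixed = harden(SAMPLE_CONF)
    print("mitigated after: ", nt_pipe_support_disabled(fixed))
    print(fixed)
```

After writing the hardened file back, restart smbd and confirm the daemon actually sees the setting with testparm -s, which prints the effective configuration after Samba's own parsing (including any include files this script does not follow).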
Some thoughts on this... WannaCry obviously did spark a new wave of discussions on how Linux is superior in terms of security, and how big the impact on business could be for betting on Windows. But SambaCry not only levels the scales – it tips them over! Because while WannaCry was easily identifiable and had a simple remediation, SambaCry presents significant obstacles in obtaining and deploying patches for all those countless virtual or physical Linux-based appliances in your network which are not covered by the OS patch deployment process, or simply do not allow OS-level patching. Obviously, instead of doing useless things like encrypting the appliances themselves, smart hackers will prefer to remain undetected and use those systems as conduits into your production network. So, SambaCry may go a long way and have a unique and unpredictable impact on every business.
Funnily enough, Microsoft was quick to prevent an appliance massacre from WannaCry in Azure – albeit impacting our business in a big and unexpected way. As you may know, Veeam has a number of appliances in the Azure marketplace, and some of our products are distributed exclusively through the marketplace – for example, Veeam Managed Backup Portal. So when WannaCry came, Microsoft simply pulled all legacy Windows-based images from the marketplace and asked all publishers to update and re-deploy all of their images. This is really not the kind of task one can do overnight, but customers could not deploy our software – so we had to scramble (by the way, we should be done later this week). Needless to say, we were pretty upset about this – but Microsoft did the necessary evil, and the only right thing, to prevent much bigger problems.