Sergey Nivens - Fotolia

How is the Samba vulnerability different from EternalBlue?

A recently discovered Samba vulnerability bears a striking resemblance to the notorious Windows exploit EternalBlue. Expert Matthew Pascucci compares the two vulnerabilities.

A Samba vulnerability was recently discovered on the heels of the WannaCry ransomware worm. Researchers say the Samba vulnerability is similar to the EternalBlue bug used in the WannaCry attacks. How are they similar, and what mitigation steps are available?

The vulnerability in Samba -- as well as WannaCry ransomware -- shows that every organization needs to apply appropriate patches and enforce configuration management in its systems to defend itself against security risks.

These Linux and Windows systems are similar in that both created remote concerns by having port 445 open on the perimeter. Samba is used to enable Linux devices, such as printers, to communicate with Windows systems, and it is a key element in having interoperability between the operating systems.

It's interesting the Samba vulnerability (CVE-2017-7494) was announced soon after the WannaCry ransomware spread. While neither has anything to do with the other, seeing this vulnerability just cements the urgent need for IT security to move back to the fundamentals.

Both of the vulnerabilities are concerning for remote execution if the systems are exposed to the internet and are unpatched. Also, both of the vulnerabilities require a payload to be dropped in order to achieve their results. In the case of WannaCry, it was EternalBlue that was used to power the malware; in the Samba vulnerability, there was no known malware wrapped around the exploit.

It's a little harder to infect a system with the Samba vulnerability than it is with WannaCry. With Samba, there needs to be a vulnerable system, the attacker needs to know the path of the file share, and he must either be able to authenticate or have a share that enables anonymous authentication. Many of these things need to be in place for the vulnerability to work; however, the exploit is not impossible, and it needs to be remediated either way.

The Samba advisory released a patch to remediate the issue, as well as a workaround to assist those that couldn't patch. Adding nt pipe support = no to your global Samba configuration will stop the threat, but it also might stop Windows systems from connecting to the shares.

There's no guarantee that the workaround will be effective, and the only surefire way to stop the threat is to patch. This can be a concern because many of these systems don't have an auto-update feature, like Windows does, to receive the patch automatically.

If patching these systems -- which are most likely servers that need to be on at all times -- becomes an issue, creating proper network segmentation and removing any instance of them publically is the best way to reduce the risk now.

All systems running Samba need to be patched to stop this risk, but it shouldn't stop there. These two vulnerabilities are eye-opening occurrences that happened within a few weeks of each other, which shows that performing basic patch and configuration management is what the industry needs to start focusing on more.

Ask the expert:
Want to ask Matt Pascucci a question about security? Submit your question now via email. (All questions are anonymous.)

Next Steps

Check out these five steps for businesses after the WannaCry attack

Learn how WannaCry malware can affect industrial control system networks

Find out more about the connection between Samba and WannaCry

This was last published in August 2017

Dig Deeper on Application and platform security