The ‘SambaCry’ Samba Vulnerability in Containers


There is a new vulnerability that can affect containerized applications; this time it is in Samba, the open-source SMB/CIFS implementation used on Linux and other non-Windows systems. Samba lets those systems share folders, files and printers with Windows clients, and a Samba server is a common thing to find packaged in a container image.

Network security keeps making headlines with new exploits against popular systems. The Windows “WannaCry” ransomware attack, which I wrote about recently, is still spreading around the world, and the Samba vulnerability is another example of the continuous threat environment enterprises face.

Now Linux and macOS users of the most widely deployed SMB server software outside Windows have a similar problem to worry about. A critical remote code execution vulnerability that had been present for seven years was found in Samba; it lets a remote attacker who can write to a share take control of the affected Linux system.

CVE-2017-7494 affects every Samba release from 3.5.0 (March 2010) onward; Samba fixed it in the security releases 4.6.4, 4.5.10 and 4.4.14. Researchers reported more than a hundred thousand internet-facing systems running vulnerable versions of Samba, the SMB protocol implementation used on Linux systems. Some have called it “SambaCry”, a Linux counterpart to “WannaCry”, although it is a remote code execution bug rather than ransomware in itself.

In some cases these vulnerabilities are remarkably easy to exploit, and CVE-2017-7494 is a real case in point. An attacker who can write to a share first uploads a shared library to it, then asks the server to open a named pipe whose name is the server-side path of that file. Samba treated an unknown pipe name as a module to load, so once the file is in place a single call is enough:

simple.create_pipe("/path/to/target.so")

smbd loads the library with dlopen() and runs its constructor with the privileges of the smbd process, normally root, so the remote attacker takes control of the affected machine. Three preconditions apply: a share the attacker can write to (guest-writable shares are common on misconfigured servers), knowledge or a guess of the absolute path of that share on the server's filesystem, and network reach to the SMB port. The fix in the patched releases refuses any pipe name that contains a path separator.

Proof-of-concept code is published at https://github.com/omri9741/cve-2017-7494, and Samba's patches and security releases are listed at https://www.samba.org/samba/history/security.html.

Finding the Vulnerability in Containers

If your CVE database is up to date, an image scanner can find this CVE in container images by matching the installed Samba package version against the affected range. NeuVector's live scan runs the same check on running containers and on the Docker hosts themselves. Two points to keep in mind when reading scan results: the bug is in the smbd server process, so a container that only mounts a CIFS share as a client is not affected by this CVE, and distributions often backport the fix without changing the upstream version number, so a version-based hit should be confirmed against the package changelog. The harder question remains whether you would catch this and remediate it before it was exploited.
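As an added example (not code from the original post, from NeuVector or from Samba), here is the version check a scanner performs for this CVE reduced to a standalone script: it parses the version out of an `smbd --version` string or a package version and compares it against the fixed upstream releases named in the Samba advisory. The image names and versions in the sample inventory are constructed for the example, and the script deliberately reports "affected" by upstream version only, leaving the distro-backport question to the package changelog.

```python
"""Flag Samba versions affected by CVE-2017-7494 (added example, not from the post).

Assumption: the affected range is the one in the Samba advisory, every release
from 3.5.0 onward, with fixed releases 4.6.4, 4.5.10 and 4.4.14. Older branches
got no fixed point release, so they are reported as affected unless the
distribution backported the patch (check the package changelog).
"""
import re

FIRST_AFFECTED = (3, 5, 0)
# Branch -> first fixed upstream release on that branch.
FIXED_RELEASES = {(4, 6): (4, 6, 4), (4, 5): (4, 5, 10), (4, 4): (4, 4, 14)}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Pull (major, minor, patch) out of strings like 'Version 4.5.8-Debian'
    or a package version such as '2:4.4.5+dfsg-2ubuntu5.8'."""
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(part) for part in match.groups())


def is_affected(version_text):
    """True if the upstream version lies inside the affected range."""
    version = parse_version(version_text)
    if version < FIRST_AFFECTED:
        return False
    branch = version[:2]
    if branch in FIXED_RELEASES:
        return version < FIXED_RELEASES[branch]
    # 4.7 and later were released after the fix.
    if branch > (4, 6):
        return False
    # 3.5.x through 4.3.x: affected, and no fixed point release exists.
    return True


def scan_inventory(inventory):
    """Return {image: verdict} for an inventory mapping image -> version string.

    Verdicts are by upstream version; a distro package may carry a backported
    fix, so treat 'affected' as 'confirm against the package changelog'.
    """
    return {image: ("affected" if is_affected(version) else "not affected")
            for image, version in inventory.items()}


# Constructed sample inventory; these image names and versions are made up.
SAMPLE_INVENTORY = {
    "registry.example/fileserver:old": "Version 4.5.8-Debian",
    "registry.example/fileserver:patched": "Version 4.6.4",
    "registry.example/legacy:3.6": "Version 3.6.25",
    "registry.example/pre-3.5": "Version 3.4.17",
}

if __name__ == "__main__":
    for image, verdict in scan_inventory(SAMPLE_INVENTORY).items():
        print(f"{image}: {verdict}")
```

To feed it real data, run `docker exec <container> smbd --version` or read the Samba package version from the image's package database and pass each string to `is_affected()`.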

Preventing These and Other Container Exploits

For continuous detection and prevention, a distributed container firewall such as NeuVector should be in place to detect these critical vulnerabilities and real-time exploits. TCP port 445, which this exploit rides on (along with the legacy NetBIOS port 139), should never be open to the public, and a Samba container rarely needs to expose it beyond the clients that mount its shares. Even for internal east-west traffic, NeuVector blocks network access that is not part of the application's normal behavior, so these attacks are detected, alerted on and blocked at every step of the kill chain.

Even if an admin mistakenly introduced a vulnerable container into the network, NeuVector's zero-trust model locks down (whitelists) the normal behavior of application containers, so it does not matter whether the exploit uses a seven-year-old critical CVE like “SambaCry” or something unknown today. Samba's own advisory also offers an interim mitigation for servers that cannot be patched immediately: set “nt pipe support = no” in the [global] section of smb.conf and restart smbd, at the cost of some Windows client functionality that depends on named pipes. The behavior-based NeuVector security container protects application containers continuously at the most efficient security layer: the network layer.
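As an added example that is not from the post, from NeuVector or from Samba, the following script audits a Samba container's smb.conf for two things that matter to this CVE: whether the advisory's interim workaround, “nt pipe support = no” in the [global] section, is applied, and which shares are writable, since the attacker has to plant the library on a share they can write to. The two sample configurations are constructed for the example; the parser mirrors how smbd reads parameter names (case-insensitive, whitespace ignored) and boolean values, but it is a simplification that does not follow “include =” files or per-share substitutions.

```python
"""Audit smb.conf for the CVE-2017-7494 workaround and for writable shares.

Added example, not code from the post, from NeuVector or from Samba.
Assumptions: the workaround is the one in the Samba advisory ('nt pipe
support = no' in [global], which also disables some Windows client
functionality that depends on named pipes); share writability follows the
'read only' parameter (default yes) and its inverted synonyms 'writable'
and 'writeable'. The parser is simplified: it does not expand 'include ='
files or %-substitutions.
"""
import re

TRUE_WORDS = {"yes", "true", "1", "on"}
FALSE_WORDS = {"no", "false", "0", "off"}


def _normalize_key(key):
    # smbd matches parameter names case-insensitively and ignores whitespace,
    # so 'NT Pipe Support', 'ntpipesupport' and 'nt pipe support' are equal.
    return re.sub(r"\s+", "", key).lower()


def _as_bool(value, default):
    word = value.strip().lower()
    if word in TRUE_WORDS:
        return True
    if word in FALSE_WORDS:
        return False
    return default


def parse_smb_conf(text):
    """Return {section: {normalized_key: raw_value}}; section names are lower-cased."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][_normalize_key(key)] = value.strip()
    return sections


def has_pipe_workaround(text):
    """True only if [global] sets nt pipe support to a false value.

    The parameter is global-only, so a copy inside a share section is
    ignored here, just as smbd ignores it there.
    """
    global_section = parse_smb_conf(text).get("global", {})
    return _as_bool(global_section.get("ntpipesupport", "yes"), True) is False


def writable_shares(text):
    """Return [(share, guest_ok)] for every share a client can write to."""
    result = []
    for name, params in parse_smb_conf(text).items():
        if name == "global":
            continue
        read_only = _as_bool(params.get("readonly", "yes"), True)
        for synonym in ("writable", "writeable"):
            if synonym in params:                # inverted synonyms of 'read only'
                read_only = not _as_bool(params[synonym], False)
        if not read_only:
            result.append((name, _as_bool(params.get("guestok", "no"), False)))
    return result


# Constructed sample configurations for the example.
EXPOSED_CONF = """
[global]
   workgroup = WORKGROUP
   server string = file server in a container
[data]
   path = /srv/samba/data
   guest ok = yes
   writable = yes
"""

HARDENED_CONF = """
[global]
   workgroup = WORKGROUP
   ; interim workaround from the Samba advisory for CVE-2017-7494
   nt pipe support = no
[data]
   path = /srv/samba/data
   read only = yes
   valid users = @staff
"""

if __name__ == "__main__":
    for label, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(label, "workaround:", has_pipe_workaround(conf),
              "writable shares:", writable_shares(conf))
```

A guest-writable share reported by `writable_shares()` is the exact setup the public proof of concept needs, so it deserves attention even on a patched server; the workaround check is a stopgap until the image is rebuilt on a fixed Samba release.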

Looking at these recent attacks, it is clear that they are real threat cases in which it is easy for attackers to find victims and start an attack. For attackers it is low cost and low tech to keep trying from a lab or a coffee shop. For enterprise security teams, on the other hand, static scanning or manual firewalling is heavyweight and expensive. There has to be a better solution.

Containers bring with them the ability to easily, quickly, and automatically deploy and update applications. They also bring the ability to build security into the run-time environment, with the appropriate security tools. With the NeuVector container-based solution, security can be lightweight, automated and much easier to maintain, without the headache and costs of traditional security technology!

Fei Huang. Fei is vice president of security strategy at SUSE. He has more than 20 years of experience in enterprise security, virtualization, cloud and embedded software. He was part of the founding team of Cloudvolumes (acquired by VMware) and cofounder of Provilla, a DLP security company (acquired by TrendMicro). Fei holds several patents in security, virtualization and software architecture.