Does WannaCry Ransomware affect Samba?


Samba - General mailing list
Hello,

     Up till today I have only heard that it affects Windows clients and
Servers. However I received this today that sparked my question

https://ics-cert.us-cert.gov/sites/default/files/FactSheets/ICS-CERT_FactSheet_WannaCry_Ransomware.pdf

This suggests blocking port 445 for Samba specifically. First wouldn't
blocking port 445 break all file and printer sharing functionality?
Second isn't this port needed even by Windows for SMB? I'm confused. Thanks.


--
--
James


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Re: Does WannaCry Ransomware affect Samba?

Samba - General mailing list
On Thu, 18 May 2017 08:11:08 -0400
lingpanda101 via samba <[hidden email]> wrote:

> Hello,
>
>      Up till today I have only heard that it affects Windows clients
> and Servers. However I received this today that sparked my question
>
> https://ics-cert.us-cert.gov/sites/default/files/FactSheets/ICS-CERT_FactSheet_WannaCry_Ransomware.pdf
>
> This suggests blocking port 445 for Samba specifically. First
> wouldn't blocking port 445 break all file and printer sharing
> functionality? Second isn't this port needed even by Windows for SMB?
> I'm confused. Thanks.
>
>

I think what they are trying to say is:

Whilst wannacry will have no effect on a Samba server, if it is on a
Samba share that you connect to, your Windows computer may get infected.

The cure seems to be, turn off file sharing with the Samba server, it
might as well have said 'Go to Samba server, identify the power lead
and pull it out of the power socket' ;-)

Rowland

 

Re: Does WannaCry Ransomware affect Samba?

Samba - General mailing list
On 5/18/2017 8:32 AM, Rowland Penny wrote:

> On Thu, 18 May 2017 08:11:08 -0400
> lingpanda101 via samba <[hidden email]> wrote:
>
>> Hello,
>>
>>       Up till today I have only heard that it affects Windows clients
>> and Servers. However I received this today that sparked my question
>>
>> https://ics-cert.us-cert.gov/sites/default/files/FactSheets/ICS-CERT_FactSheet_WannaCry_Ransomware.pdf
>>
>> This suggests blocking port 445 for Samba specifically. First
>> wouldn't blocking port 445 break all file and printer sharing
>> functionality? Second isn't this port needed even by Windows for SMB?
>> I'm confused. Thanks.
>>
>>
> I think what they are trying to say is:
>
> Whilst wannacry will have no effect on a Samba server, if it is on a
> Samba share that you connect to, your Windows computer may get infected.
>
> The cure seems to be, turn off file sharing with the Samba server, it
> might as well have said 'Go to Samba server, identify the power lead
> and pull it out of the power socket' ;-)
>
> Rowland
>
>  

Didn't think about it from the standpoint of protecting Windows machines
from malware residing on a Samba server.

This is exactly what I thought it was saying. Basically "We don't know
how best to secure Samba, so just turn it off". I just couldn't fathom
it would more or less mean that. Thanks.

--
--
James


Re: Does WannaCry Ransomware affect Samba?

Samba - General mailing list
On 2017-05-18 14:11, lingpanda101 via samba wrote:
> Hello,
>
>     Up till today I have only heard that it affects Windows clients and
> Servers. However I received this today that sparked my question
>
> https://ics-cert.us-cert.gov/sites/default/files/FactSheets/ICS-CERT_FactSheet_WannaCry_Ransomware.pdf
>
>
> This suggests blocking port 445 for Samba specifically.

Probably a typo/misunderstanding. 445 is for all SMB implementations.

> First wouldn't blocking port 445 break all file and printer sharing
> functionality?
>
> Second isn't this port needed even by Windows for SMB? I'm confused.
> Thanks.

Yes to both. That's what the slight understatement "may cause
disruptions on systems that require port 445" means.

Samba in itself is not vulnerable to ETERNALBLUE, so it cannot be
infected by WannaCry.

However, vulnerable clients with write access to Samba shares can still
encrypt files on Samba shares and render them useless, so you should
still make sure you can detect ransomware attacks and make sure your
backups work.

--
Mit freundlichen Grüßen, / Best Regards,
Sven Schwedas, Systemadministrator
Mail/XMPP [hidden email] | Skype sven.schwedas
TAO Digital | Lendplatz 45 | A8020 Graz
https://www.tao-digital.at | Tel +43 680 301 7167
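
Added example, not part of the original thread or of Samba's own code: one way to act on the advice above to detect ransomware activity on shares, by scanning `vfs_full_audit` records for a client that renames many files to a new extension within a short window. The log layout (ISO timestamps, `full_audit:prefix = %u|%I`, only successful renames logged), the threshold and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line layout: "<ISO time> <host> smbd_audit: user|ip|op|ok|old|new"
LINE = re.compile(
    r"^(?P<ts>\S+) \S+ smbd_audit: (?P<user>[^|]*)\|(?P<ip>[^|]*)\|"
    r"(?:rename|renameat)\|ok\|(?P<old>[^|]*)\|(?P<new>[^|]*)$"
)

def suffix(path):
    """Lower-cased final extension of the file name, or '' if it has none."""
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def find_mass_renames(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {(user, ip): peak count} for clients whose extension-changing
    renames reach `threshold` inside `window`. Lines must be in time order."""
    recent = defaultdict(deque)
    alerts = {}
    for line in lines:
        m = LINE.match(line.strip())
        # Ignore non-rename records and renames that keep the extension.
        if not m or suffix(m["old"]) == suffix(m["new"]):
            continue
        ts = datetime.fromisoformat(m["ts"])
        key = (m["user"], m["ip"])
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:      # drop events older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts[key] = max(alerts.get(key, 0), len(q))
    return alerts

def constructed_sample():
    """Constructed log lines: two ordinary renames, then a burst from one client."""
    pre = "fs1 smbd_audit:"
    lines = [
        f"2017-05-18T08:10:00 {pre} alice|192.0.2.10|rename|ok|docs/report.doc|docs/report-final.doc",
        f"2017-05-18T08:10:30 {pre} alice|192.0.2.10|rename|ok|docs/notes.txt|docs/notes.md",
    ]
    for i in range(8):
        lines.append(f"2017-05-18T08:11:{i:02d} {pre} bob|192.0.2.20|rename|ok|"
                     f"proj/f{i}.xlsx|proj/f{i}.xlsx.locked")
    return lines

if __name__ == "__main__":
    for (user, ip), count in find_mass_renames(constructed_sample()).items():
        print(f"ALERT {user}@{ip}: {count} extension-changing renames within 60s")
```

A hit identifies the client and account doing the writing, which is the vulnerable machine to isolate; the files already changed still have to come from backup.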

Re: Does WannaCry Ransomware affect Samba?

Samba - General mailing list
On 2017-05-18 07:47, Sven Schwedas via samba wrote:

> On 2017-05-18 14:11, lingpanda101 via samba wrote:
>
>> Hello,
>>
>> Up till today I have only heard that it affects Windows clients and
>> Servers. However I received this today that sparked my question
>>
>> https://ics-cert.us-cert.gov/sites/default/files/FactSheets/ICS-CERT_FactSheet_WannaCry_Ransomware.pdf
>>
>> This suggests blocking port 445 for Samba specifically.
>
> Probably a typo/misunderstanding. 445 is for all SMB implementations.
>
>> First wouldn't blocking port 445 break all file and printer sharing
>> functionality?
>>
>> Second isn't this port needed even by Windows for SMB? I'm confused.
>> Thanks.
>
> Yes to both. That's what the slight understatement "may cause
> disruptions on systems that require port 445" means.
>
> Samba in itself is not vulnerable to ETERNALBLUE, so it cannot be
> infected by WannaCry.
>
> However, vulnerable clients with write access to Samba shares can still
> encrypt files on Samba shares and render them useless, so you should
> still make sure you can detect ransomware attacks and make sure your
> backups work.
>
> --
> Mit freundlichen Grüßen, / Best Regards,
> Sven Schwedas, Systemadministrator
> Mail/XMPP [hidden email] | Skype sven.schwedas
> TAO Digital | Lendplatz 45 | A8020 Graz
> https://www.tao-digital.at | Tel +43 680 301 7167

As the facts emerge about this story, I think we will find that most
affected workstations and servers were NOT software up to date. Every
common workstation user is too quick to cancel "that" update because "I
have 'work' I HAVE to get done, now!" with little or no thought to the
consequences of failing to update.

Those of us that keep W and Samba as "current" as possible should be "in
front" of most viruses and threats.

Just my penny (sorry Rowland) and a half on this almost not Samba
subject.

--
_______________________________

Bob Wooden of Donelson Trophy