wanna cry ransomware patch for samba-4.5.5


Samba - samba-technical mailing list
Hi Team,

We are using samba-4.5.5. for file sharing in Mips Linux Platform.
Is there any fix available for "wanna cry" ransomware ?

If available, can you please share git clone path.

Thanks & Regards,
Jawath Muckdhar




--

be inspired ! be happy! be urself!

~ jawath ~

Re: wanna cry ransomware patch for samba-4.5.5

Samba - samba-technical mailing list
On Mon, May 15, 2017 at 02:47:42PM +0530, Jawath Muckdhar via samba-technical wrote:
> Hi Team,
>
> We are using samba-4.5.5. for file sharing in Mips Linux Platform.
> Is there any fix available for "wanna cry" ransomware ?

As far as I know we're not vulnerable to the SMB1 exploit
that allows this ransomware to propagate, it appears to
be a Windows-specific implementation flaw.

Jeremy.


Re: wanna cry ransomware patch for samba-4.5.5

Samba - samba-technical mailing list
Thanks Jeremy.

I think that it is possible that an infected SAMBA client ( a windows
machine ) might be able to encrypt the files on the server and
affect the files.
Is there any way to prevent this from happening ?
Therefore the samba clients will need to patch their windows client and
disable SMB1.

Regards,
Yogesh


On Tue, May 16, 2017 at 11:50 AM, Jeremy Allison via samba-technical <
[hidden email]> wrote:

> On Mon, May 15, 2017 at 02:47:42PM +0530, Jawath Muckdhar via
> samba-technical wrote:
> > Hi Team,
> >
> > We are using samba-4.5.5. for file sharing in Mips Linux Platform.
> > Is there any fix available for "wanna cry" ransomware ?
>
> As far as I know we're not vulnerable to the SMB1 exploit
> that allows this ransomware to propagate, it appears to
> be a Windows-specific implementation flaw.
>
> Jeremy.
>
>

Re: wanna cry ransomware patch for samba-4.5.5

Samba - samba-technical mailing list
On Wed, May 17, 2017 at 12:01:27PM -0700, Yogesh Kulkarni wrote:
> Thanks Jeremy.
>
> I think that it is possible that an infected SAMBA client ( a windows machine )
> might be able to encrypt the files on the server and 
> affect the files. 
> Is there any way to prevent this from happening ? 

I can't see any way to prevent this. An infected
Windows client is just doing normal file operations
(open/read/write/close) to the Samba server. There's
no way for the server to know these operations are
malicious and intended to encrypt the file data without
the user's consent.


Re: wanna cry ransomware patch for samba-4.5.5

Samba - samba-technical mailing list
On Wed, May 17, 2017 at 3:28 PM, Jeremy Allison via samba-technical
<[hidden email]> wrote:

> On Wed, May 17, 2017 at 12:01:27PM -0700, Yogesh Kulkarni wrote:
>> Thanks Jeremy.
>>
>> I think that it is possible that an infected SAMBA client ( a windows machine )
>> might be able to encrypt the files on the server and
>> affect the files.
>> Is there any way to prevent this from happening ?
>
> I can't see any way to prevent this. An infected
> Windows client is just doing normal file operations
> (open/read/write/close) to the Samba server. There's
> no way for the server to know these operations are
> malicious and intended to encrypt the file data without
> the user's consent.
>

While Jeremy is of course exactly correct, I guess if one were so
inclined and technically able, they could put a security layer on top
of the Samba file server engine by creating a VFS module that somehow
(hand-waving here, I'm assuming there is an access pattern or
something that can be used to fingerprint the various strains of the
malware that exist in the wild) identifies the malware's access
attempt and prohibits writing to (encrypting of) the share.  No one is
going to go to the trouble unless their employer wants to scratch this
itch, but it's probably doable.  I think it's no longer maintained,
but as a proof of concept there was a ClamAV file scanner VFS module
that allowed for real time virus scanning of files as they were
accessed.  I'm just throwing this out there on the off chance that
someone needs to scratch this itch.

--
Peace and Blessings,
-Scott.


RE: wanna cry ransomware patch for samba-4.5.5

Samba - samba-technical mailing list
I do like the idea..

A vfs plugin that allows only certain mimetypes.

The suggestion to block files by type is a good idea imo but only if you use mimetype not extensions.

I don't know what happens if a crypto virus tries to write a modified .docx or .pdf.
And you allow only .docx .pdf mimetypes.

And using mimetypes should prevent users from, for example, writing .exe files as .pdf files.

Greetz,

Louis


> -----Original Message-----
> From: samba-technical
> [mailto:[hidden email]] On Behalf Of
> Jeremy Allison via samba-technical
> Sent: Wednesday, May 17, 2017 22:28
> To: Yogesh Kulkarni
> CC: Jawath Muckdhar; samba-technical
> Subject: Re: wanna cry ransomware patch for samba-4.5.5
>
> On Wed, May 17, 2017 at 12:01:27PM -0700, Yogesh Kulkarni wrote:
> > Thanks Jeremy.
> >
> > I think that it is possible that an infected SAMBA client (
> a windows
> > machine ) might be able to encrypt the files on the server
> and affect
> > the files.
> > Is there any way to prevent this from happening ?
>
> I can't see any way to prevent this. An infected Windows
> client is just doing normal file operations
> (open/read/write/close) to the Samba server. There's no way
> for the server to know these operations are malicious and
> intended to encrypt the file data without the user's consent.
>
>
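
The content-type allow-listing idea from the message above, as an added example that is not part of the original post and is not Samba code: it judges a write by its leading bytes rather than by the file extension, then requires the name to agree. `check_write`, the verdict names and the sample buffers are assumptions made for illustration, and the Samba VFS API is not used.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical verdicts for the first block written to a file. */
enum verdict { ALLOW, DENY_TYPE, DENY_MISMATCH };

struct sig { const char *ext; const char *magic; size_t len; };

/* Allow-list: extension and the leading bytes its content must have. */
static const struct sig allowed[] = {
    { ".pdf",  "%PDF-",      5 },
    { ".docx", "PK\x03\x04", 4 },  /* OOXML is a ZIP container */
};

/* Index of the allowed type the content matches, or -1 for none. */
static int sniff(const unsigned char *buf, size_t len)
{
    for (size_t i = 0; i < sizeof(allowed) / sizeof(allowed[0]); i++)
        if (len >= allowed[i].len &&
            memcmp(buf, allowed[i].magic, allowed[i].len) == 0)
            return (int)i;
    return -1;
}

/* Judge a write by content first, then require the name to agree. */
enum verdict check_write(const char *name, const unsigned char *buf, size_t len)
{
    int type = sniff(buf, len);
    const char *dot = strrchr(name, '.');

    if (type < 0)
        return DENY_TYPE;      /* content is not an allowed type */
    if (dot == NULL || strcasecmp(dot, allowed[type].ext) != 0)
        return DENY_MISMATCH;  /* allowed content under another name */
    return ALLOW;
}

int main(void)
{
    /* Constructed samples: a PDF header, a PE header, opaque bytes. */
    const unsigned char pdf[] = "%PDF-1.4\n";
    const unsigned char exe[] = { 'M', 'Z', 0x90, 0x00 };
    const unsigned char blob[] = { 0x8f, 0x13, 0xe2, 0x5a, 0x07, 0xc4 };

    printf("%d %d %d\n", check_write("report.pdf", pdf, sizeof(pdf) - 1),
           check_write("invoice.pdf", exe, sizeof(exe)),
           check_write("notes.docx", blob, sizeof(blob)));
    return 0;
}
```

The check looks only at the leading bytes of a write, so it is a coarse filter and says nothing about whether the rest of the file is well-formed.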



RE: wanna cry ransomware patch for samba-4.5.5

Samba - samba-technical mailing list
> -----Original Message-----
> From: samba-technical [mailto:[hidden email]] On
> Behalf Of Jeremy Allison via samba-technical
> Sent: Tuesday, May 16, 2017 2:50 PM
> To: Jawath Muckdhar <[hidden email]>
> Cc: [hidden email]
> Subject: Re: wanna cry ransomware patch for samba-4.5.5
>
> On Mon, May 15, 2017 at 02:47:42PM +0530, Jawath Muckdhar via samba-
> technical wrote:
> > Hi Team,
> >
> > We are using samba-4.5.5. for file sharing in Mips Linux Platform.
> > Is there any fix available for "wanna cry" ransomware ?
>
> As far as I know we're not vulnerable to the SMB1 exploit that allows this
> ransomware to propagate, it appears to be a Windows-specific implementation
> flaw.

There are several independent aspects to this attack, and Samba folks might be interested in this detailed preliminary analysis of the attack:

https://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/

Tom.


Re: wanna cry ransomware patch for samba-4.5.5

Samba - samba-technical mailing list
On Thu, May 18, 2017 at 03:55:27PM +0000, Tom Talpey via samba-technical wrote:

> > -----Original Message-----
> > From: samba-technical [mailto:[hidden email]] On
> > Behalf Of Jeremy Allison via samba-technical
> > Sent: Tuesday, May 16, 2017 2:50 PM
> > To: Jawath Muckdhar <[hidden email]>
> > Cc: [hidden email]
> > Subject: Re: wanna cry ransomware patch for samba-4.5.5
> >
> > On Mon, May 15, 2017 at 02:47:42PM +0530, Jawath Muckdhar via samba-
> > technical wrote:
> > > Hi Team,
> > >
> > > We are using samba-4.5.5. for file sharing in Mips Linux Platform.
> > > Is there any fix available for "wanna cry" ransomware ?
> >
> > As far as I know we're not vulnerable to the SMB1 exploit that allows this
> > ransomware to propagate, it appears to be a Windows-specific implementation
> > flaw.
>
> There are several independent aspects to this attack, and Samba folks might be interested in this detailed preliminary analysis of the attack:
>
> https://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/

Thanks Tom, very interesting and informative article !