Hello,

Up till today I have only heard that it affects Windows clients and Servers. However I received this today that sparked my question

https://ics-cert.us-cert.gov/sites/default/files/FactSheets/ICS-CERT_FactSheet_WannaCry_Ransomware.pdf

This suggests blocking port 445 for Samba specifically. First wouldn't blocking port 445 break all file and printer sharing functionality? Second isn't this port needed even by Windows for SMB? I'm confused. Thanks.

--
--
James

On Thu, 18 May 2017 08:11:08 -0400 lingpanda101 via samba <samba at lists.samba.org> wrote:

> Hello,
>
> Up till today I have only heard that it affects Windows clients
> and Servers. However I received this today that sparked my question
>
> https://ics-cert.us-cert.gov/sites/default/files/FactSheets/ICS-CERT_FactSheet_WannaCry_Ransomware.pdf
>
> This suggests blocking port 445 for Samba specifically. First
> wouldn't blocking port 445 break all file and printer sharing
> functionality? Second isn't this port needed even by Windows for SMB?
> I'm confused. Thanks.

I think what they are trying to say is:

Whilst wannacry will have no effect on a Samba server, if it is on a Samba share that you connect to, your Windows computer may get infected.

The cure seems to be, turn off file sharing with the Samba server, it might as well have said 'Go to Samba server, identify the power lead and pull it out of the power socket' ;-)

Rowland

On 5/18/2017 8:32 AM, Rowland Penny wrote:

> On Thu, 18 May 2017 08:11:08 -0400
> lingpanda101 via samba <samba at lists.samba.org> wrote:
>
>> Hello,
>>
>> Up till today I have only heard that it affects Windows clients
>> and Servers. However I received this today that sparked my question
>>
>> https://ics-cert.us-cert.gov/sites/default/files/FactSheets/ICS-CERT_FactSheet_WannaCry_Ransomware.pdf
>>
>> This suggests blocking port 445 for Samba specifically. First
>> wouldn't blocking port 445 break all file and printer sharing
>> functionality? Second isn't this port needed even by Windows for SMB?
>> I'm confused. Thanks.
>
> I think what they are trying to say is:
>
> Whilst wannacry will have no effect on a Samba server, if it is on a
> Samba share that you connect to, your Windows computer may get infected.
>
> The cure seems to be, turn off file sharing with the Samba server, it
> might as well have said 'Go to Samba server, identify the power lead
> and pull it out of the power socket' ;-)
>
> Rowland

Didn't think about it from the standpoint of protecting Windows machines from malware residing on a Samba server. This is exactly what I thought it was saying. Basically "We don't know how best to secure Samba, so just turn it off". I just couldn't fathom it would more or less mean that. Thanks.

--
--
James

On 2017-05-18 14:11, lingpanda101 via samba wrote:

> Hello,
>
> Up till today I have only heard that it affects Windows clients and
> Servers. However I received this today that sparked my question
>
> https://ics-cert.us-cert.gov/sites/default/files/FactSheets/ICS-CERT_FactSheet_WannaCry_Ransomware.pdf
>
> This suggests blocking port 445 for Samba specifically.

Probably a typo/misunderstanding. 445 is for all SMB implementations.

> First wouldn't blocking port 445 break all file and printer sharing
> functionality?
>
> Second isn't this port needed even by Windows for SMB? I'm confused.
> Thanks.

Yes to both. That's what the slight understatement "may cause disruptions on systems that require port 445" means.

Samba in itself is not vulnerable to ETERNALBLUE, so it cannot be infected by WannaCry.

However, vulnerable clients with write access to Samba shares can still encrypt files on Samba shares and render them useless, so you should still make sure you can detect ransomware attacks and make sure your backups work.

--
Mit freundlichen Grüßen, / Best Regards,
Sven Schwedas, Systemadministrator
Mail/XMPP sven.schwedas at tao.at | Skype sven.schwedas
TAO Digital | Lendplatz 45 | A8020 Graz
https://www.tao-digital.at | Tel +43 680 301 7167

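Added example, not part of the thread or of Samba itself: one way to detect the case described in the reply above, where a client with write access rewrites files on a share. It assumes Samba's `vfs_full_audit` module is logging successful renames with the prefix `%u|%I`; the ISO timestamp layout, host name, users, addresses, paths, thresholds and the `.locked` suffix are all constructed for illustration.

```python
import posixpath
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line layout (constructed): ISO timestamp, host, "smbd_audit:",
# then user|client_ip|operation|result|old_path|new_path
LINE = re.compile(
    r"^(?P<ts>\S+) \S+ smbd_audit: (?P<user>[^|]*)\|(?P<ip>[^|]*)\|"
    r"rename(?:at)?\|ok\|(?P<old>[^|]*)\|(?P<new>[^|]*)$"
)

def suspicious_clients(lines, threshold=5, window=timedelta(seconds=10)):
    """Return {(user, ip): peak_count} for clients that changed the extension
    of at least `threshold` files within `window`."""
    recent = defaultdict(deque)   # per-client timestamps of extension changes
    flagged = {}
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue              # not a successful rename record
        old_ext = posixpath.splitext(m["old"])[1].lower()
        new_ext = posixpath.splitext(m["new"])[1].lower()
        if old_ext == new_ext:
            continue              # ordinary move or rename, extension kept
        ts = datetime.fromisoformat(m["ts"])
        key = (m["user"], m["ip"])
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window: # drop events that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged[key] = max(flagged.get(key, 0), len(q))
    return flagged

# Constructed sample: bob does two ordinary renames, alice's client rewrites
# six files in six seconds, appending a new suffix to each.
SAMPLE = [
    "2017-05-18T14:00:00 fs1 smbd_audit: bob|192.0.2.20|renameat|ok|docs/old.txt|docs/new.txt",
    "2017-05-18T14:00:05 fs1 smbd_audit: bob|192.0.2.20|renameat|ok|docs/r.doc|docs/r.docx",
] + [
    f"2017-05-18T14:01:0{i} fs1 smbd_audit: alice|192.0.2.10|renameat|ok|"
    f"proj/f{i}.xlsx|proj/f{i}.xlsx.locked"
    for i in range(6)
]

if __name__ == "__main__":
    for (user, ip), count in suspicious_clients(SAMPLE).items():
        print(f"ALERT {user}@{ip}: {count} extension-changing renames in 10s")
```

A hit identifies the client to isolate and gives the time from which files on the share need restoring from backup.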
Bob of Donelson Trophy
2017-May-18 13:01 UTC
[Samba] Does WannaCry Ransmonware affect Samba?
On 2017-05-18 07:47, Sven Schwedas via samba wrote:

> On 2017-05-18 14:11, lingpanda101 via samba wrote:
>
>> Hello,
>>
>> Up till today I have only heard that it affects Windows clients and
>> Servers. However I received this today that sparked my question
>>
>> https://ics-cert.us-cert.gov/sites/default/files/FactSheets/ICS-CERT_FactSheet_WannaCry_Ransomware.pdf
>>
>> This suggests blocking port 445 for Samba specifically.
>
> Probably a typo/misunderstanding. 445 is for all SMB implementations.
>
>> First wouldn't blocking port 445 break all file and printer sharing functionality?
>>
>> Second isn't this port needed even by Windows for SMB? I'm confused.
>> Thanks.
>
> Yes to both. That's what the slight understatement "may cause
> disruptions on systems that require port 445" means.
>
> Samba in itself is not vulnerable to ETERNALBLUE, so it cannot be
> infected by WannaCry.
>
> However, vulnerable clients with write access to Samba shares can still
> encrypt files on Samba shares and render them useless, so you should
> still make sure you can detect ransomware attacks and make sure your
> backups work.
>
> --
> Mit freundlichen Grüßen, / Best Regards,
> Sven Schwedas, Systemadministrator
> Mail/XMPP sven.schwedas at tao.at | Skype sven.schwedas
> TAO Digital | Lendplatz 45 | A8020 Graz
> https://www.tao-digital.at | Tel +43 680 301 7167

As the facts emerge about this story, I think we will find that most affected workstations and servers were NOT software up to date. Every common workstation user is too quick to cancel "that" update because "I have 'work' I HAVE to get done, now!" with little or no thought to the consequences of failing to update.

Those of us that keep W and Samba as "current" as possible should be "in front" of most viruses and threats.

Just my penny (sorry Rowland) and a half on this almost not Samba subject.

--
_______________________________
Bob Wooden of Donelson Trophy