SecPro#36: Outdated Samba Versions Vulnerable, How To Avoid Software and Data Integrity Failures, How To Threat Hunt during an Incident
Here’s another edition of the SecPro and it’s got a bit of something for everyone. We’ve been keenly watching the news about the Samba exploit and exploring how blue teams can use security incidents to threat hunt more effectively. We’re also getting close to the end of our OWASP Top 10 roundup, so be sure not to miss out on that important advice. In today’s issue:
- New Samba Exploit: Buffer Overflow Leads to Arbitrary Code Execution
- How to Perform Threat Hunting during an Incident
- OWASP Top 10: A08:2021 – Software and Data Integrity Failures
- Secret Knowledge: Web & Mobile Security
As promised last week, the SecPro newsletter now has a new editor – me, Austin! I’m looking forward to getting to know the SecPro community even better and bringing you the content you want every week. If you have any questions or suggestions for me, sign onto the new SecPro discord and tag me with your ideas and queries.
Exploit Detection & Analysis
Outdated Samba Versions Vulnerable to Remote Code Execution
By Austin Miller
A new vulnerability that allows remote attackers to execute arbitrary code as root has been found by the Trend Micro security team through Zero Day Initiative. With a whopping Common Vulnerability Scoring System (CVSS) rating of 9.9, affected Samba installations could potentially lead to attackers successfully executing arbitrary code and taking control of domain controllers as well as any Unix or Unix-like operating system on the network.
The Samba team has been quick to address the issue and provide updates and patches, but what exactly happens on the versions of Samba that haven’t been patched? How is the vulnerability exploited, and what can the exploit lead to?
What is the Samba Vulnerability?
What is Samba For?
Samba is a standard interoperability software suite that allows Unix and Unix-like operating systems, such as Linux and macOS, to communicate with Windows machines. Samba gives non-Windows systems a reimplementation of the Server Message Block (SMB) protocol for communication and for file and print services.
This makes it a necessary tool for network administrators who need to configure, integrate, and set up a Unix/Unix-like system as a domain controller (DC) or domain member that can communicate with Windows systems.
How Does the Vulnerability Work?
There are a number of vulnerabilities that all allow remote attackers to execute arbitrary code as root on affected Samba installations, making life difficult for Samba administrators. However, the most notable of these is CVE-2021-44142.
Within Samba, the serious fault lies in the vfs_fruit VFS module, which is used to allow Apple SMB clients to communicate with and access files on Windows systems. It uses the SMB protocol and improves interoperability with the Netatalk 3 AFP file server file system – without vfs_fruit (or another component that serves a similar function), Apple systems cannot contact other systems and return a “no information found” error.
By writing a program that triggers an out-of-bounds buffer overflow, attackers can create an out-of-bounds heap read/write condition that allows remote attackers to execute arbitrary code as root on affected macOS clients with Samba installed. We saw a similar issue to this last year with a vulnerability in Foxit.
Has This Vulnerability Been Exploited?
Although there has been no known exploitation of affected Samba installations as of yet, there have been a number of similar attacks that have led to data breaches and serious headaches for Samba administrators. Researchers at Trend Micro stated that there were exploited vulnerabilities in versions of Samba released in 2016, 2017, and 2020.
- CVE-2016-2118 – Badlock, rated critical
- CVE-2017-7494 – EternalRed/SambaCry, rated important
- CVE-2020-1472 – Zerologon, rated critical
How Can I Secure My Domain Controller?
Thankfully, a number of patches are already available due to the work of Ralph Böhme of the Samba team. If you’re not in a position to update your systems, older versions of Samba can also be secured with a workaround provided.
A full breakdown of the most recent patches released for the Samba vulnerability can be accessed here.
The most recent additions came on 31/2/22 and provided updates to the three main CVEs associated with Samba prior to patching:
Workaround posted 2/2/22
If you cannot update your Samba installation at the present time, the development team also offered a workaround to protect your vulnerable domain controllers.
- Disable SMB1 on all Samba installations (although this should be disabled according to the default configurations).
- If SMB1 is enabled and cannot be disabled, set the parameter unix extensions = no in the [global] section of smb.conf and restart smbd.
- Only allow exported shares to areas of the file system that are accessed via SMB2 or NFS, not both.
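The three workaround steps above are all smb.conf settings, so they can be checked mechanically rather than by eye. The script below is an added example, not code from the Samba project or from the original newsletter: it parses an smb.conf, then reports whether SMB1 is still accepted, whether unix extensions is still on while SMB1 is allowed, and whether the vfs_fruit module named in the advisory is loaded in any section. The two configurations embedded in it are constructed samples; the parser handles the common key = value layout only (no include directives), and a missing server min protocol is treated as Samba's SMB2 default.

```python
import re
from typing import Dict, List

# Constructed sample smb.conf (not from any real host) in the weak state the
# advisory warns about: SMB1 accepted, unix extensions on, vfs_fruit loaded.
WEAK_SMB_CONF = """
[global]
    workgroup = EXAMPLE
    server min protocol = NT1
    unix extensions = yes
    vfs objects = fruit streams_xattr

[share]
    path = /srv/share
    read only = no
"""

# The same constructed file after applying the workaround steps.
HARDENED_SMB_CONF = """
[global]
    workgroup = EXAMPLE
    server min protocol = SMB2
    unix extensions = no
    vfs objects = streams_xattr

[share]
    path = /srv/share
    read only = no
"""

# Dialect names that, when used as the minimum protocol, still allow SMB1 clients.
SMB1_DIALECTS = {"NT1", "CORE", "COREPLUS", "LANMAN1", "LANMAN2"}


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse smb.conf text into {section: {key: value}}.

    Samba treats keys case-insensitively and ignores whitespace inside them
    ("unix extensions" equals "unixextensions"), so keys are normalised to
    lowercase with internal spaces removed. Comment lines (# or ;) are skipped.
    """
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][re.sub(r"\s+", "", key).lower()] = value.strip()
    return sections


def audit_smb_conf(sections: Dict[str, Dict[str, str]]) -> List[str]:
    """Return findings against the workaround steps; an empty list means clean."""
    findings: List[str] = []
    g = sections.get("global", {})

    # Step 1: SMB1 should be off. Samba's own default minimum is SMB2, so only
    # an explicit SMB1 dialect name re-enables it.
    min_proto = g.get("serverminprotocol", "SMB2").upper()
    smb1_on = min_proto in SMB1_DIALECTS
    if smb1_on:
        findings.append(f"SMB1 enabled via 'server min protocol = {min_proto}'")

    # Step 2: if SMB1 must stay on, unix extensions must be turned off
    # (its default is yes, so a missing key counts as enabled).
    unix_ext = g.get("unixextensions", "yes").lower()
    if smb1_on and unix_ext in ("yes", "true", "1"):
        findings.append("unix extensions still enabled while SMB1 is allowed")

    # vfs_fruit is the module named in the advisory; it can be loaded globally
    # or per share, so every section is checked.
    for name, opts in sections.items():
        if "fruit" in opts.get("vfsobjects", "").split():
            findings.append(f"vfs_fruit loaded in [{name}]")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_SMB_CONF), ("hardened", HARDENED_SMB_CONF)):
        print(label, audit_smb_conf(parse_smb_conf(conf)) or ["clean"])
```

Run it against a real file with `audit_smb_conf(parse_smb_conf(open("/etc/samba/smb.conf").read()))`; a vfs_fruit finding on its own is not a vulnerability, it is the cue to confirm the host is running a patched build or to drop the module until it is.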
How to Perform Threat Hunting during an Incident
Have you ever thought about looking for the ongoing threat when you’re working on a live incident? Wouldn’t it be great to know in advance what the threat actor is looking for and how we can control their movements without being noticed?
If that interests you, then this article is all about streamlining the threat hunting process while responding to an incident.
How Threat Hunting works during an Incident Response
Threat Hunting during a cyber incident pays dividends. Picture yourself chasing a threat actor without making any noise. It is quite hard to find out where the threat actor is poking around and what they might do next, but understanding Threat Hunting during a cyber incident is valuable to businesses of any size.
So how can we do Technical Threat Hunting during a cyber incident? Let’s find out!
Looking to read the complete tutorial? Click the button below to access the full tutorial on the SecPro website.
OWASP Top 10: A08:2021 – Software and Data Integrity Failures
By Austin Miller
Agile software development companies are everywhere now, and the speed of the software supply chain is only getting faster. But the real-world knock-on effect of that is twofold:
- DevOps teams and security teams (or a combined DevSecOps team) have less time to check the quality of new code and identify cryptographic failures, vulnerable and outdated components, or identification and authentication failures built into the software.
- The quick turnaround time pushes developers to turn to potentially untrusted sources, or even outright malicious code, that an adversary will easily exploit.
While security professionals always shout “shift left!”, it’s apparent that there are development teams out there that do not have sufficient integrity verification processes to analyze their work and protect their users against malicious code.
For that reason, it’s important to examine number 8 in the OWASP Top 10 list – A08: Software and Data Integrity Failures.
What happens when there are poor integrity checks?
The most famous example of a failure in software and data integrity checks is the SolarWinds Orion attack, with the now-infamous attack centering around compromised update mechanisms.
After hacking into the SolarWinds backend through password spraying or some other form of brute-force attack – with the concerningly weak password solarwinds123 being the way in for the attackers – the suspected nation-state attackers inserted malicious code into the SolarWinds CI/CD pipeline.
The SolarWinds.Orion.Core.BusinessLayer.dll component was introduced into the SolarWinds update pipeline and signed off as a SolarWinds-approved software update with legitimate digital signatures. This compromise in the software supply chain meant that the update was legitimate as far as SolarWinds and its customers were concerned.
Of course, this is only one example of monitoring failures that have led to system compromise and critical data being exposed on the internet. But if SolarWinds had better processes for monitoring its own updates, this would not have happened.
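The integrity control A08 asks for on the consuming side is that nothing from an update channel is installed until a signed manifest has been checked and every artefact matches the digest in it. The block below is an added example written for this newsletter, not SolarWinds, OWASP or any vendor's code: it builds a signed manifest for a constructed release, then shows that an artefact altered after signing is rejected, and that re-hashing the altered file without the signing key is rejected too. It uses an HMAC so it runs on the standard library alone; a real pipeline would use an asymmetric signature (GPG, Authenticode, Sigstore) so that the verifying host never holds a secret capable of forging manifests. The file names echo the component named above, and the bytes are placeholders. The caveat the SolarWinds case makes plain: this check catches tampering after signing, not code inserted into the build before signing, which only controls on the pipeline itself (the monitoring the text calls for) can address.

```python
import hashlib
import hmac
import json
from typing import Dict, Tuple

# Demo-only key, constructed for this example; see the lead-in on why a real
# release pipeline would use an asymmetric signature instead of an HMAC.
SIGNING_KEY = b"demo-release-key-do-not-use"


def build_manifest(artefacts: Dict[str, bytes], key: bytes) -> Tuple[str, str]:
    """Produce (manifest_json, signature) for a set of release artefacts."""
    digests = {name: hashlib.sha256(data).hexdigest() for name, data in artefacts.items()}
    body = json.dumps(digests, sort_keys=True)
    signature = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body, signature


def verify_update(body: str, signature: str, artefacts: Dict[str, bytes],
                  key: bytes) -> Tuple[bool, str]:
    """Check the manifest signature first, then every artefact against it.

    Returns (ok, reason); nothing should be installed unless ok is True.
    Constant-time comparisons avoid leaking how far a forged value matched.
    """
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signature):
        return False, "manifest signature invalid"
    manifest = json.loads(body)
    # A dropped or added file is an integrity failure even if every listed hash matches.
    if set(manifest) != set(artefacts):
        return False, "artefact set differs from manifest"
    for name, data in artefacts.items():
        if not hmac.compare_digest(hashlib.sha256(data).hexdigest(), manifest[name]):
            return False, f"hash mismatch for {name}"
    return True, "ok"


# Constructed release: names echo the component discussed in the text, the
# contents are placeholder bytes.
GOOD_RELEASE = {
    "SolarWinds.Orion.Core.BusinessLayer.dll": b"clean business layer build",
    "OrionPlatform.exe": b"clean platform build",
}
MANIFEST_BODY, MANIFEST_SIG = build_manifest(GOOD_RELEASE, SIGNING_KEY)


def tampered_after_signing() -> Tuple[bool, str]:
    """An artefact modified after the manifest was signed fails the hash check."""
    modified = dict(GOOD_RELEASE)
    modified["SolarWinds.Orion.Core.BusinessLayer.dll"] += b" + unexpected bytes"
    return verify_update(MANIFEST_BODY, MANIFEST_SIG, modified, SIGNING_KEY)


def manifest_rewritten_without_key() -> Tuple[bool, str]:
    """Re-hashing the modified file cannot help without the signing key."""
    modified = dict(GOOD_RELEASE)
    modified["SolarWinds.Orion.Core.BusinessLayer.dll"] += b" + unexpected bytes"
    forged_body = json.dumps(
        {name: hashlib.sha256(data).hexdigest() for name, data in modified.items()},
        sort_keys=True,
    )
    # The old signature no longer covers the rewritten body.
    return verify_update(forged_body, MANIFEST_SIG, modified, SIGNING_KEY)


if __name__ == "__main__":
    print("clean release   ", verify_update(MANIFEST_BODY, MANIFEST_SIG, GOOD_RELEASE, SIGNING_KEY))
    print("tampered file   ", tampered_after_signing())
    print("forged manifest ", manifest_rewritten_without_key())
```

The same shape applies to dependency installs: a lock file with pinned digests is the manifest, and the package manager's hash check (for example pip's --require-hashes mode) is the verify step.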
Want to find out more? Check out this SolarWinds report by TechTarget.
Want to read the entire report on the OWASP A08? Click the button below to access the full analysis on the SecPro website.
Secret Knowledge: Building Your Security Arsenal
Discover useful security resources, cheatsheets, hacks, and open-source CLI/web tools.
Web & Mobile Security
hahwul/authz0: Authz0 is an automated authorization test tool. Unauthorized access can be identified based on URLs and Roles & Credentials.
blst-security/cherrybomb: Stop half-done API specifications! Cherrybomb is a CLI tool that helps you avoid undefined user behaviour by validating your API specifications.
optiv/InsecureShop: Developed in Kotlin, this application was created primarily for research on Android Deeplinks and Webviews. This also serves as a platform to test your Android pentesting skills.
future-architect/vuls: Agent-less vulnerability scanner for Linux, FreeBSD, containers, WordPress, programming language libraries, and network devices.
infobyte/faraday: Collaborative penetration test and vulnerability management platform.
scipag/vulscan: Advanced vulnerability scanning with Nmap NSE.
mitchellkrogza/nginx-ultimate-bad-bot-blocker: Nginx blocker for bad bots, spam referrers, vulnerability scanners, user agents, malware, adware, ransomware, and malicious sites, with anti-DDoS, WordPress theme detector blocking, and a Fail2Ban jail for repeat offenders.
OWASP/Nettacker: Automated penetration testing framework – open-source vulnerability scanner – vulnerability management.