Feb 7, 2022

Are the latest Samba vulnerabilities putting your devices at risk? (CVE-2021-44142)

Samba recently issued software updates to address multiple security vulnerabilities. If successfully exploited, these flaws allow remote attackers to execute arbitrary code with the highest privileges on vulnerable devices. The most prominent is CVE-2021-44142, an out-of-bounds heap read/write vulnerability in the VFS module “vfs_fruit”, which provides compatibility with Apple SMB clients. The vulnerability, rated 9.9 on the CVSS scale, affects all versions of Samba before 4.13.17.

Samba recommends that organizations with vulnerable devices upgrade to the fixed releases or apply the patch as soon as possible to mitigate the defect and thwart any potential attacks exploiting the vulnerability.
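To triage a single host for the condition described above (Samba older than 4.13.17 with vfs_fruit loaded), the following Python sketch checks a version banner and an smb.conf. It is an added example, not Armis or Samba code; the function names and the sample configuration are constructed for illustration. It assumes the upstream version string reflects patch status, which does not hold where a distribution backports the fix, so confirm against the package changelog.

```python
import re

FIXED = (4, 13, 17)  # threshold stated in this article

def parse_version(banner):
    """Extract (major, minor, patch) from `smbd --version` style output."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError(f"no version found in {banner!r}")
    return tuple(int(x) for x in m.groups())

def fruit_shares(conf_text):
    """Return share sections whose effective 'vfs objects' includes fruit."""
    text = re.sub(r"\\\r?\n", "", conf_text)  # join backslash-continued lines
    vfs, shares, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            if section != "global":
                shares.append(section)
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            # smb.conf parameter names ignore case and embedded whitespace
            if re.sub(r"\s+", "", key).lower() == "vfsobjects":
                vfs[section] = re.split(r"[\s,]+", value.strip().lower())
    default = vfs.get("global", [])
    # A share-level 'vfs objects' replaces the [global] list; it is not merged.
    return [s for s in shares if "fruit" in vfs.get(s, default)]

def assess(banner, conf_text):
    """Combine both checks; 'exposed' needs an old version AND fruit loaded."""
    below = parse_version(banner) < FIXED  # tuple compare: 4.9.x < 4.13.x
    shares = fruit_shares(conf_text)
    return {"below_fixed": below, "fruit_shares": shares,
            "exposed": below and bool(shares)}

# Constructed sample configuration, not taken from a real host.
SAMPLE_CONF = """\
[global]
   workgroup = EXAMPLE
   vfs objects = catia fruit streams_xattr
[timemachine]
   path = /srv/tm
[scans]
   VFS Objects = acl_xattr
[media]
   vfs objects = catia \\
      fruit streams_xattr
"""

if __name__ == "__main__":
    print(assess("Version 4.13.5-Ubuntu", SAMPLE_CONF))
```

Feed it the output of `smbd --version` and the contents of the host's smb.conf; a share listed under `fruit_shares` on a build below the threshold is the one to isolate or patch first.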

Do you know where your vulnerable assets are?

When it comes to quickly patching vulnerable Samba installations, the biggest challenge is identifying all of the vulnerable instances across all enterprise networks and cloud environments. Using standard approaches, this could take weeks or even months. 

Samba is a popular freeware implementation of the Server Message Block (SMB) protocol that allows users to access files, printers, and other commonly shared resources over a network. Hundreds of vendors use Samba, and this vulnerability affects widely used Linux distributions such as Red Hat, SUSE Linux, and Ubuntu. (See the full list from CERT here.)

Although Armis had not seen any exploit attempts as of posting, this is a critical vulnerability, so it is only a matter of time. We highly recommend immediate remediation of vulnerable devices.

Armis identified over 100,000 impacted customer assets, including servers, VMs, workstations, personal computers, and printers. See Figure 1 for a breakdown by device type.

Figure 1: Affected devices by type

The vast majority of these impacted assets run a Linux operating system, as illustrated in Figure 2.

Figure 2: Affected devices by operating system

How Can Armis Help?

The Armis platform can quickly provide you with a list of all assets that are impacted by the latest Samba vulnerabilities, giving you specific information about the asset owner and location to help you quickly respond to the threat. 

The platform makes this possible by automatically mapping, classifying, and inventorying all connected assets across enterprise networks and cloud environments. By analyzing the collected information against the Armis Asset Knowledgebase, the Armis platform gives you pertinent intelligence about vulnerable devices so you can plan and prioritize your response.

Armis Customers Can Quickly Find Impacted Assets And Mitigate The Threat

Armis has already notified customers about the relevant query they should run to map out all vulnerable assets. Be sure to isolate affected assets until it is possible to upgrade Samba to the latest version (this can also be done automatically with Armis policies). 

Not an Armis Customer? No Worries – We Can Still Help!

Armis offers a free Quick Asset Visibility Assessment with its agentless, cloud-based platform to help you find and identify assets with vulnerable Samba installations. Our platform works with your existing infrastructure to ensure you have a complete, real-time asset inventory you can rely on.

Are you ready to start seeing more with less effort?

Let an Armis expert help you get started in as little as 30 minutes.

  • Disable the ability for users to install software on their workstations and engage the practice of least privilege where possible. 
  • Ensure your organization has an up-to-date ASL (approved software list). 
  • Perform information security awareness training routinely to help end users better understand current threats.

Staying ahead of the game

Mapping out your connected assets and understanding which of them can be impacted by this and other critical vulnerabilities helps IT and security teams respond to threats and improve the overall security posture. 

The Armis platform’s asset visibility and intelligence can improve overall asset management, IT hygiene, threat detection and response, and license management, and can even reduce costs. To find out more, contact us today.
