Samba recently issued software updates to address multiple security vulnerabilities. These flaws enable remote attackers to execute arbitrary code with the highest privileges on vulnerable devices, if successfully exploited. The most prominent is CVE-2021-44142, an out-of-bounds heap read/write vulnerability in the VFS module “vfs_fruit” that provides compatibility with Apple SMB clients. The vulnerability, rated 9.9 on the CVSS scale, affects all versions of Samba before 4.13.17.
Samba recommends that organizations with vulnerable devices upgrade to these releases or apply the patch as soon as possible to mitigate the defect and thwart any potential attacks exploiting the vulnerability.
When it comes to quickly patching vulnerable Samba installations, the biggest challenge is identifying all of the vulnerable instances across all enterprise networks and cloud environments. Using standard approaches, this could take weeks or even months.
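One way to triage hosts for the identification problem described above (an added example, not Armis or Samba code). It assumes you have already collected each host's Samba version string and smb.conf text; the function names, status labels and sample hosts are hypothetical, and it treats a host as exposed only when `vfs objects` loads `fruit`.

```python
import re

FIXED = (4, 13, 17)  # threshold stated in the article: earlier versions are affected

def parse_version(text):
    """Pull (major, minor, patch) out of a string such as 'Version 4.13.5-Ubuntu'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(part) for part in m.groups())

def fruit_sections(smb_conf):
    """Return the smb.conf sections whose effective 'vfs objects' loads fruit."""
    loaded, section = {}, "global"
    # Join backslash-continued lines, then walk the file line by line.
    for raw in smb_conf.replace("\\\n", " ").splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        # Samba ignores case and spaces in parameter names.
        if sep and key.replace(" ", "").lower() == "vfsobjects":
            modules = [mod.split(":")[0] for mod in re.split(r"[\s,]+", value.strip().lower())]
            loaded[section] = "fruit" in modules  # a later line overrides an earlier one
    return [name for name, has_fruit in loaded.items() if has_fruit]

def triage(host, version_text, smb_conf):
    """Classify one host from its reported version string and smb.conf text."""
    version = parse_version(version_text)
    sections = fruit_sections(smb_conf)
    if version >= FIXED:
        # Not flagged by the article's threshold; packaged builds and other
        # release branches still need checking against the vendor advisory.
        status = "not-flagged"
    elif sections:
        status = "exposed"   # affected version and vfs_fruit is loaded
    else:
        status = "upgrade"   # affected version, module not loaded in this config
    return {"host": host, "version": version, "status": status, "fruit_in": sections}

# Constructed sample input (not real hosts).
CONF_FRUIT = "[global]\n  workgroup = LAB\n[timemachine]\n  path = /srv/tm\n  VFS Objects = catia fruit streams_xattr\n"
CONF_PLAIN = "[global]\n  workgroup = LAB\n; vfs objects = fruit\n[share]\n  path = /srv/share\n"

if __name__ == "__main__":
    for args in [("nas01", "Version 4.11.6-Ubuntu", CONF_FRUIT),
                 ("fs02", "Version 4.13.2", CONF_PLAIN),
                 ("fs03", "Version 4.13.17", CONF_FRUIT)]:
        print(triage(*args))
```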
Samba is a popular freeware implementation of the Server Message Block (SMB) protocol that allows users to access files, printers, and other commonly shared resources over a network. Hundreds of vendors use Samba, and this vulnerability affects widely used Linux distributions such as Red Hat, SUSE Linux, and Ubuntu. (See the full list from CERT here.)
Although Armis had not seen any exploit attempts as of posting, this is a critical vulnerability, so it is only a matter of time. We highly recommend immediate remediation of vulnerable devices.
Armis identified over 100,000 impacted customer assets, including servers, VMs, workstations, personal computers, and printers. See figure 1 for breakdown by device type.
Figure 1: Affected devices by type
The vast majority of these impacted assets run a Linux Operating System, as illustrated in figure 2.
Figure 2: Affected devices by operating system
The Armis platform can quickly provide you with a list of all assets that are impacted by the latest Samba vulnerabilities, giving you specific information about the asset owner and location to help you quickly respond to the threat.
The platform makes this possible by automatically mapping, classifying, and inventorying all connected assets across enterprise networks and cloud environments. By analyzing the collected information against the Armis Asset Knowledgebase, the Armis platform gives you pertinent intelligence about vulnerable devices so you can plan and prioritize your response.
Armis has already notified customers about the relevant query they should run to map out all vulnerable assets. Be sure to isolate affected assets until it is possible to upgrade Samba to the latest version (this can also be done automatically with Armis policies).
Not an Armis Customer? No Worries – We Can Still Help!
Armis offers a free Quick Asset Visibility Assessment with its agentless, cloud-based platform to help you find and identify assets with vulnerable Samba installations. Our platform works with your existing infrastructure to ensure you have a complete, real-time asset inventory you can rely on.
Mapping out your connected assets and understanding which of them can be impacted by this and other critical vulnerabilities helps IT and security teams respond to threats and improve the overall security posture.
The Armis platform’s asset visibility and intelligence can improve overall asset management, IT hygiene, threat detection and response, license management, and even reduce costs. To find out more, contact us today.