Updated Tuesday, Feb. 24, 2015, 2:11 PM: Added content for Tripwire Enterprise customers to find Samba in their environment.

A major vulnerability (CVE-2015-0240) has been discovered in Samba, a widely used and distributed SMB/CIFS application for Linux/Unix that provides interoperability with Microsoft Windows. Samba integrates Linux systems into Windows environments for file and print services, and integrates with Active Directory.

The vulnerability exists in the smbd file server daemon. A remote client can attack the server by sending crafted packets, and because smbd runs as root, this allows the attacker to execute code with root privileges. According to the report by Red Hat, although code execution is believed to be possible, examples of this have not yet been seen in the wild.

We have issued a Tripwire VERT Threat Alert for CVE-2015-0240 with additional information regarding this vulnerability and product coverage. Detection coverage for this vulnerability in Tripwire IP360 will be available in an ASPL package on February 25, which will include coverage for CVE-2015-0240 on RHEL, CentOS, Ubuntu, Debian and OEL.

For remediation, it is recommended that administrators install the patches being released today by the various Linux distributions as soon as possible.
Finding Samba with Tripwire Enterprise
Tripwire Enterprise customers can identify which systems in their environment are running vulnerable Samba versions by creating rules and policies using command output capture rules (COCR). Here is a zip file with both policy and rule files for a basic COCR that you can import and run on your Linux groups to identify which systems are running Samba: CVE-2015-0240 COCR Rule & Policies (ZIP)
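An added example, not part of the original post and not the contents of the Tripwire ZIP: a shell script of the kind a command output capture rule could run on each Linux host to report whether smbd is present, its version, and whether it is running. The function names and the two fallback smbd paths are assumptions; the script reports what is installed and leaves the vulnerable-or-patched decision to a comparison against the distribution's advisory.

```shell
#!/bin/sh
# Added example: prints stable key=value lines describing the local Samba install.

# Pull the version token out of `smbd -V` output, e.g. "Version 4.1.6-Ubuntu".
parse_smbd_version() {
    printf '%s\n' "$1" | sed -n 's/^Version[[:space:]]*\([^[:space:]]*\).*/\1/p' | head -n 1
}

# Locate smbd even when the sbin directories are not on the caller's PATH.
# The two fallback paths are assumptions about common install locations.
find_smbd() {
    for p in "$(command -v smbd 2>/dev/null || true)" /usr/sbin/smbd /usr/local/samba/sbin/smbd; do
        if [ -n "$p" ] && [ -x "$p" ]; then
            printf '%s\n' "$p"
            return 0
        fi
    done
    return 0
}

# Distributions backport fixes without changing the upstream version number,
# so report the package version and release as well.
samba_package_version() {
    if command -v rpm >/dev/null 2>&1 && rpm -q samba >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}-%{RELEASE}\n' samba
    elif command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Version}\n' samba 2>/dev/null || true
    fi
}

samba_inventory() {
    smbd_bin=$(find_smbd)
    if [ -z "$smbd_bin" ]; then
        echo "smbd_present=no"
        return 0
    fi
    echo "smbd_present=yes"
    echo "smbd_path=$smbd_bin"
    echo "smbd_version=$(parse_smbd_version "$("$smbd_bin" -V 2>/dev/null || true)")"
    echo "package_version=$(samba_package_version)"
    if pgrep -x smbd >/dev/null 2>&1; then
        echo "smbd_running=yes"
    else
        echo "smbd_running=no"
    fi
}

samba_inventory
```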
Future Strategies for High Impact Vulnerabilities
Red Hat has given this vulnerability a CVSS score of 7.9. Although it is not as severe or widespread as other vulnerabilities we have seen, such as Heartbleed and Shellshock, it is another example of high-impact vulnerabilities becoming more frequent, with varying degrees of severity. We will be providing a free educational webcast, "Are You Prepared for More High-Impact Vulnerabilities?", on March 12 at 11AM PST. The webcast will cover strategies organizations can implement today to mitigate risk and develop a rapid response plan around high-impact vulnerabilities. Learn to quickly detect and remediate vulnerabilities in your environment, as well as identify and contain systems that may have been compromised during the breach-to-detection gap. Register Here.