With all of the press the WannaCry ransomware exploit received last month, you might be excused for thinking that by now everyone would have battened down the hatches and locked down potentially dangerous ports — at least those that are vulnerable to this exploit. According to two separate reports, that’s not the case. And while it’s true that many of the vulnerable devices are in the hands of consumers who don’t know any better, it’s a good bet that the majority are servers running in data centers, under the care of sysadmins who should know better.
Last week, security firm Rapid7 issued its annual National Exposure Index report, the result of scans of over 3 billion IP-addressable, public internet devices, checking for exposed services on 30 different ports. It found 160 million devices with open ports that generally shouldn’t be exposed to the internet. For file-sharing SMB port 445, the port associated with WannaCry, it found 5.5 million devices operating with the port exposed. About 800,000 of those were Windows systems — meaning they’re directly vulnerable to the cryptoworm that targets Windows machines. Oddly, given the WannaCry panic, this is a higher number than last year, when Rapid7 found only 4.6 million devices running with port 445 open.
This follows another set of numbers released last week by John Matherly, the founder of the Shodan search engine, which allows users to search the internet by device type. He reported finding more than 2,300,000 online devices with open SMB ports. More disturbingly, 42 percent of these — almost 970,000 devices — were configured for “guest access,” making the data shared by way of the SMB file-sharing protocol available to anyone, with no authentication required. This also makes them vulnerable to simpler exploits than WannaCry.
Of the devices running with guest access enabled, Matherly said 90 percent were running Samba, the Linux file-sharing application that enables Linux servers to interface with Windows clients. In both Windows and Samba, guest access is disabled by default, meaning admins have intentionally enabled the feature. Half of those were located on the network of Etisalat, a UAE-based ISP that operates in 17 countries across Asia, the Middle East and Africa, which Matherly sees as good news, but only because they’re confined to a single network.
Although the Linux machines running Samba can’t be targeted by EternalBlue, the exploit believed to have been developed by the NSA upon which WannaCry is based, they’re not entirely safe either. Since late May, all versions of Samba released since 2010 have been vulnerable to an exploit called SambaCry in which a hacker can upload a shared library to a writable share and then cause the server to load and execute it.
There are now patched versions of Samba available to deal with the SambaCry exploit, but with everything else going on, it’s likely that a considerable number of vulnerable Samba instances are still running.
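The two Samba risk factors in the passages above are both visible in a server's own smb.conf: guest access (`guest ok`/`public`, and `map to guest` in `[global]`) and shares that are writable (`writable`/`writeable`, or `read only = no`). The following audit script is an added example, not code from the article or from the Samba project. It parses smb.conf the way smbd reads it (comments, indentation, case-insensitive keys, last synonym wins), flags guest-accessible and writable shares, and notes when `nt pipe support` is still at its default. That last check relies on a fact not stated in the article: the Samba project's published workaround for the library-loading flaw was `nt pipe support = no` in `[global]`, which is not a substitute for upgrading. The sample configuration is constructed for the demonstration.

```python
"""Audit an smb.conf for guest-accessible and writable shares (added example)."""
import re
import sys
from collections import OrderedDict

# Boolean spellings Samba accepts, case-insensitive.
_TRUE = {"yes", "true", "1", "on"}
_FALSE = {"no", "false", "0", "off"}

# Constructed sample smb.conf; not taken from any real host.
SAMPLE_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   server string = constructed sample
   ; failed logins fall through to the guest account
   map to guest = Bad User

[public]
   path = /srv/samba/public
   guest ok = yes
   read only = no

[scratch]
   path = /srv/samba/scratch
   read only = yes
   ; later synonym wins, as in smbd
   writable = yes

[docs]
   path = /srv/samba/docs
   public = yes

[homes]
   browseable = no
   read only = yes
"""


def parse_smb_conf(text):
    """Return {section: {option: value}} with options in file order.

    Handles '#' and ';' comment lines, arbitrary indentation, and option
    names containing spaces ("guest ok"); names are lower-cased and
    whitespace-normalised. A repeated option overrides the earlier one.
    """
    sections = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip()
            sections.setdefault(current, OrderedDict())
            continue
        if current is None or "=" not in line:
            continue  # stray line outside any section; smbd would reject it
        key, _, value = line.partition("=")
        sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def _as_bool(value, default):
    """Interpret a Samba boolean; unknown spellings fall back to the default."""
    if value is None:
        return default
    v = value.strip().lower()
    return True if v in _TRUE else False if v in _FALSE else default


def share_is_guest_ok(opts):
    """'guest ok' and its synonym 'public'; default no; last one wins."""
    guest = False
    for key, value in opts.items():
        if key in ("guest ok", "public"):
            guest = _as_bool(value, False)
    return guest


def share_is_writable(opts):
    """'writable'/'writeable' = yes or 'read only' = no; default read only."""
    writable = False
    for key, value in opts.items():
        if key in ("writable", "writeable"):
            writable = _as_bool(value, False)
        elif key == "read only":
            writable = not _as_bool(value, True)
    return writable


def audit_smb_conf(text):
    """Return a list of (severity, section, message) findings."""
    conf = parse_smb_conf(text)
    findings = []
    glob = conf.get("global", {})
    mtg = glob.get("map to guest", "Never")
    if mtg.lower() != "never":
        findings.append(("warn", "global",
                         "map to guest = %s: unauthenticated sessions get the guest account" % mtg))
    if _as_bool(glob.get("nt pipe support"), True):
        findings.append(("info", "global",
                         "nt pipe support at default (yes); 'no' was the published workaround, patching is the fix"))
    for name, opts in conf.items():
        if name.lower() == "global":
            continue
        guest, writable = share_is_guest_ok(opts), share_is_writable(opts)
        if guest and writable:
            findings.append(("crit", name, "guest-accessible AND writable: anyone can read and plant files"))
        elif guest:
            findings.append(("warn", name, "guest-accessible: readable with no authentication"))
        elif writable:
            findings.append(("info", name, "writable by authenticated users"))
    return findings


if __name__ == "__main__":
    # Usage: audit_smb.py [/etc/samba/smb.conf]; without a path the sample is audited.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SMB_CONF
    for severity, section, message in audit_smb_conf(text):
        print("%-4s [%s] %s" % (severity, section, message))
```

Run it against the real file on each Samba host (or push it through configuration management) and treat any `crit` line as an anonymous, writable share reachable by whoever can reach port 445; the `[global]` findings explain why guest access is on at all. The parser ignores `include =` directives and `%`-macros, so a configuration that relies on those needs `testparm -s` output fed in instead.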
If I ran a data center, I think I’d be sending a security advisory out to my customers right about now. Obviously, not everyone is paying attention.