SMBLoris: Remote Denial-of-Service Against Samba


Red Hat Product Security has been made aware of a vulnerability affecting the versions of the Samba package shipped with Red Hat Enterprise Linux and Red Hat Gluster Storage. The vulnerability has not yet been assigned a CVE and has been named SMBLoris. This issue was publicly disclosed on 3-Aug-2017 and has been rated as Moderate.

Background Information

Samba is the suite of programs that allow machines to share files, printers, and other information. This package provides an SMB/CIFS server that can provide network services to SMB/CIFS clients.

SMBLoris is a remote denial-of-service attack that exploits a flaw in the Server Message Block (SMB) network protocol implementation. The attack causes Samba servers to allocate large amounts of memory, which ultimately leads to OOM (Out-Of-Memory) conditions.

Red Hat Product Security has rated this vulnerability as having a security impact of Moderate.

Impacted Products

The following Red Hat product versions are impacted:

  • Red Hat Enterprise Linux (all versions)
  • Red Hat Gluster Storage

Attack Description and Impact

SMBLoris is a remote denial-of-service attack that exploits a flaw in the Server Message Block (SMB) network protocol implementation. The attack causes Samba servers to allocate large amounts of memory, which ultimately leads to OOM (Out-Of-Memory) conditions.

Diagnose your vulnerability

Determine if your system is vulnerable

Use the detection script below to determine whether your system is currently vulnerable to this flaw. To verify the legitimacy of the script, you can also download its detached GPG signature. The current version of the script is 1.0.

Take Action

There is currently no upstream patch for this issue. The Red Hat Product Security Team advises customers to apply the mitigation provided below to address this security flaw. When an appropriate upstream patch becomes available, this issue will be revisited.


Updates for Affected Products

Product                        Package    Advisory/Update
Red Hat Enterprise Linux 6     samba4     Pending
Red Hat Enterprise Linux 6     samba      Pending
Red Hat Enterprise Linux 7     samba      Pending
Red Hat Gluster Storage 3.2    samba      Pending


Mitigation

  • Setting the following parameter in /etc/samba/smb.conf can effectively stop the attack:
max smbd processes (G)

    This parameter limits the maximum number of smbd(8) processes concurrently
    running on a system and is intended as a stopgap to prevent degrading
    service to clients in the event that the server has insufficient resources
    to handle more than this number of connections. Remember that under normal
    operating conditions, each user will have an smbd(8) associated with him or
    her to handle connections to all shares from a given host.

        Default: max smbd processes = 0

        Example: max smbd processes = 1000


  • Limit the exposure of TCP port 445 to only include trusted networks and exclude all untrusted networks.
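A way to audit whether the first mitigation is actually in effect on a host, as an added example that is not Red Hat's detection script and not part of the original advisory: it parses smb.conf the way Samba reads parameter names (case-insensitive, whitespace ignored, global-only parameter) and reports the effective limit. The sample configurations are constructed for the example.

```python
import re

def _norm_key(key: str) -> str:
    # Samba matches parameter names case-insensitively and ignores whitespace,
    # so "Max SMBD Processes" and "maxsmbdprocesses" name the same parameter.
    return re.sub(r"\s+", "", key).lower()

def parse_smb_conf(text: str) -> dict:
    """Parse smb.conf text into {section: {normalized key: value}}.
    Handles '#' / ';' comment lines and [section] headers; an 'include ='
    directive is recorded as a plain key and is not followed."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()   # section names are case-insensitive
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][_norm_key(key)] = value.strip()
    return sections

def max_smbd_processes(text: str) -> int:
    """Effective 'max smbd processes': only [global] counts (it is a (G)
    parameter); absent or unparsable means Samba's default of 0 = no limit."""
    value = parse_smb_conf(text).get("global", {}).get("maxsmbdprocesses", "0")
    return int(value) if value.isdigit() else 0

def is_mitigated(text: str) -> bool:
    # Any positive limit caps the number of smbd processes an attacker can force.
    return max_smbd_processes(text) > 0

# Constructed sample configurations, not taken from any real host.
UNMITIGATED = """
[global]
    workgroup = SAMBA
    security = user
"""
MITIGATED = """
; constructed sample with the limit applied in [global]
[Global]
    workgroup = SAMBA
    Max SMBD Processes = 1000
[homes]
    browseable = No
"""
```

Running `max_smbd_processes(open("/etc/samba/smb.conf").read())` on a host returns 0 until the mitigation is in place.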

Ansible Playbook

An Ansible playbook is available. This playbook sets a value for the max smbd processes configuration parameter; you will be prompted for the value to use. The playbook then reconfigures and reloads the Samba service if the service was running or enabled.

The playbook runs against a variable named HOSTS, and can be invoked as follows (assuming 'hostname' is defined in your inventory file):

# ansible-playbook -e HOSTS=hostname smbloris_mitigation.yml