SMBLoris: Remote Denial-of-Service Against Samba
Was this information helpful?
Red Hat Product Security has been made aware of a vulnerability affecting the versions of Samba package shipped with Red Hat Enterprise Linux and Red Hat Gluster Storage. The vulnerability has not been assigned a CVE yet and is being named as SMBLoris. This issue was publicly disclosed on 3-Aug-2017 and has been rated as Moderate.
Background Information
Samba is the suite of programs that allow machines to share files, printers, and other information. This package provides an SMB/CIFS server that can provide network services to SMB/CIFS clients.
SMBLoris is a remote denial-of-service attack that exploits a flaw in the Server Message Block (SMB) network protocol implementation. The attack causes Samba servers to allocate large amounts of memory, which ultimately leads to OOM (Out-Of-Memory) conditions.
Red Hat Product Security has rated this vulnerability as having a security impact of Moderate.
Impacted Products
The following Red Hat product versions are impacted:
- Red Hat Enterprise Linux (all versions)
- Red Hat Gluster Storage
Attack Description and Impact
SMBLoris is a remote denial-of-service attack that exploits a flaw in the Server Message Block (SMB) network protocol implementation. The attack causes Samba servers to allocate large amounts of memory which ultimately leads to OOM (Out-Of-Memory) conditions.
Diagnose your vulnerability
Take Action
There is currently no upstream fix for this issue. The Red Hat Product Security Team advises customers to use the Mitigation provided to resolve this security flaw. If an appropriate upstream patch is available, this issue shall be revisited.
Updates for Affected Products
Product | Package | Advisory/Update |
---|---|---|
Red Hat Enterprise Linux 6 | samba4 | None |
Red Hat Enterprise Linux 6 | samba | None |
Red Hat Enterprise Linux 7 | samba | None |
Red Hat Gluster Storage 3.2 | samba | None |
Mitigation
- Using the following mitigation (in /etc/samba/smb.conf) can effectively stop the attack:
max smbd processes (G) This parameter limits the maximum number of smbd(8) processes concurrently running on a system and is intended as a stopgap to prevent degrading service to clients in the event that the server has insufficient resources to handle more than this number of connections. Remember that under normal operating conditions, each user will have an smbd(8) associated with him or her to handle connections to all shares from a given host. Default: max smbd processes = 0 Example: max smbd processes = 1000
- Limit the exposure of TCP port 445 to only include trusted networks and exclude all untrusted networks.
Ansible Playbook
An Ansible playbook is available. This playbook will set a value for the max smbd processes configuration parameter. You will be prompted for a value to use for this setting. The playbook will then reconfigure and reload the Samba service if the service was running or enabled.
The playbook runs against a variable named HOSTS, and can be invoked as follows (assuming 'hostname' is defined in your inventory file):
# ansible-playbook -e HOSTS=hostname smbloris_mitigation.yml
Comments