SMBLoris: Remote Denial-of-Service Against Samba

Created Date: August 7, 2017, 11:45
Updated July 5, 2023, 08:39 - No translations currently exist.
Resolved Status

Red Hat Product Security has been made aware of a vulnerability affecting the versions of Samba package shipped with Red Hat Enterprise Linux and Red Hat Gluster Storage. The vulnerability has not been assigned a CVE yet and is being named as SMBLoris.  This issue was publicly disclosed on 3-Aug-2017 and has been rated as Moderate.

Background Information

Samba is the suite of programs that allow machines to share files, printers, and other information.  This package provides an SMB/CIFS server that can provide network services to SMB/CIFS clients.

SMBLoris is a remote denial-of-service attack that exploits a flaw in the Server Message Block (SMB) network protocol implementation. The attack causes Samba servers to allocate large amounts of memory, which ultimately leads to OOM (Out-Of-Memory) conditions.

Red Hat Product Security has rated this vulnerability as having a security impact of Moderate.

Impacted Products

The following Red Hat product versions are impacted:

  • Red Hat Enterprise Linux (all versions)
  • Red Hat Gluster Storage

Attack Description and Impact

SMBLoris is a remote denial-of-service attack that exploits a flaw in the Server Message Block (SMB) network protocol implementation. The attack causes Samba servers to allocate large amounts of memory which ultimately leads to OOM (Out-Of-Memory) conditions.

Diagnose your vulnerability

Determine if your system is vulnerable

Use the detection script below to determine if your system is currently vulnerable to this flaw.  To verify the legitimacy of the script, you can download the detached GPG signature as well.  The current version of the script is 1.0.

Download Detection Script

Take Action

There is currently no upstream fix for this issue. The Red Hat Product Security Team advises customers to use the Mitigation provided to resolve this security flaw. If an appropriate upstream patch is available, this issue shall be revisited.


Updates for Affected Products

Product
PackageAdvisory/Update
Red Hat Enterprise Linux 6samba4None
Red Hat Enterprise Linux 6sambaNone
Red Hat Enterprise Linux 7sambaNone
Red Hat Gluster Storage 3.2sambaNone


Mitigation

  • Using the following mitigation (in /etc/samba/smb.conf) can effectively stop the attack:
max smbd processes (G)

    This parameter limits the maximum number of smbd(8) processes concurrently
    running on a system and is intended as a stopgap to prevent degrading
    service to clients in the event that the server has insufficient resources
    to handle more than this number of connections. Remember that under normal
    operating conditions, each user will have an smbd(8) associated with him or
    her to handle connections to all shares from a given host.

        Default: max smbd processes = 0

        Example: max smbd processes = 1000


  • Limit the exposure of TCP port 445 to only include trusted networks and exclude all untrusted networks.

Ansible Playbook

An Ansible playbook is available.  This playbook will set a value for the max smbd processes configuration parameter.  You will be prompted for a value to use for this setting. The playbook will then reconfigure and reload the Samba service if the service was running or enabled.

The playbook runs against a variable named HOSTS, and can be invoked as follows (assuming 'hostname' is defined in your inventory file):

# ansible-playbook -e HOSTS=hostname smbloris_mitigation.yml

Comments