- May 26, 2017 /
- by Paul Choo
In May 2017, the WannaCry ransomware cryptoworm tore through exposed systems in over 60 countries. The attack started on May 12 and spread rapidly over the next four days, exploiting a vulnerability in Microsoft's implementation of the Server Message Block (SMB) protocol. WannaCry sadly lived up to its name: hospitals, businesses, metro stations, universities, operators, and other organizations were brought to their knees, cut off from their important shared documents and files.
The situation was so critical that Microsoft released an emergency security update for versions of Windows that no longer receive mainstream support. Thanks to the swift action of Microsoft and cybersecurity experts around the world, the spread of WannaCry had trickled off by May 16.
WannaCry wasn’t inevitable – it was preventable
The interesting thing is, the attack was entirely preventable. Firstly, Microsoft had released a security update (MS17-010, in March 2017) a few months before the attack to address the flaw WannaCry exploited. Those who had installed this update were protected. Secondly, WannaCry (and the similar Petya attack in June 2017) targeted a vulnerability found in a legacy version of the protocol, SMB1. And according to Microsoft, SMB1 is not safe. In fact, Microsoft's own Ned Pyle wrote an entire blog post back in September 2016 begging people to stop using it!
Mr. Pyle wrote his blog post in connection with Microsoft Security Bulletin MS16-114, released September 2016. The bulletin detailed a vulnerability which “could allow remote code execution if an authenticated attacker sends specially crafted packets to an affected Microsoft Server Message Block 1.0 (SMB1) Server…The potential impact is denial of service.”
This vulnerability was discovered and reported to Microsoft by Tuxera software engineers Oleg Kravtsov and Alexander Ovchinnikov. They stumbled upon the flaw while developing and testing our proprietary SMB server implementation, Tuxera SMB. The vulnerability was serious enough that Microsoft released a security update to fix it, the first such fix to SMB1 since 2011, while simultaneously imploring people to disable SMB1 altogether. Since the discovery by our engineers, 21 patches have been made to SMB1, compared to 12 in all the years preceding our discovery.
Although the vulnerability we uncovered was not directly related to the WannaCry attack (that one used the EternalBlue exploit against a different SMB1 flaw, the one patched in MS17-010), it shows that Microsoft had already declared SMB1 insecure. WannaCry would not have become such a large-scale problem had people simply stopped using SMB1 in favor of the latest and most secure version, SMB3. This raises the question: why is SMB1 still in use?
Skirting the legal ambiguity of GPLv3
A big reason is that outdated versions of Samba, the open-source SMB server implementation, are used inside embedded devices such as routers. These older versions of Samba only support SMB1. Interestingly enough, there are newer Samba versions that support SMB3, the most secure version of the protocol (SMB2 support arrived in Samba 3.6 and SMB3 in the 4.x series). But using these latest Samba versions has a catch: Samba switched to the GNU General Public License Version 3 (GPLv3) with release 3.2, so every version that speaks SMB2 or SMB3 is licensed under GPLv3.
The "anti-tivoization" and patent license clauses of GPLv3 are often major concerns for hardware vendors. They want to avoid exposing their products and intellectual property to the ambiguities surrounding the legal interpretation of the GPLv3 license. Thus, hardware manufacturers choose older versions of Samba (the 3.0.x line), which are not licensed under GPLv3. In turn, these versions only support SMB1, which leads us to the crux of the issue.
These outdated Samba versions not only lack critical security features such as signing on every dialect, encryption, and pre-authentication integrity; they also come with an additional risk. If Microsoft were to completely disable SMB1 in Windows, most common embedded devices, such as printers and home network-attached storage (NAS) boxes, would simply disappear from your network. Embedded device manufacturers are aware of this problem, but some stick with SMB1 rather than upgrade to newer versions of Samba because of the GPLv3 license.
What should they choose: stay on the sinking SMB1 ship, or accept the GPLv3 license terms? This is a question our customers often face. And it is the reason we offer them an easy-to-adopt, secure alternative to Samba with no legal ambiguity: Tuxera SMB.