Please be aware there is a Samba remote code execution vulnerability that has been published today in Metasploit and mass exploitation is likely to follow or be used to self-propagate in the form of a worm.

The vulnerability affects all versions of Samba over the past 7 years, the open source Unix/Linux implementation of the Microsoft File and Print Sharing service, and a patch was released yesterday.

The vulnerability is triggered by connecting to a writeable file share (it can be abused as an anonymous user or with credentials) then uploading a Unix .so shared object file which is then executed on the server.

Many Linux and Unix based operating systems are vulnerable, as are products like NAS (Network Attached Storage) file servers such as Synology, mediacentres and modems etc.

CVE-2017-7494 has been assigned to this issue and reports indicate over 100,000 internet accessible systems are currently vulnerable.
​
If you are unable to patch immediately, the vulnerable feature can be disabled by setting the 'nt pipe support = no' directive within the /etc/samba/smb.conf file and restarting the service.

The words ‘Security’ and ‘Cheap’ often instantly arouse suspicion. It will quickly make people question if the product/service being advertised really will secure their assets, as needed. This article however, is not trying to necessarily sell any product, but more just to give advice on what companies can do to mitigate threats to their organisation no matter their financial state.

User Level Security:
For years good practices have been talked about and encouraged in organisations; however, in reality people still don’t follow these recommendations. The best example of this is passwords. Passwords are difficult enough to remember when they’re just a passphrase with a 1 on the end, so when it comes to a random series of different numbers, letters, upper and lower-case characters, it becomes almost impossible to remember. So what is the next logical solution? To write the password down on a sticky note on your computer. All this has done is changed the threat from IT Security to Physical Security. The recommendation for this would be a password vault stored on the user’s computer such as LastPass or KeePass, so that you can store passwords without having to write them down. Be careful to keep an eye out for the latest threats to these programs, and keep them regularly updated, to minimise threats.

Hire a Professional:
This immediately sounds expensive, as industry rates can range from $2000 - $4000 per day. But keep an eye out as there are other companies around that offer competitive rates to this, and still offer a quality service. Using existing IT Staff to look for issues is not as ideal as hiring a Security Expert, but it is definitely not a bad idea. Asking IT Staff to keep systems updated, to shutdown unused ports, and to monitor traffic are all good methods of this.

Software:
Not all good software is expensive. In fact a lot of good open-source security tools can be found online, and installed on a variety of operating systems. If Linux is not an issue to use Kali Linux by Offensive Security, and the Security Onion are great Linux distributions, containing collections of useful open-source security software. Kali Linux comes with lots of software geared at testing security by attempting to break it, while the Security Onion comes with software geared at monitoring and detecting such behaviour.

These are just some of the ways you can mitigate threats to your organisation, no matter the size or the budget. Security is not for the rich, it’s for whoever desires it, and is willing to take steps to improve the security for themselves, or for their organisation.

By default the Play! Framework web service will disclose the version number used which can aid an attacker in conducting targeted attacks using known vulnerabilities.

To hide the version number, modify the conf/application.conf file and set the directive http.exposePlayServer to equal ‘false’.

The HTTP Strict-Transport-Security standard (HSTS) is a HTTP server header sent by SSL/TLS enabled websites to prevent communication over HTTP in order to protect content and authentication cookies from interception or alteration.

To enable this header on the nginx web server, modify the nginx.conf file. Within the server block, find and edit the location block and set the "add_header" directive with a value of e.g. Strict-Transport-Security "max-age=31536000"; (for 365 days).

E.g:

server {
 location / {
  add_header Strict-Transport-Security "max-age=31536000";
​ }
​}

Dear clients,

This is a quick email to alert you about a newly disclosed vulnerability that affects all Microsoft operating systems from Windows 7 to Server 2016.

The vulnerability is present within the Malware Protection engine that runs as the SYSTEM superuser.
The detailed vulnerability report by the Google Security team is now public with proof of concept code. To summarise, the vulnerability results in remote code execution and can be triggered on any system which scans a vulnerability triggering text string or file.
Exploitation scenarios include:

• Exchange receiving an incoming or outgoing email.
• Reading an email on a desktop.
• Visiting a website.
• The malicious file being uploaded to a server (such as Sharepoint, FTP, IIS webserver or network File Share)
• Opening the file or saving it to disk.

Products affected include:

• Microsoft Forefront Endpoint Protection 2010
• Microsoft Endpoint Protection
• Microsoft Forefront Security for SharePoint Service Pack 3
• Microsoft System Center Endpoint Protection
• Microsoft Security Essentials
• Windows Defender for Windows 7
• Windows Defender for Windows 8.1
• Windows Defender for Windows RT 8.1
• Windows Defender for Windows 10, Windows 10 1511, Windows 10 1607, Windows Server 2016, Windows 10 1703
• Windows Intune Endpoint Protection

Microsoft has released Security Update for Microsoft Malware Protection Engine to address this issue.

Ensure the Microsoft Malware Protection Engine is able to receive the latest updates and threat definitions to resolve this issue.
​
It is also worth mentioning that another Microsoft vulnerability has been found by the Google Security team which has not yet been made public or patched. The issue is rumoured to affect all versions of Microsoft Windows and is remotely exploitable and wormable and may affect the TCP/IP implementation which would also bypass the Windows firewall.
We will send another alert when details become public.