Skip navigation
Despite WannaCry, Open SMB Ports Persist

Despite WannaCry, Open SMB Ports Persist

Even after WannCry wrecked havoc last month, there are millions of public facing open SMB ports.

If I didn't already know better, with all the press the WannaCry ransomware received last month, I would've thought that by now everyone would have battened down the hatches and locked down potentially dangerous ports -- at least those vulnerable to the malware of the hour, even if it has already been patched. According to two separate reports, that's not the case. While it's true that many of the vulnerable devices are in the hands of consumers who might be forgiven for their ignorance, it's a good bet that the majority are servers running in data centers, whether on premise or in a carrier hotel.

On Wednesday, security firm Rapid7 issued its annual National Exposure Index report, the result of scans of over three billion IP-addressable, public internet devices, checking for exposed services on 30 different ports. It found 160 million devices with open ports that shouldn't be exposed to the internet according to accepted best practices. For file-sharing SMB port 445, the port associated with WannaCry, it found 5.5 million devices with the port exposed. About 800,000 of those were on Windows systems -- meaning they're directly vulnerable to the cryptoworm.

Apparently somebody -- or many somebodies -- are not paying attention. In last year's report, before all of the WannaCry brouhaha, only 4.6 million connected devices had port 445 open.

This follows another metric released last week from John Matherly, the founder the Shodan search engine that collects data by device type. He found more than 2,300,000 internet connected devices with open SMB ports. More disturbingly, 42 percent of these -- or almost 970,000 devices -- are configured for "guest access," which means the data shared by way of the SMB file-sharing protocol is available to anyone, with no authentication required. In both Windows and Samba, guest access is disabled by default, meaning admins have intentionally enabled the feature. Go figure.

While some solace might be found in the fact that there are patches available to stop WannaCry, best security practices would dictate putting controls in place on the malware's way inside -- just in case. And I figure it's a dollars-to-doughnuts bet that with these ports standing wide open, that in most cases the patches haven't been applied either.

According to Matherly, of the devices running with guest access enabled, 90 percent are running Samba, the Linux file-sharing application that enables Linux servers to interface with Windows clients. The good news here, maybe, is that half of those are located on the network of Etisalat, a UAE-based provider that operates in 17 countries across Asia, the Middle East and Africa. Matherly evidently sees this as a good thing, because at least they're all on a single network and the fault probably lies with the company's administrators. I'm not convinced this is necessarily a plus.

Although the Linux machines running Samba can't be targeted by EternalBlue, the exploit believed to have been developed by the NSA upon which WannaCry is based, they're not necessarily safe either. Since late May, Samba with open SMB ports has been known to be vulnerable to an exploit called SambaCry in which a hacker can upload a shared library to a writable share, and then cause the server to load and execute it. That exploit has also been patched, but again, with everything else going on I wouldn't bet there aren't a considerable number of vulnerable Samba instances still running.

Sadly, there's nothing new here. You might remember that in January there was a big ransomware attack against public facing instances of MongoDB which eventually spread to include include Hadoop and CouchDB installations. The attack against Mongo was made possible because the database had shipped with a default setting that made it publicly available with no password needed. Sound familiar? Although the developers had fixed that problem two years earlier, there were still enough older instances running with the default setting that, the last time I counted, 34,000 MongoDB servers were hit.

Unfortunately, improperly secured devices -- even servers -- is only business as usual, and as large as the numbers cited here are, they're not really as large as they seem. Given the scope of the internet, even if we look at only servers, a number as large as a couple of million is still just a drop in the bucket. A quick Google reveals that in 2014 there were an estimated 75 million servers online -- a number that's guaranteed to have grown tremendously since then.

All this means is that there's a small percentage of organizations or people who either just aren't paying attention, don't really understand the situation, or don't have the skills necessary to keep their devices secure. While it's true that they make the internet less secure for everyone, I don't think there's anything that can be done about that.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.