Newsletter #1

We have been working on the ONYPHE portal to bring new additions.

One is the preparation of the commercial launch of the service, along with the user API; the other is the addition of an abuse field for some categories of data.

The pricing model will be disclosed at a later time, when we are ready to launch the commercial service.


1. Abuse email address field added to inetnum category

Following a request from a user of the service, we have added the extraction of abuse email addresses from RIR data (RIPE, for instance). You will be able to look up abuse email addresses for a given IP address. The field’s name is “abuse”.

Example: https://www.onyphe.io/search/?query=217.139.151.65

Of course, this field is now available from the inetnum API. It may contain multiple addresses, so expect it to be multi-valued.
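Because the field can be absent, a single string or a list depending on the RIR record, client code should normalize it before use. The following is an added example, not ONYPHE's own code: the response shape (a top-level "results" list of records carrying "ip" and "abuse") and the sample values are assumptions constructed for illustration.

```python
import json
import re

# Constructed inetnum-style response (not real ONYPHE output). The article only
# states that the "abuse" field is multi-valued; the surrounding JSON layout is
# an assumption made for this example.
SAMPLE_RESPONSE = json.dumps({
    "results": [
        {"ip": "192.0.2.1", "netname": "EXAMPLE-NET",
         "abuse": ["abuse@example.net", "Abuse@example.net", "noc@example.net"]},
        {"ip": "192.0.2.2", "netname": "EXAMPLE-SINGLE", "abuse": "abuse@example.org"},
        {"ip": "192.0.2.3", "netname": "EXAMPLE-NONE"},
    ]
})

# Loose sanity check: one '@', no whitespace, a dot in the domain part.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def abuse_contacts(record):
    """Return the abuse addresses of one record as a de-duplicated,
    lower-cased list, whatever shape the field arrives in:
    absent -> [], single string -> [string], list -> list."""
    raw = record.get("abuse")
    if raw is None:
        values = []
    elif isinstance(raw, str):
        values = [raw]
    else:
        values = list(raw)

    seen, out = set(), []
    for value in values:
        value = value.strip().lower()
        # Drop malformed entries and case-only duplicates so that downstream
        # notification tooling never mails the same contact twice.
        if EMAIL_RE.match(value) and value not in seen:
            seen.add(value)
            out.append(value)
    return out


def abuse_by_ip(response_text):
    """Map each IP in an inetnum response to its normalized abuse contacts."""
    data = json.loads(response_text)
    return {rec["ip"]: abuse_contacts(rec) for rec in data.get("results", [])}


if __name__ == "__main__":
    for ip, contacts in abuse_by_ip(SAMPLE_RESPONSE).items():
        print(ip, contacts or "(no abuse contact)")
```

The same normalization applies to any other multi-valued field: treat "missing", "one value" and "several values" as three cases up front rather than discovering the list case in production.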

Should you have requests for addition, you can reach us at support[at]onyphe.io


2. Limitation of the number of requests

We are working on the capability to sell the service, and before we go to market, we have to be able to limit the number of queries a user can make on a monthly basis.

For now, it is set to 0, meaning it is still unlimited. We will activate the limitation on the number of queries when we are ready to launch the commercial service.


3. New API: user

The user API gives you information about your user account. For instance, you will be able to make a free query to find out how many credits remain.

The field giving this information is named “credits”. More information about this new API is available at the documentation page.


Conclusion

You can test the service for free: just register to get access to your free API key and receive updates via our newsletter:

https://www.onyphe.io/login/#register

Samba Internet Exposure

Back in November 2017, a number of security vulnerabilities were disclosed impacting numerous versions of the Samba software. CVE-2017-14746 is a use-after-free issue, while CVE-2017-15275 leads to a memory leak vulnerability. The former impacts all Samba versions starting from 4.0.0, while the latter affects all versions starting from 3.6.0. Now, the question we may ask is: how many of these affected products can be reached from the Internet?

Samba Exposure

This question is important because, if successfully exploited, these issues may lead to the compromise of affected devices with, as a potential result, new hosts joining yet-another-botnet. By performing a simple search on ONYPHE with the string “samba”, we find around 1 million results.

The next obvious question is now: how many of these hits are using a vulnerable version of Samba? By querying for the TOP 10 versions of Samba, we obtain the following results:

80% of the TOP 10 versions are vulnerable versions of Samba. That means a little more than 37,000 devices may be at risk of compromise.

Note: these results were collected at the end of November 2017.

We were specifically searching for Samba 3.6.x and 4.x. Now, those versions may not be the most prevalent on the Internet, so what about querying for the most seen results for a Samba query to list available shares? We can do that by querying for TOP 10 MD5 sums performed against collected banners.

Our results show that only two MD5 sums account for roughly 600,000 devices. For instance, if you query one of these sums, you will find more than 300,000 results:

https://www.onyphe.io/search/?query=2e01cb540184e4f68b756c839b217822

In fact, if you check for distinct IP addresses resulting from those two hashes, you will find around 300,000 unique addresses. That’s because those devices are exposing Samba through both ports 139/tcp and 445/tcp.
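The three steps above (rank versions, compare them against the affected ranges, fingerprint banners by MD5 and then count distinct IPs rather than hits) are easy to get wrong in a one-off script, in particular the last one, where a host answering on both 139/tcp and 445/tcp doubles the count. The following is an added example written for this post, not ONYPHE's code or output: the hit records and banner strings are constructed, and only the lower bounds the article gives for the two CVEs are encoded, so a real check would still need to exclude the patched releases.

```python
import hashlib
import re
from collections import Counter

# Constructed sample of search hits (not real ONYPHE data): one record per
# (ip, port) observation, mirroring hosts that expose Samba on 139 and 445.
SAMPLE_HITS = [
    {"ip": "203.0.113.10", "port": 139, "banner": "Samba 3.2.15 Workgroup WORKGROUP"},
    {"ip": "203.0.113.10", "port": 445, "banner": "Samba 3.2.15 Workgroup WORKGROUP"},
    {"ip": "203.0.113.11", "port": 139, "banner": "Samba 3.2.15 Workgroup WORKGROUP"},
    {"ip": "203.0.113.11", "port": 445, "banner": "Samba 3.2.15 Workgroup WORKGROUP"},
    {"ip": "198.51.100.5", "port": 445, "banner": "Samba 4.1.6-Ubuntu Workgroup HOME"},
    {"ip": "198.51.100.6", "port": 445, "banner": "Samba 3.6.23 Workgroup NAS"},
    {"ip": "198.51.100.7", "port": 139, "banner": "Samba 3.5.6 Workgroup OLD"},
]

# Affected ranges exactly as the article states them: lower bounds only.
# Releases that later shipped fixes are NOT excluded here (assumption-free,
# but incomplete for a production check).
CVE_LOWER_BOUNDS = {
    "CVE-2017-14746": (4, 0, 0),   # use-after-free
    "CVE-2017-15275": (3, 6, 0),   # memory leak
}

VERSION_RE = re.compile(r"Samba (\d+)\.(\d+)\.(\d+)")


def parse_version(banner):
    """Return (major, minor, patch) from a 'Samba X.Y.Z...' banner, or None."""
    m = VERSION_RE.search(banner)
    return tuple(int(x) for x in m.groups()) if m else None


def version_string(version):
    return ".".join(str(x) for x in version)


def affecting_cves(version):
    """CVEs whose stated lower bound this version meets; tuple compare is lexicographic."""
    return [cve for cve, low in CVE_LOWER_BOUNDS.items() if version >= low]


def banner_md5(banner):
    """Fingerprint used to cluster identical banners (MD5 is fine here: not a security use)."""
    return hashlib.md5(banner.encode()).hexdigest()


def top_versions(hits, n=10):
    versions = (parse_version(h["banner"]) for h in hits)
    return Counter(version_string(v) for v in versions if v).most_common(n)


def top_banner_hashes(hits, n=10):
    return Counter(banner_md5(h["banner"]) for h in hits).most_common(n)


def distinct_ips_for_hashes(hits, md5s):
    """Collapse per-port hits sharing the given banner hashes into unique hosts."""
    return {h["ip"] for h in hits if banner_md5(h["banner"]) in md5s}


def exposure_report(hits):
    """Count hosts, not hits: the first parseable banner per IP decides its version."""
    version_by_ip = {}
    for h in hits:
        v = parse_version(h["banner"])
        if v is not None:
            version_by_ip.setdefault(h["ip"], v)
    at_risk = {ip: affecting_cves(v) for ip, v in version_by_ip.items() if affecting_cves(v)}
    return {"hosts": len(version_by_ip), "hits": len(hits), "at_risk": at_risk}


if __name__ == "__main__":
    print("top versions:", top_versions(SAMPLE_HITS))
    print("top banner hashes:", top_banner_hashes(SAMPLE_HITS))
    print(exposure_report(SAMPLE_HITS))
```

Run on the sample, the most common banner hash covers four hits but only two hosts, which is the 600,000-to-300,000 effect described above, and the 3.2.15 hosts fall outside both CVE ranges even though they dominate the count.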

They are all Samba 3.2.15, hosted at the Emirates Telecommunications Corporation organization. The exact same product sits behind this Samba version: the D-Link DIR850L. The good news is that it is not impacted by the previously discussed CVEs. Unfortunately, if you search for vulnerabilities impacting this product, you find a blog post dating from September 2017 describing a fair number of issues:

http://securityaffairs.co/wordpress/62937/hacking/d-link-dir-850l-zero-day.html

Conclusion

The results shown here were presented at the latest Botconf security conference in Montpellier, France, during a lightning talk. We showed that Samba is quite heavily exposed on the Internet and may be abused to build a botnet, just like many other vulnerable products.

If you are interested in querying our data, you can register for free to get your API key and have access to ONYPHE queries.