System security is a key factor to maintain the secure and stable running of services. As the network offensive and defensive confrontation heats up, more and more attack forms emerge, such as large-scale automated attacks, worms, ransomware, mining programs, and Advanced Persistent Threats (APTs). This brings great challenges to system security.

An automatically installed system has the following security flaws, which make the system vulnerable to intrusions:
  • Improper system configurations
    • Unnecessary ports opened: Some opened services and applications are unnecessary, which increases the attack surface.
    • Weak passwords: They are vulnerable to brute-force attacks, which causes intrusions into systems.
    • Improper policy configurations: System security policies are weak or not configured.
  • System vulnerabilities or necessary patches not installed
    • Command execution vulnerability: This type of vulnerability can be exploited to execute arbitrary commands, which causes intrusions into systems.
    • DoS vulnerability: A system under DoS attacks rejects normal service requests, which results in service interruptions.
    • Data breach vulnerability: Sensitive or confidential data is breached.

Case: RCE vulnerability in Samba

Samba is the software that implements the Server Message Block (SMB) protocol on Linux and UNIX operating systems. Samba allows computers to share resources such as files and printers with each other.

A remote code execution (RCE) vulnerability is detected in Samba. This vulnerability allows a client to upload a specified library file to a writable shared directory on a server, which causes the server to load and execute the library file.

CVE: CVE-2017-7494

Impact scope:
  • Linux or UNIX operating system on which Samba is installed
  • Samba versions: 4.6.4, 4.5.10, and 4.4.14.
Major impact:
  • Command execution: Servers are compromised, and data is breached due to remote code execution.
  • Service interruption: A worm, named SambaCry, can exploit this vulnerability and spread. This worm mines cryptocurrency on compromised servers, which occupies a large number of computing resources on the servers. This may affect service availability or cause service interruptions.

Case: RCE vulnerability in an SMB server

The SMB server is a server protocol component that is automatically installed on Windows operating systems. An RCE vulnerability is detected on the SMB server. This vulnerability allows an attacker to send specially crafted packets to the SMBv1 server and remotely execute code.

CVE: CVE-2017-0143

Impact scope:
  • Microsoft Windows Server 2016
  • Microsoft Windows Server 2012 Gold
  • Microsoft Windows Server 2012 R2
  • Microsoft Windows Server 2008 R2 SP1
  • Microsoft Windows Server 2008 SP2
Major impact:
  • Command execution: Servers are compromised, and data is breached due to remote code execution.
  • Data loss: Worms, such as WannaCry, can exploit this vulnerability and spread. These worms encrypt files on compromised servers and cause data breaches.

How to use Cloud Firewall to prevent intrusions into systems

The Alibaba Cloud security team continuously tracks and studies system vulnerabilities and their preventive measures, and has accumulated rich experience in intrusion prevention. The prevention rules formulated based on the experience greatly enhance the system security defense of Cloud Firewall.

To ensure that a system can run as expected, Cloud Firewall provides multi-point prevention against all the risks that the system encounters.
  • Brute-force attacks: The threat intelligence feature of Cloud Firewall can detect network-wide attacks and block scans or intrusions in advance.
  • System vulnerabilities: Cloud Firewall prevents high-risk vulnerabilities of operating systems.
  • Other attacks: The basic protection feature of Cloud Firewall detects other system attacks, such as reverse shells and system file breaches, and blocks the attacks in real time.

Procedure

  1. Log on to the Cloud Firewall console.
  2. In the left-side navigation pane, choose Intrusion Prevention > Prevention Configuration.
  3. In the Threat Engine Mode section of the Prevention Configuration page, select an option for Block Mode.
  4. In the Basic Protection section of the Prevention Configuration page, turn on Basic Policies.
  5. In the Virtual Patches section of the Prevention Configuration page, turn on Patches.