A seven-year-old critical remote code execution vulnerability has been found in the Samba networking software that could allow a remote attacker to take control of affected Linux and Unix machines. Samba is the de facto standard for providing Windows-style file and print services on Unix and Linux systems. Many systems run Samba, and it is installed by default on many Linux distributions, so some users may be running it without realizing it. Samba is what makes it possible for Unix and Linux systems to share files the same way Windows does.
CVE-2017-7494 was assigned to this newly discovered remote code execution vulnerability in Samba; it affects all versions of Samba from 3.5.0 onwards. The flaw is that Samba will load a shared module from any path on the system, which leads to remote code execution.
An attacker could use Samba’s arbitrary module loading vulnerability to upload a shared library to a writable share and then cause the server to load and execute the malicious code. This vulnerability is very easy to exploit. It can be reliably exploited with just one line of code, as long as the following conditions are met:
(a) the file- and printer-sharing port (445) is reachable from the Internet,
(b) a share is configured with write access, and
(c) the server-side path of that share is known or guessable.
If these conditions are satisfied, a remote attacker can upload a file containing malicious code and cause the server to execute it, possibly with root privileges depending on the vulnerable platform.
Since Samba is the SMB protocol implemented on Linux and UNIX systems, some researchers have called it the “Linux version of EternalBlue,” the exploit used by the WannaCry ransomware. The ease of exploiting this vulnerability, with just one line of code executing malicious code on the affected system, makes it more serious.
Is CVE-2017-7494 a successor to WannaCry?
This Samba vulnerability does not have the same reach as WannaCry. Samba is not as widely used as Microsoft’s implementation of SMB. Also, it is a client-to-server attack that depends on additional clients interacting with the server, so an attack is not as easy to carry out as it was with WannaCry, which was a client-to-client attack. Another key difference is the absence of any equivalent to the DoublePulsar backdoor, which made capitalizing on the Windows flaw easy for WannaCry.
Nothing to worry about?
Risks remain, because there are other attack scenarios that do not require the victim to be exposed on the Internet. If a malicious spam message compromises a single computer on a network, the attacker could use this Samba flaw to spread to other computers on that network and quickly infect large numbers of machines. Researchers believe the vulnerability could also expose home networks with network-attached storage devices to attack.
Who is affected?
According to researchers at the security firm Rapid7, more than 110,000 Internet-exposed devices appear to run vulnerable versions of Samba, and 92,500 of those appear to run unsupported versions for which no patch is available. All recent versions of Samba are affected by this bug, including Samba 4.6.x prior to 4.6.4, 4.5.x prior to 4.5.10, and 3.5.0 through 4.4.13.
The vulnerability has been patched in the latest versions of Samba: 4.6.4, 4.5.10 and 4.4.14. Patches for older and unsupported versions of Samba have also been released by the Samba maintainers and are available here.
If it is not possible to upgrade to the latest version of Samba immediately, any of the following workarounds can be employed:
- SELinux is available on most Linux flavors and enabled by default; configure it so that Samba cannot load modules from outside Samba’s module directories, which blocks the exploit.
- Mount the filesystem that holds Samba’s writable shares with the “noexec” option.
- Add the following line to the Samba configuration file smb.conf:
nt pipe support = no
This prevents clients from accessing any named pipe endpoints; it can also stop clients from fully accessing some network machines and disable some functionality that connected Windows systems expect.
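As an added example (not part of the original advisory, and not SecPod or Samba code), the following Python script audits an smb.conf file and a /proc/mounts listing against two of the workarounds above: it reports when the global parameter “nt pipe support = no” is absent and lists writable shares whose path is not on a noexec mount. The sample configuration and mount table are constructed; feed it the contents of a real /etc/samba/smb.conf and /proc/mounts to check a host.

```python
import configparser
def parse_smb_conf(text):
    """Parse smb.conf text; Samba ignores case and whitespace in parameter names."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cp.optionxform = lambda k: "".join(k.split()).lower()
    # smb.conf has no indented continuation lines, so strip indentation before parsing
    cp.read_string("\n".join(line.strip() for line in text.splitlines()))
    return cp
def samba_bool(value, default):
    """Samba booleans: yes/true/1 are true, no/false/0 are false; None means unset."""
    return default if value is None else value.strip().lower() in ("yes", "true", "1")
def mount_options_for(path, mounts_text):
    """Option set of the longest mount point that contains path (/proc/mounts format)."""
    best, opts = "", set()
    for f in (line.split() for line in mounts_text.splitlines()):
        if len(f) >= 4 and len(f[1]) > len(best) and (
                path == f[1] or path.startswith(f[1].rstrip("/") + "/")):
            best, opts = f[1], set(f[3].split(","))
    return opts
def audit(smb_conf_text, mounts_text):
    """Return (section, issue) pairs for the workarounds that are not in place."""
    cp = parse_smb_conf(smb_conf_text)
    findings = []
    if samba_bool(cp.get("global", "nt pipe support", fallback=None), True):
        findings.append(("global", "nt pipe support is on; set 'nt pipe support = no'"))
    for name in (n for n in cp.sections() if n != "global"):
        s = cp[name]
        # writable/writeable/write ok are inverted synonyms of read only (default yes)
        writable = (not samba_bool(s.get("read only"), True)
                    or any(samba_bool(s.get(k), False) for k in ("writable", "writeable", "write ok")))
        path = s.get("path") or s.get("directory")
        if writable and path and "noexec" not in mount_options_for(path, mounts_text):
            findings.append((name, f"writable share {path} is not on a noexec mount"))
    return findings
# Constructed sample inputs (not captured from a real host)
SAMPLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
[public]
   path = /srv/samba/public
   read only = no
[upload]
   path = /data/upload
   writable = yes
"""
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sdb1 /srv/samba ext4 rw,noexec,nosuid,nodev,relatime 0 0
/dev/sdc1 /data xfs rw,relatime 0 0
"""
```

Calling audit(SAMPLE_SMB_CONF, SAMPLE_MOUNTS) on the sample data flags the missing “nt pipe support = no” and the writable [upload] share on /data, while [public] passes because /srv/samba is mounted noexec. The SELinux workaround is not checked by this script.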
All these updates can be easily applied through SecPod Saner. Install Saner to detect and remediate these types of threats and stay secure.