Samba Vulnerability Could be Exploited in WannaCry Style Attacks

A Samba vulnerability has been discovered that could potentially be exploited and used in network worm attacks akin to those used to deliver WannaCry ransomware on May 12.

Samba is used on Unix and Linux systems, as well as on many NAS devices, to provide Windows file and print sharing services. Samba can also be used as an Active Directory server for access control on Windows networks.

Samba uses a protocol based on Windows Server Message Block (SMB). The vulnerability allows malicious actors to execute arbitrary code with root-level permissions. The flaw is also easy to exploit, requiring just a single line of code.

The Samba vulnerability has existed since 2010 and is present in Samba 3.5.0 and later versions. A security alert about the open source Samba project indicates the remote code execution vulnerability allows “a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it.” The Samba vulnerability can only be exploited if there is an open SMB share on port 445.

Xavier Mertens, a freelance security researcher working with the SANS Internet Storm Center, said “if you are exposing writable SMB shares for your users, be sure to restrict access to authorized people/hosts and do NOT share data across the Internet. There are risks that bad guys are already scanning the whole Internet.”

US-CERT has recently issued a security alert advising all organizations that use Samba to update to the latest version. Samba has released a patch for versions 4.4 and above, which is available at https://www.samba.org/samba/security/CVE-2017-7494.html.

While a patch has not been issued for unsupported versions of Samba – 3.5.0 to 4.4 – it is possible to address the vulnerability using a workaround.

Samba says adding the parameter:

nt pipe support = no

to the [global] section of your smb.conf and restarting smbd will protect users from attack.

The workaround will stop clients from accessing any named pipe endpoints, although using the workaround may disable certain functionality for Windows clients.
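
The check below is an added example, not code from Samba or from the original article: it parses an smb.conf and reports whether the nt pipe support = no workaround is set in [global] and which shares are writable. The sample configuration and the function names are constructed for illustration.

```python
# Added example: audit smb.conf for the "nt pipe support = no" workaround.
SAMPLE_CONF = """\
# constructed sample configuration, not taken from a real host
[global]
   workgroup = EXAMPLE

[public]
   path = /srv/public
   writable = yes

[archive]
   path = /srv/archive
   read only = yes
"""

FALSE = {"no", "false", "off", "0"}
INVERTED = {"writable", "writeable", "writeok"}  # inverted synonyms of "read only"

def norm(name):
    # smb.conf parameter names ignore case and embedded whitespace
    return "".join(name.lower().split())

def parse(text):
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line, pending = pending + raw.strip(), ""
        if line.endswith("\\"):          # backslash continues onto the next line
            pending = line[:-1]
        elif not line or line[0] in "#;":
            continue
        elif line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            key, value = norm(key), value.strip().lower()
            if key in INVERTED:          # store every form as canonical "readonly"
                key, value = "readonly", "yes" if value in FALSE else "no"
            current[key] = value
    return sections

def audit(text):
    conf = parse(text)
    glob = conf.get("global", {})
    # "nt pipe support" defaults to yes: only an explicit false value counts
    workaround = glob.get("ntpipesupport", "yes") in FALSE
    # a share inherits "read only" from [global]; the built-in default is yes
    writable = sorted(name for name, params in conf.items()
                      if name != "global"
                      and {**glob, **params}.get("readonly", "yes") in FALSE)
    return {"workaround": workaround, "writable_shares": writable}

if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```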

While there have been no reports of any attacks to date, now that details of the flaw have been made public it is probable that hackers will try to exploit it. Currently there are more than 100,000 systems that have yet to fix the flaw, according to cybersecurity firm Rapid7.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news