Critical Samba code execution hole plugged, patch ASAP!

The developers of Samba have plugged a critical remote code execution flaw that could allow a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it.

Samba code execution flaw

What is Samba?

Samba is a free and open source implementation of the SMB/CIFS networking protocol that provides Linux/Unix servers with Windows-based file and print services. It runs on most Linux, Unix and Unix-like systems, including Apple’s macOS Server and macOS client.

About the vulnerability (CVE-2017-7494)

The vulnerability affects all versions of Samba from 3.5.0 onwards, which means that it was been introduced more than seven years ago.

As explained by Dan Goodin, it can be exploited with just one line of code, as long as a few conditions are met.

“Those requirements include vulnerable computers that (a) make file- and printer-sharing port 445 reachable on the Internet, (b) configure shared files to have write privileges, and (c) use known or guessable server paths for those files.”

How many boxes with an open 445 port and vulnerable Samba installation are there? According to Rapid7’s scans, over 104,000, and of those, over 92,000 are running versions for which there is no direct patch available at the moment.

Plugging the hole

Samba maintainers have issued three versions of the utility that implement the patch: v4.6.4, 4.5.10 and 4.4.14. They have also provided patches for older Samba versions.

They advised Samba vendors and administrators running affected versions to upgrade or apply the patch as soon as possible.

There’s also a workaround that can mitigate the exploitation risk: administrators can add a short line of code to their Samba configuration file. But, the maintainers warn, this move can disable some expected functionality for Windows clients.

An exploit for the bug is expected to be added to the Metasploit framework very soon.

“Many home and corporate network storage systems run Samba and it is frequently installed by default on many Linux systems, making it possible that some users are running Samba without realizing it. Given how easy it is to enable Samba on Linux endpoints, even devices requiring it to be manually enabled will not necessarily be in the clear,” Jen Ellis, VP of Community and Public Affairs at Rapid7, has noted.

“While the WannaCry ransomworm impacted Windows systems and was easily identifiable, with clear remediation steps, the Samba vulnerability will impact Linux and Unix systems and could present significant technical obstacles to obtaining or deploying appropriate remediations. These obstacles will most likely present themselves in situations where devices are unmanaged by typical patch deployment solutions or don’t allow OS-level patching by the user.”

For example, a huge number of Netgear routers and NAS product models are affected, and firmware fixes for only some of them are currently available. Luckily, effective workarounds have been offered.

Ellis advises organizations to:

  • Review their official asset and configuration management systems to identify vulnerable systems
  • Perform full network vulnerability scans to identify misconfigured or rogue systems.
  • Review their firewall rules to ensure that SMB/Samba network traffic is not allowed directly from the internet to their assets.

“Many network-attached storage (NAS) environments are used as network backup systems. A direct attack or worm would render those backups almost useless, so if patching cannot be done immediately, we recommend creating an offline copy of critical data as soon as possible,” she added.

Don't miss