Samba users urged to patch 7-year-old remote code execution flaw ASAP

Not the first vulnerability of its kind…

Samba users urged to patch 7-year-old remote code execution flaw ASAP

Samba network filesystem administrators are being urged to patch a seven-year-old remote execution vulnerability as soon as possible.

For the vulnerability (CVE-2017-7494) to cause any issues, three conditions must be met. First, port 445 must be open. Second, shared files must have write privileges. And third, those files must have easily guessable or known paths.

The confluence of those three preconditions creates a perfect storm for a malicious attacker. As explained by Samba in a security advisory:

"All versions of Samba from 3.5.0 onwards are vulnerable to a remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it."

It doesn't even take that much to exploit the flaw. In fact, a single-line of code is enough to abuse it.

Several years old? Located in a popular server message block (SMB) protocol affecting port 445? Sounds a lot like the Microsoft vulnerability that WannaCry leveraged to infect more than 200,000 victims in over 150 countries beginning on 12 May. Dan Goodin explains in an article for Ars Technica that some in the industry even fear the new bug might be "wormable," i.e. self-propagating and requiring little-to-no user interaction:

"A malicious spam message that successfully compromised a single computer on a corporate network, for instance, could use the Samba flaw to spread virally to other computers. Given the ease of exploiting the vulnerability, it could quickly infect large numbers of machines. Researchers said the vulnerability could also open home networks with network-attached storage devices to attacks as well."

Fortunately, there's a crucial difference between WannaCry's Microsoft vulnerability and CVE-2017-7494. Ransomware attackers exploited the former via the use of DoublePulsar, attack code developed specifically for that flaw by the National Security Agency and leaked online by the Shadow Brokers. No exploit code exists for CVE-2017-7494... at least, none which we know.

But now that the vulnerability is publicly known, it remains to be seen whether bad actors will incorporate the flaw into future malware campaigns.

With that said, administrators should update their software to Samba versions 4.6.4, 4.5.10 and 4.4.14. If that's not possible, they can prevent clients from accessing known pipe endpoints by adding the parameter nt pipe support = no to the [global] section of the smb.conf and restarting it. Be warned, though, as it could disable some Windows functionality.

Tags: ,

Smashing Security podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episode:

,

3 Responses

  1. Richie

    May 30, 2017 at 9:21 am #

    What about Samba on all the home routers (such as D-Link) that support external shared file storage and/printing? (No one is going to release patches to all of these bits of kit…)

    • Karl in reply to Richie.

      May 31, 2017 at 8:32 am #

      You need to be able to write to a samba share.
      To mediate this users should turn off all shares from routers, and other devices not upgradeable.

  2. Fit for purpose

    May 30, 2017 at 12:51 pm #

    Richie,

    They should…

    Somebody (Homeland Security?, Consumer Protection?) should crawl the web looking for all Open Source firmware releases for all the vendors of these vulnerable devices and clearly identify which remain unpatched.

    Publicly name and shame.

    Product recall – similar to car airbags if the vendor cannot release a downloadable update.

    Hit them in the hip pocket.

Leave a Reply