Administrators of Samba, the open-source SMB/CIFS file server, are being urged to patch a seven-year-old remote code execution vulnerability as soon as possible.
For the vulnerability (CVE-2017-7494) to be exploitable, three conditions must be met. First, the server must expose port 445 (SMB) to the attacker. Second, the attacker must have write access to a share, so that a file can be uploaded. And third, the attacker must know, or be able to guess, the server-side filesystem path of that uploaded file.
The confluence of those three preconditions creates a perfect storm for a malicious attacker. As explained by Samba in a security advisory:
“All versions of Samba from 3.5.0 onwards are vulnerable to a remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it.”
It doesn't even take that much to exploit the flaw. In fact, a single line of code is enough to abuse it.
Re: Samba bug, the metasploit one-liner to trigger is just: simple.create_pipe("/path/to/target.so")
— HD Moore (@hdmoore) May 24, 2017
Several years old? Located in a widely deployed implementation of the server message block (SMB) protocol, reachable over port 445? That sounds a lot like the Microsoft vulnerability WannaCry leveraged to infect more than 200,000 victims in over 150 countries beginning on 12 May. Dan Goodin explains in an article for Ars Technica that some in the industry even fear the new bug might be "wormable," i.e. self-propagating and requiring little to no user interaction:
“A malicious spam message that successfully compromised a single computer on a corporate network, for instance, could use the Samba flaw to spread virally to other computers. Given the ease of exploiting the vulnerability, it could quickly infect large numbers of machines. Researchers said the vulnerability could also open home networks with network-attached storage devices to attacks as well.”
Fortunately, there is a crucial difference between the Microsoft vulnerability WannaCry used and CVE-2017-7494. The ransomware exploited the former with EternalBlue, attack code developed for that flaw by the National Security Agency and leaked online by the Shadow Brokers, and then installed the DoublePulsar backdoor to run its payload. No comparable weaponized, self-spreading exploit has surfaced for CVE-2017-7494… at least, none that we know of, although, as the tweet above shows, simply triggering the bug is trivial.
But now that the vulnerability is publicly known, it remains to be seen whether bad actors will incorporate the flaw into future malware campaigns.
With that said, administrators should update to Samba 4.6.4, 4.5.10 or 4.4.14, whichever matches their release branch. If that is not possible, they can stop clients from reaching the named pipe endpoints the exploit relies on by adding the parameter nt pipe support = no to the [global] section of smb.conf and restarting smbd. Be warned, though: this can disable some expected functionality for Windows clients.
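The following audit script is an added example, not code from the article or from the Samba project. It checks the conditions an administrator actually controls: whether the installed Samba version falls in the affected range (3.5.0 up to the fixed releases 4.6.4, 4.5.10 and 4.4.14 named above), which shares a client could write to, and whether the nt pipe support = no workaround is present in [global]. The smb.conf files it parses are constructed for the example, and the version-check thresholds assume branches older than 4.4 never received a fixed release.

```shell
#!/bin/sh
# Added example (not from the article or the Samba project): audits a host for the
# administrator-controlled CVE-2017-7494 preconditions and for the advisory's workaround.
# Fixed releases (4.6.4, 4.5.10, 4.4.14) are those named in the article; the sample
# smb.conf files further down are constructed for this example.

# samba_vulnerable X.Y.Z -> returns 0 (true) if the version is affected.
# Affected: 3.5.0 <= version < fixed release of its branch; branches below 4.4 got no
# fixed release, so every 3.5.0+ version there counts. "4.6.4-Ubuntu" style suffixes are fine.
samba_vulnerable() {
    echo "$1" | awk -F. '{
        maj = $1 + 0; min = $2 + 0; pat = $3 + 0
        v = maj * 1000000 + min * 1000 + pat
        if (v < 3005000) exit 1                      # before 3.5.0: not affected
        if (maj == 4 && min == 6) exit (v < 4006004 ? 0 : 1)
        if (maj == 4 && min == 5) exit (v < 4005010 ? 0 : 1)
        if (maj == 4 && min == 4) exit (v < 4004014 ? 0 : 1)
        if (v > 4006004) exit 1                      # 4.7 and later shipped with the fix
        exit 0                                       # unfixed older branch
    }'
}

# writable_shares CONF -> prints every share a client can write to (precondition 2).
# Understands writable / writeable / write ok, the inverse "read only", and a [global] default.
writable_shares() {
    awk '
    function flush() { if (sec != "" && tolower(sec) != "global" && writable) print sec }
    /^[ \t]*[;#]/ { next }                                   # comment line
    /^[ \t]*\[/ { flush(); sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec); writable = gw; next }
    /=/ {
        key = tolower($0); sub(/=.*/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", key)
        val = tolower($0); sub(/^[^=]*=/, "", val); gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (key == "writable" || key == "writeable" || key == "write ok") writable = (val ~ /^(yes|true|1)$/)
        if (key == "read only") writable = !(val ~ /^(yes|true|1)$/)
        if (tolower(sec) == "global") gw = writable          # [global] value becomes the default
    }
    END { flush() }' "$1"
}

# nt_pipe_support_disabled CONF -> returns 0 if [global] sets "nt pipe support = no".
nt_pipe_support_disabled() {
    awk '
    /^[ \t]*[;#]/ { next }
    /^[ \t]*\[/ { sec = tolower($0); sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec); next }
    sec == "global" && /=/ {
        key = tolower($0); sub(/=.*/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", key)
        val = tolower($0); sub(/^[^=]*=/, "", val); gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (key == "nt pipe support") disabled = (val ~ /^(no|false|0)$/)
    }
    END { exit (disabled ? 0 : 1) }' "$1"
}

# audit VERSION CONF -> prints a verdict and, if affected, the exposure and mitigation state.
audit() {
    if samba_vulnerable "$1"; then
        printf 'Samba %s: affected by CVE-2017-7494; upgrade to 4.6.4, 4.5.10 or 4.4.14\n' "$1"
        shares=$(writable_shares "$2" | xargs)
        if [ -n "$shares" ]; then printf '  writable shares: %s\n' "$shares"; fi
        if nt_pipe_support_disabled "$2"; then
            printf '  workaround present: nt pipe support = no in [global]\n'
        else
            printf '  workaround absent: add "nt pipe support = no" to [global] and restart smbd\n'
        fi
    else
        printf 'Samba %s: not affected\n' "$1"
    fi
}

# Constructed smb.conf files: an exposed setup (guest-writable share with a guessable path)
# and a hardened one.
SAMPLE_CONF=$(mktemp); HARDENED_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF" "$HARDENED_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
[global]
   workgroup = WORKGROUP
[homes]
   read only = no
[public]
   path = /srv/samba/public
   guest ok = yes
   writable = yes
EOF
cat > "$HARDENED_CONF" <<'EOF'
[global]
   workgroup = WORKGROUP
   nt pipe support = no
[public]
   path = /srv/samba/public
   read only = yes
EOF

audit 4.6.3 "$SAMPLE_CONF"      # on a live host: audit "$(smbd --version | awk '{print $2}')" /etc/samba/smb.conf
audit 4.6.4 "$HARDENED_CONF"
```

The version check is deliberately branch-aware: 4.5.9 is affected while 4.6.4 is not, so a plain "is it newer than 4.4.14" comparison would give the wrong answer for the 4.5 and 4.6 branches. The share parser only reports what smb.conf grants; filesystem permissions on the share path can still deny the write, so treat its output as the list of shares to verify by hand.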