A critical Samba flaw has been discovered that has potential to be exploited and used for network worm attacks similar to those that resulted in more than 300,000 global WannaCry ransomware infections.
Samba is used to provide Windows-like file and print services on Unix and Linux servers and is based on the Windows Server Message Block (SMB) protocol that was exploited in the recent WannaCry ransomware attacks. The wormable remote code execution vulnerability has been identified in versions 3.5.0 an above.
The Samba flaw – tracked as CVE-2017-7494 – has existed for around 7 years, although no known attacks are understood to have occurred. That may not remain the case for long.
Samba is commonly installed on enterprise Linux servers, with around 104,000 machines believed to be vulnerable, per a recent search conducted by Rapid7 researchers. The Samba flaw can be exploited easily, requiring just a single line of code.
The Samba vulnerability has been rated as critical, although the good news is Samba has already issued an update that addresses the vulnerability. The patch can be applied to versions 4.4 and above. Any organization that is using an unsupported version of Samba, or is unable to apply the patch, can use a workaround to address the Samba vulnerability and secure their Linux and Unix servers.
The workaround is straightforward, requiring the addition of the following parameter to the [global] section of your smb.conf
nt pipe support = no
After the parameter has been added, the smbd daemon must be restarted. This will prevent clients from accessing any named pipe endpoints.
US-CERT has advised all organizations to apply the patch or use the workaround as soon as possible to prevent the vulnerability from being exploited.
If a threat actor were to exploit the Samba flaw, it would allow them to “upload a shared library to a writable share, and then cause the server to load and execute it.” A malicious file could be remotely uploaded on any vulnerable device. That could be ransomware, a network worm, or any other malicious file. That file could then be executed with root access privileges.
NAS devices also use Samba and may also be vulnerable to attack. Malicious actors could target NAS devices and access or encrypt stored data. Many organizations use NAS devices to store backups. An attack on those devices, using ransomware for instance, could be devastating. Bob Rudis, chief data scientist at Rapid7, said “A direct attack or worm would render those backups almost useless. Organizations would have little choice but to pay the ransom demand.
A proof-of-concept exploit for the Samba vulnerability is available to the public. It is therefore only a matter of time before the vulnerability is exploited. The patch or workaround should therefore be applied ASAP to mitigate risk.