Last week, the world was alerted to flaws in Microsoft’s implementation of SMB (Server Message Block) that were being exploited by the WannaCry ransomware worm. As it turns out, there was also a potentially exploitable vulnerability in the open-source Samba server that also provides SMB services.
The Samba project on May 24 issued a high-severity advisory for a remote code execution vulnerability identified as CVE-2017-7494. Unlike the Microsoft SMB flaw, which was allegedly discovered by the NSA and then stolen by the Shadow Brokers hacker group, the Samba flaw was responsibly reported to Samba by a third party researcher using the alias ‘steelo.’
There are already patches available for the issue, with the new release of Samba 4.6.4, 4.5.10 and 4.4.10. There are also patches available for older Samba 3.x versions.
“All versions of Samba from 3.5.0 onward are vulnerable to a remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it,” the Samba project advisory states.
For those that can’t update, there is a simple one-line parameter that will eliminate the risk
Add the parameter:
nt pipe support = no to the [global] section of your smb.conf and restart smbd.
The flaw currently can only execute against publicly internet accessible samba shares that are writeable. HD Moore, the original author of the open-source Metasploit penetration testing framework is already working on module to let security researchers test the CVE-2017-7494 vulnerability.
While Linux vendors, including Red Hat and Ubuntu have already provided users with updated patches, the larger risk is that from consumer Network Attached Storage (NAS) devices that might not be updated as quickly.
Craig Williams, security outreach manager at Cisco wrote in a Twitter message that, given the fact hat most NAS devices run Samba and have very valuable data this has potential to be the first large scale linux ransomware worm.”
Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.