Samba possibly vulnerable to ‘WannaCry’-type attacks

It has been revealed that Samba may be vulnerable to network worm attacks similar to those used to deliver the WannaCry ransomware on the 12th of May 2017.

Unix, Linux and numerous NAS devices use Samba to add Windows file and print sharing services. Additionally, Samba may be employed as an Active Directory server on Windows networks for access control.

Samba’s protocol is based on Windows Server Message Block (SMB). The vulnerability permits attackers to execute arbitrary code with root-level permissions. The flaw is also particularly simple to exploit, as it needs only a single line of code.

The vulnerability has been in existence since 2010 and can be found in Samba 3.5.0 and later versions. A security warning from the open source Samba project indicates that the remote code execution vulnerability permits a client to upload a shared library to a writable share and then cause the server to load and execute it. The vulnerability may be exploited only when port 445 has an open SMB share.

Xavier Mertens, a freelance security researcher, has warned that if a business is exposing writable SMB shares for its users, it must be sure to restrict access to authorized persons and never share data on the Internet.

A security alert has been published by US-CERT warning all organizations which use Samba to update to the most recent version. For its part, Samba has released a patch for versions 4.4 and above, which can be found by following this link: https://www.samba.org/samba/security/CVE-2017-7494.html.

Although no such patch has yet been issued for unsupported versions of Samba – 3.5.0 to 4.4 – the vulnerability can be addressed by using a workaround.

Samba advises that adding the parameter:
    nt pipe support = no
to the [global] section of a user’s smb.conf and then restarting smbd should protect users from potential attack.

The workaround will prevent clients from gaining access to any named pipe endpoints. However, using the workaround might disable certain functions for some Windows clients.
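
A defender-side check for the workaround above, as an added example that is not from the original article or the Samba project: it parses smb.conf text and reports whether nt pipe support is disabled in [global] and which shares accept writes. The sample configuration is constructed and the function names are illustrative; it inspects configuration only and does not check the installed Samba version.

```python
# Added example: audit smb.conf text for the "nt pipe support = no" workaround.
TRUE, FALSE = {"yes", "true", "1"}, {"no", "false", "0"}
# Samba treats these names as inverted synonyms of "read only".
WRITE_SYNONYMS = {"writable", "writeable", "writeok"}

SAMPLE_CONF = """\
# constructed sample, not taken from a real host
[global]
   NT Pipe Support = No
[public]
   read only = yes
[uploads]
   writable = yes
; a commented-out line is ignored
"""

def normalise(key, value):
    """Lowercase, drop spaces in the name, fold write synonyms into 'readonly'."""
    key, value = "".join(key.lower().split()), value.strip().lower()
    if key in WRITE_SYNONYMS and value in TRUE | FALSE:
        return "readonly", "no" if value in TRUE else "yes"
    return key, value

def parse_smb_conf(text):
    """Return {section: {param: value}}; a later setting overrides an earlier one."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = normalise(*line.split("=", 1))
            sections[current][key] = value
    return sections

def audit(text):
    """Report whether the workaround is set and which shares accept writes."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    # Both parameters default to "yes" when absent; [global] sets share defaults.
    workaround = glob.get("ntpipesupport", "yes") in FALSE
    default_ro = glob.get("readonly", "yes")
    writable = sorted(n for n, p in conf.items()
                      if n != "global" and p.get("readonly", default_ro) in FALSE)
    return {"workaround_set": workaround, "writable_shares": writable,
            "writable_without_workaround": bool(writable) and not workaround}
```

Calling audit() on the contents of a host's smb.conf returns a dictionary; a true writable_without_workaround value marks a configuration that still exposes a writable share with named pipe support enabled.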

Although no attacks have been reported as yet, it is probable that the public disclosure of the details of the flaw will encourage, or indeed enable, hackers to attempt to exploit it. According to the cybersecurity firm Rapid7, more than 100,000 systems have not yet rectified the flaw.

Author: Defensorum
