Samba: Patch Critical Bug Now, US-CERT Warns

It’s Not WannaCry, But At Least 100,000 Systems at Risk From Wormable Flaw

In the wake of WannaCry, there’s a critical new flaw in Samba, which provides Windows-based file and print services for Unix and Linux systems. Security experts say the flaw is trivial to exploit. US-CERT recommends immediate patching or workarounds.

The flaw, designated CVE-2017-7494, exists in Samba, which provides Windows-based file and print services for Unix and Linux systems. By successfully exploiting the flaw, an attacker could execute arbitrary code on a device with root-level access permissions.

“All versions of Samba from 3.5.0 onwards are vulnerable to a remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it,” according to a security alert published Wednesday by the Samba open source project.

Samba has released patches for versions 4.4 and newer that fix that flaw. “Samba vendors and administrators running affected versions are advised to upgrade or apply the patch as soon as possible,” its alert says.

For unsupported but still vulnerable systems – 3.5.x to 4.4.x – or any supported versions of Samba that cannot be upgraded for whatever reason, the Samba team has detailed a workaround that involves adding the “nt pipe support = no” parameter to Samba’s SMB configuration file and then rebooting the smbd daemon. “Note this can disable some expected functionality for Windows clients,” Samba’s alert says.

Security experts say the flaw should be patched as quickly as possible. “A remote attacker could exploit this vulnerability to take control of an affected system,” the U.S. Computer Emergency Response Team, US-CERT, says in a security alert. “US-CERT encourages users and administrators to review Samba’s security announcement and apply the necessary updates, or refer to their Linux or Unix-based OS vendors for appropriate patches.

Thankfully, no related attacks have yet emerged. “The internet is not on fire yet, but there’s a lot of potential for it to get pretty nasty,” Jen Ellis, a vice president at Rapid7, says in a security alert. “If there is a vulnerable version of Samba running on a device, and a malicious actor has access to upload files to that machine, exploitation is trivial.”

Samba use is widespread. “Many home and corporate network storage systems run Samba and it is frequently installed by default on many Linux systems, making it possible that some users are running Samba without realizing it. Given how easy it is to enable Samba on Linux endpoints, even devices requiring it to be manually enabled will not necessarily be in the clear,” Ellis says.

Easy to Exploit

Just one line of code can be used to exploit the Samba flaw, according to HD Moore, vice president of research and development at Atredis Partners.

Continue reading…