A remote code execution vulnerability in Samba has potentially exposed a large number of Linux and UNIX machines to remote attackers. The vulnerability (CVE-2017-7494) affects all machines running Samba versions newer than 3.5.0, which was released in March 2010, making it a 7-year-old flaw.
Samba is software that runs on most of the operating systems used today, such as Windows, UNIX, IBM, Linux, OpenVMS, and System 390. As an open source reimplementation of the SMB (Server Message Block) networking protocol, Samba enables non-Windows operating systems like Mac OS X or GNU/Linux to share folders, printers, and files with Windows systems.
All affected machines can be remotely controlled by uploading a shared library to a writable share. Another command can then be used to cause the server to execute the code. This allows hackers to access Linux PCs remotely, according to the advisory published by Samba last Wednesday, May 24.
A repeat of the EternalBlue Exploit?
EternalBlue is the name of the software used in the controversial WannaCry ransomware that has affected a large number of computers in the past. Since the software used for Linux and UNIX today is Samba, critics have dubbed the incident a repeat of history.
There have been many reports associated with this incident. The Shodan search engine shows that there are 485,000 Samba-enabled devices with port 445 exposed. Research by Rapid7 also shows that there are 104,000 exposed computers running vulnerable Samba versions, with 92,000 of these using unsupported versions. Considering this, the flaw can undoubtedly be exploited at a large scale.
The flaw was discovered in the way the software manages shared libraries. Attackers can access computers remotely by loading a shared library and editing it using a writable share. Once the code is executed, a number of exploit routes are presented. Just this one line of code is required in order to make the link: simple.create_pipe("/path/to/target.so")
A patch to mitigate the flaw that allowed hackers to access Linux PCs remotely has already been released by Samba in their new versions 4.6.4/4.5.10/4.4.14. The company is urging those who are using a vulnerable version to install the patch to avoid further risks.
Those who cannot upgrade immediately can prevent the vulnerability by adding the following line to the configuration file smb.conf: nt pipe support = no. The new patch will remove full client access to network machines, as well as remove some functions connected to Windows systems.
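To check a host against both the fixed releases and the smb.conf workaround described above, here is an added example (not code from Samba or its advisory). The function names and the sample configuration are constructed for illustration, and the parser assumes a single file with no include directives or line continuations.

```python
import re

# Fixed upstream releases named in the article, keyed by (major, minor) branch.
FIXED = {(4, 6): 4, (4, 5): 10, (4, 4): 14}
FIRST_AFFECTED = (3, 5, 0)  # the Samba advisory counts 3.5.0 itself as affected
FALSE_WORDS = {"no", "false", "off", "0"}  # smb.conf spellings of a false boolean

# Constructed sample configuration, not taken from any real host.
SAMPLE_CONF = """\
[global]
   workgroup = EXAMPLE
   NT Pipe Support = No
[public]
   path = /srv/public
   writable = yes
"""

def version_is_affected(version):
    """Upstream-version triage only: vendor backports keep the old number."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised Samba version: {version!r}")
    major, minor, patch = map(int, m.groups())
    if (major, minor, patch) < FIRST_AFFECTED:
        return False
    if (major, minor) in FIXED:
        return patch < FIXED[(major, minor)]
    return (major, minor) < (4, 4)  # older branches affected, later ones fixed

def nt_pipe_support_disabled(conf_text):
    """True if [global] sets 'nt pipe support' to a false value."""
    section, disabled = None, False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        name, sep, value = line.partition("=")
        # smb.conf ignores case and whitespace inside parameter names
        key = "".join(name.split()).lower()
        if sep and section == "global" and key == "ntpipesupport":
            disabled = value.strip().lower() in FALSE_WORDS  # last setting wins
    return disabled

def triage(version, conf_text):
    """Return 'not affected', 'mitigated' or 'exposed' for one host."""
    if not version_is_affected(version):
        return "not affected"
    return "mitigated" if nt_pipe_support_disabled(conf_text) else "exposed"
```

On a live host, feed it the output of `smbd --version` and of `testparm -s`, which prints the effective configuration rather than the raw file.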
While mitigation is under way, the greatest risk lies in NAS (network-attached storage) devices that cannot be updated immediately. Currently, there are only firmware fixes for ReadyNAS products running OS 6.X. The good news, though, is that Samba has also made patches for their older and unsupported versions.