Samba CVE-2017-7494 Remote Code Execution Vulnerability

A critical remote code execution vulnerability that has existed in the Samba networking software for seven years has been found. It could allow a remote attacker to take control of affected Linux and Unix machines. Samba is the de facto standard for providing Windows-compatible file and print services on Unix and Linux systems; many Linux distributions install it by default, and some users may be running Samba without realizing it, which is exactly the situation a Linux Samba exploit relies on. Samba makes it possible for Unix and Linux systems to share files the same way Windows does. Vulnerabilities like this one are most easily closed with a patch management tool that keeps Samba current.

CVE-2017-7494 was assigned to a newly discovered remote code execution vulnerability in Samba. It affects all versions of Samba from 3.5.0 onwards. The flaw is that Samba will load a shared module from any path on the system: a client can request a named pipe whose name is the full path of a file it has already written to a share, and smbd loads that file as a module, which leads to RCE. A vulnerability management tool that flags the affected versions keeps such flaws from lingering unpatched.

The Linux Samba exploit uses this arbitrary module loading vulnerability: the attacker uploads a shared library to a writable share and then makes the server load and execute it. The vulnerability is very easy to exploit. If a server meets the following conditions, an attacker can reliably exploit it with a single line of code:
(a) file and printer sharing (port 445) is reachable from the Internet,
(b) a share is configured with write access, and
(c) the server-side filesystem path of that share is known or guessable.

If a system meets these conditions, a remote attacker can upload a file containing malicious code and make the server execute it, possibly with root privileges depending on the platform, since smbd runs as root on most systems.
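To make the mechanism concrete, here is an added Python model of the pre-fix and post-fix handling of a pipe name. It is not Samba's code and not part of the original article: Samba's real functions are is_known_pipename() and smb_probe_module() in C, and the share table, module directory, pipe list and file names below are constructed for the example.

```python
# Added example, not Samba's own code: a simplified model of the
# CVE-2017-7494 code path. Samba's real functions are is_known_pipename()
# and smb_probe_module(); the names, share table and file list below are
# constructed for illustration.
import os
from typing import Dict, Optional, Set

# Named pipes smbd serves itself (abbreviated, constructed list).
KNOWN_PIPES = {"srvsvc", "wkssvc", "samr", "lsarpc", "netlogon", "spoolss"}
MODULES_DIR = "/usr/lib/samba"          # assumed module directory

# Constructed share table: SMB share name -> server-side path, writable flag.
SHARES: Dict[str, Dict] = {
    "public": {"path": "/srv/samba/public", "writable": True},
    "docs":   {"path": "/srv/samba/docs",   "writable": False},
}


def upload(share: str, filename: str, files: Set[str]) -> Optional[str]:
    """Model the attacker writing a file to a share (condition b).

    Returns the server-side path the file landed at, or None if the share
    is read-only. SMB never tells the client this path; the attacker has
    to know or guess it (condition c).
    """
    entry = SHARES.get(share)
    if entry is None or not entry["writable"]:
        return None
    path = os.path.join(entry["path"], filename)
    files.add(path)
    return path


def module_path(subsystem: str, name: str) -> str:
    """Model of the loader: a name containing '/' is used as a path as-is,
    anything else becomes <MODULES_DIR>/<subsystem>/<name>.so."""
    if "/" in name:
        return name
    return os.path.join(MODULES_DIR, subsystem, name + ".so")


def open_pipe_vulnerable(pipename: str, files: Set[str]) -> Optional[str]:
    """Pre-fix: an unknown pipe name goes straight to the module loader.
    Returns the path of the module that would be loaded (and executed),
    or None if nothing is loaded."""
    if pipename in KNOWN_PIPES:
        return None                       # served internally, no load
    candidate = module_path("rpc", pipename)
    return candidate if candidate in files else None


def open_pipe_fixed(pipename: str, files: Set[str]) -> Optional[str]:
    """Post-fix: a pipe name containing '/' is rejected before the loader
    is consulted, so the attacker's file is never opened."""
    if "/" in pipename:
        raise PermissionError(f"rejected pipe name containing '/': {pipename!r}")
    return open_pipe_vulnerable(pipename, files)


def demo() -> Dict[str, Optional[str]]:
    """Walk the chain once: upload, correct guess, wrong guess, fixed server."""
    files: Set[str] = set()
    landed = upload("public", "evil.so", files)      # /srv/samba/public/evil.so
    result: Dict[str, Optional[str]] = {
        "upload": landed,
        "vulnerable": open_pipe_vulnerable(landed, files),
        "wrong_guess": open_pipe_vulnerable("/srv/share/evil.so", files),
    }
    try:
        open_pipe_fixed(landed, files)
        result["fixed"] = "loaded"
    except PermissionError:
        result["fixed"] = "rejected"
    return result


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key:12} {val}")
```

The model shows why all three conditions matter: without a writable share the upload fails, without the right server path the pipe name points at nothing, and on a fixed server the slash in the name is refused before any module lookup happens.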

Since Samba is the SMB protocol implementation for Linux and Unix systems, some researchers have called this the "Linux version of EternalBlue", the exploit used by the WannaCry ransomware. The ease of exploitation, a single line of code to run malicious code on the affected system, makes the Linux Samba exploit all the more serious:
    simple.create_pipe("/path/to/target.so")

Is CVE-2017-7494 a successor to WannaCry?

This Samba vulnerability is not as capable as the one WannaCry used. Samba is not as widely deployed as Microsoft's implementation of SMB. It is also a client-to-server attack: the attacker needs a Samba server that exposes a writable share, so it is not as easy to carry out as WannaCry's client-to-client spread, in which any reachable Windows machine could be attacked directly. Another key difference is the absence of anything equivalent to the DoublePulsar backdoor, which made capitalizing on the Windows flaw easy for WannaCry.

Nothing to Worry About?

Other attack scenarios, which do not require the victim to be exposed on the Internet, still pose risks. If a malicious spam message compromises a single computer on a network, the attacker could use this Samba flaw to spread to other machines on that network and quickly infect large numbers of them. Researchers also believe the vulnerability could expose home networks with network-attached storage (NAS) devices to attack, since many NAS products run Samba.

Whom does the Linux Samba Exploit affect?

According to researchers at the security firm Rapid7, more than 110,000 Internet-exposed devices appear to run vulnerable versions of Samba, and 92,500 of them appear to run versions that the Samba project no longer supports. The bug affects all recent releases: Samba 4.6.x before 4.6.4, 4.5.x before 4.5.10, and 3.5.0 through 4.4.13.

Solution to Linux Samba Exploit

The vulnerability is patched in Samba 4.6.4, 4.5.10 and 4.4.14. The Samba maintainers have also released patches for older, unsupported versions of Samba, available from the Samba security page at https://www.samba.org/samba/security/.

Workaround

If it is not possible to upgrade to a patched version of Samba immediately, the following workarounds are available. Use any of them:

  • SELinux, which is enabled by default on Red Hat-based distributions and available on most others, blocks the exploit when it runs in enforcing mode with the default targeted policy, because smbd is not allowed to load modules from outside Samba's module directories.
  • Mount the filesystem that backs Samba's writable share with the "noexec" option, so that a library written to the share cannot be mapped as executable code.
  • Add the following line to the [global] section of the Samba configuration file smb.conf:
                       nt pipe support = no
    This prevents clients from accessing any named pipe endpoints, which closes the vulnerable code path, but it can also disable some expected functionality for connected Windows clients.
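The three questions an administrator has to answer before choosing a workaround are whether the installed version is affected, whether "nt pipe support = no" is already set, and which writable shares sit on a filesystem that is not mounted noexec. The following added Python script (not part of the Samba project or the original article) answers them for one host from its version string, its smb.conf and its mount table; the version ranges are the ones from the advisory, while the sample smb.conf, the mount lines and the share paths in them are constructed assumptions.

```python
# Added example, not part of the Samba project or the original article:
# a pre-patch assessment for one Samba host. The version ranges are the
# ones from the advisory; the smb.conf and mount-table text are constructed
# samples and the share paths in them are assumptions.
import re
from typing import Dict, List, Optional, Tuple

Conf = Dict[str, Dict[str, str]]


def parse_version(s: str) -> Tuple[int, ...]:
    """'4.5.8-Ubuntu' -> (4, 5, 8); distro suffixes are ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", s)
    if not m:
        raise ValueError(f"unrecognised Samba version: {s!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable_version(s: str) -> bool:
    """True for 3.5.0 <= v <= 4.4.13, 4.5.x < 4.5.10 and 4.6.x < 4.6.4.
    Anything before 3.5.0, or 4.7 and later, never carried the flaw."""
    v = parse_version(s)
    if v < (3, 5, 0) or v[:2] > (4, 6):
        return False
    if v[:2] == (4, 6):
        return v < (4, 6, 4)
    if v[:2] == (4, 5):
        return v < (4, 5, 10)
    return v < (4, 4, 14)


def _yes(value: str) -> bool:
    """Samba boolean: yes/true/1 are true, everything else is treated as no."""
    return value.strip().lower() in ("yes", "true", "1")


def parse_smbconf(text: str) -> Conf:
    """Minimal smb.conf parser: {section: {param: value}}. Parameter names are
    matched the way Samba does (case-insensitive, internal whitespace ignored)
    and the 'writable'/'writeable'/'write ok' synonyms are folded into
    'readonly', so the last setting in a section wins as it does in Samba."""
    sections: Conf = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":          # comment lines
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            key = re.sub(r"\s+", "", key).lower()
            value = value.strip()
            if key in ("writable", "writeable", "writeok"):
                key, value = "readonly", ("no" if _yes(value) else "yes")
            sections[current][key] = value
    return sections


def nt_pipe_support_disabled(conf: Conf) -> bool:
    """The advisory's workaround: 'nt pipe support = no' in [global]."""
    return not _yes(conf.get("global", {}).get("ntpipesupport", "yes"))


def writable_shares(conf: Conf) -> List[Tuple[str, str]]:
    """(share, path) for shares clients may write to. Samba defaults to
    'read only = yes', so only an explicit setting makes a share writable."""
    return [(name, params.get("path", ""))
            for name, params in conf.items()
            if name not in ("global", "printers")   # print spool, not a share
            and not _yes(params.get("readonly", "yes"))]


def mount_is_noexec(mounts: str, path: str) -> bool:
    """Find the mount holding `path` (longest mountpoint prefix, in the
    /proc/self/mounts format) and report whether it carries noexec."""
    best: Optional[Tuple[str, List[str]]] = None
    for line in mounts.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        mp, opts = fields[1], fields[3].split(",")
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) > len(best[0]):
                best = (mp, opts)
    return best is not None and "noexec" in best[1]


def assess(version: str, smbconf: str, mounts: str) -> dict:
    """Is the version affected, is the pipe workaround set, and which writable
    shares can still hand smbd a library it is allowed to map as code."""
    conf = parse_smbconf(smbconf)
    shares = writable_shares(conf)
    loadable = [(n, p) for n, p in shares if p and not mount_is_noexec(mounts, p)]
    vuln, pipes_off = is_vulnerable_version(version), nt_pipe_support_disabled(conf)
    return {"vulnerable_version": vuln, "nt_pipe_support_disabled": pipes_off,
            "writable_shares": shares, "loadable_shares": loadable,
            "at_risk": vuln and not pipes_off and bool(loadable)}


# Constructed sample inputs (paths and version are assumptions).
SAMPLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   ; nt pipe support = no   <- uncomment to apply the workaround

[public]
   path = /srv/samba/public
   read only = no

[docs]
   path = /srv/samba/docs
   writable = no
"""
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sdb1 /srv/samba ext4 rw,relatime 0 0
"""

if __name__ == "__main__":
    for key, val in assess("4.5.8", SAMPLE_SMB_CONF, SAMPLE_MOUNTS).items():
        print(f"{key:26} {val}")
```

On a real host feed it the output of `smbd -V`, the contents of /etc/samba/smb.conf (or `testparm -s`, which expands includes) and /proc/self/mounts. Treat the version check as a first pass only: distributions such as Debian and Red Hat backport the fix without changing the version number, so a "vulnerable" result there must be confirmed against the vendor's changelog, while a writable share on an exec-capable mount with named pipes enabled is a finding regardless of version.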

SanerNow detects this vulnerability and deploys the relevant updates to remediate it. Install Saner to detect and remediate these types of threats and stay secure.