5/25/2017
04:28 PM

New Samba Bug Dangerous But No WannaCry

The administrators of the open-source Samba software have fixed a newly discovered vulnerability that lets attackers upload malicious files to vulnerable systems and servers.

The recent WannaCry attack that impacted hundreds of thousands of Windows systems worldwide was a powerful reminder of the need for organizations to properly secure their file-sharing services against access from the Internet. Now there is even more incentive to do so.

Multiple versions of Samba, the open source file- and print-sharing utility for Linux and Unix systems, have a critical remote code execution vulnerability (CVE-2017-7494) that gives attackers a way to upload malicious files to vulnerable systems and take control of them.

Attackers who gain access to a vulnerable system can upload a shared library to a writable share and get the server to load and execute it, the maintainers of Samba warned in an alert Wednesday. All versions of Samba from 3.5.0, released back in March 2010, are vulnerable.

Patches are available for all supported versions of Samba as well as for older versions. In addition, the Samba organization has issued Samba 4.6.4, 4.5.10, and 4.4.14 as security releases to correct the vulnerability.

"Samba vendors and administrators running affected versions are advised to upgrade or apply the patch as soon as possible," the alert noted.

US-CERT echoed that urgency in an alert urging users and administrators to review Samba's security alert and either apply the patches or work with their Linux or Unix vendors to patch vulnerable systems.

As with WannaCry, systems running vulnerable versions of Samba that are directly accessible via the Internet are the most at risk. As of Thursday, there are some 627,000 systems running Samba that are accessible via the Internet over port 445, according to the Shodan search engine.

Security vendor Rapid7 estimated that about 104,000 endpoint devices exposed on the Internet are running vulnerable versions of Samba. Of those, close to 93,000, or nearly 90%, appear to be running versions of Samba for which no patch is available.

"Version 3.5 of Samba, released in March of 2010, introduced a flaw in the way Samba interacted with shared libraries," says Josh Feinblum, vice president of information security at Rapid7. "If a malicious actor uploads a shared library to the system using something like a writable share, they can force the server to load and execute the malicious code."

Attackers can use this vulnerability to gain control of any impacted device. If that device happens to run Samba frequently, it will likely have sensitive files, which would then become accessible to the attacker, Feinblum says.

"Additionally, attackers can also use this vulnerability to take control of impacted devices to launch further attacks against an organization, which is why it's critically important that no device with this vulnerability be Internet-facing." Attacking the vulnerability is extremely easy and takes little more than a single line of code, he adds.

There are some mitigating circumstances, however. In order for an attacker to be able to execute code on the server, he or she would first need to be able to upload the file to be executed, says Johannes Ullrich, dean of research at the SANS Institute. That means they need to be authenticated first, he says.

Samba is a Linux implementation of the SMB protocol used by Windows for file sharing. Linux systems in mixed Windows/Linux environments often use Samba. Samba is commonly used in network-connected disk storage devices to allow Windows hosts to access files on these devices, Ullrich says. Many enterprise SMB servers that were not affected by WannaCry could be vulnerable to the Samba flaw, he notes.

"It would be highly unusual to have a Windows share that would allow a user without authentication to upload files. But once that is allowed, exploitation of this flaw is trivial," he noted.

Just as with WannaCry, mitigation requires that port 445 be blocked for both inbound and outbound traffic. Samba's maintainers have also published a workaround that turns off the "pipe support" capability on Samba servers. "But this workaround may break some features," Ullrich says.
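As an added illustration of the patch-or-workaround guidance above (example code written for this page, not from the article or the Samba project), the checker below compares an upstream `smbd --version` string against the security releases named in the article, parses a minimal smb.conf for the advisory workaround (the actual parameter is `nt pipe support = no` in `[global]`), and lists the shares a client could upload a library to. The sample version string and configuration are constructed; branches newer than 4.6 are assumed to carry the fix, and distribution packages that backport the fix without changing the version string will be reported as unpatched, so treat the version result as a prompt to check your vendor's advisory.

```python
import re

# Security releases named in the article; a version from 3.5.0 up that is older than
# its branch's fix, or on an older branch with no fixed release, counts as unpatched.
FIXED = {(4, 4): (4, 4, 14), (4, 5): (4, 5, 10), (4, 6): (4, 6, 4)}
FIRST_AFFECTED = (3, 5, 0)
YES = ("yes", "true", "1")

def parse_version(text):
    """(major, minor, patch) from 'smbd --version' output such as 'Version 4.4.13'."""
    return tuple(int(x) for x in re.search(r"(\d+)\.(\d+)\.(\d+)", text).groups())
def is_unpatched(version):
    """True if an upstream build of this version predates the CVE-2017-7494 fix."""
    if version < FIRST_AFFECTED:
        return False
    fixed = FIXED.get(version[:2])
    if fixed is None:  # 3.5.x-4.3.x: no fixed release listed; newer branches assumed fixed
        return version[:2] < min(FIXED)
    return version < fixed
def parse_smb_conf(text):
    """Minimal smb.conf parser -> {section: {key: value}}, lower-cased, comments dropped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";")[0].split("#")[0].strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, val = line.split("=", 1)
            sections[current][key.strip().lower()] = val.strip().lower()
    return sections
def workaround_applied(conf):
    """The advisory workaround is 'nt pipe support = no' in [global]."""
    return conf.get("global", {}).get("nt pipe support") == "no"
def writable_shares(conf):
    """Shares a client can upload to -> True if guests may write, False if a login is needed."""
    out = {}
    for name, opts in conf.items():
        if name != "global" and (opts.get("writeable", opts.get("writable")) in YES
                                 or opts.get("read only") in ("no", "false", "0")):
            out[name] = opts.get("guest ok") in YES
    return out

# Constructed sample input standing in for 'smbd --version' and /etc/samba/smb.conf.
SAMPLE_VERSION = "Version 4.4.13"
SAMPLE_CONF = """[global]
   nt pipe support = no   ; advisory workaround
[public]
   guest ok = yes
   read only = no
[staff]
   writeable = yes
"""
```

A guest-writable share on an unpatched, Internet-reachable host is the case the article singles out; an authenticated-only share still needs the patch but is exposed only to users who already hold credentials.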

Vulnerabilities in network services such as Samba are particularly scary because of how easy they are to exploit, adds Lane Thames, senior security researcher at Tripwire. From that standpoint, administrators should move quickly to patch affected systems or to implement the recommended workaround of disabling support for pipes.

But this particular Samba vulnerability is unlikely to have the kind of impact that WannaCry did, for a couple of reasons, he says. To exploit the flaw, an attacker would need to be authenticated to the Samba server and know the path of an appropriate file share, or the share would have to be writable without authentication, Thames says.

"For me, the more concerning part of this vulnerability is the widespread use of inexpensive storage solutions such as Network Attached Storage (NAS) devices," he says.

Many of these devices use embedded Linux with Samba. "Unlike enterprise class vendors such as Red Hat, NAS vendors might not necessarily roll out patches for this vulnerability quickly, if at all," he says.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Comments
RyanSepe
User Rank: Ninja
5/30/2017 | 7:45:47 AM
Not Patching for NAS
It's disturbing that NAS vendors may not supply a patch for their embedded systems. What do they recommend in lieu of a patch to mitigate the risk for their environments?