The recent WannaCry attack that impacted hundreds of thousands of Windows systems worldwide was a powerful reminder of the need for organizations to properly secure their file-sharing services against access from the Internet. Now there is even more incentive to do so.
Multiple versions of Samba, the open source file- and print-sharing utility for Linux and Unix systems, have a critical remote code execution vulnerability (CVE-2017-7494) that gives attackers a way to upload malicious files to vulnerable systems and take control of them.
Attackers who gain access to a vulnerable system can upload a shared library to a writable share and get the server to load and execute it, the maintainers of Samba warned in an alert Wednesday. All versions of Samba from 3.5.0, released back in March 2010, are vulnerable.
Patches are available for all supported versions of Samba as well as for older versions. In addition, the Samba organization has issued Samba 4.6.4, 4.5.10, and 4.4.14 as security releases to correct the vulnerability.
"Samba vendors and administrators running affected versions are advised to upgrade or apply the patch as soon as possible," the alert noted.
The US-CERT echoed similar urgency in an alert that urged users and administrators to review Samba's security alert and either apply the patches or work with their Linux or Unix vendors to patch vulnerable systems.
As with WannaCry, systems running vulnerable versions of Samba that are directly accessible via the Internet are the most at risk. As of Thursday, there are some 627,000 systems running Samba that are accessible via the Internet over port 445, according to the Shodan search engine.
Security vendor Rapid7 estimated that about 104,000 endpoint devices are exposed on the Internet running vulnerable versions of Samba. Of those, close to 93,000, or nearly 90%, appear to be running versions of Samba for which no patch is available.
"Version 3.5 of Samba, released in March of 2010, introduced a flaw in the way Samba interacted with shared libraries," says Josh Feinblum, vice president of information security at Rapid7. "If a malicious actor uploads a shared library to the system using something like a writable share, they can force the server to load and execute the malicious code."
Attackers can use this vulnerability to gain control of any impacted device. If that device happens to run Samba frequently, it will likely have sensitive files, which would then become accessible to the attacker, Feinblum says.
"Additionally, attackers can also use this vulnerability to take control of impacted devices to launch further attacks against an organization, which is why it's critically important that no device with this vulnerability be Internet-facing." Attacking the vulnerability is extremely easy and takes little more than a single line of code, he adds.
There are some mitigating circumstances, however. In order for an attacker to be able to execute code on the server, he or she would first need to be able to upload the file to be executed, says Johannes Ullrich, dean of research at the SANS Institute. That means they need to be authenticated first, he says.
Samba is a Linux implementation of the SMB protocol used by Windows for file sharing. Linux systems in mixed Windows/Linux environments often use Samba. Samba is commonly used in network-connected disk storage devices to allow Windows hosts to access files on these devices, Ullrich says. Many enterprise SMB servers that were not affected by WannaCry could be vulnerable to the Samba flaw, he notes.
"It would be highly unusual to have a Windows share that would allow a user without authentication to upload files. But once that is allowed, exploitation of this flaw is trivial," he noted.
Just as with WannaCry, mitigation requires that port 445 be blocked to both inbound and outbound traffic. Samba administrators have also published a workaround to turn off a "pipe support" capability on Samba servers. "But this workaround may break some features," Ullrich says.
Vulnerabilities in network services such as Samba are particularly scary because of how easy they are to exploit, adds Lane Thames, senior security researcher at Tripwire. From that standpoint, administrators should move quickly to patch affected systems or to implement the recommended workaround of disabling support for pipes.
But this particular Samba vulnerability is unlikely to have the kind of impact that WannaCry did for a couple of reasons, he says. An attacker would need to be authenticated to the Samba server and know the path of an appropriate file share in order to exploit the flaw. Alternatively, the network share must be writable without authentication, Thames says.
"For me, the more concerning part of this vulnerability is the widespread use of inexpensive storage solutions such as Network Attached Storage (NAS) devices," he says.
Many of these devices use embedded Linux with Samba. "Unlike enterprise class vendors such as Red Hat, NAS vendors might not necessarily roll out patches for this vulnerability quickly, if at all," he says.
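The three conditions discussed above (release level, the pipe-support workaround, and whether any share is writable, with or without guest access) can be checked from a host's Samba version string and its smb.conf. The following is an added example, not code from Samba or from the article; the `nt pipe support` parameter name comes from smb.conf rather than this page, and the sample configuration is constructed.

```python
import configparser
import re

# Security releases named in the article, keyed by release branch.
FIXED = {(4, 6): (4, 6, 4), (4, 5): (4, 5, 10), (4, 4): (4, 4, 14)}
YES, NO = {"yes", "true", "1"}, {"no", "false", "0"}

def version_affected(version):
    """True if version is 3.5.0+ and below its branch's security release. Assumption:
    vendor backports keep the version string, so older branches count as affected."""
    v = tuple(map(int, re.match(r"(\d+)\.(\d+)\.(\d+)", version).groups()))
    if v < (3, 5, 0) or v[:2] > (4, 6):  # assumption: later branches carry the fix
        return False
    fixed = FIXED.get(v[:2])
    return fixed is None or v < fixed

def _yes(sec, *keys):
    return any(sec.get(k, "no").lower() in YES for k in keys)

def audit_smb_conf(text):
    """Return (workaround_on, [(share, guest_ok), ...]) listing writable shares."""
    cp = configparser.ConfigParser(delimiters=("=",), comment_prefixes=("#", ";"),
                                   strict=False, interpolation=None)
    # Indentation in smb.conf is cosmetic; strip it so it is not read as continuation.
    cp.read_string("\n".join(line.strip() for line in text.splitlines()))
    workaround_on, writable = False, []
    for name in cp.sections():
        sec = cp[name]
        if name.lower() == "global":
            workaround_on = sec.get("nt pipe support", "yes").lower() in NO
        elif (sec.get("read only", "yes").lower() in NO
              or _yes(sec, "writable", "writeable", "write ok")):
            writable.append((name, _yes(sec, "guest ok", "public")))
    return workaround_on, writable

# Constructed sample configuration, not taken from any real host.
SAMPLE = """
[global]
; nt pipe support = no
[public]
read only = no
guest ok = yes
[docs]
writable = yes
[archive]
"""

if __name__ == "__main__":
    print(version_affected("4.5.9"), audit_smb_conf(SAMPLE))
```

A host that reports an affected version, has the workaround off, and exposes a guest-writable share is the case the researchers quoted above describe as trivially exploitable, so it should be patched or taken off the Internet first.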