Dark Reading is part of the Informa Tech Division of Informa PLC


Attacks/Breaches

5/25/2017 04:28 PM
New Samba Bug Dangerous But No WannaCry

The administrators of the open-source Samba software have fixed a newly discovered vulnerability that lets attackers upload malicious files to vulnerable systems and servers.

The recent WannaCry attack that impacted hundreds of thousands of Windows systems worldwide was a powerful reminder of the need for organizations to properly secure their file-sharing services against access from the Internet. Now there is even more incentive to do so.

Multiple versions of Samba, the open-source file- and print-sharing utility for Linux and Unix systems, have a critical remote code execution vulnerability (CVE-2017-7494) that gives attackers a way to upload malicious files to vulnerable systems and take control of them.

Attackers who gain access to a vulnerable system can upload a shared library to a writable share and cause the server to load and execute it, the maintainers of Samba warned in an alert Wednesday. All versions of Samba from 3.5.0, released back in March 2010, onward are vulnerable.

Patches are available for all supported versions of Samba as well as for older versions. In addition, the Samba organization has issued Samba 4.6.4, 4.5.10, and 4.4.14 as security releases to correct the vulnerability.

"Samba vendors and administrators running affected versions are advised to upgrade or apply the patch as soon as possible," the alert noted.

The US-CERT echoed similar urgency in an alert that urged users and administrators to review Samba's security alert and either apply the patches or work with their Linux or Unix vendors to patch vulnerable systems.

As with WannaCry, systems running vulnerable versions of Samba that are directly accessible via the Internet are the most at risk. As of Thursday, some 627,000 systems running Samba were accessible via the Internet over port 445, according to the Shodan search engine.

Security vendor Rapid7 estimated that about 104,000 Internet-exposed endpoint devices are running vulnerable versions of Samba. Of those, close to 93,000, or nearly 90%, appear to be running versions of Samba for which no patch is available.

"Version 3.5 of Samba, released in March of 2010, introduced a flaw in the way Samba interacted with shared libraries," says Josh Feinblum, vice president of information security at Rapid7. "If a malicious actor uploads a shared library to the system using something like a writable share, they can force the server to load and execute the malicious code."

Attackers can use this vulnerability to gain control of any impacted device. If that device happens to run Samba frequently, it will likely have sensitive files, which would then become accessible to the attacker, Feinblum says.

"Additionally, attackers can also use this vulnerability to take control of impacted devices to launch further attacks against an organization, which is why it's critically important that no device with this vulnerability be Internet-facing." Attacking the vulnerability is extremely easy and takes little more than a single line of code, he adds.

There are some mitigating circumstances, however. In order for an attacker to be able to execute code on the server, he or she would first need to be able to upload the file to be executed, says Johannes Ullrich, dean of research at the SANS Institute. That means they need to be authenticated first, he says.

Samba is a Linux implementation of the SMB protocol used by Windows for file sharing. Linux systems in mixed Windows/Linux environments often use Samba. Samba is commonly used in network-connected disk storage devices to allow Windows hosts to access files on these devices, Ullrich says. Many enterprise SMB servers that were not affected by WannaCry could be vulnerable to the Samba flaw, he notes.

"It would be highly unusual to have a Windows share that would allow a user without authentication to upload files. But once that is allowed, exploitation of this flaw is trivial," he noted.

Just as with WannaCry, mitigation requires that port 445 be blocked for both inbound and outbound traffic. Samba's maintainers have also published a workaround that turns off the "pipe support" capability on Samba servers. "But this workaround may break some features," Ullrich says.

Vulnerabilities in network services such as Samba are particularly scary because of how easy they are to exploit, adds Lane Thames, senior security researcher at Tripwire. From that standpoint, administrators should move quickly to patch affected systems or to implement the recommended workaround of disabling support for pipes.

But this particular Samba vulnerability is unlikely to have the kind of impact that WannaCry did for a couple of reasons, he says. An attacker would need to be authenticated to the Samba server and know the path of an appropriate file share in order to exploit the flaw. Or the network share must be available to be written to without authentication, Thames says.
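The conditions described above (a vulnerable release, a writable share, and whether it is reachable without authentication) are what an administrator needs to check first. The following is an added example, not code from the article or the Samba project: it classifies a Samba version string against the fixed releases named earlier (assuming that releases from 4.7 onward carry the fix, and noting that a vendor backport cannot be seen from the version string alone) and reads an smb.conf to report writable shares, guest-accessible ones in particular, plus whether the `nt pipe support` workaround is in place. The option names and defaults (`read only`, `writable`, `guest ok`, `nt pipe support`) are Samba's own; the sample configuration is constructed.

```python
import re
# Fixed releases from the Samba advisory; a version string cannot show vendor backports.
FIXED_RELEASES = {(4, 6): (4, 6, 4), (4, 5): (4, 5, 10), (4, 4): (4, 4, 14)}

def version_status(text):
    """Classify a Samba version string as not_affected, fixed or vulnerable."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)  # distro suffix ignored
    if not m:
        raise ValueError("unrecognised Samba version: %r" % text)
    v = tuple(int(x) for x in m.groups())
    if v < (3, 5, 0):  # flaw introduced in 3.5.0
        return "not_affected"
    fixed_in = FIXED_RELEASES.get(v[:2], (4, 7, 0))  # assumes 4.7+ carry the fix
    return "fixed" if v >= fixed_in else "vulnerable"

def audit_smb_conf(text):
    """Return (nt_pipe_support_disabled, [(writable share, guest_ok), ...])."""
    yes = lambda v: v.strip().lower() in ("yes", "true", "1")
    conf, section = {}, None  # minimal smb.conf reader: {section: {key: value}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf[section] = {}
        elif "=" in line and section is not None:
            key, val = line.split("=", 1)
            conf[section][" ".join(key.split()).lower()] = val.strip()
    # Samba defaults: nt pipe support = yes, read only = yes, guest ok = no.
    pipes_off = not yes(conf.get("global", {}).get("nt pipe support", "yes"))
    exposed = []
    for name, opts in conf.items():
        if name == "global":
            continue
        writable = opts.get("writable", opts.get("writeable"))  # inverse of 'read only'
        if writable is None:
            writable = "no" if yes(opts.get("read only", "yes")) else "yes"
        if yes(writable):
            exposed.append((name, yes(opts.get("guest ok", "no"))))
    return pipes_off, exposed

SAMPLE_SMB_CONF = """[global]
[homes]
   read only = no
[public]
   path = /srv/public
   guest ok = yes
   writable = yes
"""  # constructed sample (not from a real host): [public] is guest-writable
```

A "vulnerable" result from the version check means "confirm with the vendor or apply the patch", since distributions often backport fixes without changing the upstream version number.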

"For me, the more concerning part of this vulnerability is the widespread use of inexpensive storage solutions such as Network Attached Storage (NAS) devices," he says.

Many of these devices use embedded Linux with Samba. "Unlike enterprise-class vendors such as Red Hat, NAS vendors might not necessarily roll out patches for this vulnerability quickly, if at all," he says.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Comments
RyanSepe, User Rank: Ninja, 5/30/2017 | 7:45:47 AM
Not Patching for NAS
It's disturbing that NAS vendors may not supply a patch for their embedded systems. What do they recommend in lieu of a patch to mitigate the risk for their environments?