Dark Reading is part of the Informa Tech Division of Informa PLC
Attacks/Breaches

5/25/2017
04:28 PM
New Samba Bug Dangerous But No WannaCry

The administrators of the open-source Samba software have fixed a newly discovered vulnerability that lets attackers upload malicious files to vulnerable systems and servers.

The recent WannaCry attack that impacted hundreds of thousands of Windows systems worldwide was a powerful reminder of the need for organizations to properly secure their file-sharing services against access from the Internet. Now there is even more incentive to do so.

Multiple versions of Samba, the open source file- and print-sharing utility for Linux and Unix systems, have a critical remote code execution vulnerability (CVE-2017-7494) that gives attackers a way to upload malicious files to vulnerable systems and take control of them.

Attackers who gain access to a vulnerable system can upload a shared library to a writable share and cause the server to load and execute it, the maintainers of Samba warned in an alert Wednesday. All versions of Samba from 3.5.0, released back in March 2010, onward are vulnerable.

Patches are available for all supported versions of Samba as well as for older versions. In addition, the Samba organization has issued Samba 4.6.4, 4.5.10, and 4.4.14 as security releases to correct the vulnerability.

"Samba vendors and administrators running affected versions are advised to upgrade or apply the patch as soon as possible," the alert noted.

The US-CERT echoed similar urgency in an alert that urged users and administrators to review Samba's security alert and either apply the patches or work with their Linux or Unix vendors to patch vulnerable systems.

As with WannaCry, systems running vulnerable versions of Samba that are directly accessible via the Internet are the most at risk. As of Thursday, there are some 627,000 systems running Samba that are accessible via the Internet over Port 445, according to the Shodan search engine.

Security vendor Rapid7 estimated that about 104,000 endpoint devices exposed on the Internet are running vulnerable versions of Samba. Of those, close to 93,000, or nearly 90%, appear to be running versions of Samba for which no patch is available.

"Version 3.5 of Samba, released in March of 2010, introduced a flaw in the way Samba interacted with shared libraries," says Josh Feinblum, vice president of information security at Rapid7. "If a malicious actor uploads a shared library to the system using something like a writable share, they can force the server to load and execute the malicious code."

Attackers can use this vulnerability to gain control of any impacted device. If that device happens to run Samba frequently, it will likely have sensitive files, which would then become accessible to the attacker, Feinblum says.

"Additionally, attackers can also use this vulnerability to take control of impacted devices to launch further attacks against an organization, which is why it's critically important that no device with this vulnerability be Internet-facing." Attacking the vulnerability is extremely easy and takes little more than a single line of code, he adds.

There are some mitigating circumstances, however. In order for an attacker to be able to execute code on the server, he or she would first need to be able to upload the file to be executed, says Johannes Ullrich, dean of research at the SANS Institute. That means they need to be authenticated first, he says.

Samba is a Linux implementation of the SMB protocol used by Windows for file sharing. Linux systems in mixed Windows/Linux environments often use Samba. Samba is commonly used in network-connected disk storage devices to allow Windows hosts to access files on these devices, Ullrich says. Many enterprise SMB servers that were not affected by WannaCry could be vulnerable to the Samba flaw, he notes.

"It would be highly unusual to have a Windows share that would allow a user without authentication to upload files. But once that is allowed, exploitation of this flaw is trivial," he noted.

Just as with WannaCry, mitigation requires that port 445 be blocked to both inbound and outbound traffic. Samba administrators have also published a workaround to turn off a "pipe support" capability on Samba servers. "But this workaround may break some features," Ullrich says.

Vulnerabilities in network services such as Samba are particularly scary because of how easy they are to exploit, adds Lane Thames, senior security researcher at Tripwire. From that standpoint, administrators should move quickly to patch affected systems or to implement the recommended workaround of disabling support for pipes.

But this particular Samba vulnerability is unlikely to have the kind of impact that WannaCry did for a couple of reasons, he says. An attacker would need to be authenticated to the Samba server and know the path of an appropriate file share in order to exploit the flaw. Or the network share must be available to be written to without authentication, Thames says.
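As an added example (not code from the article, Samba, Rapid7, SANS or Tripwire), here is a small POSIX shell audit that turns the defensive points above into checks an administrator can run against a host: it classifies a Samba version string against the security releases the article names (4.6.4, 4.5.10 and 4.4.14), parses an smb.conf for shares that accept uploads and whether they allow guest access (the unauthenticated case Ullrich and Thames describe), and reports whether the advisory workaround is in place. The "pipe support" workaround the article refers to is the `nt pipe support = no` parameter in the `[global]` section of smb.conf, followed by a restart of smbd. Assumptions: version strings look like `major.minor.patch` and come from an upstream-style build; distributions such as Red Hat backport fixes without changing the version number, so a "vulnerable" verdict here means "check the vendor errata", not a confirmed exposure. The smb.conf it audits is a constructed sample written to a temporary file.

```shell
#!/bin/sh
# Added audit example (not Samba project code). Assumes upstream-style
# major.minor.patch version strings; distro backports keep old version
# numbers, so treat "vulnerable" as "check vendor errata".

# Classify a Samba version against the security releases named in the
# article: 4.6.4, 4.5.10 and 4.4.14. 3.5.0 .. 4.3.x are affected but out of
# upstream support, so they are flagged for a vendor-patch check.
samba_version_status() {
  maj=${1%%.*}; rest=${1#*.}; min=${rest%%.*}
  case "$rest" in *.*) pat=${rest#*.} ;; *) pat=0 ;; esac
  pat=${pat%%[!0-9]*}; pat=${pat:-0}        # "10-debian" -> 10, "" -> 0
  if [ "$maj" -lt 3 ] || { [ "$maj" -eq 3 ] && [ "$min" -lt 5 ]; }; then
    echo "not-affected"                     # predates 3.5.0
  elif [ "$maj" -gt 4 ] || { [ "$maj" -eq 4 ] && [ "$min" -gt 6 ]; }; then
    echo "fixed"                            # newer than the security releases
  elif [ "$maj" -eq 4 ] && [ "$min" -eq 6 ]; then
    if [ "$pat" -ge 4 ]; then echo "fixed"; else echo "vulnerable"; fi
  elif [ "$maj" -eq 4 ] && [ "$min" -eq 5 ]; then
    if [ "$pat" -ge 10 ]; then echo "fixed"; else echo "vulnerable"; fi
  elif [ "$maj" -eq 4 ] && [ "$min" -eq 4 ]; then
    if [ "$pat" -ge 14 ]; then echo "fixed"; else echo "vulnerable"; fi
  else
    echo "vulnerable-unsupported"           # 3.5.0 .. 4.3.x
  fi
}

# Parse an smb.conf and print one "writable <share> guest=<yes|no>" line per
# share that accepts uploads, then "nt_pipe_support=<yes|no>" for [global]
# ("yes" is Samba's default; "no" is the advisory workaround).
smbconf_audit() {
  awk '
    function yn(v) { return (v == "yes" || v == "true" || v == "1") ? "yes" : "no" }
    function flush() {
      if (sec != "" && sec != "global" && wr == "yes") print "writable " sec " guest=" guest
    }
    /^[ \t]*[;#]/ { next }                                  # comment line
    /^[ \t]*\[/ {                                           # section header
      flush()
      sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/].*/, "", sec); sec = tolower(sec)
      wr = "no"; guest = "no"; next                         # default: read only = yes
    }
    index($0, "=") > 0 {
      key = $0; sub(/[=].*/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", key); key = tolower(key)
      val = $0; sub(/^[^=]*[=]/, "", val); gsub(/^[ \t]+|[ \t]+$/, "", val); val = tolower(val)
      if (sec == "global" && key == "nt pipe support") pipe = yn(val)
      if (key == "writable" || key == "writeable") wr = yn(val)
      if (key == "read only") wr = (yn(val) == "no") ? "yes" : "no"
      if (key == "guest ok" || key == "public") guest = yn(val)
    }
    END { flush(); print "nt_pipe_support=" (pipe == "" ? "yes" : pipe) }
  ' "$1"
}

# Constructed sample smb.conf (not from any real system); prints its path.
write_sample_smbconf() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
[global]
   workgroup = WORKGROUP
   ; nt pipe support = no      <- the advisory workaround, not enabled here

[public]
   path = /srv/samba/public
   guest ok = yes
   writable = yes

[projects]
   path = /srv/samba/projects
   valid users = @staff
   read only = no

[docs]
   path = /srv/samba/docs
   read only = yes
EOF
  echo "$f"
}

# Demo: audit the sample as if the host ran 4.5.9, one release below 4.5.10.
sample=$(write_sample_smbconf)
echo "samba 4.5.9: $(samba_version_status 4.5.9)"
smbconf_audit "$sample"
echo "guest=yes shares accept uploads without authentication; also filter TCP 445 at the perimeter"
rm -f "$sample"
```

Run it against a real host by replacing the sample path with /etc/samba/smb.conf and the version string with the output of `smbd -V`; a `writable ... guest=yes` line is the configuration that turns this flaw into an unauthenticated one, and `nt_pipe_support=yes` on a build that reports vulnerable means neither the patch nor the workaround is in place.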

"For me, the more concerning part of this vulnerability is the widespread use of inexpensive storage solutions such as Network Attached Storage (NAS) devices," he says.

Many of these devices use embedded Linux with Samba. "Unlike enterprise class vendors such as Red Hat, NAS vendors might not necessarily roll out patches for this vulnerability quickly, if at all," he says.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
Comments
RyanSepe, User Rank: Ninja, 5/30/2017 | 7:45:47 AM
Not Patching for NAS
It's disturbing that NAS vendors may not supply a patch for their embedded systems. What do they recommend in lieu of a patch to mitigate the risk for their environments?