Samba vulnerability allowing remote code execution patched

In a security announcement, Samba, the open-source file- and print-sharing software service for Linux/Unix, detailed a rather dangerous vulnerability (CVE-2017-7494). Affecting versions 3.5 and beyond, CVE-2017-7494 allows an attacker to perform remote code execution that can lead to hijacking of the device. The vulnerability, which is a mind-boggling seven years old, results from how, according to Rapid7’s Josh Feinblum, “Samba interacted with shared libraries… if a malicious actor uploads a shared library to the system using something like a writable share, they can force the server to load and execute the malicious code.”

The code in question is easy to use for both the inexperienced skiddie and the well-trained black hat:

simple.create_pipe("/path/to/target.so")

That is all it takes when attempting to exploit via the open SMB port (sounds a bit like WannaCry, right?), and as of now Rapid7 estimates that there are 104,000 systems on the Internet with this flaw. The danger is obvious, but what will keep this from becoming as catastrophic as WannaCry is that, in order to attack, the user must be authenticated. The authentication requirement reduces the number of potential attackers compared with other SMB vulnerabilities like those involved in WannaCry.

Make no mistake, however, this flaw is dangerous and must be dealt with as soon as possible.

The patch for CVE-2017-7494 is available here, and Samba recommends that admins install it urgently. If for some reason you are unable to install the patch, the security announcement from Samba details a temporary workaround, which is the following:

“Add the parameter:

nt pipe support = no

to the [global] section of your smb.conf and restart smbd. This prevents clients from accessing any named pipe endpoints. Note this can disable some expected functionality for Windows clients.”

As a further mitigation, admins should also block all traffic (inbound and outbound) on port 445. Before this gets out of hand, patch everything as soon as you can.
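To confirm the workaround is actually in place, the following added example (not code from Samba or Rapid7) audits an smb.conf file: it checks that nt pipe support = no is set in [global] and lists the writable shares, the precondition named in the Rapid7 quote. The function names and the sample configuration are constructed for illustration; include directives are not followed.

```python
import re

TRUE, FALSE = {"yes", "true", "1"}, {"no", "false", "0"}  # boolean spellings in smb.conf
WRITE_SYNONYMS = {"writeable", "writable", "writeok"}      # inverted synonyms of "read only"

def _norm(name):
    # smb.conf ignores case and whitespace in section and parameter names
    return re.sub(r"\s+", "", name).lower()

def parse_smb_conf(text):
    """Return {section: {param: value}}; values are lower-cased (only booleans are inspected)."""
    sections, current = {}, None
    text = re.sub(r"\\\r?\n", "", text)          # join backslash-continued lines
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(_norm(line[1:-1]), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current.pop(_norm(key), None)        # re-insert so dict order = assignment order
            current[_norm(key)] = value.strip().lower()
    return sections

def _writable(params, default):
    state = default
    for key, value in params.items():            # the last boolean assignment wins
        if value not in TRUE | FALSE:
            continue
        if key == "readonly":
            state = value in FALSE
        elif key in WRITE_SYNONYMS:
            state = value in TRUE
    return state

def audit(text):
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    share_default = _writable(glob, False)       # Samba default: read only = yes
    return {
        # the workaround only counts when set in [global]; Samba's default is yes
        "pipes_disabled": glob.get("ntpipesupport", "yes") in FALSE,
        "writable_shares": sorted(n for n, p in conf.items()
                                  if n != "global" and _writable(p, share_default)),
    }

# Constructed sample configuration, not taken from a real host
SAMPLE = ("[global]\n  workgroup = EXAMPLE\n  NT Pipe Support = No\n"
          "[public]\n  path = /srv/public\n  writable = yes\n"
          "[docs]\n  path = /srv/docs\n  read only = yes\n"
          "[Scratch]\n  path = /srv/scratch\n  Write OK = true\n")
```

Calling audit() on the text of the live smb.conf returns whether the pipe workaround is active and which shares accept writes; a host that is unpatched, has pipes enabled and exposes writable shares is the one to fix first.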
