Could this vulnerability lead to the next WannaCry?


A serious vulnerability in Samba could leave unpatched machines open to an attack similar to WannaCry.

The vulnerability has been assigned CVE-2017-7494 and is described as remote code execution from a writable share, which could allow

“malicious clients to upload and cause the smbd server to execute a shared library from a writable share.”

The flaw is very easy to exploit; a single line of code is all that’s needed:

https://twitter.com/hdmoore/status/867446072670646277

However, some prerequisites are needed:

  • File-and-printer-sharing port 445 must be accessible
  • At least one share with write privileges must exist.
  • The attacker needs to know (or guess) the server path of the share.

Could it be the next WannaCry?

The bug appears to be easily wormable: an exploit could self-replicate from vulnerable machine to vulnerable machine quickly, without requiring end users to do anything to trigger the spread.

The security firm Rapid7 said they detected 110,000 devices exposed on the Internet that appeared to run vulnerable versions of Samba, and most of them appeared to run unsupported versions of Samba for which no patch was available:

In a Project Sonar scan run today, Rapid7 Labs discovered more than 104,000 internet-exposed endpoints that appear to be running vulnerable versions of Samba on port 445. Of those, almost 90% (92,570) are running versions for which there is currently no direct patch available. In other words, “We’re way beyond the boundary of the Pride Lands.”


Patching and mitigations

The security advisory published by Samba informed users that a patch was available at the following URL:

https://www.samba.org/samba/history/security.html

Obviously, system administrators should patch their versions as soon as possible. If that is not possible for any reason, there is a simple workaround: add this line

nt pipe support = no

to the Samba configuration file and restarting the SMB daemon.

This mitigation will limit some kinds of clients from accessing the server.

“Additionally, Samba 4.6.4, 4.5.10 and 4.4.14 have been issued as security releases to correct the defect. Patches against older Samba versions are available at http://samba.org/samba/patches/. Samba vendors and administrators running affected versions are advised to upgrade or apply the patch as soon as possible.”
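To check a server against the conditions described above, the following added example (not code from Samba or from the original post) parses an smb.conf, reports writable shares and whether the workaround is set, and compares an upstream version string with the security releases quoted above. The function names and the sample configuration are constructed for illustration; the 3.5.0 lower bound of the affected range comes from the Samba advisory, not from this page.

```python
import re

FIXED = {(4, 6): 4, (4, 5): 10, (4, 4): 14}   # security releases named on this page
TRUE, FALSE = {"yes", "true", "1", "on"}, {"no", "false", "0", "off"}

def parse_smb_conf(text):
    """Return {section: {param: value}}; names are case- and whitespace-insensitive."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in "#;":
            continue                                  # blank line or comment
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = (part.strip().lower() for part in line.split("=", 1))
            key = re.sub(r"\s+", "", key)
            if key in {"writable", "writeable", "writeok"}:  # inverted "read only"
                key, value = "readonly", "no" if value in TRUE else "yes"
            current[key] = value
    return sections

def is_patched(version):
    """True if an upstream version string is unaffected or a fixed release."""
    major, minor, patch = map(int, re.match(r"(\d+)\.(\d+)\.(\d+)", version).groups())
    if (major, minor) in FIXED:
        return patch >= FIXED[(major, minor)]
    # Unaffected before 3.5.0 (Samba advisory, not this page); fixed after 4.6.
    return not (3, 5) <= (major, minor) <= (4, 6)

def audit(conf_text, version):
    """Check the page's conditions; reachability of port 445 is not tested here."""
    sections = parse_smb_conf(conf_text)
    glob = sections.get("global", {})
    shares = [name for name, params in sections.items() if name != "global"
              and {**glob, **params}.get("readonly", "yes") in FALSE]
    patched = is_patched(version)
    workaround = glob.get("ntpipesupport") in FALSE
    return {"patched": patched, "workaround": workaround, "writable_shares": shares,
            "at_risk": bool(shares) and not patched and not workaround}

# Constructed sample configuration: the workaround line is commented out.
SAMPLE_CONF = """[global]
   ; nt pipe support = no
[public]
   Writeable = Yes
[docs]
   read only = yes
"""
```

Feed it the output of testparm -s rather than the raw file so that includes are resolved. Distribution packages often backport the fix without changing the upstream version number, so confirm an "unpatched" result against the vendor's advisory.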

