X
Tech

It's not just Windows anymore: Samba has a major SMB bug

First, it was Microsoft's turn to deal with a terrible SMB security hole, WannaCry. Now, it's the open-source SMB server Samba's turn.
Written by Steven Vaughan-Nichols, Senior Contributing Editor

The other week, Microsoft got its security teeth kicked in when an old SMB security hole was exploited by the WannaCry ransomware attack. This week, it's the turn of Samba, the popular open-source SMB server.

Like the WannaCry security hole, the good news is the Samba file-sharing bug has already been fixed. The bad news is you may be using Samba without knowing it. In this case, there may be no way for you to patch it.

Where? How? If you have a network-attached storage (NAS) device holding your accounts payable, document archives, or just your kid's high-school graduation photos, chances are you're running Samba, the open-source file and print server. It's commonly used in these devices, and the vendors that make them are not known for patching their systems quickly, or sometimes, at all.

Worse still, the hole, CVE-2017-7494, is seven-years old. The bug dates back to Samba 3.5.0, which was released on March 10, 2010. All versions since then -- I repeat, all versions -- including the latest, 4.6.4, are vulnerable to this remote code execution vulnerability.

The bad news doesn't stop there. While Samba 4.6.4, 4.5.10, and 4.4.14 have been issued as security releases to correct the defect, you'll need to manually patch older Samba versions.

This hole enables an attacker to upload a shared library to a writable drive share. Once in, a hacker can make the server load and execute a malicious payload as the root user. What kind of payload? Pretty much anything goes.

Exploiting the server appears to be trivial. HD Moore, VP Research & Development at security company Atredis Partners, claims "metasploit one-liner to trigger is just:

simple.create_pipe("/path/to/target.so")

This remote code execution flaw is tailor-made to be used by script-kiddies. There's no need for any mastermind hackers to exploit it. In a day or two, at most, anyone will be able to use it.

The security company Rapid7 reports, "the internet is not on fire yet, but there's a lot of potential for it to get pretty nasty. If there is a vulnerable version of Samba running on a device, and a malicious actor has access to upload files to that machine, exploitation is trivial."

How bad is it really? In a Project Sonar, Rapid7 Labs reports finding more than 104,000 internet-exposed endpoints that appear to be running vulnerable versions of Samba on port 445. "Of those, almost 90 percent (92,570) are running versions for which there is currently no direct patch available."

If you're running Samba on a Linux or Unix server, you need to patch it now. If you're running a version of Samba that isn't patched yet, upgrade it to a newer, patched edition as soon as possible. If for some reason you can't do that either, you must edit your smb.conf file. This is the Samba server's master configuration file.

To do that, add the parameter:

nt pipe support = no

to the [global] section of your smb.conf and restart smbd, the Samba daemon. This prevents clients from accessing any named pipe endpoints and thus making use of the hole. Unfortunately, resetting this parameter may also impact how Windows clients access files and directories on a Samba-based shared drive.

How exactly? Good question. We don't know yet. Isn't that fun?

Let's say though that you can't patch it. Yes, the major Linux distributors have already made it easy to fix your servers. The NAS vendors ... not so much.

So what can you do? Here's how to protect yourself whether you're in charge of your enterprise's server farm or you just have a NAS with your Loony Tunes cartoon collection.

First, make sure none of your Samba shares are public. By enabling anyone on your network to write to it, you're also enabling them to plant malware.

Next, if you've let people visit your Samba-storage over the internet by keeping port 445 open, stop it. Now. Block the port with your firewall. This port should never be open to the world.

For now, no one seems to be attacking this hole. I don't believe for one minute this period of grace is going to last for long. It's too easy to attack and the potential for damage is too high. Patch it, fix it, block access to the unwashed masses to it, do what you can to protect your Samba server today, or you'll regret it tomorrow.

Related Stories:

Editorial standards