As organizations recover from and patch against the recent WannaCry ransomware outbreak, which exploited the Microsoft Windows Server Message Block (SMB) protocol, a new vulnerability has been disclosed that is potentially just as devastating and affects UNIX systems.
Samba, the standard file sharing service on UNIX systems, was found to have a critical remote code execution vulnerability that allows an attacker to upload malicious content to a writable share and then cause the server to load and execute it. This can lead to complete takeover of the server, its data, and connected systems. To make matters worse, many Samba servers rely on Active Directory integration to handle users and group memberships, which can make lateral movement to other systems trivial.
Exploits have been identified in the wild; exploitation is deemed trivial.
Are you affected by this?
The vulnerability is present in all versions of Samba released since 2010 (3.5.0 and up).
- Is Samba running on any internal systems?
- Are there UNIX systems on the network?
- Do your vendor products run Samba under the hood? Note: This is common.
- Do you have any Network Attached Storage (NAS), Internet of Things (IoT) devices that offer file sharing?
Organizations should consult their asset management records to identify potentially vulnerable systems and conduct internal vulnerability scans to aid in identification. Consult your vendors to ensure their products are patched or otherwise not affected by this vulnerability.
Samba has released 4.6.4, 4.5.10 and 4.4.14 to correct the defect, and has published patches for many older versions at http://www.samba.org/samba/security/.
Conduct internal scans to identify and weed out hosts that might be running vulnerable versions of Samba.
Restricting which internal assets can communicate with SMB services, using access control lists, is another way to reduce the impact of this vulnerability.
As an interim mitigation, add the following parameter to the [global] section of the smb.conf file on affected systems and restart smbd:
nt pipe support = no
This prevents clients from accessing any named pipe endpoints. Note: this can disable some expected functionality for Windows clients.
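As an added example (not from the advisory or the Samba project), a small Python audit helper that classifies a Samba version string taken from `smbd --version` against the fixed releases listed above and checks an smb.conf for the named-pipe mitigation and for shares that accept uploads. It assumes upstream version numbering and a constructed sample smb.conf; a vendor build that backports the fix keeps the old version number, so a "vulnerable" result means "confirm with the vendor", and branches newer than 4.6 are assumed to have shipped after the fix.

```python
import re

FIRST_AFFECTED = (3, 5, 0)  # advisory: every release since 3.5.0
FIXED = {(4, 4): (4, 4, 14), (4, 5): (4, 5, 10), (4, 6): (4, 6, 4)}  # first fixed release per branch

def parse_version(text):
    """(major, minor, patch) from `smbd --version` output such as 'Version 4.4.9-Ubuntu'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no Samba version in %r" % text)
    return tuple(int(x) for x in m.groups())

def version_status(text):
    """not-affected / patched / vulnerable / unpatched-branch (no fixed release on that branch; needs a backport)."""
    v = parse_version(text)
    if v < FIRST_AFFECTED:
        return "not-affected"
    if v[:2] > max(FIXED):  # assumption: branches newer than 4.6 were released after the fix
        return "patched"
    fixed = FIXED.get(v[:2])
    return "unpatched-branch" if fixed is None else ("patched" if v >= fixed else "vulnerable")

def parse_smb_conf(text):
    """Minimal smb.conf reader: {section: {key: value}}, lowercased, '#'/';' comment lines skipped."""
    conf, section = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf[section] = {}
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][" ".join(key.split()).lower()] = value.strip().lower()
    return conf

def writable_shares(conf):
    """Shares a client could upload to: writable/writeable = yes, read only = no, or a write list."""
    return sorted(name for name, o in conf.items() if name != "global" and (
        o.get("writable") == "yes" or o.get("writeable") == "yes"
        or o.get("read only") == "no" or o.get("write list")))

def nt_pipes_disabled(conf):
    """True when the mitigation from the advisory is active in [global]."""
    return conf.get("global", {}).get("nt pipe support") == "no"

# Constructed sample smb.conf: the mitigation is commented out and [public] accepts uploads.
SAMPLE_CONF = "[global]\n  workgroup = CORP\n  ; nt pipe support = no\n" \
              "[public]\n  path = /srv/public\n  read only = no\n[archive]\n  read only = yes\n"
```

Run it against the real `smbd --version` output and /etc/samba/smb.conf of each host found in the scans; a host that is not "patched", still has writable shares, and has the mitigation absent is the one to prioritize.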
More Info and Help
More information is available at https://www.samba.org/samba/security/CVE-2017-7494.html. Contact Wipfli’s cybersecurity consultants if you need assistance with identification and mitigation techniques for this vulnerability.