
Critical Vulnerability in Common File Sharing Service (Samba) CVE-2017-7494

May 31, 2017

As organizations recover from and patch against the recent WannaCry ransomware outbreak, which affected the Microsoft Windows Server Message Block (SMB) protocol, a new vulnerability has been disclosed that is potentially just as devastating, this time affecting UNIX.

Samba, a standard file sharing service on UNIX systems, was identified to have a critical remote code execution vulnerability that allows an attacker to upload malicious content to a writable share and then cause the server to load and execute that content. This can lead to complete takeover of the server, its data, and connected systems. To make matters worse, many Samba servers rely on Active Directory integration to handle users and group memberships, which can make lateral movement to other systems trivial.

Exploits have been identified in the wild; exploitation is deemed trivial.

Are you affected by this?

The vulnerability has been identified in all versions of Samba since 2010 (3.5.0 and up).

  • Is Samba running on any internal systems?
  • Are there UNIX systems on the network?
  • Do your vendor products run Samba under the hood? Note: This is common.
  • Do you have any Network Attached Storage (NAS) or Internet of Things (IoT) devices that offer file sharing?

Organizations should consult their asset management to identify potentially vulnerable systems and conduct internal vulnerability scans to aid in identification. Consult with your vendors to ensure their products are patched and not affected by this vulnerability.

Remediation

Patch
Samba released versions 4.6.4, 4.5.10 and 4.4.14 to correct the defect. Patches for many versions are also available at http://www.samba.org/samba/security/.

Scan
Conduct internal scans to identify and weed out hosts that might be running vulnerable versions of Samba.

Firewall
Restricting which internal assets can communicate with SMB services using access control lists is another way to reduce the impact of this vulnerability.

Workaround

Add the following parameter to the [global] section of the smb.conf file on affected systems, then restart smbd:

         nt pipe support = no

This prevents clients from accessing any named pipe endpoints. Note: This can disable some expected functionality for Windows clients.
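
A triage helper for the identification and workaround steps above, as an added example that is not part of the original advisory: it classifies an upstream Samba version against the releases named on this page and checks whether the workaround is set in [global]. The function names and the sample smb.conf are constructed for illustration, and release series newer than 4.6 are assumed to carry the fix.

```python
import re

# Fixed releases named in the advisory, keyed by release series.
FIXED = {(4, 6): 4, (4, 5): 10, (4, 4): 14}

def classify_version(version):
    """Classify an upstream Samba version string such as '4.5.9'."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    major, minor, patch = map(int, m.groups())
    if (major, minor, patch) < (3, 5, 0):
        return "not-affected"
    if (major, minor) in FIXED:
        return "fixed" if patch >= FIXED[(major, minor)] else "vulnerable"
    if (major, minor) > (4, 6):
        return "fixed"  # assumption: series released after the fix carry it
    # 3.5.0 up to 4.3.x: the advisory lists patches, not a fixed release
    return "vulnerable-unless-patched"

def nt_pipe_support_disabled(conf_text):
    """True if [global] sets 'nt pipe support' to a false value."""
    section, disabled = None, False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif "=" in line and section == "global":
            name, value = line.split("=", 1)
            # smb.conf ignores case and whitespace in parameter names
            if re.sub(r"\s+", "", name).lower() == "ntpipesupport":
                disabled = value.strip().lower() in ("no", "false", "0")
    return disabled  # the last setting in [global] wins

def triage(version, conf_text):
    """Combine the version check with the workaround check."""
    status = classify_version(version)
    if status.startswith("vulnerable") and nt_pipe_support_disabled(conf_text):
        return status + "+workaround"
    return status

# Constructed sample smb.conf, not taken from a real host.
SAMPLE_CONF = "[global]\n  workgroup = EXAMPLE\n  NT Pipe Support = No\n[share]\n  path = /srv/share\n"

if __name__ == "__main__":
    for v in ("3.4.17", "4.3.11", "4.5.9", "4.5.10", "4.6.4"):
        print(v, triage(v, SAMPLE_CONF))
```

Distribution packages often backport fixes without changing the upstream version number, so treat a "vulnerable" result as a prompt to check the vendor's advisory. The parser does not follow include directives in smb.conf.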

More Info and Help

More information is available at https://www.samba.org/samba/security/CVE-2017-7494.html. Contact Wipfli’s cybersecurity consultants if you need assistance with identification and mitigation techniques for this vulnerability.  

Author(s)

Travis Kaun, CISSP, OSCP, CCNA
Senior Consultant