Serious Samba Flaw Threatens Networks

There is a severe, remotely exploitable vulnerability in many versions of the Samba software that has been siting unnoticed for seven years.

The vulnerability is trivial to exploit and there is proof-of-concept exploit code available for it, making it even more dangerous. The Samba maintainers have released a patch for the flaw, and researchers are warning customer to apply the fix as soon as possible, because of the ease of exploitation.

“All versions of Samba from 3.5.0 onwards are vulnerable to a remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it,” the Samba advisory says.

Samba is an implementation of the SMB/CIFS protocol used in a lot of UNIX-based systems, and it’s also included in many appliances, such as storage devices. Security researcher HD Moore, the creator of the Metasploit framework, has released a module for the framework that can exploit the Samba vulnerability in certain systems. The exploit is just one line of code.

One of the problematic things about this vulnerability is that it may not be immediately clear to user that Samba is present in their devices.

“It is only a matter of time before adversaries begin to use it.”

“Many home and corporate network storage systems run Samba and it is frequently installed by default on many Linux systems, making it possible that some users are running Samba without realizing it. Given how easy it is to enable Samba on Linux endpoints, even devices requiring it to be manually enabled will not necessarily be in the clear,” Jen Ellis of Rapid7 said in a post on the vulnerability.

“Samba makes it possible for Unix and Linux systems to share files the same way Windows does. While the WannaCry ransomworm impacted Windows systems and was easily identifiable, with clear remediation steps, the Samba vulnerability will impact Linux and Unix systems and could present significant technical obstacles to obtaining or deploying appropriate remediations. These obstacles will most likely present themselves in situations where devices are unmanaged by typical patch deployment solutions or don’t allow OS-level patching by the user. As a result, we believe those systems may be likely conduits into business networks.”

Rapid7 conducted a scan with its Project Sonar system, which scans the entire IPv4 address space, and found 104,000 devices that were running a vulnerable version of Samba. Nearly 90 percent of those devices are running versions for which there isn’t a patch available.

“This threat is only beginning to be recognized by potential attackers with POC code having already been released on the Internet. It is only a matter of time before adversaries begin to use it more widely to compromise additional systems, both externally and internally,” Nick Biasini of Cisco’s Talos research team said in a post.

CC By-sa license image by Sarah Joy.

Webinar: Call Center Fraud Vectors & Fraudsters Analyzed