Samba Patches Wormable Bug Exploitable With One Line Of Code

The Samba Team has patched a severe bug that leaves computers vulnerable to a wormable exploit.

A patch for a critical vulnerability impacting the free networking software Samba was issued Wednesday. The flaw poses a severe threat to users, with approximately 104,000 Samba installations vulnerable to remote takeover. More troubling, experts say, the vulnerability can be exploited with just one line of code.

Samba is a popular standard for providing Windows-based file and print services. It allows for interoperability between Unix and Linux systems and Microsoft Windows. With it, Linux, Mac and FreeBSD users can set up and share folders on Windows computers using the server message block (SMB) protocol. The vulnerability (CVE-2017-7494) affects versions 3.5 (released March 1, 2010) and onwards of Samba.

“While the WannaCry ransomworm impacted Windows systems and was easily identifiable, with clear remediation steps, the Samba vulnerability will impact Linux and Unix systems and could present significant technical obstacles to obtaining or deploying appropriate remediations,” wrote Rapid7 in a security bulletin.

Comparisons are being made between the WannaCry ransomware attacks and the Samba vulnerability because, like WannaCry, the Samba vulnerability could be a conduit for a “wormable” exploit that spreads quickly. In addition, any exploit taking advantage of the Samba vulnerability would take advantage of bugs in the same SMB protocol used by the NSA exploits that spread WannaCry.

“It’s trivial to trigger the vulnerability (just a one-line exploit). An attacker has to find an open SMB share (TCP/445), upload a shared library to the writable share, and then cause the server to load and execute it,” warned security researcher Xavier Mertens, with the SANS Internet Storm Center.

As of this morning, Rapid7 said there do not appear to be any signs the vulnerability is being exploited in the wild. However, researchers said that proof-of-concept exploit code is publicly available.

“We believe these vulnerable systems are likely conduits into organization networks; but it’s also likely that many of these devices are personal, IoT devices. Many home and corporate network storage systems run Samba and it’s very straightforward to enable the Samba service on any Linux endpoint,” said Bob Rudis, lead data scientist with Rapid7.

On Wednesday, the Samba Team, a group of approximately 40 developers, released security updates that address a vulnerability in all versions of Samba from 3.5.0 onward. Additionally, there is a mitigation available within the configuration of Samba itself.

“Adding the argument ‘nt pipe support = no’ to the global section of the smb.conf file and restarting the service will also mitigate the threat,” wrote Cisco in a bulletin posted Thursday.
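One way to audit hosts for the mitigation quoted above is sketched here as an added example; it is not code from Samba, Cisco or Rapid7. The function names and the sample configurations are constructed for illustration, and the parser follows the smb.conf rules that section and parameter names ignore case and whitespace.

```python
import re

# Boolean "false" spellings documented in smb.conf(5)
FALSE_VALUES = {"no", "false", "0"}

def _norm(name):
    # smb.conf ignores case and whitespace inside section and parameter names
    return re.sub(r"\s+", "", name).lower()

def parse_smb_conf(text):
    """Return {section: {param: value}} with normalized names; last setting wins."""
    sections, current = {}, None
    # Join lines continued with a trailing backslash before splitting
    for raw in text.replace("\\\n", "").splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(_norm(line[1:-1]), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)    # only the first '=' is significant
            current[_norm(key)] = value.strip()
    return sections

def pipe_mitigation_applied(text):
    """True only if [global] explicitly disables nt pipe support (default is yes)."""
    glob = parse_smb_conf(text).get("global", {})
    return glob.get("ntpipesupport", "yes").lower() in FALSE_VALUES

# Constructed sample configurations, not taken from any real host
MITIGATED = "[global]\n  workgroup = WORKGROUP\n  NT Pipe Support = No\n[share]\n  path = /srv/share\n"
COMMENTED_OUT = "[global]\n  workgroup = WORKGROUP\n; nt pipe support = no\n"
WRONG_SECTION = "[global]\n  workgroup = WORKGROUP\n[public]\n  nt pipe support = no\n"

if __name__ == "__main__":
    for label, conf in [("mitigated", MITIGATED),
                        ("commented out", COMMENTED_OUT),
                        ("wrong section", WRONG_SECTION)]:
        print(f"{label}: mitigation applied = {pipe_mitigation_applied(conf)}")
```

The parser does not follow `include` directives, so run it over each included file or over the output of `testparm -s`. The setting only takes effect once the service has been restarted, as the bulletin notes.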

According to the Samba Team, the vulnerability was found by a researcher identified as “steelo” and the patch was developed by Volker Lendecke of SerNet and the Samba Team.
