According to an advisory released yesterday, Samba software released in the last seven years contains a remote code execution vulnerability that allows an attacker to upload and execute code on the affected machine. Even a moderately skilled attacker can take over vulnerable devices with little effort.
The issue, tracked as CVE-2017-7494, affects all versions of Samba from 3.5.0 onwards, and was fixed yesterday when the Samba team released Samba 4.6.4, 4.5.10 and 4.4.14 to patch the issue.
According to HD Moore, VP of Research & Development at Atredis Partners, the issue could be exploited with a single line of code using a Metasploit module that is currently under development. This means that CVE-2017-7494 attacks can be scripted and added to automated scanners.
This is a big issue because cyber-security firm Rapid7 said it discovered more than 104,000 Internet-exposed machines that appear to be running vulnerable versions of Samba software.
Some of these run major Linux distributions, such as Red Hat, on which Samba is installed as a default service that starts at boot.
Patches are available only for the 4.4.x, 4.5.x, and 4.6.x branches. For users who cannot update their systems to Samba 4.4 or higher because of incompatibilities or hardware limitations, the Samba Team recommends an alternative workaround: add the following parameter to Samba's smb.conf file and restart the smbd daemon.
nt pipe support = no
This parameter prevents an attacker from opening a "pipe" that allows him to upload malicious code to a Samba installation. This workaround, however, will disable some Samba functionality when interacting with Windows computers.
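As an added example (not code from the advisory, Samba or Rapid7), a small Python check a defender could run against a host's reported Samba version and its smb.conf to classify it as patched, mitigated by the workaround above, or still exposed. The fixed-release numbers are the ones cited above; treating branches newer than 4.6 as fixed is an assumption, and the sample config is constructed.

```python
import re

# Releases that fixed CVE-2017-7494, keyed by (major, minor) branch (from the advisory).
FIXED_RELEASES = {(4, 4): (4, 4, 14), (4, 5): (4, 5, 10), (4, 6): (4, 6, 4)}
FIRST_AFFECTED = (3, 5, 0)       # every release from 3.5.0 onwards is affected
NEWEST_PATCHED_BRANCH = (4, 6)   # assumption: branches after 4.6 ship with the fix

def parse_version(text):
    """Turn a string like 'Version 4.5.8-Debian' into the tuple (4, 5, 8)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no x.y.z version found in %r" % text)
    return tuple(int(p) for p in m.groups())

def release_is_vulnerable(version):
    """True if the upstream release predates the fix for its branch. Caveat: distros
    backport fixes without bumping the version, so True means 'check the vendor
    changelog', not 'confirmed exploitable'."""
    if version < FIRST_AFFECTED:
        return False
    branch = version[:2]
    if branch in FIXED_RELEASES:
        return version < FIXED_RELEASES[branch]
    return branch < NEWEST_PATCHED_BRANCH   # 3.5.x .. 4.3.x: no patched release exists

def nt_pipe_support_disabled(conf_text):
    """True if [global] in smb.conf sets 'nt pipe support = no'. Samba ignores
    case and whitespace in parameter names, so 'NT Pipe Support' matches too."""
    section, found = None, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            if re.sub(r"\s+", "", key).lower() == "ntpipesupport":
                found = value.strip().lower()   # last occurrence wins, as in Samba
    return found in ("no", "false", "0", "off")

def assess(version_text, conf_text):
    """Summarise exposure as 'patched', 'mitigated' (workaround applied) or 'exposed'."""
    if not release_is_vulnerable(parse_version(version_text)):
        return "patched"
    return "mitigated" if nt_pipe_support_disabled(conf_text) else "exposed"

# Constructed sample: an unpatched 4.5.x host that applied the advisory's workaround.
SAMPLE_CONF = "[global]\n  workgroup = WORKGROUP\n  ; advisory workaround\n  NT Pipe Support = no\n[share]\n  path = /srv/share\n"
print(assess("Version 4.5.8-Debian", SAMPLE_CONF))   # mitigated
```

On a real host the version string comes from `smbd --version` and the config from the path reported by `testparm`; an "exposed" result on a distro package still warrants checking whether the vendor backported the fix.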
Rapid7 also warns that many enterprise backup systems use Samba to send data to NAS or other types of backup servers.
"A direct attack or worm would render those backups almost useless, so if patching cannot be done immediately, we recommend creating an offline copy of critical data as soon as possible," Rapid7's Jen Ellis writes.