Samba server

Samba is a software package for UNIX systems that provides file and printer sharing services via the SMB and CIFS protocols. Samba allows Linux, Mac, FreeBSD users to set up shared folders and access shared folders on Windows computers, acting as a liaison between the UNIX and Windows SMB protocol implementations.

According to an advisory released yesterday, Samba software released in the last seven years is vulnerable to a remote code execution vulnerability that allows an attacker to upload and execute code on the user's machine. Depending on the attacker's skill, he can easily take over vulnerable devices.

The issue, tracked as CVE-2017-7494, affects all versions of Samba from 3.5.0 onwards, and was fixed yesterday when the Samba team released Samba 4.6.4, 4.5.10 and 4.4.14 to patch the issue.

Attacks can be scripted and automated

According to HD Moore, VP of Research & Development at Atredis Partners, the issue could be exploited via one line of code using a Metasploit module, currently under development. This means that CVE-2017-7494 attacks can be scripted and added to automated scanners.

This is a big issue because cyber-security firm Rapid7 said it discovered more than 104,000 Internet-exposed machines that appear to be running vulnerable versions of Samba software.

Some of these are major Linux distros, such as Red Hat, where Samba is installed as a default service that starts during the boot-up process.

Alternative mitigation exists for unupgradeable systems

Patches are available only for the 4.4.x, 4.5.x, and 4.6.x branches. For users that cannot update their systems to Samba 4.4 and higher due to various incompatibilities or hardware limitations, the Samba Team recommends an alternative workaround by adding the following parameter to Samba's smb.conf file and restarting the smbd daemon.

nt pipe support = no

This parameter prevents an attacker from opening a "pipe" that allows him to upload malicious code to a Samba installation. This workaround, however, will disable some Samba functionality when interacting with Windows computers.

NAS and backup servers are in danger

Rapid7 also warns that many enterprise backup systems use Samba to send data to NAS or other types of backup servers.

"A direct attack or worm would render those backups almost useless, so if patching cannot be done immediately, we recommend creating an offline copy of critical data as soon as possible," Rapid7's Jen Ellis writes.

For example, Qihoo's 360 team says Synology NAS devices are vulnerable to this exploit. The 360 team also has a technical write-up of the bug here [in Chinese].

UPDATE [May 26]: Synology, Ubuntu and some Debian versions have received updates to address this flaw.

Related Articles:

Z-Shave Attack Could Impact Over 100 Million IoT Devices

Verge Cryptocurrency Network Falls Victim to Same Attack Even After Hard-Fork

BMW Fixes Security Flaws in Several Well-Known Car Models

Google and Microsoft Reveal New Spectre Attack

DrayTek Router Zero-Day Under Attack