Samba users urged to patch 7-year-old remote code execution flaw ASAP

Not the first vulnerability of its kind…

David Bisson

Samba network filesystem administrators are being urged to patch a seven-year-old remote execution vulnerability as soon as possible.

For the vulnerability (CVE-2017-7494) to cause any issues, three conditions must be met. First, port 445 must be open. Second, shared files must have write privileges. And third, those files must have easily guessable or known paths.

The confluence of those three preconditions creates a perfect storm for a malicious attacker. As explained by Samba in a security advisory:

“All versions of Samba from 3.5.0 onwards are vulnerable to a remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it.”

It doesn’t even take that much to exploit the flaw. In fact, a single line of code is enough to abuse it.

Several years old? Located in a popular server message block (SMB) protocol affecting port 445? Sounds a lot like the Microsoft vulnerability that WannaCry leveraged to infect more than 200,000 victims in over 150 countries beginning on 12 May. Dan Goodin explains in an article for Ars Technica that some in the industry even fear the new bug might be “wormable,” i.e. self-propagating and requiring little-to-no user interaction:

“A malicious spam message that successfully compromised a single computer on a corporate network, for instance, could use the Samba flaw to spread virally to other computers. Given the ease of exploiting the vulnerability, it could quickly infect large numbers of machines. Researchers said the vulnerability could also open home networks with network-attached storage devices to attacks as well.”

Fortunately, there’s a crucial difference between WannaCry’s Microsoft vulnerability and CVE-2017-7494. Ransomware attackers exploited the former via the use of DoublePulsar, attack code developed specifically for that flaw by the National Security Agency and leaked online by the Shadow Brokers. No exploit code exists for CVE-2017-7494… at least, none that we know of.

But now that the vulnerability is publicly known, it remains to be seen whether bad actors will incorporate the flaw into future malware campaigns.

With that said, administrators should update their software to Samba versions 4.6.4, 4.5.10 and 4.4.14. If that’s not possible, they can prevent clients from accessing known pipe endpoints by adding the parameter nt pipe support = no to the [global] section of smb.conf and restarting smbd. Be warned, though: this could disable some Windows functionality.
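The check below is an added example, not code from the article or the Samba project: it classifies a host from its upstream Samba version string and the text of its smb.conf, using the fixed releases and the workaround named above. The function names and the "patched"/"mitigated"/"exposed" labels are hypothetical, the sample configuration is constructed, and two assumptions apply: release series newer than 4.6 are treated as fixed, and distribution packages that backport the patch without changing the version number are not recognised.

```python
import re

# Fixed releases named in the article, keyed by (major, minor) series.
FIXED = {(4, 6): 4, (4, 5): 10, (4, 4): 14}
FIRST_VULNERABLE = (3, 5, 0)  # "All versions of Samba from 3.5.0 onwards"

def version_is_vulnerable(version: str) -> bool:
    """True if an upstream Samba version string falls in the affected range."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    major, minor, patch = map(int, m.groups())
    if (major, minor, patch) < FIRST_VULNERABLE:
        return False
    if (major, minor) in FIXED:
        return patch < FIXED[(major, minor)]
    # Assumption: series newer than 4.6 postdate the fix; older ones have no fixed release listed.
    return (major, minor) < (4, 4)

def _norm(name: str) -> str:
    # smb.conf ignores case and whitespace in section and parameter names.
    return re.sub(r"\s+", "", name).lower()

def workaround_enabled(conf_text: str) -> bool:
    """True if [global] sets 'nt pipe support' to a false value (last assignment seen)."""
    section, value = None, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = _norm(line[1:-1])
        elif section == "global" and "=" in line:
            key, val = line.split("=", 1)
            if _norm(key) == "ntpipesupport":
                value = val.strip().lower()
    return value in ("no", "false", "0")

def assess(version: str, conf_text: str) -> str:
    """Hypothetical status label: 'patched', 'mitigated' or 'exposed'."""
    if not version_is_vulnerable(version):
        return "patched"
    return "mitigated" if workaround_enabled(conf_text) else "exposed"

# Constructed sample configuration, not taken from a real host.
SAMPLE_CONF = "[global]\n  workgroup = EXAMPLE\n  NT Pipe Support = No\n[public]\n  writable = yes\n"

if __name__ == "__main__":
    print(assess("4.5.9", SAMPLE_CONF))
```

A "mitigated" result only reflects the configuration file on disk; smbd must have been restarted since the parameter was added for the workaround to be in effect.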

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

3 comments on “Samba users urged to patch 7-year-old remote code execution flaw ASAP”

  1. Richie

    What about Samba on all the home routers (such as D-Link) that support external shared file storage and/or printing? (No one is going to release patches to all of these bits of kit…)

    1. Karl · in reply to Richie

      You need to be able to write to a Samba share.
      To mitigate this, users should turn off all shares from routers, and other devices not upgradeable.

  2. Fit for purpose


    They should…

    Somebody (Homeland Security?, Consumer Protection?) should crawl the web looking for all Open Source firmware releases for all the vendors of these vulnerable devices and clearly identify which remain unpatched.

    Publicly name and shame.

    Product recall – similar to car airbags if the vendor cannot release a downloadable update.

    Hit them in the hip pocket.
