Threat Level: green Handler on Duty: Russell Eubanks

SANS ISC: Critical Vulnerability in Samba from 3.5.0 onwards - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Critical Vulnerability in Samba from 3.5.0 onwards

Developers of Samba[1] disclosed a critical vulnerability that affects the file sharing component. Samba is a suite of tools that helps in the interoperability between UNIX with Microsoft Windows. The vulnerable component is the daemon that offers file sharing capabilities.

As reported by HD Moore on his Twitter account[2], it's trivial to trigger the vulnerability (just a one-liner exploit). An attacker has to find an open SMB share (TCP/445), upload a shared library to the writable share, and then cause the server to load and execute it. All versions of Samba from 3.5.0 onwards are vulnerable. The vulnerability is described in CVE-2017-7494[3]. The developers of Samba already released a patch which addresses this vulnerability[4].

In the meantime, a workaround is available. Add the parameter:

nt pipe support = no

to the "[global]" section of your smb.conf and restart smbd.

Samba is a very popular tool and used on many corporate networks, it is also a core component in many residential products like NAS. Many vendors could be affected (Synology, WD, Qnap, DLink, ...). Some vendors like Synology[5] already communicated about this issue and are working on a patch but others might take more time to react. Home users do not patch their products and many NAS could remain vulnerable for a long time.

As always, if you are exposing writable SMB shares for your users, be sure to restrict access to authorised people/hosts and do NOT share data across the Internet. They are risks that bad guys are already scanning the whole Internet.

[1] https://www.samba.org/
[2] https://twitter.com/hdmoore/status/867446072670646277
[3] https://www.samba.org/samba/security/CVE-2017-7494.html
[4] http://www.samba.org/samba/security/
[5] https://www.synology.com/en-global/support/security/Important_Information_Regarding_Samba_Vulnerability_CVE_2017_7494

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key

Xme

305 Posts
ISC Handler
:) thank you
Anonymous

Posts

Sign Up for Free or Log In to start participating in the conversation!