Critical Vulnerability in Samba from 3.5.0 onwards

Published: 2017-05-25
Last Updated: 2017-05-25 06:13:32 UTC
by Xavier Mertens (Version: 1)

Developers of Samba[1] disclosed a critical vulnerability that affects the file sharing component. Samba is a suite of tools that provides interoperability between UNIX and Microsoft Windows. The vulnerable component is the daemon that offers file sharing capabilities.

As reported by HD Moore on his Twitter account[2], it's trivial to trigger the vulnerability (just a one-liner exploit). An attacker has to find an open SMB share (TCP/445), upload a shared library to the writable share, and then cause the server to load and execute it. All versions of Samba from 3.5.0 onwards are vulnerable. The vulnerability is described in CVE-2017-7494[3]. The developers of Samba already released a patch which addresses this vulnerability[4].

In the meantime, a workaround is available. Add the parameter:

nt pipe support = no

to the "[global]" section of your smb.conf and restart smbd.

Samba is a very popular tool used on many corporate networks; it is also a core component in many residential products such as NAS devices. Many vendors could be affected (Synology, WD, Qnap, DLink, ...). Some vendors like Synology[5] have already communicated about this issue and are working on a patch, but others might take more time to react. Home users do not patch their products, and many NAS devices could remain vulnerable for a long time.

As always, if you are exposing writable SMB shares for your users, be sure to restrict access to authorised people/hosts and do NOT share data across the Internet. There is a risk that bad guys are already scanning the whole Internet.
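To check a host for both points above (the workaround in "[global]" and any writable shares), the following is an added example, not code from the diary or from the Samba project. It parses smb.conf text and reports whether "nt pipe support = no" is actually in effect and which shares are writable. Assumptions: it does not follow "include" directives or evaluate "write list", and the sample configuration is constructed; Samba's own testparm remains the authoritative view of the effective configuration.

```python
TRUE = {"yes", "true", "1", "on"}
FALSE = {"no", "false", "0", "off"}
WRITE_SYNONYMS = {"writeable", "writable", "writeok"}  # inverted synonyms of "read only"

def parse_smb_conf(text):
    """Return {section: {param: value}}; names lower-cased, spaces in param names dropped."""
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):                  # backslash continues the line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)      # only the first '=' separates
            key, value = "".join(key.split()).lower(), value.strip()
            if key in WRITE_SYNONYMS:            # fold into "read only"
                key, value = "readonly", "no" if value.lower() in TRUE else "yes"
            current[key] = value
    return sections

def audit(text):
    """Report whether the workaround is set and which shares are writable."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    # An absent parameter means Samba's default (yes): workaround not applied.
    applied = glob.get("ntpipesupport", "yes").lower() in FALSE
    writable = sorted(
        name for name, params in conf.items()
        if name != "global"
        and {**glob, **params}.get("readonly", "yes").lower() in FALSE
    )
    return {"workaround_applied": applied, "writable_shares": writable}

# Constructed sample configuration (not taken from any real host).
# The workaround line is commented out, so it must NOT count as applied.
SAMPLE = """
[global]
   workgroup = EXAMPLE
   ; nt pipe support = no
[public]
   writable = yes
[docs]
   read only = yes
"""
```

Run `audit(open("/etc/samba/smb.conf").read())` on a host (the path is the common default and may differ on your system); a result with `workaround_applied` false and a non-empty `writable_shares` list marks a host to patch or mitigate first.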


Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
