We have seen many critical vulnerabilities recently. First there was WannaCry, then WannaCry 2.0, and now we have SambaCry. The Samba team has released a patch for a critical remote code execution vulnerability (CVE-2017-7494) in Samba, the most popular file sharing service for Linux systems. It is a newly disclosed RCE vulnerability that has existed for seven years and affects Samba versions 3.5.0 and higher. SambaCry is similar to WannaCry because the vulnerability lies in the SMB protocol implementation on Linux.
Samba 3.x from 3.5.0 onwards, 4.x before 4.4.14, 4.5.x before 4.5.10, and 4.6.x before 4.6.4 are vulnerable. The flaw allows remote authenticated users to upload a shared library to a writable shared folder and execute code, taking control of servers that host vulnerable Samba services. The vulnerability can be exploited with just a few lines of code and requires no interaction from the end user.
Many corporate IoT devices, home routers, and network-attached storage (NAS) systems run Samba for file sharing. Some are accessible only from within the local network, while others are also reachable from the internet. At the moment almost 112,000 internet-accessible devices appear to be running vulnerable versions of Samba. Every device running Samba with weak credentials and writable file shares is at risk. Attackers can exploit these devices to hold entire file servers for ransom, exfiltrate data, or move laterally inside a network.
At present, to mitigate this issue, add the parameter "nt pipe support = no" to the [global] section of your smb.conf and restart the smbd daemon.
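A defender-side check for the three conditions described above (a Samba version inside the affected ranges, the "nt pipe support = no" mitigation missing from [global], and shares exposed for writing), written as an added example; it is not code from the article or from the Samba project. The smb.conf text and version strings are constructed, and treating the 3.x branch as 3.5.0 up to (but not including) 4.0.0 is an assumption.

```python
import re
from typing import Optional

# Affected ranges as the article states them: lower bound inclusive, upper bound exclusive.
# Assumption: "3.x from 3.5.0 onwards" is modelled as 3.5.0 <= v < 4.0.0.
VULNERABLE_RANGES = [
    ((3, 5, 0), (4, 0, 0)),
    ((4, 0, 0), (4, 4, 14)),
    ((4, 5, 0), (4, 5, 10)),
    ((4, 6, 0), (4, 6, 4)),
]

def parse_version(text: str) -> Optional[tuple]:
    """Pull x.y.z out of a string such as the output of `smbd -V` ('Version 4.5.8-Debian')."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(p) for p in m.groups()) if m else None

def is_vulnerable_version(text: str) -> bool:
    v = parse_version(text)
    return v is not None and any(lo <= v < hi for lo, hi in VULNERABLE_RANGES)

def parse_smb_conf(conf: str) -> dict:
    """Minimal smb.conf reader: {section: {key: value}}, keys and values lower-cased."""
    sections, current = {}, None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):   # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip().lower()
    return sections

def mitigation_applied(conf: str) -> bool:
    """True only when [global] carries the article's workaround, nt pipe support = no."""
    return parse_smb_conf(conf).get("global", {}).get("nt pipe support") == "no"

def writable_shares(conf: str) -> list:
    """Shares a client could write a file (e.g. a shared library) into."""
    shares = []
    for name, opts in parse_smb_conf(conf).items():
        if name == "global":
            continue
        if opts.get("writable") == "yes" or opts.get("writeable") == "yes" or opts.get("read only") == "no":
            shares.append(name)
    return shares

# Constructed sample configuration: mitigation absent, two shares writable, one read-only.
WEAK_CONF = """[global]
   workgroup = WORKGROUP
[homes]
   read only = no
[public]
   path = /srv/samba/public
   writable = yes
[docs]
   path = /srv/samba/docs
   read only = yes
"""
```

Running the three checks against a host's real `smbd -V` output and smb.conf tells you whether the patch, the workaround, or share permissions still need attention.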
Authored By - Indrajeet Singh
TCS Cyber Security Practice