Samba.org, which distributes Samba open-source software that provides Windows file sharing access to non-Windows machines, just disclosed a critical remote code execution vulnerability [1] that has existed for 7 years. That number was jaw dropping last month when Intel’s AMT vulnerability was released, but between this latest vulnerability and WannaCry, the security industry may be getting numb to shocking discoveries.
- CVE-2017-7494 [2] has a CVSS Score of 7.5 (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) [3].
- This vulnerability is the Linux version of WannaCry, appropriately named SambaCry. A malicious Samba client that has write access to a Samba share could use this flaw to execute arbitrary code typically as root.
- The flaw allows a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it with the privileges of smbd (typically root).
- This flaw affects all versions of Samba from 3.5.0 onwards, except for the most recent releases of Samba 4.6.4, 4.5.10 and 4.4.14.
- There's no DoublePulsar back door piece to this just yet, but working exploit code for Metasploit [4] was released publicly over 24 hours ago, so expect it to be weaponized quickly.
How Bad Is It, Really?
Samba is an open source network application that provides the same functionality as Microsoft Server Message Block (SMB). SMBv1 was the target of the EternalBlue exploit, which runs on Microsoft systems. However, Samba is not the same application. Because Samba is added to Unix systems for file share compatibility with Microsoft systems, it is often not running out of the box. Granted, it's on nearly every Linux distribution, but not everyone uses it. Samba is also used on many network appliances and devices, as these devices often use Linux as their internal operating system. Therefore, Linux systems and many network appliances are potentially vulnerable.
The vulnerability requires the following conditions:
- smbd must be running on a port accessible to the attacker (tcp/445)
- the "nt pipe support" setting must be enabled (on by default) in smb.conf
- the attacker must have access to a writeable share
Notably, the attacker does not have to have authenticated access if they can write to the writable share anonymously.
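The affected-version list above and the three preconditions (exposed smbd, "nt pipe support" enabled, a writeable share) can be turned into a quick self-assessment for a host's own configuration. The following Python script is an added example written for this page; it is not code from Samba or from the original article. It checks a Samba version string against the fixed releases named above (4.6.4, 4.5.10, 4.4.14) and parses a constructed smb.conf to list shares that Samba would treat as writeable (Samba shares are read-only by default; "writable", "writeable" and "write ok" are inverted synonyms of "read only", and the last occurrence in a share wins) and whether "nt pipe support" has been turned off. The sample configuration is constructed for the example. Whether tcp/445 is reachable by untrusted networks must be checked separately (firewall rules, listening sockets), and branches not named in the advisory text should be checked against the vendor's own advisory rather than this list.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample smb.conf for the example (not from any real host).
SAMPLE_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   server string = file server
   # "nt pipe support" is left at its default (yes) in this sample

[public]
   path = /srv/samba/public
   guest ok = yes
   writable = yes

[docs]
   path = /srv/samba/docs
   read only = yes

[scratch]
   path = /srv/samba/scratch
   read only = no
   guest ok = no
"""

# First fixed release per branch, as listed in the advisory text on this page.
FIXED_VERSIONS: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (4, 6): (4, 6, 4),
    (4, 5): (4, 5, 10),
    (4, 4): (4, 4, 14),
}
FIRST_AFFECTED = (3, 5, 0)


def parse_version(version: str) -> Tuple[int, int, int]:
    """Extract major.minor.patch from strings such as '4.5.9' or '4.5.9-Ubuntu'."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised Samba version string: {version!r}")
    return tuple(int(x) for x in m.groups())  # type: ignore[return-value]


def is_vulnerable_version(version: str) -> bool:
    """True if the version falls in the affected range stated on this page.

    Branches the advisory text does not name (e.g. anything newer than 4.6)
    are reported as affected here; confirm those against the vendor advisory.
    """
    v = parse_version(version)
    if v < FIRST_AFFECTED:
        return False
    fixed = FIXED_VERSIONS.get((v[0], v[1]))
    return fixed is None or v < fixed


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal INI-style parser: section name -> {lower-cased key: value}."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip().lower()
    return sections


def _truthy(value: str) -> bool:
    return value in ("yes", "true", "1")


def writable_shares(sections: Dict[str, Dict[str, str]]) -> List[str]:
    """Shares Samba would allow clients to write to (read-only is the default)."""
    result = []
    for name, params in sections.items():
        if name in ("global", "printers", "print$"):
            continue
        writable = False
        for key, value in params.items():  # insertion order: last setting wins
            if key == "read only":
                writable = not _truthy(value)
            elif key in ("writable", "writeable", "write ok"):
                writable = _truthy(value)
        if writable:
            result.append(name)
    return result


def nt_pipe_support_enabled(sections: Dict[str, Dict[str, str]]) -> bool:
    """'nt pipe support' defaults to yes; only an explicit 'no' disables it."""
    return _truthy(sections.get("global", {}).get("nt pipe support", "yes"))


def assess(version: str, smb_conf_text: str) -> Dict[str, object]:
    """Combine the version check with the two smb.conf preconditions."""
    sections = parse_smb_conf(smb_conf_text)
    shares = writable_shares(sections)
    pipes = nt_pipe_support_enabled(sections)
    vuln = is_vulnerable_version(version)
    return {
        "vulnerable_version": vuln,
        "nt_pipe_support": pipes,
        "writable_shares": shares,
        # Port exposure (tcp/445) is not checked here and must be verified separately.
        "at_risk": vuln and pipes and bool(shares),
    }


if __name__ == "__main__":
    report = assess("4.5.9", SAMPLE_SMB_CONF)
    for k, v in report.items():
        print(f"{k}: {v}")
```

Run against a real host, `SAMPLE_SMB_CONF` would be replaced with the contents of `/etc/samba/smb.conf` (or the path shown by `smbd -b`) and the version with the output of `smbd --version`. A result of `at_risk: True` means the host satisfies every precondition the advisory text lists except the network-exposure one, which is the remaining thing to verify.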
In order to exploit the vulnerability, the attacker would upload a shared object file to the writeable share and issue a simple command to cause smbd to execute the shared object.
This will cause the smbd process to execute the code contained in the target.so file with its level of privilege, which is usually root. The Metasploit exploit module allows the attacker to choose the payload. An attacker who is in a position to leverage this vulnerability will have full access to the entire system with root level privileges.
A shodan.io query of "port:445 !os:windows" shows approximately one million non-Windows hosts that have tcp/445 open to the Internet, more than half of which exist in the United Arab Emirates (36%) and the U.S. (16%).