The Samba project (samba.org), which distributes the open-source Samba software that gives non-Windows machines Windows-style file sharing, has just disclosed a critical remote code execution vulnerability (CVE-2017-7494) that has existed for seven years, since Samba 3.5.0. That number was jaw-dropping last month when Intel's AMT vulnerability was disclosed, but between this latest bug and WannaCry, the security industry may be getting numb to shocking discoveries.
Samba is an open-source implementation of Microsoft's Server Message Block (SMB) protocol. SMBv1 on Windows was the target of the EternalBlue exploit, but Samba is a separate code base, and this is a separate bug rather than EternalBlue ported to Linux. Because Samba is added to Unix-like systems for file-share compatibility with Windows, it is often not running out of the box: it ships with nearly every Linux distribution, but not everyone enables it. Samba is also embedded in many network appliances and NAS devices, which commonly run Linux internally. Therefore Linux systems and many network appliances are potentially vulnerable.
The vulnerability requires the following conditions:
Notably, the attacker does not need authenticated access if the share accepts anonymous (guest) writes.
To exploit the vulnerability, the attacker uploads a shared object (.so) file to the writable share and then sends a single request to open a named pipe whose name is the full server-side filesystem path of that file. smbd does not recognise the name as a built-in pipe, treats it as a loadable module and hands the path to dlopen(), which runs the library's initialisation code. The attacker therefore also has to know, or guess, where the share lives on the server's filesystem, since the pipe name must be that absolute path.
This causes the smbd process to execute the code contained in target.so with its own privileges, which are usually root. The Metasploit module (exploit/linux/samba/is_known_pipename) lets the attacker choose the payload. An attacker who is in a position to leverage this vulnerability has full access to the entire system with root-level privileges.
A shodan.io query for "port:445 !os:windows" shows approximately one million non-Windows hosts with tcp/445 open to the Internet, more than half of them in the United Arab Emirates (36%) and the U.S. (16%).
While many of these may be running patched versions, have SELinux protections, serve shares from a noexec mount (which makes the dlopen() fail), or otherwise not meet the criteria for the exploit, the possible attack surface for this vulnerability is large.
Because exploit code is public and the exploit itself is simple, the likelihood that it will be integrated into malware and ransomware toolkits is very high. There is also the possibility of worm-like use, as we saw with WannaCry just two weeks ago.
It is also worth noting that we are heading into a holiday weekend in the U.S., a prime "strike when everyone's out" time for attackers.
Network + Remote Code Execution + Root = Drop What You're Doing and Patch. Snark aside, there are several standard fixes and mitigations to consider:
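As an added example (not code from the original post or from the Samba project), the following Python script ties the exploit preconditions described above to the mitigations: it checks an smbd version string against the first fixed releases named in the Samba advisory (4.4.14, 4.5.10, 4.6.4), audits an smb.conf for shares a client can write to, shares reachable as guest, and `nt pipe support` left at its default of yes, and then re-runs the audit on the same config with the advisory's interim workaround (`nt pipe support = no` in `[global]`) and guest writes removed. The smb.conf text, version strings and share paths are constructed samples; the function names are mine.

```python
"""Check a Samba host for the CVE-2017-7494 preconditions and show the
advisory's interim mitigation. Added example, not code from the original
post or from the Samba project. The config text, version strings and
paths below are constructed for illustration."""
import configparser
import re

# First fixed release of each supported line, per the Samba advisory.
# 3.5.0 introduced the bug; the 3.5 to 4.3 lines never received a fix.
FIXED = {(4, 4): (4, 4, 14), (4, 5): (4, 5, 10), (4, 6): (4, 6, 4)}


def parse_version(text):
    """Pull (major, minor, patch) out of `smbd --version` output,
    e.g. 'Version 4.5.8-Debian' -> (4, 5, 8)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if m is None:
        raise ValueError("no x.y.z version in %r" % text)
    return tuple(int(g) for g in m.groups())


def version_is_vulnerable(ver):
    """True if this smbd release still contains the vulnerable code."""
    if ver < (3, 5, 0):
        return False
    fixed = FIXED.get(ver[:2])
    if fixed is not None:
        return ver < fixed
    # Unfixed legacy lines (3.5 to 4.3) are vulnerable; 4.7+ shipped fixed.
    return ver < (4, 4, 0)


def _yes(value):
    """Samba accepts yes/true/1 for boolean parameters."""
    return str(value).strip().lower() in ("yes", "true", "1")


def audit_smb_conf(text):
    """Report shares a client can write to, the subset reachable without
    credentials, and whether named-pipe support is still on.

    Simplification: Samba lets the last of several synonymous parameters
    win, and 'map to guest' can turn failed logins into guest sessions;
    this check treats any writable synonym set to yes as writable and
    flags only explicit guest shares, so it can under-report.
    """
    cp = configparser.ConfigParser(strict=False, interpolation=None,
                                   delimiters=("=",),
                                   empty_lines_in_values=False)
    cp.read_string(text)
    glob = cp["global"] if cp.has_section("global") else {}
    # Default is yes; the advisory's workaround is to set it to no.
    nt_pipe_support = _yes(glob.get("nt pipe support", "yes"))

    writable, anonymous = [], []
    for share in cp.sections():
        if share == "global":
            continue
        s = cp[share]
        # 'writable', 'writeable' and 'write ok' all mean 'read only = no'.
        can_write = (any(_yes(s.get(k, "no"))
                         for k in ("writable", "writeable", "write ok"))
                     or not _yes(s.get("read only", "yes")))
        if not can_write:
            continue
        writable.append(share)
        # 'public' is a synonym for 'guest ok'.
        if _yes(s.get("guest ok", "no")) or _yes(s.get("public", "no")):
            anonymous.append(share)
    return {"nt_pipe_support": nt_pipe_support,
            "writable": writable,
            "anonymous_writable": anonymous}


def exploitable(version_text, conf_text):
    """All three server-side conditions present: vulnerable build, a share
    a client can write to, and named pipes still enabled."""
    r = audit_smb_conf(conf_text)
    return (version_is_vulnerable(parse_version(version_text))
            and bool(r["writable"]) and r["nt_pipe_support"])


# Constructed sample, not taken from any real host.
SAMPLE_SMB_CONF = """\
[global]
workgroup = WORKGROUP
server string = file server

[public]
path = /srv/samba/public
guest ok = yes
writable = yes

[docs]
path = /srv/samba/docs
valid users = @staff
read only = no

[archive]
path = /srv/samba/archive
read only = yes
"""

# Same host with the advisory's workaround applied in [global] and guest
# writes removed; patching to a fixed release is still the real fix.
MITIGATED_SMB_CONF = SAMPLE_SMB_CONF.replace(
    "[global]\n", "[global]\nnt pipe support = no\n").replace(
    "guest ok = yes", "guest ok = no")

if __name__ == "__main__":
    for label, conf in (("as found", SAMPLE_SMB_CONF),
                        ("mitigated", MITIGATED_SMB_CONF)):
        print(label, audit_smb_conf(conf),
              "exploitable:", exploitable("Version 4.5.8-Debian", conf))
```

Note that `nt pipe support = no` disables all named-pipe endpoints, which breaks some expected functionality for Windows clients, so it is a stopgap until the fixed packages are installed; the `[docs]` share stays writable for authenticated users and is still a viable target for anyone with valid credentials on an unpatched host.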
MODIFIED: Jul 11, 2017