
Threat Alert: Patch Critical for Samba Vulnerability

All versions of Samba from 3.5.0 onwards are susceptible to a remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it. This advisory warning was released by Samba maintainers on Wednesday, urging Samba vendors and administrators of the networking utility to install a patch on any affected version as soon as possible.

Samba provides file and print services for clients that use the SMB protocol, including Windows and Linux (yes, the same protocol leveraged in the WannaCry attacks).

The vulnerability – CVE-2017-7494 – could give an attacker the ability to execute arbitrary code on a device with root-level privileges.

Samba notes that the workaround might disable some expected functionality for Windows clients. Additionally, older devices may not be receiving a patch for the firmware or operating system. If workarounds are not possible, devices should be considered insecure.
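As an added example (not code from Samba or from this post), the Python sketch below audits an smb.conf for the precondition described above, a writable share, and checks whether `nt pipe support = no` is set, the workaround given in Samba's own advisory for CVE-2017-7494. The sample configuration and the key `exposed_if_unpatched` are constructed for illustration, and the parser assumes a single file with no `include` directives.

```python
import re

TRUE = {"yes", "true", "on", "1"}
# Inverted synonyms of "read only"; Samba ignores case and spaces in names.
WRITE_KEYS = {"writable", "writeable", "writeok"}

# Constructed sample configuration, not taken from any real host.
SAMPLE_CONF = """\
[global]
   ; nt pipe support = no
[public]
   Read Only = no
[docs]
   writable = yes
   read only = yes
[scans]
   write ok = true
"""

def parse_smb_conf(text):
    """Return {section: {param: value}} with parameter names normalised."""
    sections, current = {}, None
    text = re.sub(r"\\\r?\n", "", text)  # join backslash-continued lines
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and line[0] not in "#;" and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            key = "".join(key.split()).lower()
            if key in WRITE_KEYS:  # fold synonyms so the last setting wins
                key, value = "readonly", ("no" if value.lower() in TRUE else "yes")
            current[key] = value
    return sections

def audit(text):
    """List writable shares and report whether the workaround is missing."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    writable = sorted(
        name for name, share in conf.items()
        if name != "global"
        and share.get("readonly", glob.get("readonly", "yes")).lower() not in TRUE
    )
    pipes = glob.get("ntpipesupport", "yes").lower() in TRUE  # Samba default: yes
    return {"writable_shares": writable, "nt_pipe_support": pipes,
            "exposed_if_unpatched": bool(writable) and pipes}

if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```

On a live host, run it over the output of `testparm -s` rather than the raw file, so that includes are already resolved.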

Given the ease and reliability of exploits, as we have seen with WannaCry attacks, this hole is worth plugging as soon as possible. It’s only a matter of time until attackers begin actively targeting this vulnerability.

How are WannaCry, EternalRocks (WannaCry 2.0) and this Samba alert related?

Windows has had a vulnerability in Server Message Block (SMB or Samba), which is an integral service related to network file sharing, since 2008. The NSA developed a tool to exploit this vulnerability called ETERNALBLUE. ETERNALBLUE is the attack agent used to spread WannaCry/EternalRocks.

When the exploit was released to the public by the ShadowBrokers crew a month ago, Microsoft acted very quickly and released the MS17-010 patch to address it. Those who have MS17-010 installed are, and continue to be, safe from the issue.

This US-CERT alert is for the Linux/UNIX version of Samba. It’s evident that the maintainers of this codebase took the lessons learned from WannaCry and realized that their version of the SMB service is susceptible to a similar but not equivalent problem.