A few days ago I wrote about the WannaCry virus that could, unfortunately, be run within WINE. How anybody who isn’t the family IT guy’s grandma could fall for this would baffle me, but I digress. Although it is named in reference to the WannaCry ransomware virus, the vulnerability in this case is unrelated to the one exploited by WannaCry. Tracked as CVE-2017-7494, the vulnerability would allow an unauthorized person to remotely execute code as root in Samba packages with version number 3.5.0 and higher.
Samba itself is a *nix-focused implementation of the Microsoft SMB/CIFS network storage and print service (input/output, and paper printing) protocol supporting Active Directory and Windows NT domains. Following its initial release in 1992 (yes, 25 years ago as of this year), it allowed Unix and Unix-like systems such as Linux and any of the BSD variants to access and use Windows SMB shares. SMB shares are just one example of the ability to share resources openly through a network.
This vulnerability is particularly damaging because of how easy it is to exploit. It lies in the way the Samba package handled shared libraries. An attacker could use this vulnerability to upload a shared library to a read-write share, which the Samba server would then load, executing the malicious code. According to The Hacker News the exact piece of code that would be used follows:
Thankfully, the vulnerability has already been patched and there are methods to install the patch from all the major distro repositories. These methods can be found here, but if you can’t yet update the package, you’re at the very least forced to restart the service.
In /etc/samba/smb.conf you’ll want to set nt pipe support = no in the [global] section, although this will prevent some clients from accessing certain capabilities of some network machines.
Although the vulnerability has been mitigated in major Linux distros, there is still a danger of it being exploited in many NAS machines, as it’s much more difficult to access the shell within them to upgrade the Samba package they use. This means that this vulnerability “has the potential to be the first large-scale Linux ransomware worm,” according to Craig Williams of Cisco. This is because once access is gained on one machine within a given network, it could spread itself to any of the other machines within that same network that haven’t been patched, wreaking havoc on any Linux-using business or home by encrypting files like WannaCry did.
If your distro’s repositories haven’t been updated to include the patch (4.2.14 for Debian-based distros and 4.4.4 for RedHat-based distros), then you can find and build the patched versions from the Samba patches page.
Header Image Credit: omri9741