Samba Flaw Gives Hackers Remote Access to Thousands of Linux PCs
A critical remote code execution vulnerability that has existed for seven years has been discovered in the Samba networking software. It lets a remote attacker take control of an affected Linux/Unix system.
Samba is open-source software (a re-implementation of the SMB networking protocol) that runs on most Unix-like operating systems, including Linux, the BSDs and Solaris, with ports to IBM System 390 and OpenVMS.
Samba allows non-Windows operating systems, such as GNU/Linux or Mac OS X, to share folders, files, and printers with Windows systems.
“All versions of Samba from 3.5.0 onwards are vulnerable to a remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it,” Samba wrote in an advisory published Wednesday.
Linux version of EternalBlue Exploit?
Exploit Code Released (Metasploit Module)
The flaw is in the way smbd handles shared libraries: the name of a named pipe requested by a client is not validated and is passed to the server's module loader, which dlopen()s it as if it were a Samba module. An attacker with write access to a share (for example a share that permits guest access) uploads a shared library, then opens a named pipe whose name is the server-side path of that file, and smbd loads and executes the attacker's code with the privileges of the smbd process, which normally runs as root.
The vulnerability is trivially easy to exploit: the public proof-of-concept needs just one line of code to execute malicious code on the affected system.
The Samba exploit has already been ported to Metasploit, a penetration testing framework, enabling researchers as well as attackers to exploit this flaw easily.
Patch and Mitigations
The Samba team has already patched the issue in new releases, Samba 4.6.4, 4.5.10 and 4.4.14, and is urging anyone running a vulnerable version to install the patch as soon as possible, so please check your Samba version immediately: on your server terminal…
If you can’t upgrade to a fixed version of Samba immediately, you should work around the vulnerability by adding the following line to the [global] section of your Samba configuration file, smb.conf:
nt pipe support = no
Once added, restart the SMB daemon (smbd) and you are done. This setting disables the named-pipe services (IPC$) that Windows clients rely on, so some expected functionality, such as share enumeration from Windows machines, will stop working until you upgrade and remove the line.
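As an added example that is not part of this article or of the Samba project, the following POSIX shell script performs the two checks a practitioner wants after reading the advisory: whether a Samba version string falls in the affected range (3.5.0 or later and below 4.4.14, 4.5.10 or 4.6.4), and whether smb.conf actually carries the `nt pipe support = no` workaround in its [global] section. The function names and the sample smb.conf are this example's own; the fixed version numbers come from the advisory.

```shell
#!/bin/sh
# Added example (not from the article or the Samba project): checks for
# CVE-2017-7494. Fixed releases per the Samba advisory: 4.4.14, 4.5.10, 4.6.4.
# Function names and the sample smb.conf below are this example's own.

# samba_cve_2017_7494_vulnerable VERSION
# Returns 0 (true) when VERSION is 3.5.0 or later and below a fixed release.
# Branches that got no upstream fix (4.3.x, 3.6.x, ...) count as vulnerable.
# Caveat: a distribution may backport the fix without bumping the upstream
# version, so for packaged Samba also check the package changelog.
samba_cve_2017_7494_vulnerable() {
    # Keep only the leading dotted-numeric part:
    # "Version 4.6.3" -> "4.6.3", "4.3.11+dfsg-0ubuntu0.16.04.7" -> "4.3.11"
    v=$(printf '%s\n' "$1" | sed 's/^[^0-9]*//; s/[^0-9.].*//')
    set -- $(printf '%s\n' "$v" | tr '.' ' ')
    maj=${1:-0}; min=${2:-0}; pat=${3:-0}

    # Before 3.5.0: not in the affected range
    if [ "$maj" -lt 3 ] || { [ "$maj" -eq 3 ] && [ "$min" -lt 5 ]; }; then
        return 1
    fi
    # Branches newer than 4.6 were released after the fix
    if [ "$maj" -gt 4 ] || { [ "$maj" -eq 4 ] && [ "$min" -gt 6 ]; }; then
        return 1
    fi
    # The three branches that received a fixed release
    if [ "$maj" -eq 4 ]; then
        case "$min" in
            6) [ "$pat" -ge 4 ]  && return 1 ;;
            5) [ "$pat" -ge 10 ] && return 1 ;;
            4) [ "$pat" -ge 14 ] && return 1 ;;
        esac
    fi
    return 0
}

# smb_conf_nt_pipe_disabled FILE
# Returns 0 when the [global] section of FILE sets "nt pipe support = no".
# Comment lines, case and whitespace are ignored. The parameter is global
# only, so a copy placed under a share section is deliberately not counted.
smb_conf_nt_pipe_disabled() {
    awk '
        /^[ \t]*[#;]/ { next }                             # comment line
        /^[ \t]*\[/   { sec = tolower($0); gsub(/[^a-z0-9]/, "", sec); next }
        sec == "global" {
            line = tolower($0); gsub(/[ \t]/, "", line)
            if (line == "ntpipesupport=no") found = 1
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# --- demonstration on constructed input (on a real server you would feed
# --- "$(smbd -V)" and /etc/samba/smb.conf instead) ---
tmp=$(mktemp)
cat > "$tmp" <<'EOF'
[global]
   workgroup = WORKGROUP
   nt pipe support = no
[public]
   path = /srv/samba/public
   writable = yes
EOF

for ver in "Version 4.6.3" "4.6.4" "4.5.10" "4.4.13" "3.4.9" "4.3.11+dfsg-0ubuntu0.16.04.7"; do
    if samba_cve_2017_7494_vulnerable "$ver"; then
        echo "$ver: vulnerable (upgrade, or set 'nt pipe support = no' and restart smbd)"
    else
        echo "$ver: not in the affected range"
    fi
done

if smb_conf_nt_pipe_disabled "$tmp"; then
    echo "$tmp: workaround present in [global]"
else
    echo "$tmp: workaround absent"
fi
rm -f "$tmp"
```

The version check deliberately reports old branches such as 4.3.x as vulnerable even though a vendor package of that version may already carry a backported fix; in that case the package changelog, not the upstream version string, is the authority. The config check only accepts the setting inside [global], because that is the only place smbd honours it.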
While Linux distribution vendors, including Red Hat and Ubuntu, have already released patched packages for their users, the larger risk lies with consumer NAS devices, which typically run Samba and are not updated as quickly.
Craig Williams of Cisco said that given the fact that most NAS devices run Samba and have very valuable data, the vulnerability “has potential to be the first large-scale Linux ransomware worm.”
Meanwhile, Netgear released a security advisory for CVE-2017-7494, saying a large number of its routers and NAS product models are affected by the flaw because they use Samba version 3.5.0 or later.