Is Linux safe? After Windows, SMB & Samba vulnerability

In recent weeks, Microsoft has been releasing an endless stream of security updates for an old SMB vulnerability, the one used by the WannaCry ransomware attack. In the comments on our articles, on Facebook and on the site itself, we found many people proudly declaring that it did not concern them because they were using Linux…

This week it is the turn of Samba, the popular open-source SMB server.

The good news is, of course, that the Samba file-sharing bug has already been fixed. The bad news is that you may be running Samba without knowing it, and in that case there may be no way for you to apply the fix.

Where? How? If you have a network-attached storage device (NAS) for storing your files, documents, paid bills or family photos, you are most likely running Samba, the open-source file and print server. It is commonly used on these devices, and the companies that manufacture them are not known for quick updates. Sometimes they are slow, and sometimes they do not update at all…

Here we have to mention that the security hole, CVE-2017-7494, has been there for seven years now. The bug dates back to Samba 3.5.0, which was released on 10 March 2010. All versions since then, including the latest 4.6.4, are vulnerable to this bug, which gives intruders remote code execution.

The bad news does not stop there. While Samba 4.6.4, 4.5.10 and 4.4.14 have already been released as security releases that fix the problem, older versions of Samba will have to be patched manually.

The security hole allows an attacker to upload a shared library to a writable share. Once inside, the hacker can get the server to load it and execute the malicious code as root.

Exploiting the server appears to be trivial. HD Moore, VP Research & at the security company Atredis Partners, claims that the "metasploit one-liner to trigger" is simple: simple.create_pipe("/path/to/target.so")

The bug has already been integrated into tools and can be used with ease, even by script-kiddies.

The security company Rapid7 says that "the internet has not yet caught fire, but there are specs to start something very big".

How dangerous is it really?

In a Rapid7 Labs Project Sonar scan, the company reports that over 104.000 endpoints were found exposed to the internet and appear to be running vulnerable versions of Samba on port 445. "Of these nearly 90% (92.570) are running versions for which no patch is currently readily available."

If you are running Samba on a Linux or Unix server, you need to patch it now. If you are running a version of Samba that has not been updated, upgrade it to a more recent version as soon as possible. If for some reason you cannot do this, you will need to edit smb.conf, the main configuration file of the Samba server.

To do this, add the parameter:

nt pipe support = no

in the [global] section of smb.conf and restart smbd, the Samba daemon. This prevents clients from accessing the named pipe endpoints, so they cannot trigger the vulnerability. Unfortunately, this setting can affect how Windows client computers access files or folders on a Samba-based share.

But let's say you cannot patch it. Yes, the major Linux distributions give you the means to patch your servers. But the NAS vendors?

What can you do? How can you protect yourself, whether you are responsible for your company's server farm or simply own a NAS?

First, make sure none of your Samba shares is public. If you grant write permission to anyone on your network, anyone can plant malicious programs there.

Then, if you have given Samba storage users access over the Internet by leaving port 445 open, stop it immediately. Now. Block the port directly with the firewall you are using.
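The checks above (is my Samba release still in the affected range, is the "nt pipe support = no" workaround actually present under [global], and is any share both public and writable) can be scripted. The POSIX shell script below is an added example, not code from the article, from Samba or from Rapid7. It uses only the fixed release numbers the article names (4.6.4, 4.5.10, 4.4.14) and the 3.5.0 starting point; treating anything newer than the 4.6 branch as fixed is an assumption, and the sample smb.conf it builds is constructed for the demo. Samba option names are case-insensitive and whitespace-insensitive, and "writeable", "write ok", "read only = no" and "public" are the documented synonyms the share check relies on.

```shell
#!/bin/sh
# Added example (not from the article or the Samba project): defender-side
# triage helpers for CVE-2017-7494 on a Samba host.
#  - samba_needs_fix VERSION   : does this release still need a patch or workaround?
#  - conf_has_workaround FILE  : is "nt pipe support = no" set under [global]?
#  - add_workaround FILE       : add it under [global] if missing (idempotent)
#  - list_guest_writable FILE  : shares that are both guest-accessible and writable

# Fixed releases per branch are the ones the article names (4.6.4, 4.5.10,
# 4.4.14). Releases from 3.5.0 up to the 4.3 branch got no fix release at all.
# Assumption: any branch newer than 4.6 is treated as already fixed.
samba_needs_fix() {
    ver=${1%%[!0-9.]*}                      # "4.6.3-Ubuntu" -> "4.6.3"
    major=${ver%%.*}
    rest=${ver#*.};  [ "$rest" = "$ver" ] && rest="0.0"
    minor=${rest%%.*}
    patch=${rest#*.}; [ "$patch" = "$rest" ] && patch=0
    minor=${minor:-0}; patch=${patch:-0}
    num=$((major * 10000 + minor * 100 + patch))
    case "$major.$minor" in
        4.6) [ "$num" -lt 40604 ] ;;
        4.5) [ "$num" -lt 40510 ] ;;
        4.4) [ "$num" -lt 40414 ] ;;
        *)   [ "$num" -ge 30500 ] && [ "$num" -lt 40400 ] ;;
    esac
}

# Samba ignores case and whitespace in option names, so normalise before matching.
conf_has_workaround() {
    awk '
        /^[ \t]*\[/ { inglobal = (tolower($0) ~ /^[ \t]*\[global][ \t]*$/); next }
        inglobal && tolower($0) ~ /^[ \t]*nt[ \t]*pipe[ \t]*support[ \t]*=[ \t]*no[ \t]*$/ { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Insert the workaround right after the [global] header, but only once.
# Fails (returns 1) if the file has no [global] section to attach it to.
add_workaround() {
    conf_has_workaround "$1" && return 0
    tmp=$(mktemp) || return 1
    awk '{ print } tolower($0) ~ /^[ \t]*\[global][ \t]*$/ { print "   nt pipe support = no" }' "$1" > "$tmp" &&
        mv "$tmp" "$1" && conf_has_workaround "$1"
}

# A share is reported when it is guest-reachable ("guest ok"/"public" = yes)
# AND writable ("writable"/"writeable"/"write ok" = yes, or "read only = no").
# Heuristic: it does not model every Samba precedence rule, only the common spellings.
list_guest_writable() {
    awk '
        function flush() { if (sec != "" && tolower(sec) != "global" && w && g) print sec }
        /^[ \t]*\[/ {
            flush()
            sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/][ \t]*$/, "", sec)
            w = 0; g = 0; next
        }
        {
            line = tolower($0); sub(/^[ \t]+/, "", line)
            if (line ~ /^(writable|writeable|write[ \t]*ok)[ \t]*=[ \t]*yes/) w = 1
            if (line ~ /^read[ \t]*only[ \t]*=[ \t]*no/)                      w = 1
            if (line ~ /^(guest[ \t]*ok|public)[ \t]*=[ \t]*yes/)              g = 1
        }
        END { flush() }
    ' "$1"
}

# Demo on a constructed smb.conf (sample content, not a real deployment).
demo() {
    conf=$(mktemp) || return 1
    printf '%s\n' '[global]' '   workgroup = WORKGROUP' '' \
        '[public]' '   path = /srv/share' '   guest ok = yes' '   writable = yes' > "$conf"
    for v in 3.4.9 4.2.14 4.6.3 4.6.4; do
        if samba_needs_fix "$v"; then echo "samba $v: affected, patch or apply the workaround"
        else echo "samba $v: outside the affected range"; fi
    done
    echo "guest-writable shares: $(list_guest_writable "$conf")"
    add_workaround "$conf" && cat "$conf"
    rm -f "$conf"
}
demo
```

Run it as-is to see the demo; to check a real host, point `conf_has_workaround` and `list_guest_writable` at your smb.conf and feed `samba_needs_fix` the output of `smbd --version` (strip the leading "Version " yourself). Remember that adding "nt pipe support = no" is the fallback the article describes for hosts that cannot be upgraded, and that it can break Windows clients' access to the share.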

iGuRu.gr


Written by giorgos
