Hackers Access Thousands of Linux PCs Remotely Through 7-Year-Old Samba Flaw
By Prempal Singh
A 7-year-old critical remote code execution vulnerability has recently been uncovered in the Samba networking software that could allow a remote attacker to take control of affected Linux and Unix machines.
Samba is open-source software (a re-implementation of the SMB networking protocol) that runs on the vast majority of operating systems currently available, including Windows, Linux, UNIX, IBM System 390, and OpenVMS.
Samba allows non-Windows operating systems, like Linux or Mac OS X, to share folders, files, and printers with Windows operating systems over the network.
The newly uncovered remote code execution vulnerability (CVE-2017-7494) affects all versions from Samba 3.5.0 onward, which was released on March 1, 2010.
“All versions of Samba from 3.5.0 onwards are susceptible to a web-based code execution vulnerability, allowing a malicious client to publish a shared library to a writable share, and then cause the server to load and perform it,” Samba wrote in an advisory posted Wednesday.
According to the Shodan computer search engine, more than 485,000 Samba-enabled computers expose port 445 on the Internet, and according to researchers at Rapid7, more than 104,000 internet-exposed endpoints appear to be running vulnerable versions of Samba, of which 92,000 are running unsupported versions.
Since Samba is the SMB protocol as implemented on Linux and UNIX systems, some experts are calling it the “Linux version of EternalBlue,” the exploit used by the WannaCry ransomware… or should I say SambaCry?
Given the number of vulnerable systems and the ease of exploiting this vulnerability, the Samba flaw could be exploited at scale with wormable capabilities.
Home networks with network-attached storage (NAS) devices could also be vulnerable to this flaw.
Exploit Code Unveiled! (Bonus: Metasploit Module)
The flaw resides in the way Samba handles shared libraries. A remote attacker could use this Samba arbitrary module loading vulnerability to upload a shared library to a writable share and then cause the server to load and execute the malicious code.
The vulnerability is extremely easy to exploit. Just one line of code is required to execute malicious code on the affected system:
simple.create_pipe("/path/to/target.so")
Meanwhile, the Samba exploit has already been ported to Metasploit, a penetration testing framework, enabling experts as well as cyber criminals to exploit this flaw easily.
Patch and Mitigations
The maintainers of Samba have already patched the issue in the new Samba versions 4.6.4, 4.5.10 and 4.4.14, and are urging those using a vulnerable version of Samba to install the patch as soon as possible.
If you cannot upgrade to the latest version of Samba immediately, you can work around the vulnerability by adding the following line to your Samba configuration file smb.conf:
nt pipe support = no
Once added, restart the SMB daemon (smbd) and you are done. Note that this change will prevent clients from fully accessing some network machines and will disable some expected functionality for connected Windows systems.
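The two conditions the article describes (a vulnerable Samba version and a writable share) and the mitigation it recommends (nt pipe support = no in the [global] section) can be checked from the configuration file itself. The following script is an added example written for this page; it is not Samba's own tooling and not from the original article. The smb.conf excerpt is constructed, the fixed versions are the ones named above, and the treatment of branches newer than 4.6 as unaffected is an assumption, since the article does not discuss them.

```python
import re
from typing import Dict, List, Tuple

# Boolean spellings Samba accepts (compared case-insensitively).
_TRUE = {"yes", "true", "1"}
_FALSE = {"no", "false", "0"}

# Fix versions named in the article. Everything from 3.5.0 up to (not including)
# the fix for its branch is treated as vulnerable. Assumption: branches newer
# than 4.6 are outside the article's scope and are reported as not vulnerable.
FIXED_VERSIONS = {(4, 4): (4, 4, 14), (4, 5): (4, 5, 10), (4, 6): (4, 6, 4)}
FIRST_VULNERABLE = (3, 5, 0)

# Constructed sample smb.conf: the mitigation line is present but commented out.
SAMPLE_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   server string = %h server
   # nt pipe support = no

[homes]
   comment = Home Directories
   browseable = no
   read only = yes
   writable = yes

[public]
   path = /srv/samba/public
   read only = no
   guest ok = yes

[printers]
   path = /var/spool/samba
   printable = yes
   read only = yes
"""


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal smb.conf parser: [section] headers, 'key = value' lines and
    '#' / ';' comments. Keys are lower-cased with whitespace collapsed, which
    matches Samba's case- and space-insensitive parameter lookup."""
    conf: Dict[str, Dict[str, str]] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[(.+?)\]$", line)
        if header:
            section = header.group(1).strip().lower()
            conf.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[section][" ".join(key.lower().split())] = value.strip()
    return conf


def _as_bool(value: str, default: bool) -> bool:
    v = value.strip().lower()
    return True if v in _TRUE else False if v in _FALSE else default


def share_is_writable(params: Dict[str, str]) -> bool:
    """Shares are read-only by default; 'writable'/'writeable'/'write ok' and
    the inverse 'read only' are synonyms, and the last one listed wins."""
    writable = False
    for key, value in params.items():
        if key in ("writable", "writeable", "write ok"):
            writable = _as_bool(value, False)
        elif key == "read only":
            writable = not _as_bool(value, True)
    return writable


def writable_shares(conf: Dict[str, Dict[str, str]]) -> List[str]:
    return sorted(n for n, p in conf.items() if n != "global" and share_is_writable(p))


def nt_pipe_support_disabled(conf: Dict[str, Dict[str, str]]) -> bool:
    # The mitigation only counts if it is an active (uncommented) [global] setting.
    return not _as_bool(conf.get("global", {}).get("nt pipe support", "yes"), True)


def parse_version(version: str) -> Tuple[int, int, int]:
    """Accepts strings such as '4.5.8' or 'Version 4.5.8-Ubuntu' (smbd --version)."""
    parts = [int(x) for x in re.findall(r"\d+", version)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))  # type: ignore[return-value]


def version_is_vulnerable(version: str) -> bool:
    ver = parse_version(version)
    if ver < FIRST_VULNERABLE:
        return False
    fixed = FIXED_VERSIONS.get(ver[:2])
    if fixed is None:
        # Branches between 3.5 and 4.3 have no fix named in the article; newer
        # than 4.6 is assumed unaffected (see lead-in).
        return ver[:2] < (4, 4)
    return ver < fixed


def assess(conf_text: str, version: str) -> Dict[str, object]:
    """Combine version, writable shares and mitigation into one verdict."""
    conf = parse_smb_conf(conf_text)
    shares = writable_shares(conf)
    mitigated = nt_pipe_support_disabled(conf)
    vulnerable = version_is_vulnerable(version)
    return {
        "version_vulnerable": vulnerable,
        "writable_shares": shares,
        "nt_pipe_support_disabled": mitigated,
        "exposed": vulnerable and bool(shares) and not mitigated,
    }


if __name__ == "__main__":
    print(assess(SAMPLE_SMB_CONF, "4.5.8"))
    print(assess(SAMPLE_SMB_CONF.replace("# nt pipe support", "nt pipe support"), "4.5.8"))
```

On a real host the configuration text would come from reading /etc/samba/smb.conf (or the output of testparm -s, which expands includes) and the version string from smbd --version; the verdict is only an indication, since shares can also be made writable through per-user settings the parser does not model.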
While Linux distribution vendors, including Red Hat and Ubuntu, have already released patched versions for their users, the biggest risk comes from NAS devices, which may not be updated as quickly.
Craig Williams of Cisco said that, given that most NAS devices run Samba and hold very valuable data, the vulnerability “has potential to be the first large-scale Linux ransomware worm.”
Meanwhile, Netgear released a security advisory for CVE-2017-7494, saying a large number of its router and NAS product models are affected by the flaw because they use Samba version 3.5.0 or later.
Source: thehackernews.com