Samba exploit – not quite WannaCry for Linux, but patch anyway!

Samba is an open source project that is widely used on Linux and Unix computers so they can work with Windows file and print services.

Samba can work as a client that lets you connect to Windows servers, and as a server that can accept connections from Windows clients.

You can even use Samba as an Active Directory server to handle logon, authentication and access control for a Windows network.

In case you’re wondering about the name, it’s derived from SMB, short for Server Message Block, the underlying protocol used in Windows networking.

SMB, of course, has been all over the security news recently thanks to the WannaCry virus – self-spreading ransomware that wormed its way automatically from network to network thanks to a security hole in the SMB networking code in Windows.

The vulnerability that led to the WannaCry outbreak had been in Windows for many years, apparently undiscovered by everyone except the US National Security Agency (NSA).

The NSA kept that information up its sleeve under the codename ETERNALBLUE, until some time in 2016…

…when a bunch of cybercrooks somehow got hold of it in a cache of leaked, breached or stolen data, and threatened to make the information public.

What happened next is that Microsoft patched the ETERNALBLUE hole (whether Microsoft was tipped off by the NSA as a sort of public service once the breach was noticed, or found the vulnerability itself, doesn’t really matter to the story), and that ought to have been that.

But the crooks then quickly publicised the details of ETERNALBLUE, along with a raft of other stolen information, presumably realising that the window of opportunity for stirring up security trouble was shrinking as fast as the patch was being applied.

And then, as we all surely know by now, the WannaCry ransomware appeared, using the now-public ETERNALBLUE exploit to attack unpatched computers and to spread with no user intervention needed.

For those with long memories, WannaCry was an echo of numerous infamous viruses of yesteryear, such as the Internet Worm (1988), Slammer (2003) and Conficker (2008).

Not just Windows

Because of cross-platform tools like Samba, network security holes due to SMB and Windows file sharing services aren’t unique to the Windows platform.

In fact, it turns out that there’s been a remote code execution hole in Samba’s SMB implementation for several years, too.

In theory, this latest hole, dubbed CVE-2017-7494, could be used for what’s known as a “wormable attack” – that’s the jargon name for an intrusion that can be automated so that a compromised computer automatically looks for new victims, attacks them, breaks into them in turn, and so on.

Greatly simplified, the CVE-2017-7494 hole can be exploited by starting off something like this:

  • Find a writable network share on a vulnerable Samba server.
  • Copy a special sort of Linux/Unix program called a shared object (a .so file) into that writable share.

At this point, if you’re a crook with a maliciously crafted .so program file, you have already introduced your malware to the victim’s system.

But that is a far cry from actively infecting the target, because the malware is merely sitting there in a file, doing nothing.

Because of the CVE-2017-7494 bug, however, a crook operating remotely may be able to trick the Samba server into loading and running the just-uploaded .so file:

  • Guess the local filename of the uploaded file on the server you are attacking. (The remote name via the share might be \\SERVER\SHARE\; that file might end up in the server’s local directory tree as, say, /var/samba/share/.)
  • Send Samba a specially-malformed IPC request (interprocess communication, or computer-to-computer message) that identifies the local copy of the malware by full path name.

The malformed IPC request tricks the server into loading and running the locally-stored program file, even though that file came from an untrusted external source.

Bingo – RCE, or Remote Code Execution.

What to do?

Unlike ETERNALBLUE and WannaCry, not every vulnerable SMB service can actively be exploited, so the risk is easier to control.

Here’s what you need to know:

  • If you have Samba installed but are only using it as a client to connect out to other file shares, the exploit can’t be used because there is no listening server for a crook to connect to.
  • If you have Samba shares open but they are configured read-only (for example if you are using Samba to publish updates to Windows PCs on your network), the exploit can’t be used because the crooks can’t upload their malware file to start the attack.
  • If you have writable Samba shares but you have set the Samba configuration option nt pipe support = no, the exploit can’t be used because the crooks can’t send the malformed IPC requests to launch the malware they just uploaded.
  • If you update your Samba version to 4.6.4 (4.5.10 or 4.4.14 if you are on older release branches), the exploit can’t be used because Samba won’t accept the malformed IPC request that references the uploaded malware by its local path name.
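As an added illustration of that checklist (not code from the original article or from the Samba project), the Python below parses an smb.conf, lists the writable shares, reads the nt pipe support setting and compares an smbd -V version string against the fixed releases named above. The sample config is constructed, and treating branches newer than 4.6 as fixed and older than 4.4 as unfixed is an assumption.

```python
import re

# Fixed releases named in the article, keyed by (major, minor) branch.
FIXED = {(4, 6): (4, 6, 4), (4, 5): (4, 5, 10), (4, 4): (4, 4, 14)}
YES = ("yes", "true", "1")

def parse_smb_conf(text):
    """Parse smb.conf's [section] / key = value layout into {section: {key: value}}."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # smb.conf comment lines
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf[section] = {}
        elif "=" in line and section is not None:
            key, _, val = line.partition("=")
            conf[section][" ".join(key.lower().split())] = val.strip()
    return conf

def writable_shares(conf):
    """Shares are read-only unless writable/writeable/write ok = yes or read only = no."""
    shares = []
    for name, opts in conf.items():
        if name in ("global", "printers"):
            continue
        if (any(opts.get(k, "no").lower() in YES for k in ("writable", "writeable", "write ok"))
                or opts.get("read only", "yes").lower() not in YES):
            shares.append(name)
    return shares

def version_patched(version_str):
    """True when an 'smbd -V' string is at or above the fixed release for its branch."""
    v = tuple(int(x) for x in re.search(r"(\d+)\.(\d+)\.(\d+)", version_str).groups())
    fixed = FIXED.get(v[:2])
    if fixed is None:  # assumption: branches after 4.6 carry the fix, branches before 4.4 do not
        return v[:2] > (4, 6)
    return v >= fixed

def assess(conf_text, version_str):
    """Apply the article's checklist: exposed only if every listed mitigation is absent."""
    conf = parse_smb_conf(conf_text)
    shares = writable_shares(conf)
    pipes = conf.get("global", {}).get("nt pipe support", "yes").lower() in YES
    patched = version_patched(version_str)
    return {"writable_shares": shares, "nt_pipe_support": pipes, "patched": patched,
            "exposed": bool(shares) and pipes and not patched}

# Constructed sample: one read-only share, one writable share, nt pipe support left at its default.
SAMPLE_CONF = ("[global]\nworkgroup = WORKGROUP\n[updates]\npath = /srv/samba/updates\n"
               "read only = yes\n[public]\npath = /srv/samba/public\nwritable = yes\n")
```

On a real server, feed it the output of testparm -s (the effective configuration) and smbd -V; on an appliance the vendor firmware may expose neither, which is exactly why the checklist points you back to the vendor.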

The last point above raises a thorny question: what to do about appliances such as Network Attached Storage (NAS) devices, and home or small business routers that allow you to plug in USB drives to add shared storage?

Like many IoT devices, home routers and NAS boxes are often built down to a price, using Linux-based firmware with Samba to provide the needed connectivity.

Is your NAS box or router using Samba? What version does it have? How is it configured? Has it been patched? Where to get the patch?

Sadly, we don’t have a generic answer, because it depends on the device, the model, the vendor, and many other factors; all we can do is to suggest that you:

  • Check with the vendor of your NAS and other network storage devices whether patches are needed, and if so how to apply them (and how to verify that the update has happened).
  • Don’t open up your NAS boxes to the internet, whether by accident or by design.

Thanks to the publicity surrounding WannaCry, cybercrooks are now especially interested in SMB services that are listening out for connections on the public internet – so if you don’t check your own network to make sure you aren’t exposed unnecessarily, the crooks certainly will!

Note. Sophos products aren’t vulnerable to this attack. For details and an explanation, please see our Community Knowledge Base article entitled Samba CVE-2017-7494 exploit.