Samba vulnerability could lead to the next WannaCry
A security vulnerability in the popular Samba networking utility could leave unpatched machines open to an attack similar to WannaCry. A single line of code is all that’s needed to exploit the vulnerability, but exploitation depends on a number of prerequisites.
The vulnerability has been assigned the ID CVE-2017-7494 and is described as "remote code execution from a writable share" which could allow "malicious clients [to] upload and cause the smbd server to execute a shared library from a writable share." Security researchers say that the flaw is very easy to exploit, and tens of thousands of machines have been found to be running versions of Samba for which a patch does not exist.
While the vulnerability is not exactly new, it was not thought to be particularly serious or likely to be exploited. The impact of WannaCry, however, showed that it was much more likely than first expected. One of the requirements for the vulnerability to become exploitable is that port 445 must be exposed, and researchers have found that this is true for hundreds of thousands of computers.
A patch has been made available, but the problem also affects versions of Samba that are no longer supported. In a security advisory, the Samba team says:
All versions of Samba from 3.5.0 onwards are vulnerable to a remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it.
A patch addressing this defect has been posted to
Additionally, Samba 4.6.4, 4.5.10 and 4.4.14 have been issued as security releases to correct the defect. Patches against older Samba versions are available at http://samba.org/samba/patches/. Samba vendors and administrators running affected versions are advised to upgrade or apply the patch as soon as possible.
For anyone running a version of Samba for which there is not currently a patch, there is a workaround. The Samba team says:
Add the parameter:
nt pipe support = no
to the [global] section of your smb.conf and restart smbd. This prevents clients from accessing any named pipe endpoints.
There is the warning, however, that "this can disable some expected functionality for Windows clients."
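An added example, not from the Samba advisory or this article: a Python check that applies the advisory's version statement to a version string and inspects an smb.conf for the workaround and for writable shares. The function names and the sample configuration are constructed for illustration, and the treatment of branches newer than 4.6 as fixed is an assumption marked in the code.

```python
import re
# Security releases named in the advisory, keyed by release branch.
FIXED = {(4, 6): 4, (4, 5): 10, (4, 4): 14}
TRUE, FALSE = {"yes", "true", "on", "1"}, {"no", "false", "off", "0"}

def version_affected(version):
    """Apply the advisory's version statement to a string such as '4.5.9'."""
    v = tuple(int(x) for x in re.match(r"(\d+)\.(\d+)\.(\d+)", version).groups())
    if v < (3, 5, 0):
        return False
    if v[:2] in FIXED:
        return v[2] < FIXED[v[:2]]
    # Assumption: branches after 4.6 ship the fix; older ones need the patch.
    return v[:2] < (4, 4)

def parse_smb_conf(text):
    """Return {section: {parameter: value}}, names lower-cased, spaces collapsed."""
    conf, section = {}, None
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][" ".join(key.lower().split())] = value.strip().lower()
    return conf

def read_only(params, default):
    """Resolve 'read only' and its inverted synonyms; the last valid setting wins."""
    ro = default
    for key, value in params.items():
        if key == "read only" and value in TRUE | FALSE:
            ro = value in TRUE
        elif key in ("writable", "writeable", "write ok") and value in TRUE | FALSE:
            ro = value in FALSE
    return ro

def audit(text):
    """Report whether the workaround is set and which shares are writable."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    default_ro = read_only(glob, True)  # [global] supplies share defaults
    shares = sorted(s for s, p in conf.items()
                    if s != "global" and not read_only(p, default_ro))
    return {"workaround": glob.get("nt pipe support") in FALSE, "writable_shares": shares}
# Constructed sample configuration, not taken from any real host.
SAMPLE = "[global]\n ; nt pipe support = no\n[public]\n read only = no\n[docs]\n writable = no\n"
```

A version string cannot show whether a vendor backported the patch, so treat `version_affected` as a first-pass filter and confirm against the vendor's package changelog.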