May 25, 2017

Overview

Today, a new vulnerability affecting the widely used Samba software was disclosed. Samba is an implementation of the SMB/CIFS protocol commonly used on *NIX operating systems. CVE-2017-7494 has the potential to impact many systems around the world. This vulnerability could allow a user to upload a shared library to a writeable share on a vulnerable Samba server and cause the server to execute the uploaded file. An attacker could therefore upload an exploit payload to a writeable Samba share and gain code execution on any server running an affected version of the Samba package. This currently affects all versions of Samba 3.5.0 (released March of 2010) and later. To emphasize the severity and low complexity: a Metasploit one-liner can be used to trigger this vulnerability.


A patch has already been released to address the issue. Additionally, a mitigation is available within the configuration of Samba itself: adding the parameter "nt pipe support = no" to the [global] section of the smb.conf file and restarting the service will also mitigate the threat. Potential attackers are only beginning to recognize this threat, but PoC code has already been released on the Internet. It is only a matter of time before adversaries begin to use it more widely to compromise additional systems, both externally and internally.


This is likely to affect numerous servers, storage devices such as NAS systems, and anything else running a version of Samba that is vulnerable to this attack. Users are urged to contact their vendor to obtain patched firmware or recommendations for addressing this threat. In the meantime, the above workaround may help. In accordance with best practices, it is highly recommended that users do not allow direct SMB, Samba, CIFS, NFS, etc. access from the Internet to systems within their network.


http://blog.talosintelligence.com/20...n-details.html