Asia's Source for Enterprise Network Knowledge

Sunday, June 25th, 2017


Patch the Samba bug before a network worm exploits it

Software will always have bugs. The challenge is finding and closing them before attackers figure out what kind of damage they can cause by exploiting them. In the case of the Samba networking utility, the remote code execution bug can potentially be exploited by a network worm, which means addressing this vulnerability just shot to the top, or nearly to the top, of the sysadmin’s to-do list.

Samba is an implementation of the SMB/CIFS protocol that lets Unix and Linux systems access Windows file and print services, as well as interoperate with Windows networking features such as Active Directory and Windows Server Domain. Many home and corporate network storage systems run Samba, and it’s very straightforward to enable the Samba service on any Linux endpoint.

A malicious client can “upload a shared library to a writable share, and then cause the server to load and execute it,” the Samba maintainers wrote in an advisory. Samba is currently at version 4.6.4; the vulnerability was introduced seven years ago in version 3.5.0.

Basically, if there is a vulnerable version of Samba running on a system, such as an NAS or any other network storage device, and the attacker has the ability to upload files onto that vulnerable device, then exploitation is trivial, requiring just a single line of code. An attacker can exploit the flaw to target the data stored on the file-share or the storage device. Considering the number of devices that use Samba and how long the vulnerability has been present, the potential for a fast-moving network worm is very high, and the damage could be widespread.

Organizations around the world saw firsthand with WannaCry and its sibling variants how quickly attackers can package exploits and release them in attacks. WannaCry ransomware and the newer EternalRocks worm highlighted how criminals take advantage of the lag time between when software updates are released and when they are actually deployed. These network worms spread rapidly because they were able to exploit the SMBv1 flaw in unpatched Windows systems.

“Many NAS environments are used as network backup systems. A direct attack or worm would render those backups almost useless,” said Bob Rudis, lead data scientist at Rapid7. “We advise that organizations create an offline copy of critical data as soon as possible if patching cannot be done immediately.”

The Samba maintainers have released a patch, but it only applies to more recent versions of Samba, specifically 4.6, 4.5, and 4.4. Anyone running a version between 3.5 and 4.3 remains vulnerable, as those versions are no longer supported. Version 4.4 was released March 2016, so any system that is more than a year old and has not been updated to 4.4 or later does not have an available patch at this time.

“Organizations should be reviewing their official asset and configuration management systems to immediately identify vulnerable systems and then perform comprehensive and regular full network vulnerability scans to identify misconfigured or rogue systems,” Rudis said.

Rapid7 Labs looked at Project Sonar’s daily results, which contain scanning data for the entire IPv4 address space, and discovered more than 104,000 endpoints exposed on the Internet that appear to be running vulnerable versions of Samba. While some of these are servers and gateways into the organization’s networks, a number of these would also be home networking gear and Internet of Things (IoT) devices. In those cases, the vendors would have to take charge of updating their devices to fix the flaw, and the update process is not as simple as just running Windows Update on a computer.

Nearly 90 percent of devices running a vulnerable version of Samba are potentially running a version for which there is no direct patch, meaning they are likely running versions older than 4.4. The patching challenge gets even more complex if they are IoT devices, many of which don’t even have an update mechanism.

The vulnerability exists in the networking utility’s remote procedure call (RPC) server component (CVE-2017-7494). The RPC server allowed pipe names that include a “/” character, which could let attackers craft directory traversal attacks. The patch blocks a connection in this case, and requires a regexp to be used instead. HD Moore, vice president of research and development at Atredis Partners and founder of the Metasploit penetration testing framework, said on Twitter that he could exploit the flaw on a system running Ubuntu Linux 16.04 and on a Synology NAS. A Metasploit module for some systems is already available.

While there is no sign of this Samba flaw being used in active attacks, the fact that it can be “wormable” makes it very dangerous for business networks. Don’t focus on how many vulnerable devices are directly accessible from the Internet. The biggest danger will come from the vulnerable devices internally. All the attacker has to do is get a foothold in the network (not so hard to do), and the worm can easily spread throughout the network.

And that’s not even considering the malicious payload the worm may be delivering. WannaCry was ransomware, but other versions included a cryptocurrency miner and a remote-access Trojan. No one knows what EternalRocks will do as it has yet to dump a payload. Considering Samba is used on fileshares and backups, imagine the damage it can cause if combined with ransomware. Such a worm can be devastating, bringing the whole organization to a standstill.

If the device has Samba and can be updated, make sure to run the update. If an update mechanism is missing, but there is a way to manually apply the patch, do it. There is a workaround (adding nt pipe support = no to the [global] section of the smb.conf file and restarting smbd), so if that is an option, do that. The workaround will prevent clients from fully accessing network computers. If none of this is possible, make sure the data is available offline, just in case. Beef up other security measures to protect the vulnerable devices. Criminals will chain together multiple exploits, so don’t neglect other defense-in-depth measures. Considering the kind of damage an attack targeting this flaw could cause, it’s highly likely attackers will soon begin actively targeting it.
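
The triage described above, sketched in Python as an added example (not code from the article, Rapid7 or the Samba project): it sorts a reported Samba version into the branches the article names and checks whether the nt pipe support workaround is really set in [global]. The function names, status labels and sample smb.conf text are constructed for illustration.

```python
import re
# Branch boundaries as stated in the article: bug introduced in 3.5.0; patches for 4.4-4.6 only.
INTRODUCED, OLDEST_PATCHED, NEWEST_PATCHED = (3, 5), (4, 4), (4, 6)

def branch_status(version):
    """Classify a version string such as 'Version 4.3.11-Ubuntu' by branch."""
    m = re.match(r"\s*(?:Version\s+)?(\d+)\.(\d+)", version)
    if not m:
        return "unknown"
    branch = (int(m.group(1)), int(m.group(2)))
    if branch < INTRODUCED:
        return "predates-bug"
    if branch < OLDEST_PATCHED:
        return "affected-no-patch"
    if branch <= NEWEST_PATCHED:
        return "affected-patch-available"  # still confirm the fixed build is installed
    return "newer-than-article"

def global_params(conf_text):
    """Return {normalised name: value} for the [global] section of smb.conf."""
    params, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            # smb.conf ignores case and whitespace in parameter names
            params["".join(name.split()).lower()] = value.strip()
    return params

def workaround_applied(conf_text):
    """True only if [global] sets 'nt pipe support' to a false value."""
    value = global_params(conf_text).get("ntpipesupport", "yes")  # default is yes
    return value.lower() in ("no", "false", "0")

def assess(version, conf_text):
    status = branch_status(version)
    mitigated = status.startswith("affected") and workaround_applied(conf_text)
    return status + "+workaround" if mitigated else status

# Constructed sample inputs, not taken from any real host. DEFAULT has the
# setting commented out in [global] and misplaced in a share section.
MITIGATED = "[global]\n  workgroup = EXAMPLE\n  NT Pipe Support = No\n[backup]\n  path = /srv/backup\n"
DEFAULT = "[global]\n  workgroup = EXAMPLE\n  ; nt pipe support = no\n[backup]\n  nt pipe support = no\n"

if __name__ == "__main__":
    print(assess("Version 4.3.11-Ubuntu", DEFAULT), assess("4.3.11", MITIGATED))
```

A host reported as affected-no-patch without the workaround is the case the article flags as most urgent: no vendor fix exists for that branch, so the configuration change or an offline copy of the data is the only protection.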