This Samba new vulnerability is already being called "Sambacry", while the exploit itself mentions "Eternal Red Samba", announced in twitter (sensationally) as:
Samba bug, the metasploit one-liner to trigger is just:
simple.create_pipe("/path/to/target.so")
Potentially affected Samba versions are from Samba 3.5.0 to 4.5.4/4.5.10/4.4.14.
If your Samba installation meets the configurations described bellow, the fix/upgrade should be done ASAP as there are already exploits, other exploit in python and
metasploit modules out there.
More interestingly enough, there are already add-ons to a know honeypot from the honeynet project, dionaea both to WannaCry and SambaCry plug-ins.
Samba cry seems to be already being (ab)used to install more crypto-miners "EternalMiner" or double down as a malware dropper in the future.
honeypots set up by the team of researchers from Kaspersky Lab have
captured a malware campaign that is exploiting SambaCry vulnerability
to infect Linux computers with cryptocurrency mining software. Another
security researcher, Omri Ben Bassat, independently discovered the
same campaign and named it "EternalMiner."
The advised workaround for systems with Samba installed (which also is present in the CVE notice) before updating it, is adding to smb.conf
:
nt pipe support = no
(and restarting the Samba service)
This is supposed to disable a setting that turns on/off the ability to make anonymous connections to the windows IPC named pipes service. From man samba
:
This global option is used by developers to allow or disallow Windows
NT/2000/XP clients the ability to make connections to NT-specific SMB
IPC$ pipes. As a user, you should never need to override the default.
However from our internal experience, it seems the fix is not compatible with older? Windows versions ( at least some? Windows 7 clients seem to not work with the nt pipe support = no
), and as such the remediation route can go in extreme cases into installing or even compiling Samba.
More specifically, this fix disable shares listing from Windows clients, and if applied they have to manually specify the full path of the share to be able to use it.
Other known workaround is to make sure Samba shares are mounted with the noexec
option. This will prevent the execution of binaries residing on the mounted filesystem.
The official security source code patch is here from the samba.org security page.
Debian already pushed yesterday (24/5) an update out the door, and the corresponding security notice DSA-3860-1 samba
To verify in if the vulnerability is corrected in Centos/RHEL/Fedora and derivates, do:
#rpm -q –changelog samba | grep -i CVE
– resolves: #1450782 – Fix CVE-2017-7494
– resolves: #1405356 – CVE-2016-2125 CVE-2016-2126
– related: #1322687 – Update CVE patchset
There is now an nmap
detection script :samba-vuln-cve-2017-7494.nse
for detecting Samba versions, or a much better nmap
script that checks if the service is vulnerable at http://seclists.org/nmap-dev/2017/q2/att-110/samba-vuln-cve-2017-7494.nse , copy it to /usr/share/nmap/scripts
and then update the nmap
database , or run it as follows:
nmap --script /path/to/samba-vuln-cve-2017-7494.nse -p 445 <target>
About long term measures to protect the SAMBA service: The SMB protocol should never be offered directly to the Internet at large.
It goes also without saying that SMB has always been a convoluted protocol, and that these kind of services ought to be firewalled and restricted to the internal networks [to which they are being served].
When remote access is needed, either to home or specially to corporate networks, those accesses should be better done using VPN technology.
As usual, on this situations the Unix principle of only installing and activating the minimum services required does pay off.
Taken from the exploit itself:
Eternal Red Samba Exploit -- CVE-2017-7494.
Causes vulnerable Samba server to load a shared library in root context.
Credentials are not required if the server has a guest account.
For remote exploit you must have write permissions to at least one share.
Eternal Red will scan the Samba server for shares it can write to.
It will also determine the fullpath of the remote share.
For local exploit provide the full path to your shared library to load.
Your shared library should look something like this
extern bool change_to_root_user(void);
int samba_init_module(void)
{
change_to_root_user();
/* Do what thou wilt */
}
It is also known systems with SELinux enabled are not vulnerable to the exploit.
See 7-Year-Old Samba Flaw Lets Hackers Access Thousands of Linux PCs Remotely
According to the Shodan computer search engine, more than 485,000
Samba-enabled computers exposed port 445 on the Internet, and
according to researchers at Rapid7, more than 104,000 internet-exposed
endpoints appeared to be running vulnerable versions of Samba, out of
which 92,000 are running unsupported versions of Samba.
Since Samba is
the SMB protocol implemented on Linux and UNIX systems, so some
experts are saying it is "Linux version of EternalBlue," used by the
WannaCry ransomware.
...or should I say SambaCry?
Keeping in mind the
number of vulnerable systems and ease of exploiting this
vulnerability, the Samba flaw could be exploited at large scale with
wormable capabilities.
Home networks with network-attached storage
(NAS) devices [that also run Linux] could also be vulnerable to this flaw.
See also A wormable code-execution bug has lurked in Samba for 7 years. Patch now!
The seven-year-old flaw, indexed as CVE-2017-7494, can be reliably
exploited with just one line of code to execute malicious code, as
long as a few conditions are met. Those requirements include
vulnerable computers that:
(a) make file- and printer-sharing port 445
reachable on the Internet,
(b) configure shared files to have write
privileges, and
(c) use known or guessable server paths for those
files.
When those conditions are satisfied, remote attackers can
upload any code of their choosing and cause the server to execute it,
possibly with unfettered root privileges, depending on the vulnerable
platform.
Given the ease and reliability of exploits, this hole is worth
plugging as soon as possible. It's likely only a matter of time until
attackers begin actively targeting it.
Also Rapid 7 - Patching CVE-2017-7494 in Samba: It’s the Circle of Life
And more SambaCry: The Linux Sequel to WannaCry.
Need-to-Know Facts
CVE-2017-7494 has a CVSS Score of 7.5
(CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)3.
Threat Scope
A shodan.io query of "port:445 !os:windows" shows approximately one
million non-Windows hosts that have tcp/445 open to the Internet, more
than half of which exist in the United Arab Emirates (36%) and the
U.S. (16%). While many of these may be running patched versions,
have SELinux protections, or otherwise don't match the necessary
criteria for running the exploit, the possible attack surface for this
vulnerability is large.
P.S. The commit fix in the SAMBA github project appear to be commit 02a76d86db0cbe79fcaf1a500630e24d961fa149
Best Answer
The clearest post I’ve seen on this issue is Matthew Garrett’s (including the comments).
Matthew has now released a tool to check your system locally: build it, run it with
and it will report whether AMT is enabled and provisioned, and if it is, the firmware versions (see below). The README has more details.
To scan your network for potentially vulnerable systems, scan ports 623, 624, and 16992 to 16993 (as described in Intel’s own mitigation document); for example
will scan the 192.168.1/24 network, and report the status of all hosts which respond. Being able to connect to port 623 might be a false positive (other IPMI systems use that port), but any open port from 16992 to 16995 is a very good indicator of enabled AMT (at least if they respond appropriately: with AMT, that means an HTTP response on 16992 and 16993, the latter with TLS).
If you see responses on ports 16992 or 16993, connecting to those and requesting
/
using HTTP will return a response with aServer
line containing “Intel(R) Active Management Technology” on systems with AMT enabled; that same line will also contain the version of the AMT firmware in use, which can then be compared with the list given in Intel’s advisory to determine whether it’s vulnerable.See CerberusSec’s answer for a link to a script automating the above.
There are two ways to fix the issue “properly”:
If neither of these options is available, you’re in mitigation territory. If your AMT-capable system has never been provisioned for AMT, then you’re reasonably safe; enabling AMT in that case can apparently only be done locally, and as far as I can tell requires using your system’s firmware or Windows software. If AMT is enabled, you can reboot and use the firmware to disable it (press CtrlP when the AMT message is displayed during boot).
Basically, while the privilege vulnerability is quite nasty, it seems most Intel systems aren’t actually affected. For your own systems running Linux or another Unix-like operating system, escalation probably requires physical access to the system to enable AMT in the first place. (Windows is another story.) On systems with multiple network interfaces, as pointed out by Rui F Ribeiro, you should treat AMT-capable interfaces in the same way as you’d treat any administrative interface (IPMI-capable, or the host interface for a VM hypervisor) and isolate it on an administrative network (physical or VLAN). You cannot rely on a host to protect itself:
iptables
etc. are ineffective here, because AMT sees packets before the operating system does (and keeps AMT packets to itself).VMs can complicate matters, but only in the sense that they can confuse AMT and thus produce confusing scanning results if AMT is enabled.
amt-howto(7)
gives the example of Xen systems where AMT uses the address given to a DomU over DHCP, if any, which means a scan would show AMT active on the DomU, not the Dom0...