According to a Rapid7 article there are some vulnerable Samba versions allowing a remote code execution on Linux systems:
While the WannaCry ransomworm impacted Windows systems and was easily identifiable, with clear remediation steps, the Samba vulnerability will impact Linux and Unix systems and could present significant technical obstacles to obtaining or deploying appropriate remediations.
All versions of Samba from 3.5.0 onwards are vulnerable to a remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it.
Possible attack scenario:
Starting from the two factors:
- The Samba vulnerability isn't fixed yet on some Linux distributions.
- There is a non-patched local privilege escalation vulnerability on some Linux kernel versions (for example, CVE-2017-7308 on the 4.8.0-41-generic Ubuntu kernel).
An attacker can access a Linux machine and elevate privileges using a local exploit vulnerability to gain root access and install a possible future ransomware, similar to this mock-up WannaCry ransomware for Linux.
Update
A newer article, "Warning! Hackers Started Using "SambaCry Flaw" to Hack Linux Systems", demonstrates how to use the SambaCry flaw to infect a Linux machine.
The prediction came out to be quite accurate, as honeypots set up by the team of researchers from Kaspersky Lab have captured a malware campaign that is exploiting SambaCry vulnerability to infect Linux computers with cryptocurrency mining software.
Another security researcher, Omri Ben Bassat, independently discovered the same campaign and named it "EternalMiner".
According to the researchers, an unknown group of hackers has started hijacking Linux PCs just a week after the Samba flaw was disclosed publicly and installing an upgraded version of "CPUminer," a cryptocurrency mining software that mines "Monero" digital currency.
After compromising the vulnerable machines using SambaCry vulnerability, attackers execute two payloads on the targeted systems:
INAebsGB.so — A reverse-shell that provides remote access to the attackers.
cblRWuoCc.so — A backdoor that includes cryptocurrency mining utilities – CPUminer.
TrendLab report posted on July 18, 2017: Linux Users Urged to Update as a New Threat Exploits SambaCry
How do I secure a Linux system to prevent being attacked?
Best Answer
This new Samba vulnerability is already being called "SambaCry", while the exploit itself mentions "Eternal Red Samba", announced on Twitter (sensationally) as:
Potentially affected Samba versions are from Samba 3.5.0 to 4.5.4/4.5.10/4.4.14.
If your Samba installation meets the configurations described below, the fix/upgrade should be done ASAP, as there are already exploits, another exploit in Python, and Metasploit modules out there.
More interestingly, there are already add-ons to a known honeypot from the Honeynet Project, dionaea, with both WannaCry and SambaCry plug-ins.
SambaCry seems to already be (ab)used to install more crypto-miners ("EternalMiner") or to double down as a malware dropper in the future.
The advised workaround for systems with Samba installed (which is also present in the CVE notice), before updating it, is adding to smb.conf (and restarting the Samba service):
nt pipe support = no
This is supposed to disable a setting that turns on/off the ability to make anonymous connections to the Windows IPC named pipes service. From man samba:
However, from our internal experience, it seems the fix is not compatible with older(?) Windows versions (at least some(?) Windows 7 clients seem not to work with nt pipe support = no), and as such the remediation route can in extreme cases go into installing or even compiling Samba. More specifically, this fix disables share listing from Windows clients, and if applied they have to manually specify the full path of the share to be able to use it.
Another known workaround is to make sure Samba shares are mounted with the noexec option. This will prevent the execution of binaries residing on the mounted filesystem.
The official security source code patch is here, from the samba.org security page.
Debian already pushed an update out the door yesterday (24/5), with the corresponding security notice DSA-3860-1 samba.
To verify if the vulnerability is corrected in CentOS/RHEL/Fedora and derivatives, do:
There is now an nmap detection script, samba-vuln-cve-2017-7494.nse, for detecting Samba versions, or a much better nmap script that checks if the service is vulnerable, at http://seclists.org/nmap-dev/2017/q2/att-110/samba-vuln-cve-2017-7494.nse ; copy it to /usr/share/nmap/scripts and then update the nmap database, or run it as follows:
About long-term measures to protect the Samba service: the SMB protocol should never be offered directly to the Internet at large.
It also goes without saying that SMB has always been a convoluted protocol, and that these kinds of services ought to be firewalled and restricted to the internal networks [to which they are being served].
When remote access is needed, either to home or especially to corporate networks, those accesses should better be done using VPN technology.
As usual, in these situations the Unix principle of only installing and activating the minimum services required does pay off.
Taken from the exploit itself:
It is also known that systems with SELinux enabled are not vulnerable to the exploit.
See 7-Year-Old Samba Flaw Lets Hackers Access Thousands of Linux PCs Remotely
See also A wormable code-execution bug has lurked in Samba for 7 years. Patch now!
Also Rapid 7 - Patching CVE-2017-7494 in Samba: It’s the Circle of Life
And more SambaCry: The Linux Sequel to WannaCry.
P.S. The commit fix in the Samba GitHub project appears to be commit 02a76d86db0cbe79fcaf1a500630e24d961fa149
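An added audit helper, not code from the answer or from the Samba project, that checks an smb.conf for the two factors the answer ties together: whether the nt pipe support = no workaround is set in [global], and which shares are writable (the upload path the vulnerability needs). The config it parses is a constructed sample; point it at /etc/samba/smb.conf on a real server.

```shell
#!/bin/sh
# Added audit helper, not code from the answer: parse an smb.conf and report the
# two exposure factors discussed above, whether "nt pipe support = no" is set in
# [global] and which shares are writable (the upload path the exploit needs).
# Point it at /etc/samba/smb.conf; the config at the bottom is a constructed sample.
samba_audit() {
    awk '
        /^[[:space:]]*[;#]/ { next }                      # comment lines
        /^[[:space:]]*\[/ {                                # [section] header
            sect = $0; gsub(/^[[:space:]]*\[|\].*$/, "", sect)
            if (tolower(sect) != "global") { order[++n] = sect; w[sect] = gw }
            next
        }
        {
            line = $0; sub(/[;#].*$/, "", line)           # strip trailing comment
            i = index(line, "="); if (i == 0) next
            key = tolower(substr(line, 1, i - 1)); gsub(/[[:space:]]+/, " ", key)
            gsub(/^ | $/, "", key)
            val = tolower(substr(line, i + 1)); gsub(/[[:space:]]/, "", val)
            yes = (val == "yes" || val == "true" || val == "1")
            if (tolower(sect) == "global" && key == "nt pipe support") pipe = (val == "no")
            # writable/writeable/"write ok" and "read only" (inverted) are synonyms;
            # the last one in a section wins and [global] supplies the default.
            if (key == "writable" || key == "writeable" || key == "write ok") f = yes
            else if (key == "read only") f = !yes
            else next
            if (tolower(sect) == "global") gw = f; else w[sect] = f
        }
        END {
            status = pipe ? "yes" : "no"; print "nt_pipe_support_disabled", status
            for (k = 1; k <= n; k++) if (w[order[k]]) print "writable_share", order[k]
        }
    ' "$1"
}

# Constructed sample config (not a real server's file): one share writable via
# "writable = yes" and one via "read only = no".
SAMPLE_CONF="$(mktemp)"
cat > "$SAMPLE_CONF" <<'EOF'
[global]
   workgroup = WORKGROUP
   nt pipe support = no
[public]
   path = /srv/samba/public
   writable = yes
[scratch]
   path = /tmp/scratch
   read only = no
EOF
samba_audit "$SAMPLE_CONF"
```

Every share it lists as writable is a share an authenticated (or guest) client could drop a library into, so each should be either made read-only, moved onto a noexec mount, or firewalled as the answer describes.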