
On 26 May 2017, Samba.org, in cooperation with SerNet, released a security advisory for all versions of Samba.

Versions of Samba from 3.5.0 onwards are susceptible to a remote code execution vulnerability. This vulnerability could allow a potential attacker to upload a shared library to a writeable site, and cause the server to execute it.

Developers issued a patch and have made it available at:

http://www.samba.org/samba/security/

Patches for older versions are available at:

http://samba.org/samba/patches/

It's advised that all editions have patches applied to avoid another worm outbreak like WannaCry.

An interim fix is to add the parameter:

nt pipe support = no

to the [global] section of your smb.conf file and restart smbd. It's important to note that this may break existing functionality for Windows clients.
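One way to confirm the interim fix is really in effect, as an added example that is not part of the Samba advisory or the original post: a small Python check that parses smb.conf text and reports whether nt pipe support is disabled in [global], catching the cases where the line is commented out or was placed in a share section by mistake. The function names and sample files are constructed for illustration.

```python
import re

PARAM = "ntpipesupport"              # "nt pipe support", normalized
FALSE_VALUES = {"no", "false", "0"}  # boolean "off" spellings from smb.conf(5)

def norm(name):
    # smb.conf ignores case and whitespace in section and parameter names.
    return re.sub(r"\s+", "", name).lower()

def parse_smb_conf(text):
    """Return {section: {parameter: value}}; does not follow 'include' lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            current = sections.setdefault(norm(header.group(1)), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[norm(key)] = value.strip()   # a later assignment wins
    return sections

def audit_interim_fix(text):
    """Return (applied, reason) for the 'nt pipe support = no' workaround."""
    conf = parse_smb_conf(text)
    value = conf.get("global", {}).get(PARAM)
    if value is not None:
        if value.lower() in FALSE_VALUES:
            return True, "disabled in [global]"
        return False, "set to %r in [global]" % value
    misplaced = sorted(s for s, p in conf.items() if s != "global" and PARAM in p)
    if misplaced:
        return False, "only set in share section(s): " + ", ".join(misplaced)
    return False, "not set; Samba's default is yes"

# Constructed sample files, not taken from any real host.
SAMPLES = {
    "applied": "[global]\n  workgroup = EXAMPLE\n  NT Pipe Support = No\n",
    "commented": "[global]\n  ; nt pipe support = no\n[data]\n  path = /srv/data\n",
    "misplaced": "[global]\n  workgroup = EXAMPLE\n[data]\n  nt pipe support = no\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, audit_interim_fix(text))
```

On a live host, `testparm -s` shows the configuration as Samba itself parses it, which also covers `include` files that this parser does not follow.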

About Samba

Samba is a suite of interoperability libraries that allows Windows, Unix, and Linux to share data and network resources. Established in 1992, Samba has worked to provide file and print services using the Server Message Block / Common Internet File System (SMB/CIFS) protocol, and is an important component for *nix integration with Active Directory.

It is also important to note that Samba comes pre-installed on many widely used consumer wireless routers. These will pose the largest difficulty for the Internet if infected, as many of these devices do not have mechanisms to patch their Samba instances.

SambaCry is a currently developing threat that is expected to have a similar impact to the WannaCry worm. ThreatSTOP is monitoring this potential threat and, if appropriate, will develop further tools and recommendations to keep our customers protected.