
Detecting SambaCry CVE-2017-7494

We’ve seen several critical vulnerabilities lately. First there was WannaCry, then WannaCry 2.0 (EternalRocks), and now do we have WannaCry 3.0? Not really. But a newly disclosed remote code execution vulnerability (CVE-2017-7494), present in every Samba release since 3.5.0 and therefore roughly seven years old, is making news this week. It is being billed as the WannaCry equivalent for Linux, and some are even calling it SambaCry, because it affects the SMB protocol implementation used on Linux and other Unix-like systems and is potentially wormable. To be clear, this vulnerability is unrelated to the SMB exploits released by the Shadow Brokers group and used by the WannaCry ransomware to infect a large number of Windows systems; the only similarity is that both target SMB. The Tenable research team is always on top of these newsworthy vulnerabilities, and this latest Samba weakness is no different. You’ll find multiple detection tools in your Tenable feed, ready to use in your scan program.

What’s the attack surface?

Samba is an open source re-implementation of the SMB/CIFS networking protocol, providing file and print services to Microsoft Windows clients. It runs on most Unix and Unix-like systems, such as Linux, Solaris and AIX, as well as OpenVMS, and it ships as standard in most Linux distributions. As a result, it is present on a very large number of systems.

A quick Shodan search shows over 475,000 Samba-enabled hosts are accessible over the internet. However, it isn’t clear how many of them are running vulnerable versions of Samba.

[Screenshot: Shodan search results for Samba hosts]

The vulnerability itself can be exploited with a single line of code. A malicious client with write access to a share uploads a shared library to it and then causes the smbd server to load and execute that library by opening a named pipe whose name is the server-side path of the uploaded file. Two conditions therefore have to hold: the attacker needs a writable share, and needs to know or guess where that share lives on the server's filesystem. Exploit modules are already available in Metasploit (exploit/linux/samba/is_known_pipename) to exploit this issue.

What steps can you take?

The first step is to patch vulnerable versions of Samba right away. Tenable has several tools to help you detect affected Samba versions.

Nessus

Tenable has released multiple credentialed Nessus® plugins to check for vulnerable Samba versions, and will continue to release more plugins as patches become available for other Linux distributions.

Plugin ID   Nessus Plugin

100388      Samba 4.4.x < 4.4.14 / 4.5.x < 4.5.10 / 4.6.x < 4.6.4 Shared Library RCE
100389      Slackware 13.1 / 13.37 / 14.0 / 14.1 / 14.2 / current : samba (SSA:2017-144-01)
100390      Debian DLA-951-1 : samba security update
100391      Debian DSA-3860-1 : samba - security update
100393      FreeBSD : samba -- remote code execution vulnerability (6f4d96c0-4062-11e7-b291-b499baebfeaf)
100394      openSUSE Security Update : samba (openSUSE-2017-613)
100396      Oracle Linux 6 / 7 : samba (ELSA-2017-1270)
100397      Oracle Linux 6 : samba4 (ELSA-2017-1271)
100400      RHEL 6 / 7 : samba (RHSA-2017:1270)
100401      RHEL 6 : samba4 (RHSA-2017:1271)
100402      Scientific Linux Security Update : samba4 on SL6.x i386/x86_64
100403      Scientific Linux Security Update : samba on SL6.x, SL7.x i386/x86_64
100404      SUSE SLES11 Security Update : samba (SUSE-SU-2017:1391-1)
100405      SUSE SLED12 / SLES12 Security Update : samba (SUSE-SU-2017:1392-1)
100406      SUSE SLED12 / SLES12 Security Update : samba (SUSE-SU-2017:1393-1)
100407      SUSE SLES12 Security Update : samba (SUSE-SU-2017:1396-1)
100411      Ubuntu 14.04 LTS / 16.04 LTS / 16.10 / 17.04 : samba vulnerability (USN-3296-1)
100412      Ubuntu 12.04 LTS : samba vulnerability (USN-3296-2)

For example, here are results similar to what you might see after running plugin #100388 to detect vulnerable Samba versions:

[Screenshot: Nessus output for plugin 100388]

Tenable has also released a remote (uncredentialed) banner check that identifies vulnerable Samba versions from the version string smbd reports. Because vendors have historically backported Samba fixes without changing that version string, a banner-only check can produce false positives, so it runs only in paranoid mode. Make sure the following setting is enabled when you create a new scan:

Settings > Assessment > General > Show Potential False Alarms
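To make the version logic behind plugin 100388 and the paranoid-mode caveat concrete, here is an added example (written for this post, not one of the Tenable plugins) that classifies Samba version strings against CVE-2017-7494. It uses the fixed releases named in the Samba advisory (4.6.4, 4.5.10, 4.4.14) and the first affected release (3.5.0). Any packaging suffix such as "-14.el7_3" is treated as a sign that the vendor may have backported the fix, so such hosts are reported as needing a credentialed check rather than as vulnerable. The inventory at the bottom is constructed; the hostnames and version strings are made up.

```python
"""Added example for this post, not a Tenable plugin: classify Samba version
strings against CVE-2017-7494 and show why a banner-only check is not enough."""
import re
from typing import Dict, List, Tuple

# From the Samba advisory: affected from 3.5.0 onward, fixed in these releases.
FIRST_AFFECTED = (3, 5, 0)
FIXED_IN = {(4, 4): (4, 4, 14), (4, 5): (4, 5, 10), (4, 6): (4, 6, 4)}

# Upstream version, plus anything a distribution appended (e.g. "-14.el7_3").
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(.*)$")


def classify(version: str) -> Tuple[str, str]:
    """Return ("vulnerable" | "not_affected" | "indeterminate", reason)."""
    m = _VERSION_RE.match(version.strip())
    if m is None:
        return "indeterminate", "unparseable version string %r" % version
    base = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    suffix = m.group(4)
    branch = base[:2]

    if base < FIRST_AFFECTED:
        return "not_affected", "predates 3.5.0"
    if branch > (4, 6):
        return "not_affected", "branch released after the fix"
    fixed = FIXED_IN.get(branch)
    if fixed is not None and base >= fixed:
        return "not_affected", "at or above fixed release %d.%d.%d" % fixed
    if suffix:
        # A vendor build below the upstream fix may carry a backport, so only a
        # credentialed package check (the plugins in the table above) can decide.
        return "indeterminate", ("vendor build %r may carry a backport; "
                                 "confirm with a credentialed check" % suffix)
    if fixed is None:
        return "vulnerable", "branch %d.%d has no fixed upstream release" % branch
    return "vulnerable", "below fixed release %d.%d.%d" % fixed


def triage(inventory: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Bucket (host, version) pairs by classification, preserving order."""
    buckets: Dict[str, List[str]] = {"vulnerable": [], "indeterminate": [], "not_affected": []}
    for host, version in inventory:
        buckets[classify(version)[0]].append(host)
    return buckets


# Constructed sample inventory (hostnames and version strings are made up).
SAMPLE_INVENTORY = [
    ("fs01", "4.6.3"),                          # upstream build, below fix
    ("fs02", "4.6.4"),                          # upstream fixed release
    ("fs03", "4.4.4-14.el7_3"),                 # vendor build, may be backported
    ("fs04", "4.3.11+dfsg-0ubuntu0.14.04.8"),   # vendor build on an EOL branch
    ("fs05", "3.4.17"),                         # predates the bug
    ("fs06", "4.2.14"),                         # upstream build on an EOL branch
]

if __name__ == "__main__":
    for host, version in SAMPLE_INVENTORY:
        status, reason = classify(version)
        print("%-5s %-32s %-13s %s" % (host, version, status, reason))
```

The "indeterminate" bucket is the set of hosts on which you should rely on the credentialed, distribution-specific plugins rather than the banner check; a banner-only scanner would either call them all vulnerable (false positives) or miss them.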

Next, check the results of Nessus plugin 42411 to find SMB shares that grant access to unprivileged users. A writable share is what the exploit needs in order to plant its shared library, so fix the permissions on any such shares you find.

PVS

Note: Passive Vulnerability Scanner (PVS) is now Nessus Network Monitor. To learn more about this application and its latest capabilities, visit the Nessus Network Monitor web page.

The Passive Vulnerability Scanner® (PVS™) can also detect vulnerable Samba versions from observed SMB traffic, without touching the host, with plugin #700127.

[Screenshot: PVS output for plugin 700127]

SecurityCenter 

The SecurityCenter® SambaCry Vulnerability Detection dashboard identifies Linux hosts that may be susceptible to the SambaCry vulnerability. It uses the detection methods described in this blog and places them in one easy-to-use, easy-to-understand location. The matrix in the upper left corner uses CVEs and plugin name strings to separate possibly at-risk hosts from confirmed vulnerable hosts. The dashboard reuses many of the components of the Detecting WannaCry and EternalRocks dashboard, and provides an overview of patching across all operating systems so you can track the progress of patch deployment.

[Screenshot: SecurityCenter SambaCry Vulnerability Detection dashboard]

What if you can’t patch?

Finally, if it is not possible to apply the patches, update smb.conf as a workaround. Add the parameter:

nt pipe support = no

to the [global] section of your smb.conf and restart smbd. This prevents clients from opening any named pipe endpoints, which closes the path the exploit uses to make smbd load the uploaded library.

Note: This can disable some expected functionality for Windows clients, since anything that relies on named pipes over IPC$ will stop working.
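As an added example (not Tenable's or the Samba project's tooling), the script below applies the workaround to an smb.conf in a way that is safe to repeat: it only inserts the parameter into the [global] section, leaves a file that already has it untouched, and fails loudly if there is no [global] section at all rather than silently leaving the server unprotected. It assumes a POSIX sh with awk; the smb.conf it operates on at the bottom is constructed for the demonstration, including a world-writable share of the kind the exploit needs.

```shell
#!/bin/sh
# Added example for this post (not Tenable or Samba code): apply the
# CVE-2017-7494 workaround "nt pipe support = no" to an smb.conf's [global]
# section. Assumes POSIX sh plus awk; paths are arguments, nothing hard-coded.

# Exit 0 if the [global] section of the file in $1 already sets
# "nt pipe support = no". Samba ignores case and whitespace in parameter
# names, so the comparison does too. A copy of the line in a share section
# does not count: the parameter is only honoured in [global].
has_workaround() {
    awk '
        /^[ \t]*\[/ {
            in_global = (tolower($0) ~ /^[ \t]*\[global\][ \t]*$/)
            next
        }
        in_global {
            line = tolower($0)
            gsub(/[ \t]/, "", line)
            if (line == "ntpipesupport=no") found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Print the file in $1 to stdout with "   nt pipe support = no" inserted right
# after the [global] header. Prints it unchanged (exit 0) if already set;
# exits 1 if there is no [global] section so the caller notices.
apply_workaround() {
    if has_workaround "$1"; then
        cat "$1"
        return 0
    fi
    awk '
        { print }
        !done && tolower($0) ~ /^[ \t]*\[global\][ \t]*$/ {
            print "   nt pipe support = no"
            done = 1
        }
        END { exit done ? 0 : 1 }
    ' "$1"
}

# Demonstration on a constructed smb.conf (not a real server's file) with a
# guest-writable share, which is the precondition the exploit needs.
demo_dir=$(mktemp -d)
cat > "$demo_dir/smb.conf" <<'EOF'
[global]
   workgroup = WORKGROUP
   server string = file server

[public]
   path = /srv/public
   writable = yes
   guest ok = yes
EOF

apply_workaround "$demo_dir/smb.conf" > "$demo_dir/smb.conf.new"
# On a real host: back up the original, install the new file, validate it
# with `testparm -s`, then restart smbd (e.g. `systemctl restart smbd`).
cat "$demo_dir/smb.conf.new"
rm -rf "$demo_dir"
```

Validating with testparm before the restart matters because a typo in smb.conf can leave smbd unable to start, which is a worse outage than the one the workaround is meant to prevent.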

Follow Tenable

Tenable strives to enhance visibility into your network systems and potential vulnerabilities, helping you proactively manage risk on a regular basis. Subscribe to the Tenable Blog as we share more tips and tools to add to your cyber arsenal.

Thanks to the Tenable research team for their contributions to this blog.