Having worked in and around the service provider space for most of my career when I heard about the Linux variant of WannaCry, SambaCry last week, I thought to myself that it had the potential to be fairly impactful given there would be significant numbers of systems that use Samba for file services in the wild. In fact this post from GuardiCore puts the number at approximately 110,000 and I know that a lot of the storage appliances I use for my labs have Samba services that are exposed to the exploit.

The Samba team released a patch on May 24 for a critical remote code execution vulnerability in Samba, the most popular file sharing service for all Linux systems. Samba is commonly included as a basic system service on other Unix-based operating systems as well.

This vulnerability, indexed CVE-2017-7494, enables a malicious attacker with valid write access to a file share to upload and execute an arbitrary binary file which will run with Samba permissions.

The flaw can be exploited with just a few lines of code, requiring no interaction on the part of the end user. All versions of Samba from 3.5 onwards are vulnerable.

It’s worth reading the GuardiCore post in detail as it lists the differences between WannaCry and SambaCry and why potentially the linux exploit has more potential for damage due to the fact it targets weak passwords that allow lateral movement. They have written an NMAP script to easily detect vulnerable Samba servers.

Apart from upgrading to the lastest builds there is a workaround in place…If your Samba server is vulnerable and patching or upgrading is not an option, add the following line to the Samba configuration file (smb.conf):

nt pipe support = no

Then restart the network’s SMB daemon (smbd)

Pretty simple workaround to stop systems potentially being impacted. Again to service providers out there, if you haven’t already done so, put out an advisory to your tenant’s to ensure they upgrade or put in the workaround! Also for all those homelab users out there, as Anton Gostev pointed out in his weekly Veeam Forum Digest, older NAS devices and even routers might be impacted and those are the type of devices that won’t get updates and generally those are the devices that hold valuable personal information…so again make sure everything is checked and the workaround put into play.