Posted by Robert Vamosi on June 5, 2017
With just one line of code, a malicious attacker can exploit a recently disclosed seven-year-old vulnerability in Samba. Known as CVE-2017-7494, the vulnerability affects Linux and Unix systems that:
Under these circumstances a remote attacker could upload malicious code, execute it, and, depending on the platform, gain root privileges to the network.
Some have compared this vulnerability to the Windows Server Message Block (SMB) protocol vulnerability disclosed a few weeks ago, which also enabled the WannaCry ransomware outbreak. However, there is no direct comparison. True, the SMB flaw in Windows was more than five years old and was reached through file-sharing capabilities on a network. But in order to spread quickly, WannaCry needed a few exploits (DoublePulsar and EternalBlue) which don’t yet exist for Linux and Unix systems.
Samba 3.5.0 was released in March 2010. The vulnerability was found by a researcher identified only as “steelo.” There was no mention of how the flaw came to be discovered.
“All versions of Samba from 3.5.0 onwards are vulnerable to a remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it,” according to a Samba advisory published in late May.
Samba, which implements the SMB protocol, is fundamental to computer networking. Created in 1991, it was designed to help servers running Unix-based operating systems (such as Linux) share files, printers, and other resources with other Unix systems. Later, Samba provided the means to share these resources with Windows systems. The current vulnerability doesn’t affect Windows versions of Samba.
Samba has also been in the news recently. In early 2016, the much publicized Badlock vulnerability affected the Security Account Manager (SAM) and Local Security Authority (Domain Policy) (LSAD) remote protocols in Samba for Windows. One of the associated vulnerabilities is CVE-2015-5370.
Attackers have been poking around at the foundations of the internet, and they’re finding success in new vulnerabilities. Often an old protocol is enlisted for a new task. Many original protocols, such as Samba, were designed for more intimate networking scenarios.
The early protocols originally lacked security because interconnectivity beyond a local system wasn’t a main concern and not part of the threat landscape. Getting the “concept” of an internet to work was the real priority.
“We didn’t focus on how you could wreck this system intentionally,” said Vinton G. Cerf, who in the 1970s and ’80s designed key building blocks of the internet. “You could argue with hindsight that we should have, but getting this thing to work at all was non-trivial.” Indeed, the idea of three billion people accessing an internet was a bit aspirational back then.
Another pioneer, Paul Mockapetris, said “The Wright Brothers didn’t have a drink cart or bathroom in their first plane.” Mockapetris is responsible for creating the Domain Name Service (DNS), the system that resolves common names for websites into their internet addresses. It is a system that has functioned for nearly 40 years, and one that was not originally designed with security in mind.
Linux and Unix users running Samba should check with their operating system vendor for available patches. Since the disclosure, many have appeared including the following:
If a system doesn’t yet have a patch, a workaround does exist for the vulnerability by adding a line to the Samba configuration file:
nt pipe support = no
Then, restart the network’s SMB daemon.
Note that after this change some clients may no longer be able to fully access some network computers, and some Windows machine functionality may be disabled as well. The workaround is better, however, than having someone remotely pwn your machine.
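As an added example (not from this post or from the Samba project), a POSIX shell check that parses an smb.conf and reports whether the workaround is set in the [global] section, where the Samba advisory places it, and which shares accept writes, the precondition the advisory describes. The sample smb.conf is constructed for the demonstration; this inspects configuration only, and a patched Samba build remains the real fix.

```shell
# Constructed sample smb.conf (not a real host's file): workaround set in
# [global], one writable share (the precondition the advisory describes).
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat >"$SAMPLE_CONF" <<'EOF'
[global]
   workgroup = WORKGROUP
   nt pipe support = no
; comment lines are ignored
[public]
   path = /srv/samba/public
   read only = no
[docs]
   path = /srv/samba/docs
   writable = no
EOF

# mitigation_applied CONF: exit 0 only if "nt pipe support = no" is set
# inside the [global] section (in a share section it is not the workaround).
mitigation_applied() {
    awk '
      /^[ \t]*[#;]/ { next }
      /^[ \t]*\[/ { s = tolower($0); gsub(/[][ \t]/, "", s); next }
      s == "global" && tolower($0) ~ /^[ \t]*nt[ \t]+pipe[ \t]+support[ \t]*=[ \t]*no[ \t]*$/ { ok = 1 }
      END { if (ok) exit 0; exit 1 }
    ' "$1"
}

# writable_shares CONF: print the name of every share that accepts writes.
# Samba defaults to read-only; the last read only/writable/writeable directive wins.
writable_shares() {
    awk '
      function flush() { if (name != "" && name != "global" && w) print name }
      /^[ \t]*[#;]/ { next }
      /^[ \t]*\[/ { flush(); name = tolower($0); gsub(/[][ \t]/, "", name); w = 0; next }
      index($0, "=") {
        line = tolower($0); n = index(line, "=")
        key = substr(line, 1, n - 1); val = substr(line, n + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (key == "read only") w = (val == "no")
        if (key == "writable" || key == "writeable") w = (val == "yes")
      }
      END { flush() }
    ' "$1"
}

mitigation_applied "$SAMPLE_CONF" && echo "workaround present in [global]"
echo "writable shares: $(writable_shares "$SAMPLE_CONF")"
```

Point both functions at /etc/samba/smb.conf (or wherever `testparm` reports the file lives) on a real host; a writable share without the [global] setting is the combination to fix first.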