In May 2017, a critical remote code execution vulnerability nicknamed SambaCry was disclosed in Samba, the open-source implementation of the SMB/CIFS protocol that provides file and print services to Windows and other SMB clients. Indexed as CVE-2017-7494, it lets a client that can write to a share make smbd load and execute an arbitrary shared library with the privileges of the smbd process, which is normally root, on any system running an unpatched version of Samba.
In this article, we will explore the details of the vulnerability, how it can be exploited, and provide recommendations for mitigating the risk.
The Vulnerability
SambaCry is classed as a code injection weakness (CWE-94), in contrast to a bug such as CVE-2022-21587 in Oracle E-Business Suite, which is classed as improper input validation (CWE-20).
The flaw sits in Samba's handling of named pipes rather than in its file handling. When a client opens a named pipe on the IPC$ share, smbd checks whether the pipe name is one it knows; if it is not, it hands the client-supplied name to the RPC module loader, which ends up calling dlopen() on it. Nothing rejected names containing a path separator, so a client could pass an absolute path, including the server-side location of a file it had just uploaded to a writable share, and smbd would load that file as code.
In summary, both weaknesses stem from trusting client input, but CWE-94 is the narrower case in which the untrusted input is itself turned into code that the application executes, which is exactly what happens when smbd dlopen()s a client-chosen file.
The Exploit
Exploitation needs two things: write access to a share (authenticated or as guest) and knowledge of that share's path on the server's filesystem, which can often be guessed from common defaults. The attacker first uploads a shared library to the share, then opens a named pipe on IPC$ whose name is the absolute server-side path of the uploaded file. smbd dlopen()s the library and its initialisation code runs inside the smbd process, normally as root, so the attacker can install malware, read or tamper with data, or pivot further into the network. The public Metasploit module for this bug, exploit/linux/samba/is_known_pipename, automates both steps and tries a list of common share paths when the real one is unknown.
The Magnitude of CVE-2017-7494
SambaCry affects every Samba release from 3.5.0 onward up to the last unpatched release of each maintained branch (4.6.3, 4.5.9 and 4.4.13), a window of roughly seven years that includes the 4.6 series current at the time of disclosure. Note that the bug is only exploitable when the attacker can write to a share and the uploaded library lands somewhere smbd can dlopen() it; a server that exposes only read-only shares cannot be exploited this way.
Because Samba ships in every major Linux distribution and is built into many NAS appliances and routers, anyone still running a release from that window should confirm that they are on 4.6.4, 4.5.10 or 4.4.14 (or later on the respective branch), or on a vendor package that backports the fix.
The following distribution releases shipped vulnerable Samba versions. All of them have since published fixed packages, but the fix is backported without changing the upstream version number, so check the package changelog or your vendor's advisory rather than relying on the output of smbd --version:
- Ubuntu 16.04 LTS "Xenial Xerus" and earlier versions
- Debian 8 "Jessie" and earlier versions
- CentOS 7 and earlier versions
- Red Hat Enterprise Linux 7 and earlier versions
- SUSE Linux Enterprise Server 12 and earlier versions
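A small classifier for the version problem described above, written for this article as an added example (it is not Samba project code). It assumes the fix boundaries from the Samba advisory (first fixed releases 4.6.4, 4.5.10 and 4.4.14, no upstream fix for the 3.5.x to 4.3.x series) and that the input is the "Version X.Y.Z[-suffix]" line printed by smbd --version; the sample lines inside it are constructed, not real host output.

```python
"""Classify a Samba version string against the CVE-2017-7494 fix releases.

Added example for this article; it is not Samba project code. It assumes the
fix boundaries from the Samba advisory (first fixed releases 4.6.4, 4.5.10 and
4.4.14; no upstream fix for the 3.5.x to 4.3.x series) and that the input is
the "Version X.Y.Z[-suffix]" line printed by `smbd --version`.
"""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

FIRST_VULNERABLE: Version = (3, 5, 0)          # the vulnerable pipe-name code path starts here
# First release on each maintained branch that carries the fix.
FIXED_BRANCHES = {(4, 6): (4, 6, 4), (4, 5): (4, 5, 10), (4, 4): (4, 4, 14)}
LAST_FIXED_BRANCH = (4, 6)                     # 4.7.0 and later were released after the fix

# Constructed sample `smbd --version` lines, not taken from real hosts.
SAMPLE_LINES = [
    "Version 4.6.3-Ubuntu",   # distro build: fix may be backported without a version bump
    "Version 4.5.9",          # upstream build, one release short of the fix
    "Version 4.6.4",
    "Version 3.4.9",          # predates the vulnerable code
    "smbd: command not found",
]


def parse_version(line: str) -> Optional[Version]:
    """Extract (major, minor, patch) from an `smbd --version` line, or None."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)", line)
    if not m:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def upstream_vulnerable(v: Version) -> bool:
    """True when the upstream release number predates the fix on its branch."""
    if v < FIRST_VULNERABLE:
        return False
    branch = (v[0], v[1])
    if branch in FIXED_BRANCHES:
        return v < FIXED_BRANCHES[branch]
    if branch > LAST_FIXED_BRANCH:
        return False
    return True          # 3.5.x .. 4.3.x never received an upstream fix


def has_vendor_suffix(line: str) -> bool:
    """Debian/Ubuntu style builds print a suffix, e.g. '4.6.3-Ubuntu'."""
    return re.search(r"\d+\.\d+\.\d+-[A-Za-z]", line) is not None


def assess(line: str) -> str:
    """Return 'patched', 'vulnerable', 'check-vendor-backport' or 'unknown'.

    Distribution packages routinely backport the patch while keeping the old
    upstream version, so a vendor-suffixed, vulnerable-looking version is not
    declared vulnerable outright; the package changelog decides.
    """
    v = parse_version(line)
    if v is None:
        return "unknown"
    if not upstream_vulnerable(v):
        return "patched"
    if has_vendor_suffix(line):
        return "check-vendor-backport"
    return "vulnerable"


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(f"{line!r:32} -> {assess(line)}")
```

The suffix heuristic only catches Debian and Ubuntu style builds; Red Hat and CentOS print a bare upstream version, so on those hosts a "vulnerable" verdict should be confirmed with rpm -q --changelog samba | grep CVE-2017-7494 before anyone is paged.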
Mitigation
The Samba team released 4.6.4, 4.5.10 and 4.4.14 on May 24, 2017, one fix release per maintained branch. The patch is small: smbd now refuses to open a named pipe whose name contains a '/', which closes the path from a client-chosen pipe name to dlopen().
The best way to mitigate the risk of SambaCry is to update to a patched version of Samba if you haven't done so already. Where that cannot happen immediately, the workaround from the Samba advisory is to add nt pipe support = no to the [global] section of smb.conf and restart smbd; this stops clients from opening any named pipe endpoint, which also disables some functionality Windows clients expect, so treat it as a stopgap rather than a fix. In addition, system administrators should implement the following measures:
- Block TCP ports 139 and 445 from untrusted networks at the firewall or router; SMB should never be reachable from the internet.
- Monitor for signs of exploitation: scanning of TCP ports 139 and 445, new shared-library (.so) files appearing on shares, and named-pipe opens on IPC$ whose pipe name contains a path separator.
- Give every Samba user the minimum required permissions, in particular avoid guest-writable shares, and consider mounting share directories noexec so that a dropped library cannot be dlopen()ed from there.
- Perform regular backups of all critical data and systems so that a compromised host can be rebuilt rather than trusted.
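The two configuration facts that decide exposure, writable shares and the nt pipe support workaround, can be checked mechanically. The audit below is an added example written for this article, not Samba code: it understands only plain smb.conf syntax (sections, key = value lines, whole-line # and ; comments) and the parameters read only, writable/writeable, write list, guest ok, path and nt pipe support, and it ignores include =, config file = and % macros. The configuration it parses is constructed for the example.

```python
"""Audit an smb.conf for the two things that decide exposure to CVE-2017-7494:
shares a client can write to (where the attacker's .so would land) and whether
the `nt pipe support = no` workaround from the Samba advisory is set.

Added example for this article, not Samba code. It understands only the plain
smb.conf syntax (sections, `key = value`, whole-line `#`/`;` comments) and the
parameters `read only`, `writable`/`writeable`, `write list`, `guest ok`,
`path` and `nt pipe support`; it ignores `include =`, `config file =` and
`%` macros.
"""
from typing import Dict, List

TRUE_VALUES = {"yes", "true", "1"}

# Constructed sample configuration, not taken from a real server.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = file server
   ; the default; named pipes stay reachable
   nt pipe support = yes

[public]
   path = /srv/samba/public
   ; anyone, including guests, can drop a file here
   read only = no
   guest ok = yes

[homes]
   browseable = no
   ; synonym for "read only = no"
   writable = yes

[docs]
   path = /srv/samba/docs
   read only = yes
   ; read-only share, but this group can still write
   write list = @editors
"""

# The same file with the advisory's workaround applied.
HARDENED_SMB_CONF = SAMPLE_SMB_CONF.replace("nt pipe support = yes", "nt pipe support = no")


def is_true(value: str) -> bool:
    return value.strip().lower() in TRUE_VALUES


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse smb.conf into {section: {param: value}}, lower-casing names and
    folding `writable`/`writeable` into an inverted `read only` so that the
    last occurrence wins, as smbd resolves the synonyms."""
    sections: Dict[str, Dict[str, str]] = {}
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if key in ("writable", "writeable"):
            key, value = "read only", ("no" if is_true(value) else "yes")
        current[key] = value
    return sections


def writable_by(params: Dict[str, str]) -> str:
    """Who can write to the share: 'all users' when read only is off (smbd's
    default is read only = yes), otherwise the `write list` entries, else ''."""
    if not is_true(params.get("read only", "yes")):
        return "all users"
    return params.get("write list", "").strip()


def audit(text: str) -> dict:
    """Return the workaround state and every share with any write access."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    findings: List[dict] = []
    for name, params in conf.items():
        if name == "global":
            continue
        who = writable_by(params)
        if not who:
            continue
        findings.append({
            "share": name,
            "writable_by": who,
            "guest": is_true(params.get("guest ok", "no")),
            # [homes] has no fixed path: it maps to each user's home directory
            "path": params.get("path", "(per-user home)" if name == "homes" else "(unset)"),
        })
    return {
        "nt_pipe_support_disabled": not is_true(glob.get("nt pipe support", "yes")),
        "writable_shares": findings,
    }


if __name__ == "__main__":
    for label, conf in (("sample", SAMPLE_SMB_CONF), ("hardened", HARDENED_SMB_CONF)):
        result = audit(conf)
        print(f"[{label}] nt pipe support disabled: {result['nt_pipe_support_disabled']}")
        for f in result["writable_shares"]:
            print(f"  share {f['share']!r} at {f['path']} writable by {f['writable_by']}"
                  f"{' (guest access)' if f['guest'] else ''}")
```

Every share the audit lists is a place where the first half of the attack can happen; the guest-accessible ones matter most, since they need no credentials at all. Run it against testparm -s output rather than the raw file if the configuration uses include = or macros, because testparm prints the fully resolved parameters.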
Conclusion
SambaCry is a critical vulnerability with a CVSS v3 base score of 9.8, so it is not something to take lightly. Now and then it is worth stopping to think about all the basic infrastructure that you take for granted, and SMB file sharing is about as basic as it gets.
DataGridSurface is cataloguing devices that are still vulnerable; check whether any of your IP addresses are on the list, and let us know if you need help updating your infrastructure.