CVE-2017-7494: Dancing with the Samba Vulnerability

Samba is an open source SMB/CIFS implementation that allows interoperability between Linux and Windows hosts via file and print sharing. A remote code execution vulnerability has been discovered in versions 3.5.0 onwards that may allow an attacker to upload and execute code as the root user.

To achieve this, the attacker must already have authenticated write access to the Samba share.

Security Best Practices

If an organization has followed security best practices, the exploitability and/or severity of the issue may have been significantly reduced or indeed nullified: 

  • Do not expose unnecessary services to the Internet
  • Use the principle of least privilege when granting others access to systems
  • Use mandatory access controls whenever possible

Samba should not be used for sharing files over the Internet, and credential-based access (rather than “open” shares) should always be in place.

Insider Threats

For businesses utilizing Samba for internal file sharing, this vulnerability potentially gives an increased attack surface for insider threats. That is, a legitimate user who has write access to a share on an unpatched Samba server will have the ability to upload and execute code.

A further threat to businesses arises if they use commercial file and print sharing solutions or appliances (such as NAS drives) that utilize Samba. It may be more difficult to obtain patches for these devices, or to access their low-level configuration for the purpose of mitigating the threat. In these cases, the best course of action is to limit or cut off access to the device (if possible) and to contact the vendor.

Mitigations

Patches are already available from the Samba project, and from most major Linux distributions. If possible, patching is the primary recommended solution. If patching can’t be performed, the following are mitigations against the attack: 

  • The simplest way to ensure the vulnerability has been mitigated is to add the following line to the [global] section of the Samba configuration file (typically found at /etc/samba/smb.conf):

        nt pipe support = no
  • In the case of RHEL hosts, if SELinux is enabled then Red Hat’s default policy prevents the loading of modules from outside of Samba's module directories. This prevents the exploit from working. 
  • Ensure that the filesystem used by the Samba share is mounted with the “noexec” option. 
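
The following audit sketch is an added example, not code from the Samba project or the original post. It checks smb.conf text for the `nt pipe support = no` workaround, flags writable shares that allow guest access, and checks /proc/mounts-style text for `noexec` on each writable share path. The function names and sample data are constructed for illustration, and the SELinux mitigation is not covered.

```python
import re

TRUE, FALSE = {"yes", "true", "1", "on"}, {"no", "false", "0", "off"}

def parse_smb_conf(text):
    """Return {section: {param: value}} with parameter names normalised."""
    sections, current = {}, None
    for raw in text.replace("\\\n", "").splitlines():   # join continuation lines
        line = raw.strip()
        if not line or line[0] in "#;":                 # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            name = re.sub(r"\s+", "", key).lower()      # Samba ignores case/spaces
            if name in ("writable", "writeable", "writeok"):  # inverse of "read only"
                name, value = "readonly", "no" if value.lower() in TRUE else "yes"
            current["guestok" if name == "public" else name] = value
    return sections

def mount_options(path, mounts_text):
    """Options of the longest mount point containing path (/proc/mounts format)."""
    best, opts = "", ""
    for f in (l.split() for l in mounts_text.splitlines()):
        inside = len(f) >= 4 and (path == f[1] or path.startswith(f[1].rstrip("/") + "/"))
        if inside and len(f[1]) > len(best):
            best, opts = f[1], f[3]
    return opts.split(",")

def audit(conf_text, mounts_text):
    conf = parse_smb_conf(conf_text)
    glob, findings = conf.pop("global", {}), []
    if glob.get("ntpipesupport", "yes").lower() not in FALSE:
        findings.append("[global] nt pipe support is not set to no")
    for name, share in conf.items():
        p = {**glob, **share}                           # [global] supplies share defaults
        if p.get("readonly", "yes").lower() not in FALSE:
            continue                                    # read-only share: nothing can be uploaded
        if p.get("guestok", "no").lower() in TRUE:
            findings.append(f"[{name}] writable without credentials")
        if "path" in p and "noexec" not in mount_options(p["path"], mounts_text):
            findings.append(f"[{name}] {p['path']} is not mounted noexec")
    return findings

# Constructed sample input (not taken from a real host); the workaround is commented out
SAMPLE_CONF = "[global]\n ; nt pipe support = no\n[public]\n path = /srv/samba/public\n" \
              " writeable = yes\n guest ok = yes\n[team]\n path = /srv/nas/team\n read only = no\n"
SAMPLE_MOUNTS = "/dev/sda1 / ext4 rw,relatime 0 0\n" \
                "/dev/sdb1 /srv/nas ext4 rw,nosuid,nodev,noexec,relatime 0 0\n"
```

Calling `audit(SAMPLE_CONF, SAMPLE_MOUNTS)` returns three findings, because the commented-out workaround line does not count as set. On a real host, feed it the output of `testparm -s` rather than the raw file so that included configuration files are resolved.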

Patches 
