Samba is an open source SMB/CIFS implementation that allows interoperability between Linux and Windows hosts via file and print sharing. A remote code execution vulnerability has been discovered in versions 3.5.0 onwards that may allow an attacker to upload and execute code as the root user.
To achieve this, the attacker must already have authenticated write access to the Samba share.
Security Best Practices
If an organization has followed security best practices, the exploitability and/or severity of the issue may have been significantly reduced or indeed nullified:
- Do not expose unnecessary services to the Internet
- Use the principle of least privilege when granting others access to systems
- Use mandatory access controls whenever possible
Samba should not be used for sharing files over the Internet, and credential-based access (rather than “open” shares) should always be in place.
For businesses utilizing Samba for internal file sharing, this vulnerability potentially gives an increased attack surface for insider threats. That is, a legitimate user who has write access to a share on an unpatched Samba server will have the ability to upload and execute code.
A further threat to business is if they are using any commercial file and print sharing solutions or appliances (such as NAS drives) that utilize Samba. It may be more difficult to obtain patches for these devices, or to access their low-level configuration for the purpose of mitigating the threat. In these cases, the best course of action is to limit or cut off access to the device (if possible) and to contact the vendor.
Patches are already available from the Samba project, and from most major Linux distributions. If possible, patching is the primary recommended solution. If patching can’t be performed, the following are mitigations against the attack:
- The simplest way to ensure the vulnerability has been mitigated is to add the following line to the [global] section of the Samba configuration file (typically found at /etc/samba/smb.conf):
  nt pipe support = no
- In the case of RHEL hosts, if SELinux is enabled then Red Hat’s default policy prevents the loading of modules from outside of Samba's module directories. This prevents the exploit from working.
- Ensure that the filesystem used by the Samba share is mounted with the “noexec” option.
- The Samba project have provided patches for versions 4.4 onwards, and a workaround for older versions and installations that cannot be upgraded.
- Red Hat have patched the vulnerability in RHEL 7, RHEL 6, and RHEL 5 ELS.
- The Debian project have patched the vulnerability in Debian 8, Debian 7, and in the “unstable” branch.
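As an added example (not part of the advisory), the following shell script audits a smb.conf for the [global] workaround described above and lists the shares whose own section grants write access, the precondition the advisory names for exploitation. The function names are assumptions; it only checks the file it is given, so a "read only" default set in [global] is not inherited by the share check.

```shell
#!/bin/sh
# Added example: audit a Samba config for the "nt pipe support = no"
# workaround and list shares granting write access. Both take a smb.conf path.

# Exit 0 if [global] sets "nt pipe support" to no/false/0, 1 otherwise, 2 if unreadable.
samba_nt_pipe_disabled() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    awk '
        /^[[:space:]]*[#;]/ { next }                 # full-line comments only
        /^[[:space:]]*\[/ {                           # section header, normalised
            section = tolower($0); gsub(/[[:space:]]/, "", section); next
        }
        section == "[global]" && index($0, "=") {
            eq = index($0, "=")
            k = tolower(substr($0, 1, eq - 1)); gsub(/[[:space:]]/, "", k)
            if (k == "ntpipesupport") {               # Samba ignores spaces in names
                v = tolower(substr($0, eq + 1)); gsub(/[[:space:]]/, "", v)
                last = v                              # last occurrence wins
            }
        }
        END { if (last == "no" || last == "false" || last == "0") exit 0; exit 1 }
    ' "$1"
}

# Print the share names whose own section grants write access via
# "read only = no" or "writable/writeable/write ok = yes" (last setting wins).
samba_writable_shares() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    awk '
        function flush() { if (name != "" && tolower(name) != "global" && w) print name }
        /^[[:space:]]*[#;]/ { next }
        /^[[:space:]]*\[/ {
            flush(); name = $0; sub(/^[[:space:]]*\[/, "", name); sub(/\].*$/, "", name)
            w = 0; next                               # shares are read-only by default
        }
        index($0, "=") {
            eq = index($0, "=")
            k = tolower(substr($0, 1, eq - 1)); gsub(/[[:space:]]/, "", k)
            v = tolower(substr($0, eq + 1)); gsub(/[[:space:]]/, "", v)
            yes = (v == "yes" || v == "true" || v == "1")
            if (k == "readonly") w = !yes
            else if (k == "writable" || k == "writeable" || k == "writeok") w = yes
        }
        END { flush() }
    ' "$1"
}

# Usage: sh samba_audit.sh /etc/samba/smb.conf
if [ $# -gt 0 ]; then
    samba_nt_pipe_disabled "$1" && echo "nt pipe support: disabled" || echo "nt pipe support: NOT disabled"
    echo "shares granting write access:"; samba_writable_shares "$1"
fi
```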