Hello All. Well, it was only a matter of time before the 7-year-old Samba remote code execution vulnerability bubbled to the surface, given the craziness with WannaCry. For those of you who do not know what Samba is, it is an open-source software package that provides file and print services to SMB/CIFS clients.
This flaw, tracked as CVE-2017-7494, can be exploited if a vulnerable host exposes port TCP/445 to the Internet, has a file share configured with write privileges, and uses a known or guessable server path for that share. When those requirements are met, a remote attacker could upload code of their choosing and cause the server to execute it, possibly with root privileges, depending on the vulnerable platform.
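As an added defender-side example (my own code, not from this post, Samba or Rapid7), here is a small audit script that parses an smb.conf and reports the writable shares and their paths, which is the exposure condition described above, and also checks whether the [global] section carries `nt pipe support = no`, the workaround the Samba project published for this CVE. The sample configuration is constructed for the example, not taken from any real host.

```python
import re
# Constructed sample smb.conf (not from any real host): two writable shares, one read-only.
SAMPLE_SMB_CONF = """
[global]
   workgroup = WORKGROUP
[public]
   path = /srv/samba/public
   guest ok = yes
   read only = no
[homes]
   writable = yes
[archive]
   path = /srv/samba/archive
   read only = yes
"""
TRUE_WORDS = {"yes", "true", "1"}
def parse_smb_conf(text):
    """Samba's INI-like syntax: [section] headers, key = value, ';'/'#' comments, case-insensitive keys."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][" ".join(key.lower().split())] = value.strip()
    return sections
def is_writable(share, globals_):
    """Read-only by default; 'read only' (inverted), 'writable', 'writeable', 'write ok' set one parameter, last wins."""
    writable = False
    for scope in (globals_, share):  # [global] values are applied first, as Samba's share defaults
        for key, value in scope.items():
            if key in ("read only", "writable", "writeable", "write ok"):
                writable = (value.lower() in TRUE_WORDS) ^ (key == "read only")
    return writable
def audit(text):
    """Writable shares (the post's precondition) and whether Samba's documented workaround 'nt pipe support = no' is set."""
    conf = parse_smb_conf(text)
    g = conf.get("global", {})
    shares = [{"name": n, "path": s.get("path", g.get("path", "(unset)")),
               "guest_ok": s.get("guest ok", g.get("guest ok", "no")).lower() in TRUE_WORDS}
              for n, s in conf.items()
              if n not in ("global", "printers", "print$") and is_writable(s, g)]
    return {"writable_shares": shares,
            "nt_pipe_support_disabled": g.get("nt pipe support", "yes").lower() not in TRUE_WORDS}
```

Run `audit(open("/etc/samba/smb.conf").read())` on a real host to see which shares an attacker who knows the path could write to, and whether the workaround is in place.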
As per Ars, “When the Windows vulnerability was first disclosed in April, many security experts assumed it would be hard to exploit because few computers would expose file- and print-sharing capabilities on the Internet. The rapid spread of WCry quickly dashed those assumptions. Dan Tentler, founder of security firm Phobos Group, told Ars that more than 477,000 Samba-enabled computers exposed port 445, although it wasn’t clear how many of them were running a vulnerable version of the utility. Tentler cited figures returned by the Shodan computer search engine.
There are also clear differences between the Windows and Samba vulnerabilities. For starters, Samba isn’t as widely used as Microsoft’s implementation of SMB. Another key difference is the absence of any equivalent to “DoublePulsar,” the advanced weaponized backdoor developed by the National Security Agency and leaked by a mysterious group calling itself the Shadow Brokers. DoublePulsar made capitalizing on the Windows flaw easy for WCry.”
Rapid7 has an exploit available for Metasploit and has also provided some good stats – https://community.rapid7.com/community/infosec/blog/2017/05/25/patching-cve-2017-7494-in-samba-it-s-the-circle-of-life
Heads on a swivel, everyone... heads on a swivel.