Today, a new vulnerability affecting the widely used Samba software was disclosed. Samba is the implementation of the SMB/CIFS protocol commonly used on *NIX operating systems. CVE-2017-7494 has the potential to impact many systems around the world. The vulnerability could allow a user to upload a shared library to a writeable share on a vulnerable Samba server and cause the server to execute the uploaded file. An attacker could therefore upload an exploit payload to a writeable Samba share and gain code execution on any server running an affected version of the Samba package. This currently affects all versions of Samba from 3.5.0 (released in March 2010) onward. To emphasize the severity and low complexity: a Metasploit one-liner can be used to trigger this vulnerability.

A patch has already been released to address the issue. Additionally, a mitigation is available within the configuration of Samba itself: adding the parameter “nt pipe support = no” to the global section of the smb.conf file and restarting the service will also mitigate the threat. Potential attackers are only beginning to recognize this threat, and PoC code has already been released on the Internet. It is only a matter of time before adversaries begin to use it more widely to compromise additional systems, both externally and internally.
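One way to check an smb.conf for the mitigation described above and to list the writeable shares the vulnerability depends on. This is an added example, not code from Talos or the Samba project; the function names and the sample configuration are constructed for illustration, and `include` directives are not followed.

```python
import re

TRUE = {"yes", "true", "on", "1"}
FALSE = {"no", "false", "off", "0"}
WRITE_SYNONYMS = {"writeable", "writable", "writeok"}  # inverted "read only"

def parse_smb_conf(text):
    """Return {section: {param: value}}, normalising names the way Samba does."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            # Samba ignores case and whitespace in parameter names.
            key, value = "".join(key.lower().split()), value.strip().lower()
            if key in WRITE_SYNONYMS and value in TRUE | FALSE:
                key, value = "readonly", "no" if value in TRUE else "yes"
            sections[current][key] = value  # last assignment wins
    return sections

def audit(text):
    """Report whether the mitigation is set and which shares accept writes."""
    conf = parse_smb_conf(text)
    global_params = conf.get("global", {})
    # Shares inherit [global] settings; Samba's built-in default is read only.
    default_ro = global_params.get("readonly", "yes")
    writable = sorted(name for name, params in conf.items()
                      if name != "global"
                      and params.get("readonly", default_ro) in FALSE)
    return {"mitigated": global_params.get("ntpipesupport") in FALSE,
            "writable_shares": writable}

# Constructed sample configuration, not taken from a real host.
SAMPLE = """\
[global]
   NT Pipe Support = No
[public]
   path = /srv/public
   writeable = yes
[docs]
   path = /srv/docs
"""
if __name__ == "__main__":
    print(audit(SAMPLE))
```

Run it against the text of each server's smb.conf; a result with `mitigated` false and a non-empty `writable_shares` list marks a host to patch or reconfigure first.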



Talos Group

Talos Security Intelligence & Research Group