Another younger sibling for the sensational vulnerability WannaCry(EternalBlue) appeared. 7-year-old critical remote code execution vulnerability in Samba networking software, allowing a hacker to remotely take full control of a vulnerable Linux and Unix machines.
Who is Affected?
Many corporate network storage systems (NAS), home routers and other IOT devices run Samba for file sharing. Some are accessible only from within the network, while others also exposed to the internet.
SambaCry is a vulnerability in the Samba server service, which provides SMB/CIFS capability in Linux and Unix-based systems. SMB/CIFS is, basically a file and printer-sharing protocol that Windows uses. Linux systems are capable of using several file sharing protocols, but Samba is often used in mixed environments because Windows has a hard time reading Network File System (NFS) shares.
How it will work?
When a Linux server is running Samba, folders called CIFS shares will appear as a network folder for Windows users. Linux and Mac users can see these shares as well, but they must be running an SMB client. (Samba can serve as both a server and client.)
The SambaCry vulnerability allows a remote user to send executable code to the server hosting the CIFS share, and execute arbitrary code. That code can encrypt a file system and hold it for ransom, for instance. Needless to say, this was a big problem that had to be taken care of pronto.
Once deployed on the targeted machine, the malware establishes communication with the attackers’ command and control (C&C) server located in East Africa, and modifies firewall rules to ensure that it can communicate with its server.
After successfully establishing a connection, the malware grants the attackers access to the infected device and provides them with an open command shell in the device, so that they can issue any number and type of system commands and eventually take control of the device.
What you should do to protect your network?
- Normally, devices like NAS appliances manufacturers can be slow to provide updates. However, this vulnerability strikes at the core of NAS functionality, and major NAS providers have already offered patches to their operating systems.
- If you own a NAS, I highly recommend taking the time to update your NAS’s software immediately. If you don’t already have it enabled, enable automatic updates so that future vulnerabilities can be patched.
- Samba already patched the issue in Samba versions 4.6.4/4.5.10/4.4.14, so you are advised to patch your systems against the vulnerability as soon as possible.
Just make sure that your system is running updated Samba version.