Tenable Blog

Detecting SambaCry CVE-2017-7494

May 26, 2017 • 5 Min Read
by Mehul Revankar
Blog Home / Cyber Exposure Alerts

We’ve seen several critical vulnerabilities lately. First there was WannaCry, and then WannaCry 2.0 (EternalRocks), and now do we have WannaCry 3.0? Well, not really. But a new seven-year-old remote code execution vulnerability (CVE-2017-7494) that is affecting Samba versions 3.5.0 and higher is making news this week. The vulnerability is billed as the WannaCry equivalent for Linux, and some are even calling it SambaCry since it affects the SMB protocol implementation in Linux and is potentially wormable. To be clear, this new vulnerability is unrelated to the SMB exploits that were released by the Shadow Brokers group and used by WannaCry ransomware to infect a large number of systems. SambaCry is similar only because the vulnerability affects the SMB protocol in Linux. The Tenable research team is always on top of these news-worthy vulnerabilities, and this latest Samba weakness is no different. You’ll find multiple detection tools in your Tenable feed, ready to use in your scan program.

What’s the attack surface?

Samba is an open source re-implementation of the SMB/CIFS networking protocol, which provides file and print services for various Microsoft Windows clients. It runs on most Unix, OpenVMS and Unix-like systems, such as Linux, Solaris, and AIX and is standard in most Linux distributions. As a result, it's available on a large variety of Unix-like systems.

A quick Shodan search shows over 475,000 Samba-enabled hosts are accessible over the internet. However, it isn’t clear how many of them are running vulnerable versions of Samba.

The vulnerability itself can be exploited with a single line of code. A malicious client can upload and cause the smbd server to execute a shared library from a writable share. Exploit modules are already available from Metasploit to exploit this issue.

What steps can you take?

The first step is to patch vulnerable versions of Samba right away. Tenable has several tools to help you detect affected Samba versions.

Nessus

Tenable has released multiple credentialed Nessus® plugins to check for vulnerable Samba versions, and will continue to release more plugins as patches become available for other Linux distributions.

Plugin ID	Nessus Plugin
100388	Samba 4.4.x < 4.4.14 / 4.5.x < 4.5.10 / 4.6.x < 4.6.4 Shared Library RCE
100389	Slackware 13.1 / 13.37 / 14.0 / 14.1 / 14.2 / current : samba (SSA:2017-144-01)
100390	Debian DLA-951-1 : samba security update
100391	Debian DSA-3860-1 : samba - security update
100393	FreeBSD : samba -- remote code execution vulnerability (6f4d96c0-4062-11e7-b291-b499baebfeaf)
100394	openSUSE Security Update : samba (openSUSE-2017-613)
100396	Oracle Linux 6 / 7 : samba (ELSA-2017-1270)
100397	Oracle Linux 6 : samba4 (ELSA-2017-1271)
100400	RHEL 6 / 7 : samba (RHSA-2017:1270)
100401	RHEL 6 : samba4 (RHSA-2017:1271)
100402	Scientific Linux Security Update : samba4 on SL6.x i386/x86_64
100403	Scientific Linux Security Update : samba on SL6.x, SL7.x i386/x86_64
100404	SUSE SLES11 Security Update : samba (SUSE-SU-2017:1391-1)
100405	SUSE SLED12 / SLES12 Security Update : samba (SUSE-SU-2017:1392-1)
100406	SUSE SLED12 / SLES12 Security Update : samba (SUSE-SU-2017:1393-1)
100407	SUSE SLES12 Security Update : samba (SUSE-SU-2017:1396-1)
100411	Ubuntu 14.04 LTS / 16.04 LTS / 16.10 / 17.04 : samba vulnerability (USN-3296-1)
100412	Ubuntu 12.04 LTS : samba vulnerability (USN-3296-2)

For example, here are results similar to what you might see after running plugin #100388 to detect vulnerable Samba versions:

Tenable has also released a remote banner check to identify vulnerable Samba versions. The check only runs in paranoid mode because vendors have historically backported Samba patches and hence can result in false positives. Make sure that the following setting is checked when you create a new scan:

Settings > Assessment > General > Show Potential False Alarms

Next, check results for Nessus plugin 42411 to determine if there are any SMB shares which provide access to unprivileged users. If you find any instances, fix the permissions on those shares.

PVS

Note: Passive Vulnerability Scanner (PVS) is now Nessus Network Monitor. To learn more about this application and its latest capabilities, visit the Nessus Network Monitor web page.

The Passive Vulnerability Scanner® (PVS™) is also capable of actively detecting vulnerable versions of SMB affected by SambaCry with plugin #700127.

SecurityCenter

The SecurityCenter® SambaCry Vulnerability Detection dashboard is developed and tailored to identify Linux hosts that may be susceptible to the SambaCry vulnerability. The dashboard uses the methods of detection described in this blog and places them into an easy-to-use and understand location. The matrix in the upper left hand corner uses CVEs and plugin name strings to identify possible at-risk hosts vs. confirmed vulnerable hosts. The dashboard also uses many similar components used in the Detecting WannaCry and Eternal Rocks dashboard, and provides an overview of patching across all operating systems, to help you understand the current progress in patch deployments.

What if you can’t patch?

And finally, it's not possible to apply the patches, update smb.conf as a workaround. Add the parameter:

nt pipe support = no

to the [global] section of your smb.conf and restart smbd. This prevents clients from accessing any named pipe endpoints.

Note: This can disable some expected functionality for Windows clients.

Follow Tenable

Tenable strives to enhance visibility into your network systems and potential vulnerabilities, helping you proactively manage risk on a regular basis. Subscribe to the Tenable Blog as we share more tips and tools to add to your cyber arsenal.

Thanks to the Tenable research team for their contributions to this blog.

Tenable and Thales Collaborate to Provide Cyber Defense Simulations to Better Secure Operational Technology Environments

April 18, 2024

The heart of the Welsh Valleys is home to the Thales Ebbw Vale campus, a world-class facility jointly funded by the Welsh government as part of its regeneration program for the region. At the core of the facility is the Cyber Range, a simulation and virtualization platform for training, testing, exercising and R&D. Tenable has joined the lineup of solutions used to run real world simulations in this controlled environment.

Chris Baker

Oracle April 2024 Critical Patch Update Addresses 239 CVEs

April 17, 2024

Oracle addresses 239 CVEs in its second quarterly update of 2024 with 441 patches, including 38 critical updates.

Scott Caveza

Strengthening the Nessus Software Supply Chain with SLSA

April 16, 2024

You know Tenable as a cybersecurity industry leader whose world-class exposure management products are trusted by our approximately 43,000 customers, including about 60% of the Fortune 500. But sometimes we like to give you a peek behind the curtain to share how we protect our own house against cyberattacks – and that’s what this blog is about. Today we’re sharing our experience adopting the supply-chain security framework SLSA, with the hopes that the lessons we learned will be helpful to you.

By Blake Kizer, and Amanda Cornwell

Plugins
Vulnerability Management
Vulnerability Scanning

Tenable One Exposure Management Platform

Platform Categories

Platform Capabilities

Cloud Security

Vulnerability Management

Operational Technology
Security

Identity Exposure

Vulnerability Assessment

Business Needs

Exposure Management

Cloud Security

Vulnerability Management

Industry

Public Sector

Compliance

Resources

Research

Find a Partner

Tenable Assure Partners

Technology Partners

Support

Services

Tenable Trust

About Us

Join Us

Why Tenable

Media

Connect

Tenable Blog