Just as the world gets a grasp of the WannaCry ransomware, which attacked Microsoft Windows SMB services, a new exploit is rearing its ugly head.

"Hey, 2008 called and wanted its SMB vulns back."

Dubbed SambaCry (iseewhattheydidthere), the vulnerability allows a bad dude to upload bad stuff to a writable file share, then execute that same bad stuff. This allows them to own the Samba server. Full disclosure details can be viewed here (CVE-2017-7494).

Hold my beer

It is bad.

And it affects nearly all versions of Samba since 2010 (3.5.0 and up).

To make matters worse, consider where Samba is found and what it is used for. Many organizations use Samba for file sharing services that are tied to Active Directory and the like for user/group membership. This gives an attacker a likely path to query the directory and elevate privileges with relative ease.

This would likely affect many Network Attached Storage (NAS) devices and various vendor products which include Samba running under the hood with other open source components. It isn't likely these hosts are part of routine patch management programs, so SambaCry could be here for the foreseeable future.

Exploit

The Metasploit folks were quick to polish up a Metasploit module, making this a trivial attack.

Patch

Samba released 4.6.4, 4.5.10 and 4.4.14 to correct the defect. Samba has released patches for many versions available at http://www.samba.org/samba/security/.

Scan

Conduct internal scans to identify and weed out hosts that might be running vulnerable versions of Samba.

Firewall

Restricting which internal assets can communicate with SMB services using access control lists is another way to reduce the impact of this vulnerability.

Workaround

Add the following line to the [global] section of your smb.conf and restart smbd. This prevents clients from accessing any named pipe endpoints. Note that this can disable some expected functionality for Windows clients.

nt pipe support = no
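
One way to triage scan results and confirm the workaround, as an added example (not code from the original post or from the Samba project): it classifies version strings against the affected range and fixed releases named above, and checks an smb.conf for the workaround line. The host names, banners and sample smb.conf are constructed, and because distribution packages can carry the fix without changing the upstream version number, a "vulnerable" result means the package still needs checking.

```python
import re

# Fixed upstream releases named in the post, keyed by release series.
FIXED = {(4, 4): 14, (4, 5): 10, (4, 6): 4}

def version_status(banner):
    """Classify a version string such as the output of `smbd -V`."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        return "unknown"
    v = tuple(int(x) for x in m.groups())
    if v < (3, 5, 0):
        return "not-affected"
    series = v[:2]
    if series in FIXED:
        return "fixed" if v[2] >= FIXED[series] else "vulnerable"
    # Series after 4.6 shipped with the fix; older ones need a backported patch.
    return "fixed" if series > (4, 6) else "vulnerable"

def workaround_enabled(conf_text):
    """True if [global] sets `nt pipe support` to a false value."""
    section, value = None, "yes"  # Samba's default is yes
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif "=" in line and section == "global":
            key, val = line.split("=", 1)
            # smb.conf ignores case and whitespace in parameter names
            if "".join(key.split()).lower() == "ntpipesupport":
                value = val.strip().lower()
    return value in ("no", "false", "0", "off")

def triage(banner, conf_text=None):
    status = version_status(banner)
    if status == "vulnerable" and conf_text and workaround_enabled(conf_text):
        return "mitigated-by-workaround"
    return status

# Constructed sample inventory: (host, version banner, smb.conf text or None)
SAMPLE_CONF = "[global]\n  workgroup = EXAMPLE\n  nt pipe support = no\n[share]\n  path = /srv/share\n"
INVENTORY = [("nas-01", "Version 4.5.9", None), ("files-02", "Version 4.6.4", None),
             ("legacy-03", "Version 3.6.25", SAMPLE_CONF)]

if __name__ == "__main__":
    for host, banner, conf in INVENTORY:
        print(f"{host:10} {banner:16} {triage(banner, conf)}")
```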

Since this vulnerability affects nearly every version of Samba since 2010 across system architectures (x86/64/ARM/etc) and likely touches systems that are not part of traditional patch management programs (including vendor products), I think we'll be talking about SambaCry for the foreseeable future.

-Travis