A worldwide cyberattack in a similar vein to the WannaCry ransomware attacks of Friday, May 12 could be repeated using a different Windows Server Message Block (SMB) vulnerability. US-CERT has issued a security alert about the SMB flaw advising organizations to apply a patch as soon as possible to fix the vulnerability.
The vulnerability, which is being tracked as CVE-2017-2764, affects Samba 3.5.0 and later versions. Samba provides Windows-style file and print services for Linux and Unix servers and is based on the Windows SMB file-sharing protocol.
US-CERT says the flaw is a remote code execution vulnerability that could be exploited by “a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it.” If the flaw is exploited, an attacker could run arbitrary code with root-level permissions.
Ars Technica says the flaw can only be exploited on unpatched computers if port 445 is open to the Internet and if the machine permits write access to a share whose server path is known or guessable.
A patch has been issued to fix the vulnerability in Samba versions 4.4 and later, and organizations that are unable to apply the patch can mitigate the vulnerability with a workaround instead. The workaround involves adding “nt pipe support = no” to the global section of smb.conf and restarting the smbd daemon.
The workaround prevents clients from accessing named pipe endpoints, although US-CERT warns that it may also disable some functionality for Windows clients.
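The two conditions Ars Technica names (a writable share) and the US-CERT workaround (“nt pipe support = no” in the [global] section of smb.conf) can both be checked from the configuration file. The following shell script is an added example, not code from the article, US-CERT or the Samba project: it builds a constructed sample smb.conf, reports whether the workaround is present, lists the shares that are writable, and applies the workaround idempotently. The function and variable names are assumptions of this example; the share names and paths in the sample are constructed.

```shell
#!/bin/sh
# Constructed sample smb.conf (not from the article): a [global] section
# without the workaround, one read-only share and one writable share.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
[global]
   workgroup = WORKGROUP
   server string = Samba Server

[public]
   path = /srv/samba/public
   read only = yes

[backups]
   path = /srv/samba/backups
   writable = yes
EOF

# Print "yes" if the [global] section of the given smb.conf carries
# "nt pipe support = no" (the US-CERT workaround), otherwise "no".
samba_workaround_status() {
    awk '
        /^[ \t]*\[/ { in_global = ($0 ~ /^[ \t]*\[global\]/); next }
        in_global && tolower($0) ~ /^[ \t]*nt[ \t]+pipe[ \t]+support[ \t]*=[ \t]*no[ \t]*$/ { found = 1 }
        END { print (found ? "yes" : "no") }
    ' "$1"
}

# List the names of shares (excluding [global]) that allow writes, i.e.
# "writable = yes" / "writeable = yes" or "read only = no".
samba_writable_shares() {
    awk '
        /^[ \t]*\[/ { gsub(/^[ \t]*\[|\][ \t]*$/, ""); share = $0; next }
        share != "" && share != "global" {
            line = tolower($0)
            if (line ~ /^[ \t]*(writable|writeable)[ \t]*=[ \t]*yes/ ||
                line ~ /^[ \t]*read[ \t]+only[ \t]*=[ \t]*no/) {
                print share
            }
        }
    ' "$1"
}

# Insert "nt pipe support = no" directly under [global] unless it is
# already present. smbd must still be restarted afterwards for the
# setting to take effect; this function only edits the file.
samba_apply_workaround() {
    if [ "$(samba_workaround_status "$1")" = "yes" ]; then
        return 0
    fi
    awk '
        { print }
        /^[ \t]*\[global\]/ { print "   nt pipe support = no" }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Stand-alone run: report the state of the constructed sample config.
echo "workaround present: $(samba_workaround_status "$SAMPLE_CONF")"
echo "writable shares:"
samba_writable_shares "$SAMPLE_CONF"
```

Run it against a real server by replacing `$SAMPLE_CONF` with the path to the live smb.conf (commonly /etc/samba/smb.conf); `samba_writable_shares` gives the list of shares an administrator would review, and `samba_apply_workaround` leaves the file unchanged if the setting is already there.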
Samba is also used on NAS devices, often without users’ knowledge. NAS environments are commonly used to store backup files. If the flaw were exploited in a similar fashion to the May 12 attacks and ransomware were installed, backups could be rendered useless. Organizations should therefore ensure that at least one copy of a backup file is stored on an offline, unnetworked device.
The wormable code-execution bug has existed for 7 years, and according to cybersecurity firm Rapid7 there are currently more than 104,000 Internet-exposed devices that are vulnerable to attack. A proof-of-concept exploit is believed to be available, although no attacks have been detected to date.