TR-49 - CVE-2017-7494 - A critical vulnerability in Samba - remote code execution from a writable share

Overview

A critical remote code execution vulnerability, CVE-2017-7494, was found in Samba. An authenticated Samba client with write access to a share can execute arbitrary code with elevated privileges (usually root).

Vulnerable systems

  • Samba (version 3.5.0 and onwards)

Samba is included, by default, in many integrated devices or operating system distributions like

Non-vulnerable systems

  • Systems running Samba below version 3.5.0 are not vulnerable to this specific vulnerability. Nevertheless, if you run such an outdated version, we strongly recommend updating to the latest version.
  • CIFS implementations not based on the Samba code base, such as Microsoft Windows, are not vulnerable to this specific vulnerability.

Details on the Vulnerability

The vulnerability is located in rpc_server/srv_pipe.c, where pipe names may contain “/” characters. smb_probe_module() (line 484) is used to load a pipe name that refers to a library previously uploaded to the writeable share. The root cause is the ability to load shared backend modules in Samba through smb_probe_module().

The vulnerability was corrected in the following commit.

diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
index 39f5fb4..f79fbe2 100644
--- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c
@@ -481,6 +481,11 @@ bool is_known_pipename(const char *pipename, struct ndr_syntax_id *syntax)
 {
        NTSTATUS status;
 
+   if (strchr(pipename, '/')) {
+       DEBUG(1, ("Refusing open on pipe %s\n", pipename));
+       return false;
+   }
+
        if (lp_disable_spoolss() && strequal(pipename, "spoolss")) {
                DEBUG(10, ("refusing spoolss access\n"));
                return false;
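Review bot: The new strchr() check at the top of is_known_pipename() refuses any pipename containing '/' before the existing spoolss check, so a pipe name can no longer be passed further down as a path to a module on disk; a one-line comment stating that intent (e.g. `/* pipe names never contain '/'; a slash means a path to a module on disk */`) would make the rejection self-explanatory to future readers. The `DEBUG(1, ("Refusing open on pipe %s\n", pipename));` line is also a useful defender signal: at log level 1 or higher, a patched server records every refused name, so "Refusing open on pipe" in the Samba logs is worth monitoring after the fix is deployed.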

Getting Version of Samba

If you have terminal access to the system, smbd -V will print the version of the installed Samba.

If you cannot get terminal access to the system, you can use nmap with the smb-os-discovery script:

nmap -p445 --script=smb-os-discovery <IP of the Samba Server>

Starting Nmap 6.40 ( http://nmap.org ) at 2017-05-26 08:22 CEST
Nmap scan report for <IP of the Samba Server>
Host is up (0.00099s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-os-discovery: 
|   OS: QTS (Samba 4.4.9)
|   Computer name: yourSamba
|   NetBIOS computer name: YOURSAMBA
|   Domain name: 
|   FQDN: yoursamba 
|_  System time: 2017-05-26T08:22:43+02:00

Nmap done: 1 IP address (1 host up) scanned in 0.45 seconds

Fixing, remediation and mitigation

Patches are available for several but not all platforms. Where patches are not available, we strongly suggest applying the following recommendations.

The impact of the vulnerability can be limited if SELinux is enabled, because SELinux restricts the loading of Samba modules to a specific directory. Even with SELinux enabled, we strongly recommend updating Samba. We also recommend reviewing the SELinux logs for any suspicious activity involving the Samba processes.

If your NAS (Network Attached Storage) has CIFS enabled and the protocol is not required, we strongly recommend disabling the CIFS service in any case.

If you cannot update Samba, disabling NT pipe support in Samba is also an option. This can be done in smb.conf by adding the following line to the [global] section:

[global]
nt pipe support = no

Disabling NT pipe support might cause issues with software relying on that functionality.

Disclaimer: at the time of writing we are uncertain whether the following applies to this vulnerability. Another proposed generic option is to mount the file systems used by Samba writeable shares with the noexec option.
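As an added triage example (not part of this advisory or of the Samba project), the following Python helpers tie together the two checks above: they extract the Samba version from the nmap smb-os-discovery output shown in "Getting Version of Samba" and compare it with the 3.5.0 threshold, and they audit an smb.conf for the "nt pipe support = no" mitigation and for writable shares, the precondition the advisory names. The nmap output and smb.conf below are constructed samples; the version check only knows the affected range and cannot tell whether a vendor backported the fix.

```python
"""Added CVE-2017-7494 triage helpers (constructed example, not the advisory's code)."""
import re

VULN_START = (3, 5, 0)  # first affected release named in the advisory
YES = {"yes", "true", "1"}  # boolean spellings accepted by smb.conf

# Constructed samples: nmap smb-os-discovery output and an smb.conf lacking the mitigation.
NMAP_OUTPUT = "| smb-os-discovery:\n|   OS: QTS (Samba 4.4.9)\n|   Computer name: yourSamba\n"
SMB_CONF = """[global]
[public]
   read only = yes
[upload]
   writeable = yes
"""

def samba_version(nmap_text):
    """Version tuple from 'Samba X.Y.Z' in smb-os-discovery output, or None."""
    m = re.search(r"Samba\s+(\d+)\.(\d+)\.(\d+)", nmap_text)
    return tuple(int(x) for x in m.groups()) if m else None

def in_affected_range(version):
    """True for 3.5.0 and later; cannot tell whether a vendor backported the fix."""
    return version is not None and version >= VULN_START

def parse_smb_conf(text):
    """Minimal smb.conf parser -> {section: {key: value}}, keys lower-cased."""
    conf, section = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in ";#":
            continue  # blank or comment line
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf[section] = {}
        elif "=" in line and section is not None:
            key, _, value = line.partition("=")
            conf[section][" ".join(key.split()).lower()] = value.strip()
    return conf

def pipe_support_disabled(conf):
    """True when [global] carries the advisory's 'nt pipe support = no' line."""
    return conf.get("global", {}).get("nt pipe support", "yes").lower() not in YES

def share_is_writable(opts):
    """'read only = no', or, when 'read only' is absent, a writeable/writable/write ok = yes."""
    if "read only" in opts:
        return opts["read only"].lower() not in YES
    return any(opts.get(k, "no").lower() in YES for k in ("writeable", "writable", "write ok"))

def writable_shares(conf):
    return sorted(n for n, o in conf.items() if n != "global" and share_is_writable(o))
```

On the constructed samples, samba_version() returns (4, 4, 9), which is in the affected range, the mitigation is absent, and "upload" is the only writable share.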

Investigations

If you suspect that the vulnerability has been used against your systems running Samba, we strongly recommend investigating the system at a forensic level (file system, memory). The vulnerability is easy to exploit as long as an accessible and writeable CIFS share is active.

References

Classification of this document

TLP:WHITE information may be distributed without restriction, subject to copyright controls.

Revision

  • Version 1.1 - TLP:WHITE - QNAP, Netgear, asustor added - 27 May 2017
  • Version 1.0 - TLP:WHITE - First version - 26 May 2017