Researchers warn that many Linux and Unix systems contain a Samba vulnerability that could eventually lead to attacks similar to WannaCry or worse, if IT pros don't remediate quickly.

According to the Samba security advisory, the vulnerability (CVE-2017-7494) affects versions 3.5 (released March 1, 2010) and newer. The Samba vulnerability is remotely exploitable and could allow "a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it."

Nick Bilogorskiy, senior director of threat operations at Cyphort, said although there are no active exploits in the wild, the damage from this Samba vulnerability could be steep.

"Because this vulnerability allows remote code execution, attackers will have full control over a compromised machine, and any payload is possible," Bilogorskiy told SearchSecurity. "For example, [an attacker could] drop a backdoor, steal data from the system, spy on the user, attack other systems or try to encrypt all data for a ransom."


Lane Thames, senior security researcher at Tripwire, said exploiting the Samba vulnerability "is a little more difficult than the SMB vulnerability targeted by WannaCry."

"For example, to exploit CVE-2017-7494 an attacker must find a vulnerable system, then find the path of an appropriate file share on the system, and the attacker must be either authenticated with the vulnerable Samba server or the share must be available to be written to without authentication," Thames told SearchSecurity. "Regardless, enterprises should move fast to patch this vulnerability and ensure that no unnecessary Samba services are exposed to the internet."

Samba vulnerability remediation

Research from Rapid7 Labs said attacks on this Samba vulnerability could come over the same port 445 used to access SMB on Windows machines, but port 139 could also expose endpoints to attack. Rapid7 suggested "organizations should review their firewall rules to ensure that SMB/Samba network traffic is not allowed directly from the internet to their assets."

A patch has been released and the Samba advisory also noted a potential workaround for those who can't patch right away. Samba said adding the argument "nt pipe support = no" to the global section of the Samba configuration file will mitigate the threat, but could have the added consequence of disabling "some expected functionality for Windows clients."

Thames said the enterprise space will be "concerned with their file and print server systems running on top of Linux and Unix operating systems that use Samba," but warned that storage solutions "can also pose significant risks."

"Most of these storage devices use embedded Linux and Samba for their file sharing functionalities. Moreover, it is these types of devices that are likely to be the most troublesome for us with this vulnerability," Thames said. "Enterprise server vendors are moving fast to push out patches to enterprise customers for this Samba vulnerability. However, [network-attached storage] vendors might not move so quickly on this and in some cases they might not even issue patches for this."
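For administrators triaging servers, the sketch below is an added example (not code from Samba, Rapid7 or the article) that checks a Samba configuration for the advisory's "nt pipe support = no" workaround and lists the writable shares Thames describes as the precondition for exploitation. The sample configuration and the function names are constructed for illustration, and synonym handling is simplified to "first matching parameter wins."

```python
import re

TRUE = {"yes", "true", "1", "on"}
FALSE = {"no", "false", "0", "off"}

def _norm(name):
    # smb.conf ignores case and internal whitespace in parameter names.
    return re.sub(r"\s+", "", name).lower()

def parse_smb_conf(text):
    text = re.sub(r"\\\r?\n", "", text)  # join backslash-continued lines
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[_norm(key)] = value.strip()
    return sections

def _flag(params, names, default):
    for name in names:
        if name in params:
            return params[name].lower() in TRUE
    return default

def audit(text):
    conf = parse_smb_conf(text)
    glob = conf.pop("global", {})
    # "nt pipe support" defaults to yes, so the workaround must be explicit.
    result = {"workaround_applied": glob.get("ntpipesupport", "yes").lower() in FALSE,
              "writable_shares": [], "guest_writable_shares": []}
    for share, params in conf.items():
        merged = {**glob, **params}  # shares inherit [global] settings
        writable = (_flag(merged, ("writable", "writeable", "writeok"), False)
                    or not _flag(merged, ("readonly",), True))
        if writable:
            result["writable_shares"].append(share)
            if _flag(merged, ("guestok", "public"), False):
                result["guest_writable_shares"].append(share)
    return result

# Constructed sample configuration, not taken from any real server.
SAMPLE = ("[global]\n  workgroup = EXAMPLE\n  NT Pipe Support = no\n"
          "[public]\n  path = /srv/public\n  guest ok = yes\n  read only = no\n"
          "[docs]\n  path = /srv/docs\n  writable = yes\n"
          "[archive]\n  path = /srv/archive\n")
```

Shares listed under `guest_writable_shares` can be written to without authentication and are the first ones to lock down or firewall on hosts that cannot be patched yet.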