Samba Exploit Could Lead To Next WannaCry Outbreak, Update Now

Hackers do not ever seem to take a day off. Just days removed from the WannaCry ransomware threat that was thwarted when a security researcher inadvertently discovered and engaged a kill switch, the U.S. Department of Homeland Security announced a new vulnerability in commonly used networking software, one that leaves tens of thousands of computers potentially susceptible to a similar attack.

The flaw exists in Samba, a protocol based on the Windows server message block (SMB) that provides Windows-based file and print services for Unix and Linux systems. If an attacker is able to exploit the flaw, he or she could run malicious code on a compromised device and gain root-level access permissions.

"All versions of Samba from 3.5.0 onwards are vulnerable to a remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it," Samba.org stated in a security alert on its website.

The good news here is that despite the potential to wreak havoc, there do not appear to be any related attacks at this point.

"The internet is not on fire yet, but there's a lot of potential for it to get pretty nasty," Jen Ellis, a vice president at Rapid7, stated in a security alert. "If there is a vulnerable version of Samba running on a device, and a malicious actor has access to upload files to that machine, exploitation is trivial."

Ellis went on to explain that many home and corporate network storage systems run Samba, which is often installed by default on many Linux systems. Because of this, there are users out there who are running Samba without even realizing it.
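The two conditions in the Samba.org alert, a version of 3.5.0 or later and a share that clients can write to, can be checked from a host's version banner and its smb.conf. The following audit sketch is an added example, not code from this article or from the Samba project; the function names and the sample configuration are constructed for illustration, and the version check uses only the 3.5.0 lower bound quoted above, so it cannot tell whether a fix has already been installed.

```python
import re
TRUE = {"yes", "true", "on", "1"}  # boolean spellings smb.conf accepts
WRITE_ALIASES = {"writable", "writeable", "write ok"}  # inverses of "read only"

def in_advisory_range(banner):
    """True for 3.5.0 or later; a hit means 'confirm the fix is installed'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", banner)
    return bool(m) and tuple(map(int, m.groups())) >= (3, 5, 0)

def parse_sections(conf_text):
    """Minimal smb.conf reader: [sections], key = value, '#' and ';' comments."""
    sections, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            key = " ".join(key.lower().split())
            if key in WRITE_ALIASES:  # fold aliases so the last setting wins
                key, value = "read only", "no" if value.lower() in TRUE else "yes"
            current[key] = value
    return sections

def writable_shares(conf_text):
    """Shares with read only = no or a write list; [global] supplies defaults."""
    sections = parse_sections(conf_text)
    glob = sections.pop("global", {})
    pick = lambda opts, key, default: opts.get(key, glob.get(key, default))
    return sorted(name for name, opts in sections.items()
                  if pick(opts, "read only", "yes").lower() not in TRUE
                  or pick(opts, "write list", ""))

def exposed_shares(banner, conf_text):
    return writable_shares(conf_text) if in_advisory_range(banner) else []

# Constructed sample configuration, not taken from a real host.
SAMPLE_CONF = """[public]
read only = no
[docs]
path = /srv/docs
[scans]
Writeable = Yes
[media]
writable = yes
read only = yes
"""
```

Pass the output of `smbd --version` as `banner`. Any share the function returns is one to restrict or take offline until the host is confirmed patched.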

There already exist working proof-of-concept exploits that have been demonstrated on Ubuntu systems and network-attached storage (NAS) appliances by Synology, a popular player in the NAS market. It's said that exploiting the vulnerability is rather easy—it took a mere 15 minutes to code a proof-of-concept. [UPDATE: Synology released a system update for DSM 6.1 and DSM 6.0 to solve this issue on May 25th. Synology tells HotHardware that users are encouraged to log in and make sure their device is running the latest version of DSM. For more info and instructions, go here.]

Like WannaCry, it's possible that this latest exploit could spread in a worm-like fashion to infect devices with malware. However, that has not happened yet. Furthermore, Samba.org has issued a patch for Samba versions 4.4 and newer that can be found here. For older versions, Samba says patches can be found by going here.