Wednesday, May 24, 2017

Samba remote code execution exploit: what you need to know

This one is going to hurt home users whose SOHO routers or NAS boxes host Samba shares, among many others.

Samba is the open-source implementation of the SMB file-sharing protocol for Linux and other Unix-like systems; it speaks the same SMB that the recent WannaCry ransomware worm exploited on Windows. A newly disclosed vulnerability in Samba makes a similar attack possible against Linux systems, with one important difference: the attacker needs write access first. A malicious actor who can upload files to a Samba share can upload a malicious shared library and then use this vulnerability to make the smbd server load and execute it.

Unlike Microsoft's SMB implementation, which ships only in Windows, Samba is embedded in products from a wide variety of makers: servers, laptops, home routers, network storage systems, media servers, and many IoT devices. And unlike Windows, those devices generally will not install an update automatically, even if the manufacturer provides one.

A quick query of the Internet-wide scanning service Shodan shows that nearly half a million devices running Samba are publicly accessible on the Internet. Interestingly, the large majority of those appear to be in the United Arab Emirates, leading one to wonder whether Emirates Telecommunications Corporation is equipping its customers with a gateway router that has Samba enabled by default.

What can you do?



Update Samba


The best course of action is to update Samba to a fixed version. According to the Samba Project advisory, every release from 3.5.0 onward is affected, and the fixed releases are 4.6.4, 4.5.10 and 4.4.14 (or newer in each branch); branches older than 4.4 did not receive a patched release and need to move to a supported branch. One caveat for Linux users: distributions usually backport the fix into the version they already ship, so go by your distribution's security advisory rather than by the bare version number.

For most IoT devices, you are likely dependent on the manufacturer to release a firmware update that includes this fix.



Disable writable shares


This vulnerability can only be exploited through shares that allow uploading or writing files, because the attacker has to get their shared library onto the server before smbd can be tricked into loading it; read-only shares cannot be exploited. Bear in mind that a guest-writable "public" or "upload" share, common on home NAS boxes, counts as writable, as does a writable [homes] share. Set read only = yes on any share that does not truly need uploads.



Disable "named pipe endpoints" in your Samba config file


Named pipes are not a way of multiplexing connections; they are SMB's inter-process communication endpoints, reached through the hidden IPC$ share, over which Windows-style RPC services (share enumeration, printer management and so on) are carried on the same TCP port 445 as file access. The vulnerability is in how smbd validates the name of the pipe a client asks to open: a crafted name makes smbd load the attacker's uploaded file as a shared library. Setting nt pipe support = no stops smbd from serving named pipes at all, which blocks the exploit, but, as the Samba advisory warns, it can also disable functionality that Windows clients expect, such as listing the server's shares from Explorer.

To disable named pipes, add the parameter:


nt pipe support = no


to the [global] section of your smb.conf file, check the result with testparm, and restart smbd. You can modify smb.conf on a couple of IoT devices as follows:
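Whatever the device, the three steps above can be checked with a script before and after you change anything. The following is an added example, not code from the original post or from the Samba project: it checks a Samba version string against the advisory's fixed releases, lists the shares in an smb.conf that accept uploads, and reports the effective nt pipe support setting. It needs only a POSIX sh and awk; the smb.conf near the bottom is a constructed sample, and the share names and paths in it are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post or the Samba project: a small
# audit covering the three steps above. It checks a Samba version string
# against the advisory's fixed releases, lists the shares in an smb.conf that
# accept uploads, and reports the effective "nt pipe support" setting. Needs
# only POSIX sh and awk. The smb.conf near the bottom is a constructed sample.

# True (exit 0) when the version is in the affected range (3.5.0 onward) and
# below the fixed release for its branch. Accepts raw `smbd --version` output
# such as "Version 4.5.8-Ubuntu". Caveat: distributions usually backport the
# fix without changing the version, so "vulnerable" here means "check your
# package changelog", not "definitely exploitable".
samba_version_vulnerable() {
    v=${1#*ersion }                  # drop a leading "Version " if present
    v=${v%%[!0-9.]*}                 # keep the numeric major.minor.patch prefix
    [ -n "$v" ] || return 2          # not a version string at all
    set -- $(printf '%s' "$v" | tr '.' ' ')
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    # Before 3.5.0: not affected. 4.7 and later: released with the fix.
    if [ "$major" -lt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -lt 5 ]; }; then
        return 1
    fi
    if [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -ge 7 ]; }; then
        return 1
    fi
    case "$major.$minor" in
        4.6) [ "$patch" -lt 4 ] ;;
        4.5) [ "$patch" -lt 10 ] ;;
        4.4) [ "$patch" -lt 14 ] ;;
        *)   return 0 ;;             # 3.5.x to 4.3.x: no fixed release in that branch
    esac
}

# Reads an smb.conf on stdin and prints every share that accepts writes.
# Samba's default is read-only; "writable", "writeable" and "write ok" are
# synonyms, and "read only = no" means the same. Comment lines (# or ;) are
# skipped and parameter names are matched case-insensitively, as Samba does.
writable_shares() {
    awk '
        function truthy(s) { gsub(/[ \t]/, "", s); s = tolower(s)
                             return (s == "yes" || s == "true" || s == "1") }
        function flush()   { if (sec != "" && tolower(sec) != "global" && writable) print sec }
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { flush(); sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
                        writable = 0; next }
        { line = tolower($0); split($0, kv, "=") }
        line ~ /^[ \t]*(writable|writeable|write ok)[ \t]*=/ { writable = truthy(kv[2]) }
        line ~ /^[ \t]*read only[ \t]*=/                    { writable = !truthy(kv[2]) }
        END { flush() }
    '
}

# Reads an smb.conf on stdin and prints the effective "nt pipe support" value
# from [global]; Samba's default is yes.
nt_pipe_support() {
    awk '
        BEGIN { val = "yes" }
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { inglobal = (tolower($0) ~ /^[ \t]*\[global\]/); next }
        inglobal && tolower($0) ~ /^[ \t]*nt pipe support[ \t]*=/ {
            split($0, kv, "="); v = tolower(kv[2]); gsub(/[ \t]/, "", v)
            val = (v == "no" || v == "false" || v == "0") ? "no" : "yes"
        }
        END { print val }
    '
}

# Constructed sample smb.conf, not taken from any real device.
SAMPLE_CONF='[global]
   workgroup = WORKGROUP
   server string = home NAS
   nt pipe support = yes

[public]
   path = /srv/samba/public
   guest ok = yes
   writable = yes

[media]
   path = /srv/samba/media
   read only = no

[docs]
   # no write flag at all, so Samba defaults to read only
   path = /srv/samba/docs

[backup]
   path = /srv/samba/backup
   writeable = no'

for ver in "Version 4.5.8-Ubuntu" 4.6.4 4.4.13 3.6.25 4.7.0; do
    if samba_version_vulnerable "$ver"; then echo "$ver: vulnerable"; else echo "$ver: fixed or unaffected"; fi
done
if command -v smbd >/dev/null 2>&1 && samba_version_vulnerable "$(smbd --version 2>/dev/null)"; then
    echo "installed smbd reports a vulnerable version; confirm against your distribution's advisory"
fi
echo "shares that accept uploads:"; printf '%s\n' "$SAMPLE_CONF" | writable_shares
echo "nt pipe support: $(printf '%s\n' "$SAMPLE_CONF" | nt_pipe_support)"
```

Run it on a real box with `sh audit.sh` and feed the real config with `writable_shares < /etc/samba/smb.conf`. Note the first demo line: "Version 4.5.8-Ubuntu" reads as vulnerable, yet Ubuntu shipped its fix as a patched 4.5.8 package, which is exactly why the version check is a prompt to read the package changelog rather than a verdict. If the share list contains anything that does not need uploads, add read only = yes to that section; if you cannot patch yet, add nt pipe support = no under [global], run testparm, and restart smbd.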




Double-check that Samba is not exposed to the Internet


  • Browse to http://www.ipchicken.com/ to check your public Internet address
  • Browse to https://shodan.io and search for your address. You do not want to see the following - if you do, you'll need to check your router or firewall and disable public (or WAN) access to port 445 (and to 139, the older NetBIOS session port that Samba also listens on):
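The Shodan search shows the view from outside; you can also confirm from the device itself whether smbd is listening on every interface or only on the LAN side. The following is an added example, not code from the original post: one function parses `ss -ltn` / `netstat -ltn` style output for SMB listeners bound to a wildcard address, and another checks whether smb.conf pins Samba to named interfaces. The socket listing and both config fragments are constructed samples, and the interface names (lo, br0, eth1) are assumptions for a typical home router.

```shell
#!/bin/sh
# Added example, not from the original post: local checks to go with the
# Shodan lookup above. The socket listing is a constructed sample and the
# interface names (lo, br0, eth1) are assumptions; `ip link` lists yours.

# Reads socket-listing lines on stdin (the layout of `ss -ltn` or
# `netstat -ltn`) and prints the local address:port of every TCP 445/139
# listener bound to a wildcard address (0.0.0.0, * or ::). Such a socket is
# reachable on every interface the device has, the WAN side included.
wildcard_smb_listeners() {
    awk '
        {
            addr = ""
            # both tools put the local address in column 4, but scanning every
            # field keeps this independent of the exact layout and header line
            for (i = 1; i <= NF; i++) if ($i ~ /:(445|139)$/) { addr = $i; break }
            if (addr == "") next
            host = addr; sub(/:[0-9]+$/, "", host)
            if (host == "0.0.0.0" || host == "*" || host == "::" || host == "[::]") print addr
        }
    '
}

# Reads an smb.conf on stdin; true (exit 0) when [global] has both
# "bind interfaces only = yes" and a non-empty "interfaces" list, i.e. Samba
# is told to listen only on the interfaces you name.
pinned_to_lan() {
    awk '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { inglobal = (tolower($0) ~ /\[global\]/); next }
        !inglobal     { next }
        { l = tolower($0); split($0, kv, "="); v = kv[2]; gsub(/^[ \t]+|[ \t]+$/, "", v) }
        l ~ /^[ \t]*bind interfaces only[ \t]*=/ { bind = (tolower(v) == "yes" || tolower(v) == "true") }
        l ~ /^[ \t]*interfaces[ \t]*=/           { ifaces = (v != "") }
        END { exit (bind && ifaces) ? 0 : 1 }
    '
}

# Constructed `ss -ltn` output for a router whose smbd listens everywhere.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN 0      128    0.0.0.0:22           0.0.0.0:*
LISTEN 0      50     0.0.0.0:445          0.0.0.0:*
LISTEN 0      50     0.0.0.0:139          0.0.0.0:*
LISTEN 0      50     [::]:445             [::]:*
LISTEN 0      50     192.168.1.1:80       0.0.0.0:*'

# Constructed [global] fragments: the first pins Samba to the loopback and the
# LAN bridge (br0 is an assumption), the second leaves the default of every
# interface.
PINNED_CONF='[global]
   interfaces = lo br0
   bind interfaces only = yes'
UNPINNED_CONF='[global]
   workgroup = WORKGROUP'

echo "sample listing, SMB sockets bound to every interface:"
printf '%s\n' "$SAMPLE_SS" | wildcard_smb_listeners
if command -v ss >/dev/null 2>&1; then
    echo "this host:"; ss -ltn 2>/dev/null | wildcard_smb_listeners
fi
for name in PINNED_CONF UNPINNED_CONF; do
    eval "conf=\$$name"
    if printf '%s\n' "$conf" | pinned_to_lan; then echo "$name: pinned to LAN"; else echo "$name: listens on all interfaces"; fi
done

# Belt and braces once the config is pinned: drop SMB on the WAN interface
# too (eth1 is an assumption). Not executed here; run it on the device.
#   iptables -I INPUT -i eth1 -p tcp -m multiport --dports 139,445 -j DROP
```

If the listing shows 0.0.0.0:445 or [::]:445, add the two pinning lines to [global] with your own LAN interface name, run testparm, restart smbd, and check the listing again; the firewall rule in the trailing comment covers the case where the firmware regenerates smb.conf on reboot.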


Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at) securityforrealpeople.com, or hit me up on Twitter at @dnlongen