WannaCry uses security holes in Samba

An SMB vulnerability in Windows systems was the open barn door for the spread of the encryption Trojan WannaCry. A similar vulnerability has existed in the open-source Samba server for seven years. Are Linux systems exposed to crypto-Trojan infection?

The newly discovered, seven-year-old vulnerability in the file server service Samba (version 3.5.0 and later) allows attackers to execute arbitrary code (CVE-2017-7494). A similar vulnerability on the Windows side strongly supported the spread of the encryption Trojan WannaCry, so the Linux community has christened the current vulnerability SambaCry. Updates for Samba are now available and are already being distributed by many Linux distributions. However, since the software also runs on many embedded systems and NAS devices that will not be patched for the foreseeable future, many systems are still vulnerable.

Is your own network at risk?

A proof of concept exists for the vulnerability, as does a module for the pentesting toolkit Metasploit, and the vulnerability is relatively easy for attackers to exploit. It can therefore be assumed that it will soon be abused for large-scale attacks. Administrators should update all Samba installations on their networks as soon as possible. If this is not possible, the vulnerable devices should be removed from the network. If neither of these two options is applicable, the vulnerable devices must at least be partitioned off so that they are in no way accessible from the public network.
But even in the LAN, vulnerable NAS boxes and servers are a problem. The WannaCry worm caused such a stir mainly because it spread within internal company networks from one vulnerable computer to the next. A hypothetical Linux pest that got into the network once could, like WannaCry, move from one vulnerable Samba system to the next. What makes this scenario especially dangerous is that file servers are the perfect target for encryption Trojans.

How to find vulnerable systems

Security researchers are already using high-end tools to detect vulnerable systems on their own networks. This Nmap script is used to find vulnerable Samba versions. By his own account, the developer is already working on an improved version; the Metasploit module checks whether the Samba server in question is actually vulnerable.
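
A version-based check of this kind can also be run over an existing asset inventory. The following is an added example, not code from the article or from the Nmap script it mentions: it sorts Samba version banners against the affected range given above (3.5.0 and later). The host names, banners and the fixed release `99.0.1` are constructed placeholders; the real fixed releases must come from the vendor's advisory.

```python
import re

# Lower bound of the affected range as stated in the article (Samba 3.5.0 and later).
FIRST_AFFECTED = (3, 5, 0)
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(\S*)")

def parse_banner(banner):
    """Return ((major, minor, patch), suffix) or (None, '') if no x.y.z version is found."""
    m = VERSION_RE.search(banner)
    if not m:
        return None, ""
    return tuple(int(x) for x in m.groups()[:3]), m.group(4)

def classify(banner, fixed_releases=()):
    """fixed_releases: (major, minor, patch) tuples from the vendor advisory (assumption:
    supplied by the operator, because the article does not list them)."""
    version, suffix = parse_banner(banner)
    if version is None:
        return "unknown"                  # no usable version: inspect the device manually
    if version < FIRST_AFFECTED:
        return "outside-range"            # older than 3.5.0
    # Only compare within the same major.minor series; anything else stays flagged.
    if any(version[:2] == f[:2] and version >= f for f in fixed_releases):
        return "fixed-upstream"
    if suffix:
        # Distribution builds (e.g. '-Ubuntu') may carry a backported fix under an
        # old upstream number, so the package changelog decides, not the version.
        return "in-range-check-package"
    return "in-range"                     # update, remove or segment this device

def triage(inventory, fixed_releases=()):
    return {host: classify(b, fixed_releases) for host, b in inventory.items()}

# Constructed sample inventory (hypothetical hosts and banners).
SAMPLE = {
    "nas-01": "Samba 3.6.25",
    "files-02": "Samba 4.3.11-Ubuntu",
    "legacy-03": "Samba 3.0.37",
    "cam-04": "Windows 6.1",
    "files-05": "Samba 99.0.2",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE, fixed_releases=[(99, 0, 1)]).items():
        print(f"{host:10} {status}")
```

A version match only narrows the list; as with the Nmap script, it does not confirm that a given server is actually vulnerable.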