How Bad Is It, Really?

Samba is an open source network application that provides the same functionality as Microsoft Server Message Block (SMB). SMBv1 was the target of the EternalBlue exploit, which runs on Microsoft systems. However, Samba is not the same application. Because Samba is added to Unix systems for file share compatibility to Microsoft systems, it is often not running out of the box. Granted, it’s on nearly every Linux distribution, but not everyone uses it. Samba is also used on many network appliances and devices, as these devices often use Linux as their internal operating system. Therefore, Linux systems and many network appliances are potentially vulnerable.

The vulnerability requires the following conditions:

1. smbd must be running on a port accessible to the attacker (tcp/445)
2. the “nt pipe support” setting must be enabled (on by default) in smb.conf
3. the attacker must have access to a writeable share

Notably, the attacker does not have to have authenticated access if they can write to the writable share anonymously.

In order to exploit the vulnerability, the attacker would upload a shared object file to the writeable share and issue a simple command to cause smbd to execute the shared object.

This will cause the smbd process to execute the code contained in the target.so file with its level of privilege, which is usually root. The Metasploit exploit module allows the attacker to choose the payload. An attacker who is in a position to leverage this vulnerability will have full access to the entire system with root level privileges.

Threat Scope

A shodan.io query of “port:445 !os:windows” shows approximately one million non-Windows hosts that have tcp/445 open to the Internet, more than half of which exist in the United Arab Emirates (36%) and the U.S. (16%).