If you’ve got the time (and I hope you do) take a second to review this advisory from Samba: https://www.samba.org/samba/security/CVE-2017-7494.html. It affects all versions of Samba from 3.5.0 onwards and patches a vulnerability to remote code execution – one that can be executed with a single line of code as long as a few simple steps are taken beforehand.
This issue was noted by fellow Austenite HD Moore on twitter and followed with an Arstechnica article about the topic. Rapid7 has also published a great article that encourages you to take immediate action: https://community.rapid7.com/community/infosec/blog/2017/05/25/patching-cve-2017-7494-in-samba-it-s-the-circle-of-life.
I’ll second that.
If the Wannacry ransomware debacle showed us anything, keeping current with critical patching should trump most reasons not to patch. I won’t reiterate what was talked about in either of the above articles – they both did a good job of covering the issue. I will point out that the Shodan results are not startling. (110K possible vulnerable computers is actually a low count, but still enough to cause serious havoc.)
There is good proof of concept, although we have no noted reports of it being exploited in the wild at the moment. Keep in mind that can change at the drop of a hat.
- Apply the appropriate patches or workarounds provided by Samba after testing them. If you need the link: https://www.samba.org/samba/history/security.html
- Run software as a non-privileged user (no admin permissions). This can potentially contain the damage that can occur from a successful attack.
- Train and educate. Remind users not to follow untrusted links or visit unknown websites and inform them of the risks from threats that enter via email or attachments.
For those who like code, metasploit has data on this exploit in their github repository: https://github.com/rapid7/metasploit-framework/pull/8450.
More snapshots and updated material on the twitter feed: https://twitter.com/hdmoore