Samba remote code execution targeting IoT and NAS devices

CERT.be Advisory #2017-003

CVE ID: CVE-2017-7494
Version: 1.0
Affected software: Samba version 3.5.0 and onwards

Risks

Attackers exploit this vulnerability to obtain root access and to take control of the device.

Summary

New malware is using the same SMB protocol vulnerability as WannaCry, but now specifically targets Internet of Things (IoT) and Network Attached Storage (NAS) devices. It also targets other architectures such as MIPS, ARM and PowerPC.
The vulnerability allows an attacker to upload a file to a writable share and cause the server to load and execute it. If exploited successfully, the attacker could open a command shell on the vulnerable device and take control of it.
This vulnerability was already fixed in May 2017. However, if Samba is enabled on a device and its manufacturer has not shipped a patch, the device remains vulnerable; users should proactively update or consult their device's manufacturer.

Recommended actions

A patch addressing this defect has been posted to https://www.samba.org/samba/security/CVE-2017-7494.html
Additionally, Samba 4.6.4, 4.5.10 and 4.4.14 have been issued as security releases to correct the defect. Patches against older Samba versions are available at http://samba.org/samba/patches/
A possible workaround is to add the parameter:

nt pipe support = no

to the [global] section of your smb.conf and restart smbd. This prevents clients from accessing any named pipe endpoints. Note that this can disable some functionality expected by Windows clients.
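The workaround above as an added example, not part of the CERT.be advisory or of Samba's own tooling: it reads an smb.conf, reports whether "nt pipe support = no" is in effect in [global] and which shares accept writes (the precondition for the upload step), and rewrites the text to add the parameter. The sample configuration, the minimal parser and the function names are assumptions of this example (Samba's real parser also handles "include" and variable substitution, which this does not); restarting smbd remains a manual step.

```python
# Constructed sample smb.conf (assumed, not from the advisory): a read-only share, a writable share, no workaround.
SAMPLE_CONF = """[global]
   workgroup = WORKGROUP
[public]
   read only = yes
[upload]
   writable = yes
"""
TRUE, FALSE = {"yes", "true", "1"}, {"no", "false", "0"}
_norm = lambda key: "".join(key.split()).lower()  # Samba ignores case and whitespace in parameter names

def parse_smb_conf(text):
    """Minimal smb.conf reader -> {section: {key: value}}; a later duplicate wins, as in Samba."""
    conf, section = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            conf.setdefault(section := line[1:-1].strip().lower(), {})
        elif "=" in line and section is not None:
            key, _, value = line.partition("=")
            key, value = _norm(key), value.strip()
            if key in ("writable", "writeable"):  # synonyms for the inverse of "read only"
                key, value = "readonly", "no" if value.lower() in TRUE else "yes"
            conf[section][key] = value
    return conf

def nt_pipe_support_disabled(conf):
    """True when [global] sets "nt pipe support = no" (or false/0): the advisory's workaround."""
    return conf.get("global", {}).get("ntpipesupport", "yes").lower() in FALSE

def writable_shares(conf):
    """Shares that accept writes (Samba default is read only = yes); the flaw needs one to upload to."""
    return sorted(n for n, o in conf.items() if n != "global" and o.get("readonly", "yes").lower() in FALSE)

def apply_workaround(text):
    """Return smb.conf text with "nt pipe support = no" in [global], replacing any existing setting."""
    conf = parse_smb_conf(text)
    if nt_pipe_support_disabled(conf):
        return text
    out, in_global = [], False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            in_global = s.lower() == "[global]"
            out += [line, "   nt pipe support = no"] if in_global else [line]
        elif not (in_global and "=" in s and _norm(s.partition("=")[0]) == "ntpipesupport"):
            out.append(line)  # an existing "nt pipe support" line in [global] is dropped, not kept
    out = (["[global]", "   nt pipe support = no"] if "global" not in conf else []) + out
    return "\n".join(out) + "\n"
```

On a real system, write the result of apply_workaround() back to smb.conf, validate it with Samba's testparm, and then restart smbd.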