SambaCry in the wild


#1

"The OS patch has already been released for this vulnerability, which may limit the number of victims. Attackers also need to have writable access to a shared location in the target system to deliver the payload—another limiting factor that might stem the rate of infection.

Since this vulnerability was patched in May, users who regularly update have no issue. However, Unix or Linux based devices (which comprise most IoT devices) are harder to protect. If Samba is enabled and the manufacturers have not sent out patches, then the devices are vulnerable. Users should proactively update or consult with the specific manufacturers."

Except MyCloud users; they have been begging for an update since May.


#2

As you already know … this is probably “falling on deaf ears”. It seems WD is not worried about our data integrity/vulnerability and doesn’t even acknowledge what has been patched or not patched in its firmware. Their security updates are far too infrequent.


#3

I couldn’t help myself and opened a support case. I am prepared for useless support questions like “send us your log” etc.


#4

FYI this vulnerability appears to have been previously mentioned (and discussed) in the following thread from late May…

https://community.wd.com/t/samba-vulnerability-discovered-actually-not-wds-fault/206408

It is unknown if WD patched the vulnerabilities previously mentioned in other threads unrelated to CVE-2017-7494. And considering how long it took WD to issue an update after being notified of those past vulnerabilities, expect to wait four or more months for an update that might (or might not) fix CVE-2017-7494.


#5

… and d_fens posted five times on that thread. I’m sure they’re aware of the thread…


#6

I suppose we should all be doing that; flood their support system with demands for patches.

Just in the vague hope that somebody, somewhere in WD is paying attention to support requests.

I won’t hold my breath.

Sometimes I wish I’d never come here. I might be happily using my MyCloud, with remote access, blissfully unaware of the security vulnerabilities… Until I get pwned, that is…


#7

I started another thread because it’s actively exploited now.
I am sure WD’s Security Response Team is now working their butts off to deliver a patch asap :wink:


#8

I suspect that ‘team’ only has one butt. And a very part time butt at that…

And apparently sitting around on it most of the time.


#9

This bulletin has a possible workaround.


Adding the argument “nt pipe support = no” to the global section of the smb.conf file and restarting the service will also mitigate the threat.

CVE-2017-7494.html:

====================================================================
== Subject: Remote code execution from a writable share.

== CVE ID#: CVE-2017-7494

== Versions: All versions of Samba from 3.5.0 onwards.

== Summary: Malicious clients can upload and cause the smbd server
== to execute a shared library from a writable share.

====================================================================

===========
Description

All versions of Samba from 3.5.0 onwards are vulnerable to a remote
code execution vulnerability, allowing a malicious client to upload a
shared library to a writable share, and then cause the server to load
and execute it.

==================
Patch Availability

A patch addressing this defect has been posted to

http://www.samba.org/samba/security/

Additionally, Samba 4.6.4, 4.5.10 and 4.4.14 have been issued as
security releases to correct the defect. Patches against older Samba
versions are available at http://samba.org/samba/patches/. Samba
vendors and administrators running affected versions are advised to
upgrade or apply the patch as soon as possible.

==========
Workaround

Add the parameter:

nt pipe support = no

to the [global] section of your smb.conf and restart smbd. This
prevents clients from accessing any named pipe endpoints. Note this
can disable some expected functionality for Windows clients.

=======
Credits

This problem was found by steelo knownsteelo@gmail.com. Volker
Lendecke of SerNet and the Samba Team provided the fix.
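As an added illustration of the advisory's two preconditions (a share the client can write to, plus reachable named-pipe endpoints) and of the `nt pipe support = no` workaround, here is a small audit script. It is not code from the thread, from WD or from the Samba project; the sample `smb.conf` is constructed, and the version check only knows the three fix releases named in the advisory (vendor-backported fixes cannot be recognised from the version number).

```python
# Constructed sample smb.conf (not a real device's): one writable share, one read-only share, workaround only commented out
SAMPLE_SMB_CONF = """
[global]
   # nt pipe support = no
[Public]
   path = /shares/Public
   read only = no
[Docs]
   path = /shares/Docs
   read only = yes
"""
# Fix releases named in the advisory, keyed by Samba branch (major, minor).
FIXED = {(4, 6): (4, 6, 4), (4, 5): (4, 5, 10), (4, 4): (4, 4, 14)}

def parse_smb_conf(text):
    """{section: {key: value}}, all lower-cased; lines starting with # or ; are comments."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, val = (s.strip().lower() for s in line.split("=", 1))
            sections[current][key] = val
    return sections

def writable_shares(sections):
    """Shares a client can upload to: writable/writeable = yes or read only = no."""
    return [name for name, o in sections.items() if name != "global" and
            (o.get("writable", o.get("writeable")) in ("yes", "true")
             or o.get("read only") in ("no", "false"))]

def workaround_active(sections):
    """Only an uncommented 'nt pipe support = no' under [global] counts."""
    return sections.get("global", {}).get("nt pipe support") == "no"

def version_patched(version):
    """'x.y.z' at or above its branch's fix release; other branches count as unpatched."""
    v = tuple(int(p) for p in version.split("-")[0].split(".")[:3])
    return v[:2] in FIXED and v >= FIXED[v[:2]]

def assess(conf_text, version):
    """Exposed only when a writable share, enabled pipes and an unpatched smbd coincide."""
    s = parse_smb_conf(conf_text)
    shares, patched, mitigated = writable_shares(s), version_patched(version), workaround_active(s)
    return {"writable": shares, "workaround": mitigated, "patched": patched,
            "exposed": bool(shares) and not mitigated and not patched}
```

Run `assess(open("/etc/samba/smb.conf").read(), "<output of smbd --version>")` on a box you administer; an `exposed` result means either patching or adding the workaround is still outstanding.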


#10

reply from WD:
"I understand that you are experiencing concerns regarding the security of your WD My Cloud device. We do regret any inconveniences you may have experienced so far.

Please rest assured that WD takes the safe and secure use of our products seriously.

The reported issue is currently under investigation by our vulnerability assessment teams.

Any and all product announcements regarding software, firmware updates and release notes will be posted to the WD Community Forum."


#11

Has anyone tried this? Please share your experience.

Thanks!