Hello, welcome to the Friday, May 26, 2017 edition of the Sandsenet Storm Center's Stormcast. My name is Johannes Ulrich,

and the I'm recording from Jacksonville, Florida. And well, it's just barely a week after one a crypt,

and we already have another important SMB vulnerability. Now, this one isn't quite as bad as the one that

led to that famous ransomware warm outbreak but still pretty bad if you are running

Samba. Samba is the open source implementation of the SMPP, often found on Linux-based systems.

And the problem here is that NetHacker that can upload a file to your system is then able

to execute that file. So first of all, the attacker has to be able to upload a file, which

typically means that the attacker needs credentials in order to upload a file, which typically means that the

attacker needs credentials in order to accomplish that.

So that's a little bit more of a hurdle than what we had with the Wanacript exploit that

did not require any authentication.

The bug is actually pretty simple here.

In SMB, we have the opportunity to connect to named pipes.

Now, if the named pipe is actually, if the name of that pipe contains a path, then that particular file is executed.

So really what they forgot here is they forgot to check for the slash in the pipe name.

And this is really what this patch does.

All recent versions of Samba, meaning 3.5 and up are vulnerable.

Now, if you are a Windows shop and typically don't run Linux, then this may be less of interest to you. But remember,

if you have any of these network storage devices like QNAP, Synology, and the like, they typically

do use Samba in order to share files with Windows systems. So you may be affected. I've seen a patch

from Synology. I haven't really looked

at the other manufacturers yet if they already came up with something. Billy Ross, who has looked

...