Black Arrow Cyber Advisory – Trend Micro Disclose Samba (SMB) Remote Code Execution Bug

Executive Summary

Trend Micro, a major vendor in the security product market, has disclosed a bug this month in Samba, the widely used implementation of the SMB file-sharing protocol, that allows attackers to remotely execute code on affected systems. Samba is present in almost every environment, most often on network storage devices such as QNAP and Synology, or alongside Windows file shares. The bug received a CVSS score of 9.9, primarily because a successful exploit gives the attacker remote root or administrator privileges.

What’s the risk to me or my business?

Samba is extremely common and is often the default choice when configuring a file share, so the likelihood that it exists in your environment is high. While the bug is not reported to be widely exploited at this time, attackers will leverage anything they can when compromising a network, and it may only be a matter of time now that the bug has been made public. The risk will primarily come from a failure to patch the flaw, which may be easy to overlook.

What can I do?

A patch has been released by Samba to address the issue. The bug affects all instances of Samba before version 4.13.17, and it is advised that network administrators patch as soon as possible.
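As an added example (not part of the Black Arrow advisory), the following Python helper reads `smbd --version` style output and compares the numeric version against the 4.13.17 release named above; the function names and the sample version strings are my own.

```python
import re
import shutil
import subprocess
from typing import Optional, Tuple

# Fixed release named in the advisory: Samba 4.13.17.
FIXED_VERSION = (4, 13, 17)

# Matches the upstream "major.minor.patch" core of a Samba version string.
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")


def parse_samba_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from `smbd --version` style output.

    Copes with distro suffixes such as "Version 4.13.14-Ubuntu" (constructed
    sample); returns None when no version triple is present.
    """
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_below_fixed(version: Tuple[int, int, int]) -> bool:
    """True when the version predates the 4.13.17 fix named in the advisory.

    Tuple comparison is numeric, so 4.9.x is correctly treated as older than
    4.13.17 (a plain string comparison would get this wrong).
    """
    return version < FIXED_VERSION


def assess(version_output: str) -> str:
    """Classify one host's smbd version string: 'unpatched', 'patched' or 'unknown'."""
    version = parse_samba_version(version_output)
    if version is None:
        return "unknown"
    return "unpatched" if is_below_fixed(version) else "patched"


def local_smbd_version() -> Optional[str]:
    """Return the local `smbd --version` output, or None if smbd is not installed."""
    smbd = shutil.which("smbd")
    if smbd is None:
        return None
    return subprocess.run([smbd, "--version"], capture_output=True, text=True).stdout


if __name__ == "__main__":
    out = local_smbd_version()
    print("smbd not found" if out is None else f"{out.strip()}: {assess(out)}")
```

Distribution packages often backport security fixes without changing the upstream version string, so treat an "unpatched" result as a prompt to confirm against your vendor's own advisory rather than as proof of exposure.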

Technical Summary

A new bug disclosed by Trend Micro allows attackers to remotely exploit Samba installations prior to version 4.13.17. The exploit requires no authentication and leverages the parsing of extended attribute (EA) metadata in the Samba server daemon, smbd. Using an out-of-bounds heap manipulation, an attacker can execute code in the context of root, gaining full system-level access.

Need help understanding your gaps, or just want some advice? Get in touch with us.
