
Detecting SambaCry CVE-2017-7494

We’ve seen several critical vulnerabilities lately. First there was WannaCry, then WannaCry 2.0 (EternalRocks), and now, do we have WannaCry 3.0? Well, not really. But a new seven-year-old remote code execution vulnerability (CVE-2017-7494) that affects Samba versions 3.5.0 and higher is making news this week. The vulnerability is billed as the WannaCry equivalent for Linux, and some are even calling it SambaCry since it affects the SMB protocol implementation in Linux and is potentially wormable.

To be clear, this new vulnerability is unrelated to the SMB exploits that were released by the Shadow Brokers group and used by WannaCry ransomware to infect a large number of systems. SambaCry is similar only because the vulnerability affects the SMB protocol in Linux. The Tenable research team is always on top of these news-worthy vulnerabilities, and this latest Samba weakness is no different. You’ll find multiple detection tools in your Tenable feed, ready to use in your scan program.

What’s the attack surface?

Samba is an open source re-implementation of the SMB/CIFS networking protocol, which provides file and print services for various Microsoft Windows clients. It runs on most Unix, OpenVMS and Unix-like systems, such as Linux, Solaris, and AIX, and is standard in most Linux distributions. As a result, it's available on a large variety of Unix-like systems.

A quick Shodan search shows over 475,000 Samba-enabled hosts are accessible over the internet. However, it isn’t clear how many of them are running vulnerable versions of Samba.

Shodan search

The vulnerability itself can be exploited with a single line of code. A malicious client can upload a shared library to a writable share and cause the smbd server to execute it. Exploit modules for this issue are already available from Metasploit.

What steps can you take?

The first step is to patch vulnerable versions of Samba right away. Tenable has several tools to help you detect affected Samba versions.


Tenable has released multiple credentialed Nessus® plugins to check for vulnerable Samba versions, and will continue to release more plugins as patches become available for other Linux distributions.

| Plugin ID | Nessus Plugin |
|---|---|
|  | Samba 4.4.x < 4.4.14 / 4.5.x < 4.5.10 / 4.6.x < 4.6.4 Shared Library RCE |
|  | Slackware 13.1 / 13.37 / 14.0 / 14.1 / 14.2 / current : samba (SSA:2017-144-01) |
|  | Debian DLA-951-1 : samba security update |
|  | Debian DSA-3860-1 : samba - security update |
|  | FreeBSD : samba -- remote code execution vulnerability (6f4d96c0-4062-11e7-b291-b499baebfeaf) |
|  | openSUSE Security Update : samba (openSUSE-2017-613) |
|  | Oracle Linux 6 / 7 : samba (ELSA-2017-1270) |
|  | Oracle Linux 6 : samba4 (ELSA-2017-1271) |
|  | RHEL 6 / 7 : samba (RHSA-2017:1270) |
|  | RHEL 6 : samba4 (RHSA-2017:1271) |
|  | Scientific Linux Security Update : samba4 on SL6.x i386/x86_64 |
|  | Scientific Linux Security Update : samba on SL6.x, SL7.x i386/x86_64 |
|  | SUSE SLES11 Security Update : samba (SUSE-SU-2017:1391-1) |
|  | SUSE SLED12 / SLES12 Security Update : samba (SUSE-SU-2017:1392-1) |
|  | SUSE SLED12 / SLES12 Security Update : samba (SUSE-SU-2017:1393-1) |
|  | SUSE SLES12 Security Update : samba (SUSE-SU-2017:1396-1) |
|  | Ubuntu 14.04 LTS / 16.04 LTS / 16.10 / 17.04 : samba vulnerability (USN-3296-1) |
|  | Ubuntu 12.04 LTS : samba vulnerability (USN-3296-2) |

For example, here are results similar to what you might see after running plugin #100388 to detect vulnerable Samba versions:

Nessus SambaCry plugin

Tenable has also released a remote banner check to identify vulnerable Samba versions. The check only runs in paranoid mode because vendors have historically backported Samba patches, so a banner-based check can result in false positives. Make sure that the following setting is checked when you create a new scan:

Settings > Assessment > General > Show Potential False Alarms

Next, check results for Nessus plugin 42411 to determine if there are any SMB shares which provide access to unprivileged users. If you find any instances, fix the permissions on those shares.


Note: Passive Vulnerability Scanner (PVS) is now Nessus Network Monitor. To learn more about this application and its latest capabilities, visit the Nessus Network Monitor web page.

The Passive Vulnerability Scanner® (PVS™) is also capable of actively detecting vulnerable versions of SMB affected by SambaCry with plugin #700127.

PVS SambaCry plugin


The SecurityCenter® SambaCry Vulnerability Detection dashboard is developed and tailored to identify Linux hosts that may be susceptible to the SambaCry vulnerability. The dashboard takes the detection methods described in this blog and places them in a single location that is easy to use and understand. The matrix in the upper left-hand corner uses CVEs and plugin name strings to identify possible at-risk hosts vs. confirmed vulnerable hosts. The dashboard also reuses many components from the Detecting WannaCry and Eternal Rocks dashboard, and provides an overview of patching across all operating systems to help you understand the current progress in patch deployments.

SecurityCenter SambaCry dashboard

What if you can’t patch?

And finally, if it's not possible to apply the patches, update smb.conf as a workaround. Add the parameter:

nt pipe support = no

to the [global] section of your smb.conf and restart smbd. This prevents clients from accessing any named pipe endpoints.

Note: This can disable some expected functionality for Windows clients.
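To confirm the workaround actually landed in [global], and to list the writable shares mentioned earlier, a configuration audit can be scripted. The following is an added example, not Tenable or Samba code; the function names and the sample smb.conf are constructed for illustration.

```python
import re

# Constructed sample: workaround commented out in [global], misplaced in [public].
SAMPLE = """\
[global]
   # nt pipe support = no
[public]
   Read Only = No
   nt pipe support = no
[docs]
   writeable = yes
[archive]
   path = /srv/archive
"""

BOOL = {"yes": True, "true": True, "1": True, "on": True,
        "no": False, "false": False, "0": False, "off": False}

def parse_smb_conf(text):
    """Return {section: {param: lower-cased value}}. Parameter names are
    normalised (case and whitespace ignored); includes are not followed."""
    sections, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and line[0] not in "#;" and current is not None:
            key, value = line.split("=", 1)
            current[re.sub(r"\s+", "", key).lower()] = value.strip().lower()
    return sections

def writable(params):
    """True/False when the section sets a write switch, None when it is silent."""
    result = None
    for key, value in params.items():
        if value in BOOL and key == "readonly":
            result = not BOOL[value]
        elif value in BOOL and key in ("writeable", "writable", "writeok"):
            result = BOOL[value]
    return result

def audit(text):
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    # The workaround counts only when [global] sets it to a false value.
    mitigated = BOOL.get(glob.get("ntpipesupport")) is False
    default_rw = bool(writable(glob))
    shares = [name for name, params in conf.items() if name != "global"
              and (default_rw if writable(params) is None else writable(params))]
    return {"nt_pipe_support_disabled": mitigated, "writable_shares": shares}
```

On a live host, feed it the output of `testparm -s`, which prints the effective configuration with include files resolved.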

Follow Tenable

Tenable strives to enhance visibility into your network systems and potential vulnerabilities, helping you proactively manage risk on a regular basis. Subscribe to the Tenable Blog as we share more tips and tools to add to your cyber arsenal.

Thanks to the Tenable research team for their contributions to this blog.
