Samba Internet Exposure

Back in November 2017, a number of security vulnerabilities were disclosed impacting numerous versions of the Samba software. CVE-2017-14746 is a use-after-free issue while CVE-2017-15275 leads to a memory leak vulnerability. The former impacts all Samba versions starting from 4.0.0 while the latter affects all versions starting from 3.6.0. Now, the question we may ask is: how many of these affected products can be reached from the Internet?

Samba Exposure

This question is important because, if successfully exploited, these issues may lead to the compromise of affected devices with, as a potential result, new hosts joining yet-another-botnet. By performing a simple search on ONYPHE with the string “samba”, we find around 1 million results.

The next obvious question is now: how many of these hits are using a vulnerable version of Samba? By querying for the TOP 10 versions of Samba, we obtain the following results:

80% of the TOP 10 versions are vulnerable versions of Samba. That means a little bit more than 37,000 devices may be at risk of compromise.

Note: these results were collected at the end of November 2017.

We were specifically searching for Samba 3.6.x and 4.x. Now, those versions may not be the most prevalent on the Internet, so what about querying for the most seen results for a Samba query to list available shares? We can do that by querying for TOP 10 MD5 sums performed against collected banners.

Our results show that only two MD5 sums account for roughly 600,000 devices. For instance, if you query one of these sums, you will find more than 300,000 results:

https://www.onyphe.io/search/?query=2e01cb540184e4f68b756c839b217822 

In fact, if you check for distinct IP addresses resulting from those two hashes, you will find around 300,000 unique addresses. That’s because those devices are exposing Samba through both ports 139/tcp and 445/tcp.

They are all Samba 3.2.15 hosted by the Emirates Telecommunications Corporation organization. The exact same product is behind this Samba version: the D-Link DIR850L. The good news is that it is not impacted by the previously discussed CVEs. Unfortunately, if you search for vulnerabilities impacting this given product, you find a blog post dating back to September 2017 describing a fair number of issues:

http://securityaffairs.co/wordpress/62937/hacking/d-link-dir-850l-zero-day.html
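As an added example (not part of the original post or of ONYPHE's tooling), the triage logic above can be reproduced offline: parse the Samba version out of a banner, compare it against the affected ranges stated for the two CVEs, group banners by their MD5 sum, and collapse per-port hits to distinct hosts so that a device exposing both 139/tcp and 445/tcp is counted once. The scan records and IP addresses are constructed sample data; the record layout (ip, port, banner) is an assumption.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample records in the shape of a scanner export: (ip, port, banner).
SAMPLE = [
    ("203.0.113.10", 139, "Samba 3.2.15"),
    ("203.0.113.10", 445, "Samba 3.2.15"),
    ("203.0.113.11", 445, "Samba 4.3.11-Ubuntu"),
    ("203.0.113.12", 139, "Samba 3.6.25"),
    ("203.0.113.12", 445, "Samba 3.6.25"),
    ("203.0.113.13", 445, "Samba 4.7.3"),
]

# Lowest affected release for each CVE, as stated in the post.
CVE_START = {"CVE-2017-14746": (4, 0, 0), "CVE-2017-15275": (3, 6, 0)}

VERSION_RE = re.compile(r"Samba (\d+)\.(\d+)\.(\d+)")

def parse_version(banner):
    """Return (major, minor, patch) from a Samba banner, or None if absent."""
    m = VERSION_RE.search(banner)
    return tuple(int(x) for x in m.groups()) if m else None

def affected_cves(version):
    """CVEs whose affected range starts at or below this version.
    A banner cannot show backported fixes, so this is a triage signal, not proof."""
    return [cve for cve, start in CVE_START.items() if version >= start]

def banner_fingerprint(banner):
    """MD5 of the raw banner: the grouping key the post queries on."""
    return hashlib.md5(banner.encode()).hexdigest()

def summarize(records):
    """Collapse per-port hits to per-host counts and flag hosts to triage."""
    ports_by_ip = defaultdict(set)
    version_by_ip = {}
    for ip, port, banner in records:
        ports_by_ip[ip].add(port)
        version_by_ip[ip] = parse_version(banner)
    at_risk = {ip for ip, v in version_by_ip.items() if v and affected_cves(v)}
    return {
        "raw_hits": len(records),
        "unique_hosts": len(ports_by_ip),
        # Hosts reachable on both SMB ports, the double-counting the post describes.
        "dual_port_hosts": sum(1 for p in ports_by_ip.values() if p >= {139, 445}),
        "at_risk_hosts": len(at_risk),
    }
```

Running `summarize(SAMPLE)` shows six raw hits collapsing to four hosts, two of which answer on both ports; the 3.2.15 host is not flagged for either CVE, matching the post's observation about the DIR850L.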

Conclusion

The results shown here were presented at the latest Botconf security conference in Montpellier, France during a lightning talk. We showed that Samba is quite heavily exposed on the Internet and may be abused to build a botnet, just like many other vulnerable products.

If you are interested in querying our data, you can register for free to get your API key and have access to ONYPHE queries.
