The Samba Team disclosed vulnerability CVE-2017-7494: Remote code execution from a writable share.
HD Moore reported that the vulnerability is simple to exploit: on an open, writable SMB share, a shared library has to be uploaded which can then be easily executed on that server. The Samba Team has released patches and new versions (the vulnerability was introduced in version 3.5.0).
As a Brussels-based company, we are interested to understand what traction this vulnerability can get in the Internet landscape in Belgium. We took our question to Shodan.
- In Belgium, there are (at the time of writing) 628 Samba servers running with a public IP address scanned by Shodan.
- 370 of those servers require no authentication.
- 301 of those servers share disks.
- 266 of those servers use a vulnerable Samba version (we found no reported versions that include the fix).
- And finally, 77 of those servers share a disk with read-only property explicitly set to false.
Breaking these down by OS, Shodan reports:
- 38 Unix servers,
- 30 Windows 6.1 servers and
- 9 QTS servers (QNAS OS).
Several of the servers reporting as Windows 6.1 OS look to be honey pots.
If we filter these remaining servers for NAS devices (by looking at the comment of the IPC$ share), we end up with 33 servers.
All in all, a small set of potentially vulnerable devices. This analysis is solely based on Shodan data, we did not execute any scans ourselves.
Post created by:
Senior malware analyst @ NVISO