SambaCry Vulnerability (CVE-2017-7494) in Linux Systems


Systems Affected

Many corporate network storage systems (NAS), home routers and other IOT devices run Samba for file sharing. Some are accessible only from within the network, while others are also exposed to the internet. At the moment there are over 110,000 internet accessible devices that appear to be running vulnerable versions of Samba.

Every device running Samba with writable file shares and weak passwords is at risk. These devices can then be exploited by attackers to hold entire file servers for ransom, exfiltrate data or move laterally inside a network.

Threat Level



This vulnerability is the Linux version of WannaCry, appropriately named SambaCry. A malicious samba client that has write access to a samba share could use this flaw to execute arbitrary code typically as root.

The Samba team released a patch on May 24 for critical remote code execution vulnerability in Samba, the most popular file sharing service for all Linux systems. Samba is commonly included as a basic system service on other Unix-based operating systems as well.


This vulnerability, indexed CVE-2017-7494, enables a malicious attacker with valid write access to a file share to upload and execute an arbitrary binary file which will run with Samba permissions.

The flaw can be exploited with just a few lines of code, requiring no interaction on the part of the end user. All versions of Samba from 3.5 onwards are vulnerable.

As Samba is used as part of many organizations storage systems, we expect a ransomware attack to take advantage of the flaw in the near future.


Samba vulnerability requires the attacker to have valid credentials to a writable share, reducing the likelihood that it will be "wormable". However, a post breach attacker is likely to obtain the required credentials, providing an incredibly versatile platform for lateral movement

Solution/ Workarounds

Network, Remote Code Execution and Root = Drop what you are Doing and Patch. Snarky-ness aside, there are several standard fixes and mitigations to consider: has released patched versions of their software, including ones for older, unsupported releases. Upgrading to one of these versions and restarting smbd fixes the issue.

Adding the line "nt pipe support = no" to the smb.conf file and restarting smbd will also stop attackers from being able to exploit this vulnerability, but this can disable some expected functionality for Windows clients of the vulnerable Samba server.
System-level protections include SELinux. On Redhat, Linux SELinux is enabled by default and the default policy prevents loading of modules from outside of sambas module directories. This blocks the exploit. However, many systems administrators turn off SELinux since it can interfere with the operation of third-party software. It is important to check the status of SELinux with the getenforce command.
Disk areas meant to be shared as writeable shares via Samba, if they are partitions, can be mounted on the Linux server with the "noexec" flag, which also prevents the exploit from working.
Firewalls can be used to block access from untrusted networks to port tcp/445.



The information provided herein is on "as is" basis, without warranty of any kind.


© Copyright Sri Lanka CERT|CC. All Rights Reserved.