CVE-2017-7494

What Is Samba?

Samba is the open-source implementation of the SMB/CIFS protocol for Linux, Unix, and macOS, enabling file and print sharing with Windows networks. Samba runs on hundreds of millions of NAS devices, Linux servers, embedded systems, and cloud instances. Because Samba mediates file sharing between systems, a Samba server compromise gives access to all shared files and the underlying host OS. CVE-2017-7494 became known as "SambaCry" — named after EternalBlue/WannaCry — because it exploits a similar SMB-based attack vector to achieve remote code execution on Linux/Unix systems.

Overview

CVE-2017-7494 (SambaCry/EternalRed) is a critical remote code execution vulnerability in Samba (versions 3.5.0 through 4.6.3, 4.5.9, and 4.4.14). A malicious SMB client can upload a shared library to a writable Samba share and then cause the Samba server to load and execute the library — achieving code execution as the Samba daemon's process user (often root on NAS devices). The attack requires a writable file share and knowledge of the server-side path where the uploaded library lands. Fixed in Samba 4.6.4, 4.5.10, and 4.4.14 (May 2017). CISA added CVE-2017-7494 to the KEV catalog in March 2023, reflecting confirmed ransomware exploitation of Samba-based file servers.

Affected Versions

Technical Details

Root Cause: Shared Library Loading from Writable Share

CVE-2017-7494 is a code injection vulnerability (CWE-434) exploiting Samba's pipe IPC mechanism. The attack chain:

1. Writable share identified: Attacker finds or creates a Samba share with write access — either through anonymous write access, guest access, or valid credentials
2. Shared library upload: Attacker uploads a malicious shared library (.so file) to the writable share via standard SMB file write operations
3. Server-side path determination: The attacker must know the absolute server-side filesystem path where the uploaded .so file is stored; this is often deterministic or discoverable via Samba information leakage
4. IPC pipe invocation: The attacker opens an IPC connection to Samba and requests a named pipe that matches the path of the uploaded .so file; Samba's pipe processing code calls dlopen() on the named pipe path, loading and executing the .so as a Samba module
5. Code execution: Library constructor functions execute in the context of the smbd process — typically root on NAS devices, or file server user on Linux

Attack Characteristics

Discovery

Discovered by Stealth Mole and independently by others; Samba published the fix in May 2017. The nickname "SambaCry" was coined because the exploit was discovered in the immediate wake of the WannaCry/EternalBlue outbreak, sharing the Linux/NAS SMB exploitation theme.

Exploitation Context

• NAS cryptomining campaigns: Within days of the May 2017 patch, attackers launched automated campaigns targeting internet-facing Samba servers with writable shares — particularly NAS devices (Synology, QNAP, Western Digital) — deploying Monero cryptocurrency miners (SHELLBIND and EternalRed malware families)
• Ransomware targeting file servers: Samba file servers hold organizational file shares; ransomware operators specifically target Samba to encrypt network-accessible file stores, maximizing damage; CVE-2017-7494 provides initial access to Linux file servers that back Windows network shares
• NAS device persistence: NAS devices run Samba with root privileges and are rarely monitored with security tools; crypto-miners and backdoors installed via CVE-2017-7494 can persist for months
• Long exploitation tail: CISA's March 2023 KEV addition — nearly 6 years after the patch — reflects that Samba exploitation campaigns continued to be observed through 2023, particularly against unpatched NAS devices running EOL firmware
• CISA KEV (2023): Added March 30, 2023 following confirmed ransomware and cryptominer exploitation

Remediation

1. Upgrade Samba — update to Samba 4.6.4+, 4.5.10+, or 4.4.14+ to patch CVE-2017-7494; update NAS device firmware which includes the Samba update; use the OS package manager on Linux servers.

2. Add nt pipe support = no as interim workaround — if immediate upgrade is not possible, add this to the [global] section of smb.conf to disable the IPC pipe loading mechanism:

   nt pipe support = no
   

   Note: this may break certain client functionality.

3. Remove public/anonymous write access from shares — remove any anonymous or guest write permissions from Samba shares; require authentication for all write operations; CVE-2017-7494 exploitation requires writable share access.

4. Restrict Samba to the local network — block TCP port 445 at the internet perimeter; Samba should not be directly accessible from the internet; use a VPN or dedicated NAS management network for remote access.

5. Apply NAS firmware updates — NAS device vendors (Synology, QNAP, Western Digital, Netgear ReadyNAS) released firmware updates addressing CVE-2017-7494; apply the latest firmware for all NAS devices on the network.