Introduction
Samba is an open-source service that implements the SMB (Server Message Block) protocol, which has been in wide deployment for decades. Several vulnerabilities related to Samba were announced during a recent Pwn2Own event in Austin, including a heap overflow leading to a remote command execution (RCE).
The vulnerability lies within a specific VFS (Virtual File System) module called “vfs_fruit,” which provides an extra layer of compatibility with Apple file-sharing clients. This module was introduced in June 2014 and has been active since Samba version 4.2.0. While reports state this vulnerability exists in all Samba versions before 4.13.17, it seems unlikely to exist in versions before 4.2.0 when the vfs_fruit module was first introduced.
The reader should note that while an attacker can exploit this vulnerability remotely, read/write permissions are still needed, which may include anonymous and guest user accounts, on the remote server in some way or another (whether inband or out-of-band). Zero Day Initiative has written an excellent technical rundown of the vulnerability over on their blog for more information.
Samba on the Internet
To preface the following statistics, the reader should know that while Censys can see the versions associated with a Samba service, we cannot determine whether a service has anonymous or guest user access enabled, nor if the vfs_fruit VFS module is running on an individual server. Both of which are required for the exploit to be successful.
Heatmap of hosts running Samba
Censys found 273,245 Samba SMB services running on the public internet. Of those, 22,546 hosts had no version available, while only 3,464 hosts had a Samba version greater than or equal to 4.2.0. The most prevalent version, 3.0.37, had over 180,00 unique hosts. As for the most likely vulnerable versions, 4.10.4 was the number one with 1,127 hosts, followed closely by 4.4.16 with 1,107 hosts.
The following table shows the top 17 Samba versions and the number of hosts Censys was able to find.
| Samba Version |
Host Count |
| 3.0.37 |
184,362 |
| Unknown |
22,546 |
| 3.3.4 |
13,874 |
| 3.2.9 |
5,940 |
| 3.6.3 |
5,763 |
| 3.0.24 |
4,926 |
| 3.0.28a |
3,414 |
| 3.6.25 |
3,151 |
| 3.2.15 |
2,924 |
| 3.6.6 |
2,482 |
| 3.0.3 |
2,139 |
| 3.6.23 |
2,032 |
| 3.6.24 |
1,941 |
| 3.0.27a |
1,804 |
| 3.0.23d |
1,659 |
| 3.5.6 |
1,213 |
| 4.10.4 |
1,127 |
What can I do about it?
- To work around the bug, an administrator can disable vfs_fruit in the servers smb.conf configuration file
- Upgrade to Samba version 4.13.17, 4.14.12, or 4.15.5
Censys ASM has been updated with new fingerprints for identifying potentially vulnerable Samba services.
