CVE-2017-7494
published 2017-05-30


Priority: P1 · 99 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT · Ransomware · Initial access
CISA Known Exploited Vulnerability, due 2023-04-20
Exploited in the wild
EPSS: 99.45% (99.9th percentile)

Samba since version 3.5.0 and before 4.6.4, 4.5.10 and 4.4.14 is vulnerable to remote code execution, allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it.

Affected

11 ranges
Vendor | Product | Version range | Fixed in
debian | debian_linux | |
debian | samba | < samba 2:4.5.8+dfsg-2 (bookworm) | samba 2:4.5.8+dfsg-2 (bookworm)
samba | samba | |
samba | samba | >= 0 < 2:4.5.8+dfsg-2 | 2:4.5.8+dfsg-2
samba | samba | >= 0 < 2:4.5.8+dfsg-2 | 2:4.5.8+dfsg-2
samba | samba | >= 0 < 2:4.5.8+dfsg-2 | 2:4.5.8+dfsg-2
samba | samba | >= 0 < 2:4.5.8+dfsg-2 | 2:4.5.8+dfsg-2
samba | samba | >= 3.5.0 < 4.4.0 | 4.4.0
samba | samba | >= 4.4.0 < 4.4.14 | 4.4.14
samba | samba | >= 4.5.0 < 4.5.10 | 4.5.10
samba | samba | >= 4.6.0 < 4.6.4 | 4.6.4

Detection & IOCs (extracted from sources)

filename: INAebsGB.so
hash: 349d84b3b176bbc9834230351ef3bc2a
snort: 43002-43004
  • Attackers probe for write access by writing a text file of 8 random symbols to the share, then deleting it — detect this write-then-immediate-delete pattern on SMB shares as a precursor to exploitation.
  • After uploading the payload .so file, attackers brute-force common share root paths to locate the dropped file — monitor SMB traffic for repeated IPC/named-pipe open attempts against sequential filesystem paths.
  • The exploit payload is a shared library (.so file) uploaded to a writable Samba share and then loaded by smbd — alert on .so files written to Samba-accessible shares by unauthenticated or anonymous sessions.
  • The reverse-shell payload (INAebsGB.so) spawns /bin/sh — monitor for smbd spawning shell processes as a child.
  • Use Nessus plugin 42411 to identify SMB shares providing access to unprivileged/anonymous users, which is a required precondition for exploitation.
  • Exploitation requires a writable share with anonymous/unprivileged write access — systems without such shares are not directly exploitable even if running a vulnerable Samba version.
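
The precondition in the last item can be checked together with the affected version range. The following is an added example, not code from this page or from the Samba project: the function names are hypothetical, the `smb.conf` parameter names are Samba's own, and it assumes upstream version strings and checks only guest (anonymous) access, not every unprivileged account that may hold write access.

```python
import configparser
import re

FIXED = {(4, 4): 14, (4, 5): 10, (4, 6): 4}   # first fixed patch level per branch, from the advisory
TRUE = {"yes", "true", "on", "1"}
RO, WRITE, GUEST = ("read only",), ("writable", "writeable", "write ok"), ("guest ok", "public")

def upstream_vulnerable(version):
    """True if an upstream Samba version is in the affected range (distro backports not considered)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    major, minor, patch = map(int, m.groups())
    if (major, minor) in FIXED:
        return patch < FIXED[(major, minor)]
    return (3, 5, 0) <= (major, minor, patch) < (4, 4, 0)   # older branches affected, 4.7+ not

def _resolve(section, default, same, inverted=()):
    """Apply boolean smb.conf parameters in file order; the last setting wins."""
    for key, val in section.items():
        on = (val or "").strip().lower() in TRUE
        if key in same:
            default = on
        elif key in inverted:
            default = not on
    return default

def guest_writable_shares(smb_conf_text):
    """Names of shares that are both writable and open to guest sessions."""
    cp = configparser.RawConfigParser(strict=False, allow_no_value=True, delimiters=("=",))
    # Strip indentation: configparser would treat deeper-indented lines as continuations.
    cp.read_string("\n".join(line.strip() for line in smb_conf_text.splitlines()))
    glob = next((cp[s] for s in cp.sections() if s.lower() == "global"), {})
    base_ro, base_guest = _resolve(glob, True, RO, WRITE), _resolve(glob, False, GUEST)
    return [name for name in cp.sections() if name.lower() != "global"
            and not _resolve(cp[name], base_ro, RO, WRITE)
            and _resolve(cp[name], base_guest, GUEST)]

# Constructed sample configuration, not taken from any real host.
SAMPLE = """
[global]
   map to guest = Bad User
[public]
   guest ok = yes
   writable = yes
[docs]
   public = yes
"""
if __name__ == "__main__": print(upstream_vulnerable("4.5.9"), guest_writable_shares(SAMPLE))
```

A Debian package such as 2:4.5.8+dfsg-2 carries the fix while reporting an upstream version below 4.5.10, so for distribution packages the "Fixed in" column above takes precedence over this check.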

CVSS provenance

nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C
osv | | 9.8 | CRITICAL |
vulncheck | | 9.8 | CRITICAL |
cisa | | 9.8 | CRITICAL |
vendor_cisco | | 9.8 | CRITICAL |
vendor_debian | | 9.8 | CRITICAL |
vendor_redhat | | 9.8 | CRITICAL |