CVE-2017-7494
Published: 2017-05-30
Priority: P1 (99), critical, 9.8 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV, in the wild, exploit available, ransomware, initial access
CISA Known Exploited Vulnerability, remediation due 2023-04-20
Exploited in the wild
EPSS: 99.45% (99.9th percentile)
Samba since version 3.5.0 and before 4.6.4, 4.5.10 and 4.4.14 is vulnerable to a remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it.
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | samba | < samba 2:4.5.8+dfsg-2 (bookworm) | samba 2:4.5.8+dfsg-2 (bookworm) |
| samba | samba | — | — |
| samba | samba | >= 0 < 2:4.5.8+dfsg-2 | 2:4.5.8+dfsg-2 |
| samba | samba | >= 3.5.0 < 4.4.0 | 4.4.0 |
| samba | samba | >= 4.4.0 < 4.4.14 | 4.4.14 |
| samba | samba | >= 4.5.0 < 4.5.10 | 4.5.10 |
| samba | samba | >= 4.6.0 < 4.6.4 | 4.6.4 |
Detection & IOCs (extracted from sources)
Snort SIDs: 43002-43004
- Attackers probe for write access by writing a text file of 8 random symbols to the share, then deleting it — detect this write-then-immediate-delete pattern on SMB shares as a precursor to exploitation.
- After uploading the payload .so file, attackers brute-force common share root paths to locate the dropped file — monitor SMB traffic for repeated IPC/named-pipe open attempts against sequential filesystem paths.
- The exploit payload is a shared library (.so file) uploaded to a writable Samba share and then loaded by smbd — alert on .so files written to Samba-accessible shares by unauthenticated or anonymous sessions.
- The reverse-shell payload (INAebsGB.so) spawns /bin/sh — monitor for smbd spawning shell processes as a child.
- Use Nessus plugin 42411 to identify SMB shares providing access to unprivileged/anonymous users, which is a required precondition for exploitation.
- Exploitation requires a writable share with anonymous/unprivileged write access — systems without such shares are not directly exploitable even if running a vulnerable Samba version.
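As an added defender-side check (not code from the page, Samba, or any vendor listed here), the script below parses an smb.conf and flags the shares that meet the precondition stated above: writable and reachable by guest/anonymous sessions. The sample smb.conf is constructed; the parameter synonyms it understands (writable/writeable/write ok, guest ok/public, read only, map to guest) and their defaults are Samba's documented ones.

```python
import configparser

# Constructed sample smb.conf for demonstration; not taken from any real host.
# "upload" is the risky pattern: writable and reachable by guest sessions.
SAMPLE_SMB_CONF = """
[global]
workgroup = WORKGROUP
map to guest = Bad User

[upload]
path = /srv/samba/upload
guest ok = yes
read only = no

[public]
path = /srv/samba/public
public = yes
writable = no

[staff]
path = /srv/samba/staff
valid users = @staff
writeable = yes

[homes]
browseable = no
read only = no
"""

# Spellings Samba accepts as "true" for boolean parameters.
_TRUE = {"yes", "true", "1", "on"}


def samba_bool(value, default):
    """Interpret a Samba boolean parameter, using the documented default when unset."""
    if value is None:
        return default
    return value.strip().lower() in _TRUE


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {param: value}} with lower-cased keys.

    interpolation=None keeps Samba substitutions such as %U intact;
    strict=False tolerates repeated sections/keys, as smbd itself does.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.read_string(text)
    return {section: dict(cp.items(section)) for section in cp.sections()}


def share_is_writable(params):
    """writable, writeable and write ok are synonyms; read only is the inverse.

    Samba's default is read only = yes, so an unconfigured share is read-only.
    """
    for key in ("writable", "writeable", "write ok"):
        if key in params:
            return samba_bool(params[key], False)
    return not samba_bool(params.get("read only"), True)


def share_allows_guest(params):
    """guest ok and public are synonyms; the default is no."""
    for key in ("guest ok", "public"):
        if key in params:
            return samba_bool(params[key], False)
    return False


def guest_mapping_enabled(conf):
    """True when [global] map to guest is anything other than Never, meaning
    some failed logins are silently turned into guest sessions."""
    value = conf.get("global", {}).get("map to guest", "never")
    return value.strip().lower() != "never"


def exposed_shares(conf):
    """Shares that satisfy the precondition: writable and open to guests."""
    return [
        name for name, params in conf.items()
        if name != "global"
        and share_is_writable(params)
        and share_allows_guest(params)
    ]


def audit(text):
    """Run both checks over one smb.conf and return the findings."""
    conf = parse_smb_conf(text)
    return {
        "exposed_shares": exposed_shares(conf),
        "guest_mapping_enabled": guest_mapping_enabled(conf),
    }


if __name__ == "__main__":
    import sys
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SMB_CONF
    result = audit(src)
    for share in result["exposed_shares"]:
        print(f"[!] share '{share}' is writable and guest-accessible")
    if result["guest_mapping_enabled"]:
        print("[!] map to guest is set: failed logins may become guest sessions")
```

Run it against a real /etc/samba/smb.conf path; a flagged share on a Samba build in the affected ranges above is the combination the detection bullets describe.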
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| osv | — | 9.8 | CRITICAL | — |
| vulncheck | — | 9.8 | CRITICAL | — |
| cisa | — | 9.8 | CRITICAL | — |
| vendor_cisco | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 9.8 | CRITICAL | — |
| vendor_redhat | — | 9.8 | CRITICAL | — |
CISA
Samba Remote Code Execution Vulnerability
cisa·2023-03-30·CVSS 9.8
CVE-2017-7494 [CRITICAL] CWE-94 Samba Remote Code Execution Vulnerability
Vulnerability: Samba Remote Code Execution Vulnerability
Affected: Samba Samba
Samba contains a remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share and then cause the server to load and execute it.
Required Action: Apply updates per vendor instructions.
Notes: https://www.samba.org/samba/security/CVE-2017-7494.html; https://nvd.nist.gov/vuln/detail/CVE-2017-7494
Remediation Due Date: 2023-04-20
CISA ICS
Schneider Electric U.motion Builder (Update A)
cisa_ics·2017-06-29·CVSS 9.8
[CRITICAL] Schneider Electric U.motion Builder (Update A)
Archived content: in an effort to keep CISA.gov current, the archive contains outdated information that may not reflect current policy or programs.
ICS Advisory: Schneider Electric U.motion Builder (Update A)
Last revised: January 08, 2019
Alert code: ICSA-17-180-02
## 1. EXECUTIVE SUMMARY
- CVSS v3 10.0
- ATTENTION: Remotely exploitable/low skill level to exploit. Public exploits are available.
- Vendor: Schneider Electric
- Equipment: U.motion Builder
- Vulnerabilities (Begin Update A, Part 1 of 5): SQL Injection, Path Traversal, Improper Authentication, Use of Hard-Coded Password, Improper Access Control, Denial of Service, Information Disclosure, Improper Input Validation, Improper Control of Generation of Code
Cisco
Vulnerability in Samba Affecting Cisco Products: May 2017
vendor_cisco·2017-05-30·CVSS 9.8
CVE-2017-7494 [CRITICAL] CWE-20 Vulnerability in Samba Affecting Cisco Products: May 2017
Vulnerability in Samba Affecting Cisco Products: May 2017
On May 24, 2017, the Samba team disclosed a vulnerability in Samba server software that could allow an authenticated attacker to execute arbitrary code remotely on a targeted system.
This vulnerability has been assigned CVE ID CVE-2017-7494.
This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170530-samba
Ubuntu
Samba vulnerability
vendor_ubuntu·2017-05-24
CVE-2017-7494 Samba vulnerability
Title: Samba vulnerability
Summary: Samba could be made to run programs as an administrator.
USN-3296-1 fixed a vulnerability in Samba. This update provides the corresponding update for Ubuntu 12.04 ESM.
Original advisory details:
It was discovered that Samba incorrectly handled shared libraries. A remote attacker could use this flaw to upload a shared library to a writable share and execute arbitrary code.
Instructions: In general, a standard system update will make all the necessary changes.
Ubuntu
Samba vulnerability
vendor_ubuntu·2017-05-24
CVE-2017-7494 Samba vulnerability
Title: Samba vulnerability
Summary: Samba could be made to run programs as an administrator.
It was discovered that Samba incorrectly handled shared libraries. A remote attacker could use this flaw to upload a shared library to a writable share and execute arbitrary code.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
samba: Loading shared modules from any path in the system leading to RCE (SambaCry)
vendor_redhat·2017-05-24·CVSS 9.8
CVE-2017-7494 [CRITICAL] samba: Loading shared modules from any path in the system leading to RCE (SambaCry)
samba: Loading shared modules from any path in the system leading to RCE (SambaCry)
Samba since version 3.5.0 and before 4.6.4, 4.5.10 and 4.4.14 is vulnerable to a remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it.
A remote code execution flaw was found in Samba. A malicious authenticated samba client, having write access to the samba share, could use this flaw to execute arbitrary code as root.
Statement: This vulnerability exists in the samba server, client side packages are not affected.
Mitigation: Any of the following:
1. SELinux is enabled by default and our default policy prevents loading of modules from outside of samba's module directories and therefore blocks the exp
Debian
CVE-2017-7494: samba - Samba since version 3.5.0 and before 4.6.4, 4.5.10 and 4.4.14 is vulnerable to r...
vendor_debian·2017·CVSS 9.8
CVE-2017-7494 [CRITICAL] CVE-2017-7494: samba - Samba since version 3.5.0 and before 4.6.4, 4.5.10 and 4.4.14 is vulnerable to r...
Samba since version 3.5.0 and before 4.6.4, 4.5.10 and 4.4.14 is vulnerable to a remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it.
Scope: local
bookworm: resolved (fixed in 2:4.5.8+dfsg-2)
bullseye: resolved (fixed in 2:4.5.8+dfsg-2)
forky: resolved (fixed in 2:4.5.8+dfsg-2)
sid: resolved (fixed in 2:4.5.8+dfsg-2)
trixie: resolved (fixed in 2:4.5.8+dfsg-2)
Cisco
Vulnerability in Samba Affecting Cisco Products: May 2017
vendor_cisco
CVE-2017-7494 Vulnerability in Samba Affecting Cisco Products: May 2017
On May 24, 2017, the Samba team disclosed a vulnerability in Samba server software that could allow an authenticated attacker to execute arbitrary code remotely on a targeted system. This vulnerability has been assigned CVE ID CVE-2017-7494. This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170530-samba
CWE: CWE-20
Bug IDs: CSCve61674, CSCve61675, CSCve61680
GHSA
GHSA-453q-q3mp-9cq4: Samba since version 3
ghsa_unreviewed·2022-05-14
CVE-2017-7494 [CRITICAL] CWE-94 GHSA-453q-q3mp-9cq4: Samba since version 3
Samba since version 3.5.0 and before 4.6.4, 4.5.10 and 4.4.14 is vulnerable to a remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it.
OSV
CVE-2017-7494: Samba since version 3
osv·2017-05-30·CVSS 9.8
CVE-2017-7494 [CRITICAL] CVE-2017-7494: Samba since version 3
Samba since version 3.5.0 and before 4.6.4, 4.5.10 and 4.4.14 is vulnerable to a remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it.
VulnCheck
Samba Remote Code Execution Vulnerability
vulncheck·2017·CVSS 9.8
CVE-2017-7494 [CRITICAL] CWE-94 Samba Remote Code Execution Vulnerability
Samba Remote Code Execution Vulnerability
Samba contains a remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share and then cause the server to load and execute it.
Affected: Samba Samba
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://www.bleepingcomputer.com/news/security/storagecrypt-ransomware-infecting-nas-devices-using-sambacry/; https://bartblaze.blogspot.com/2017/12/storagecrypt-ransomware-coinminer-and.html; https://digital.nhs.uk/cyber-alerts/2017/cc-1858; https://www.ivanti.com/resources/v/doc/pr-survey-report/ransomware-quarterly-indexreport_q2-q3; https://info.securin.io/hubfs/Securin%20Ransomware%20Report%202023.pdf; https://www.cisa.gov/si
Suricata
ET EXPLOIT Samba Arbitrary Module Loading Vulnerability M2 (NT Create AndX .so) (CVE-2017-7494)
suricata·2017-06-16·CVSS 9.8
CVE-2017-7494 [CRITICAL] ET EXPLOIT Samba Arbitrary Module Loading Vulnerability M2 (NT Create AndX .so) (CVE-2017-7494)
ET EXPLOIT Samba Arbitrary Module Loading Vulnerability M2 (NT Create AndX .so) (CVE-2017-7494)
Rule:
```
alert tcp any any -> $HOME_NET 445 (msg:"ET EXPLOIT Samba Arbitrary Module Loading Vulnerability M2 (NT Create AndX .so) (CVE-2017-7494)"; flow:established,to_server; content:"SMB"; offset:5; depth:3; content:"|05 00|"; distance:8; within:2; content:"|00 2e 00 73 00 6f 00|"; fast_pattern; endswith; reference:cve,2017-7494; classtype:attempted-admin; sid:2024384; rev:4; metadata:affected_product Linux, attack_target Server, created_at 2017_06_16, cve CVE_2017_7494, deployment Perimeter, deployment Internal, performance_impact Moderate, confidence Medium, signature_severity Major, tag CISA_KEV, updated_at 2024_03_07;)
```
Suricata
ET EXPLOIT Samba Arbitrary Module Loading Vulnerability (.so file write to share) (CVE-2017-7494)
suricata·2017-05-25·CVSS 9.8
CVE-2017-7494 [CRITICAL] ET EXPLOIT Samba Arbitrary Module Loading Vulnerability (.so file write to share) (CVE-2017-7494)
ET EXPLOIT Samba Arbitrary Module Loading Vulnerability (.so file write to share) (CVE-2017-7494)
Rule:
```
alert tcp any any -> $HOME_NET 445 (msg:"ET EXPLOIT Samba Arbitrary Module Loading Vulnerability (.so file write to share) (CVE-2017-7494)"; flow:established,to_server; content:"SMB|2d 00|"; offset:5; depth:5; content:"|00 00|"; distance:1; within:2; content:"|12 00|"; distance:40; within:2; content:"|2e|so|00|"; fast_pattern; distance:16; reference:cve,2017-7494; reference:url,github.com/rapid7/metasploit-framework/pull/8450; classtype:attempted-admin; sid:2024335; rev:2; metadata:attack_target SMB_Server, created_at 2017_05_25, cve CVE_2017_7494, deployment Datacenter, performance_impact Low, signature_severity Critical, tag CISA_KEV, updated_at 2024_03_07;)
```
Suricata
ET EXPLOIT Samba Arbitrary Module Loading Vulnerability (NT Create AndX .so) (CVE-2017-7494)
suricata·2017-05-25·CVSS 9.8
CVE-2017-7494 [CRITICAL] ET EXPLOIT Samba Arbitrary Module Loading Vulnerability (NT Create AndX .so) (CVE-2017-7494)
ET EXPLOIT Samba Arbitrary Module Loading Vulnerability (NT Create AndX .so) (CVE-2017-7494)
Rule:
```
alert tcp any any -> $HOME_NET 445 (msg:"ET EXPLOIT Samba Arbitrary Module Loading Vulnerability (NT Create AndX .so) (CVE-2017-7494)"; flow:established,to_server; content:"SMB|a2 00|"; offset:5; depth:5; content:"|00 00|"; distance:1; within:2; content:"|2e|so|00|"; fast_pattern; distance:16; reference:cve,2017-7494; reference:url,github.com/rapid7/metasploit-framework/pull/8450; classtype:attempted-admin; sid:2024336; rev:2; metadata:attack_target SMB_Server, created_at 2017_05_25, cve CVE_2017_7494, deployment Datacenter, performance_impact Low, signature_severity Critical, tag CISA_KEV, updated_at 2024_03_07;)
```
Exploit-DB
Samba 3.5.0 < 4.4.14/4.5.10/4.6.4 - 'is_known_pipename()' Arbitrary Module Load (Metasploit)
exploitdb·2017-05-29·CVSS 9.8
CVE-2017-7494 [CRITICAL] Samba 3.5.0 < 4.4.14/4.5.10/4.6.4 - 'is_known_pipename()' Arbitrary Module Load (Metasploit)
Module metadata excerpt (truncated in the source):
```ruby
'Name' => 'Samba is_known_pipename() Arbitrary Module Load',
'Description' => %q{
  This module triggers an arbitrary shared library load vulnerability
  in Samba versions 3.5.0 to 4.4.14, 4.5.10, and 4.6.4. This module
  requires valid credentials, a writeable folder in an accessible share,
  and knowledge of the server-side path of the writeable folder. In
  some cases, anonymous access combined with common filesystem locations
  can be used to automatically exploit this vulnerability.
},
'Author' =>
  [
    'steelo',         # Vulnerability Discovery
    'hdm',            # Metasploit Module
    'Brendan Coles',  # Check logic
    'Tavis Ormandy',  # PID hunting technique
  ],
'License' => MSF_LICENSE,
'References' =>
  [
    [ 'CVE', '2017-7494' ],
    [ 'URL', 'https://www.samba.org/samba/security/CVE-2017-7494.html' ],
  ],
'Payload' =>
  {
    'Sp
```
Exploit-DB
Samba 3.5.0 - Remote Code Execution
exploitdb·2017-05-24·CVSS 9.8
CVE-2017-7494 [CRITICAL] Samba 3.5.0 - Remote Code Execution
Samba 3.5.0 - Remote Code Execution
Script header and class definitions (truncated in the source):
```python
#!/usr/bin/env python
# Title : ETERNALRED
# Date: 05/24/2017
# Exploit Author: steelo
# Vendor Homepage: https://www.samba.org
# Samba 3.5.0 - 4.5.4/4.5.10/4.4.14
# CVE-2017-7494
import argparse
import os.path
import sys
import tempfile
import time
from smb.SMBConnection import SMBConnection
from smb import smb_structs
from smb.base import _PendingRequest
from smb.smb2_structs import *
from smb.base import *


class SharedDevice2(SharedDevice):
    def __init__(self, type, name, comments, path, password):
        super().__init__(type, name, comments)
        self.path = path
        self.password = password


class SMBConnectionEx(SMBConnection):
    def __init__(self, username, password, my_name, remote_name, domain="", use_ntlm_v2=True, sign_options=2, is_direct_tcp=False):
```
Metasploit
Samba is_known_pipename() Arbitrary Module Load
metasploit
Samba is_known_pipename() Arbitrary Module Load
Samba is_known_pipename() Arbitrary Module Load
This module triggers an arbitrary shared library load vulnerability in Samba versions 3.5.0 to 4.4.14, 4.5.10, and 4.6.4. This module requires valid credentials, a writeable folder in an accessible share, and knowledge of the server-side path of the writeable folder. In some cases, anonymous access combined with common filesystem locations can be used to automatically exploit this vulnerability.
Trendmicro
The Samba Vulnerability: What is CVE-2021-44142 and How to Fix It
blogs_trendmicro·2022-02-02·CVSS 8.8
CVE-2021-44142 [HIGH] The Samba Vulnerability: What is CVE-2021-44142 and How to Fix It
# The Samba Vulnerability: What is CVE-2021-44142 and How to Fix It
Information on the latest Samba vulnerability and how to protect systems against the threats that can exploit it.
By: Trend Micro, 2022/02/02
Update as of February 8, 2022: To help identify vulnerable endpoints and/or servers, you may use our recently published assessment tool to scan for the Samba vulnerability.
An earlier version of an out-of-bounds (OOB) vulnerability in Samba was disclosed via Trend Micro Zero Day Initiative’s (ZDI) Pwn2Own Austin 2021. ZDI looked further into the security gap and found more variants of the vulnerability after the event and subsequently disclosed the findings to the company. While we have not seen any active attacks exp
Trendmicro
The Samba Vulnerability: What CVE-2021-44142 Is and How to Fix It
blogs_trendmicro·2022-02-02·CVSS 8.8
CVE-2021-44142 [HIGH] The Samba Vulnerability: What CVE-2021-44142 Is and How to Fix It
## The Samba Vulnerability: What CVE-2021-44142 Is and How to Fix It
Information on the latest Samba vulnerability and how to protect systems against the threats that can exploit it.
By: Trend Micro, Feb 02, 2022
An earlier version of an out-of-bounds (OOB) vulnerability in Samba was disclosed through Trend Micro Zero Day Initiative's (ZDI) Pwn2Own Austin 2021. ZDI looked further into the security gap, found more variants of the vulnerability after the event, and subsequently disclosed the findings to the company. Although we have not seen any active attack exploiting this vulnerability, CVE-2021-44142 received a CVSS rating of 9.9 across the three reported variants. If this is abused
Securelist
SambaCry is coming
blogs_securelist·2017-06-09·CVSS 9.8
CVE-2017-7494 [CRITICAL] SambaCry is coming
Authors
- Mikhail Kuzin
- Yaroslav Shmelev
- Dmitry Galov
Not long ago, news appeared online of a younger sibling for the sensational vulnerability EternalBlue. The story was about a new vulnerability for *nix-based systems – EternalRed (aka SambaCry). This vulnerability (CVE-2017-7494) relates to all versions of Samba, starting from 3.5.0, which was released in 2010, and was patched only in the latest versions of the package (4.6.4/4.5.10/4.4.14).
On May 30th our honeypots captured the first attack to make use of this particular vulnerability, but the payload in this exploit had nothing in common with the Trojan-Crypt that was EternalBlue and WannaCry. Surprisingly, it was a cryptocurrency mining utility!
## Vulnerability exploitation
In order to check that an unauthorized user has p
Qualys
Samba Vulnerability CVE-2017-7494
blogs_qualys·2017-05-26·CVSS 9.8
[CRITICAL] Samba Vulnerability CVE-2017-7494
On Wednesday, the Samba Team patched a vulnerability that exists in all versions of Samba including and after version 3.5.0. Exploitation of this vulnerability could result in remote code execution on the affected host.
Samba is used to provide SMB and CIFS services for Linux systems, and is pervasive in both enterprise and consumer products. While the Samba Team is providing patches for the latest versions (4.4.x and higher), some Linux vendors, such as RedHat and Ubuntu, are providing patches for older versions of Samba if they are used in a supported version of the OS. The Samba Team may also release patches for older versions of Samba.
## Background
Questions have been raised on whether this vulnerability could pose the same risk as WannaCry, and this vulnerability does bear some
Tenable
Detecting SambaCry CVE-2017-7494
blogs_tenable·2017-05-26·CVSS 9.8
CVE-2017-7494 [CRITICAL] Detecting SambaCry CVE-2017-7494
# Detecting SambaCry CVE-2017-7494
Mehul Revankar, May 26, 2017
We’ve seen several critical vulnerabilities lately. First there was WannaCry, and then WannaCry 2.0 (EternalRocks), and now do we have WannaCry 3.0? Well, not really. But a new seven-year-old remote code execution vulnerability (CVE-2017-7494) that is affecting Samba versions 3.5.0 and higher is making news this week. The vulnerability is billed as the WannaCry equivalent for Linux, and some are even calling it SambaCry since it affects the SMB protocol implementation in Linux and is potentially wormable. To be clear, this new vulnerability is unrelated to the SMB exploits that were released by the Shadow Brokers group and used by WannaCry ransomware to infect a large numbe
Tenable
SambaCry Vulnerability Detection
blogs_tenable·2017-05-26·CVSS 9.8
[CRITICAL] SambaCry Vulnerability Detection
by Megan Daudelin May 26, 2017
A seven-year-old remote code execution vulnerability that is affecting Samba versions 3.5.0 and higher is making news this week. The vulnerability is billed as the WannaCry equivalent for *nix operating systems, and some are even calling it SambaCry since it affects the SMB protocol implementation and is potentially wormable. To be clear, this new vulnerability is unrelated to the SMB exploits that were used by the WannaCry ransomware. SambaCry is similar only because the vulnerability affects the SMB protocol. By leveraging data gathered by Tenable Nessus and the Tenable Passive Vulnerability Scanner (PVS), this dashboard is able to give security teams detailed insight into systems in their networks that may be vulnerable to exploitation.
The SambaCry vuln
Talos
Samba Vulnerability: Dancing Its Way to a Network Near You
blogs_talos·2017-05-25·CVSS 9.8
CVE-2017-7494 [CRITICAL] Samba Vulnerability: Dancing Its Way to a Network Near You
### Overview
Today, a new vulnerability affecting the widely used Samba software was released. Samba is the SMB/CIFS protocol commonly used in *NIX operating systems. CVE-2017-7494 has the potential to impact many systems around the world. This vulnerability could allow a user to upload a shared library to a writeable share on a vulnerable Samba server and result in the server executing the uploaded file. This would allow an attacker to upload an exploit payload to a writeable Samba share, resulting in code execution on any server running an affected version of the Samba package. This currently affects all versions of Samba 3.5.0 (released March of 2010) and later. To emphasize the severity and low complexity: a metasploit one-liner can be used to trigger this vulnerability.
A patch has
Crowdstrike
Trying to Dance the Samba: An Exercise in Weaponizing Vulnerabilities
blogs_crowdstrike·CVSS 7.5
CVE-2026-20929 [HIGH] Trying to Dance the Samba: An Exercise in Weaponizing Vulnerabilities
arXiv
Cybersecurity AI Benchmark (CAIBench): A Meta-Benchmark for Evaluating Cybersecurity AI Agents
arxiv_fulltext·2025-10-28
Cybersecurity AI Benchmark (CAIBench): A Meta-Benchmark for Evaluating Cybersecurity AI Agents
## Abstract
Cybersecurity spans multiple interconnected domains, complicating the development of meaningful, labor-relevant benchmarks. Existing benchmarks assess isolated skills rather than integrated performance. We find that pre-trained knowledge of cybersecurity in LLMs does not imply attack and defense abilities, revealing a gap between knowledge and capability. To address this limitation, we present the Cybersecurity AI Benchmark (CAIBench), a modular meta-benchmark framework that allows evaluating LLM models and agents across offensive and defensive cybersecurity domains, taking a step towards meaningfully measuring their labor-relevance. CAIBench integrates five evaluation categories, covering over 10,000 instances: Jeopardy-style CTFs, Attack and Defense CTFs, Cyber Range e
arXiv
Real-World Usability of Vulnerability Proof-of-Concepts: A Comprehensive Study
arxiv_fulltext·2025-10-21
Real-World Usability of Vulnerability Proof-of-Concepts: A Comprehensive Study
Wenjing Dang, Kaixuan Li (Member, IEEE), Sen Chen (Member, IEEE), Zhenwei Zhuo, Lyuye Zhang (Member, IEEE), and Zheli Liu (Member, IEEE)
Wenjing Dang and Kaixuan Li contributed equally to this work.
Wenjing Dang and Zhenwei Zhuo are with the College of Intelligence and Computing, Tianjin University, China. Kaixuan Li and Lyuye Zhang are with Nanyang Technological University, Singapore. Sen Chen (corresponding author) and Zheli Liu are with Nankai University, China.
## Abstract
The Proof-of-Concept (PoC) for a vulnerability is crucial in validating its existence, m
arXiv
xOffense: An AI-driven autonomous penetration testing framework with offensive knowledge-enhanced LLMs and multi agent systems
arxiv_fulltext·2025-09-16
xOffense: An AI-driven autonomous penetration testing framework with offensive knowledge-enhanced LLMs and multi agent systems
Authors: Phung Duc Luong (0009-0004-6057-5313), Le Tran Gia Bao (0009-0000-8911-5741), Nguyen Vu Khai Tam (0009-0008-1715-4213), Dong Huu Nguyen Khoa (0009-0005-9526-140X), Nguyen Huu Quyen (0000-0002-0065-9919), Van-Hau Pham (0000-0003-3147-3356), and Phan The Duy (0000-0002-5945-3712, corresponding author)
Affiliations: Information Security Lab, University of Information Technology, Ho Chi Minh City, Vietnam; Vietnam National University Ho Chi Minh City, Ho Chi Minh City, Vietnam
arXiv
PentestAgent: Incorporating LLM Agents to Automated Penetration Testing
arxiv_fulltext·2025-05-29
PentestAgent: Incorporating LLM Agents to Automated Penetration Testing
Authors: Xiangmin Shen (Northwestern University, Evanston, Illinois, USA), Lingzhi Wang (Northwestern University, Evanston, Illinois, USA), Zhenyuan Li (Zhejiang University, Hangzhou, Zhejiang, China), Yan Chen (Northwestern University, Evanston, Illinois, USA), Wencheng Zhao (Ant Group, Hangzhou, Zhejiang, China), Dawei Sun (Ant Group, Hangzhou, Zhejiang, China), Jiashui Wang (Zhejiang University, Hangzhou, Zhejiang, China), and Wei Ruan (Zhejiang University, Hangzhou, Zhejiang, China)
Xiangmin Shen and Lingzhi Wang contributed equally to this work.
## Abstract
arXiv
One Bad Apple Spoils the Barrel: Understanding the Security Risks Introduced by Third-Party Components in IoT Firmware
arxiv_fulltext·2022-12-29
## Abstract
Currently, the development of IoT firmware heavily depends on third-party components (TPCs) to improve development efficiency. Nevertheless, TPCs are not secure, and the vulnerabilities in TPCs will influence the security of IoT firmware. Existing works pay less attention to the vulnerabilities caused by TPCs, and we still lack a comprehensive understanding of the security impact of TPC vulnerability against firmware. To fill in the knowledge gap, we design and implement , which leverages syntactical features and control-flow graph features to detect the TPCs in firmware, and then recognizes the corresponding vulnerabilities. Based on , we present the first l
arXiv
Intrusion Prevention through Optimal Stopping
arxiv_fulltext·2022-04-01
Kim Hammar and Rolf Stadler
Division of Network and Systems Engineering, KTH Royal Institute of Technology, Sweden; KTH Center for Cyber Defense and Information Security, Sweden
Email: {kimham, stadler}@kth.se
2022 IEEE; This work has been submitted to the IEEE for possible publication. Copyright may be transferred without notice.
## Abstract
We study automated intrusion prevention using reinforcement learning. Following a novel approach, we formulate the problem of intrusion prevention as an (optimal) multiple stopping problem. This formulation gives us insight into the structure of optimal policies, which we show to have threshold properties. For most practical cases, it is not feasible to obtain an optimal defende
CTF
2020-defcon-redteamvillage / README
ctf_writeups·2020
## DEF CON Red Team Village CTF 2020: SSH Tunneling Masterclass
Unlike last year's DEF CON, where I hung around the Monero and Crypto/Privacy villages, I spent most of this year's DEF CON in the virtual Red Team Village. Mostly because there was no Monero CTF this year, and the Red Team CTF looked really interesting.
For the Red Team Village CTF, there was first a qualifying round which was a typical jeopardy CTF. My team "Organizers" came 6th out of over 700 teams. The top 20 teams were selected to compete in the finals, which was definitely one of the best CTFs I've ever played. It was a red team engagement against a corporate network themed after the film [Office Space](https://en.wikipedia.org/wiki/Office_Space). Each of the 20 teams received their own environment - requiring the CTF
CTF
README
ctf_writeups·CVSS 9.8
# Boot to root CTFs
Walkthroughs and notes of 'boot to root' CTFs mostly from VulnHub that I did for fun. I like to use vulnerable VMs from VulnHub (in addition to the ones I create) to organize hands-on penetration testing training sessions for junior security auditors/consultants :-)
### >> Classic pentest methodology to do a Boot2root CTF upload a Webshell)
➤ Clear-text passwords stored in 'public' website pages, configuration files, log files
➤ ...
2. Exploiting unpatched known vulnerabilities
➤ Web server (e.g. Apache Struts RCE: CVE-2017-12611/CVE-2017-9805/CVE-2017-9791, JBoss Java Deserialization RCE)
➤ Bash & web server CGI (e.g. Shellshock RCE CVE-2014-6271/CVE-2014-7169)
➤ Web CMS (e.g. Drupalgeddon2 RCE CVE-2018-7600)
➤ Web framework (e.g. PHP CGI RCE CVE-2012-1823)
➤ FTP s
Bugzilla
CVE-2017-7494 samba: Loading shared modules from any path in the system leading to RCE (SambaCry) [fedora-all]
bugzilla·2017-05-24·CVSS 9.8
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affect
Bugzilla
CVE-2017-7494 samba: Loading shared modules from any path in the system leading to RCE (SambaCry)
bugzilla·2017-05-12·CVSS 9.8
As per upstream samba advisory:
All versions of Samba from 3.5.0 onwards are vulnerable to a remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it.
External References:
https://www.samba.org/samba/security/CVE-2017-7494.html
Acknowledgements:
Name: the Samba project
Upstream: steelo
Discussion:
Created samba tracking bugs for this issue:
Affects: fedora-all [bug 1455050]
---
This issue has been addressed in the following products:
Red Hat Gluster Storage 3.2 for RHEL 6
Red Hat Gluster Storage 3.2 for RHEL 7
Via RHSA-2017:1273 https://access.redhat.com/errata/RHSA-2017:1273
References
http://www.debian.org/security/2017/dsa-3860
http://www.securityfocus.com/bid/98636
http://www.securitytracker.com/id/1038552
https://access.redhat.com/errata/RHSA-2017:1270
https://access.redhat.com/errata/RHSA-2017:1271
https://access.redhat.com/errata/RHSA-2017:1272
https://access.redhat.com/errata/RHSA-2017:1273
https://access.redhat.com/errata/RHSA-2017:1390
https://download.schneider-electric.com/files?p_enDocType=Technical+leaflet&p_File_Name=SEVD-2018-095-01+Security+Notification+Umotion+V1.1.pdf&p_Doc_Ref=SEVD-2018-095-01
https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbns03755en_us
https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03759en_us
https://security.gentoo.org/glsa/201805-07
https://security.netapp.com/advisory/ntap-20170524-0001/
https://www.exploit-db.com/exploits/42060/
https://www.exploit-db.com/exploits/42084/
https://www.samba.org/samba/security/CVE-2017-7494.html
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-7494
Published: 2017-05-30
Added to CISA KEV: 2023-03-30
Exploited in the wild