Software will always have bugs. The challenge is finding and closing them before attackers figure out what kind of damage they can cause by exploiting them. In the case of the Samba networking utility, the remote code execution bug can potentially be exploited by a network worm, which means addressing this vulnerability just shot to the top—or nearly to the top—of the sysadmin’s to-do list.

Samba is an implementation of the SMB/CIFS protocol that lets Unix and Linux systems access Windows file and print services, as well as interoperate with Windows networking features such as Active Directory and Windows Server Domain. Many home and corporate network storage systems run Samba, and it’s very straightforward to enable the Samba service on any Linux endpoint.

A malicious client can “upload a shared library to a writable share, and then cause the server to load and execute it,” the Samba maintainers wrote in an advisory. Samba is currently at version 4.6.4; the vulnerability was introduced seven years ago in version 3.5.0.

Basically, if there is a vulnerable version of Samba running on a system, such as an NAS or any other network storage device, and the attacker has the ability to upload files onto that vulnerable device, then exploitation is trivial, requiring just a single line of code. An attacker can exploit the flaw to target the data stored on the file-share or the storage device. Considering the number of devices that use Samba and how long the vulnerability has been present, the potential for a fast-moving network worm is very high, and the damage could be widespread.

Organizations around the world saw firsthand with WannaCry and its sibling variants how quickly attackers can package exploits and release them in attacks. WannaCry ransomware and the newer EternalRocks worm highlighted how criminals take advantage of the lag time between when software updates are released and when they are actually deployed.
These network worms spread rapidly because they were able to exploit the SMBv1 flaw in unpatched Windows systems.

“Many NAS environments are used as network backup systems. A direct attack or worm would render those backups almost useless,” said Bob Rudis, lead data scientist at Rapid7. “We advise that organizations create an offline copy of critical data as soon as possible if patching cannot be done immediately.”

The Samba maintainers have released a patch, but it only applies to more recent versions of Samba, specifically 4.6, 4.5, and 4.4. Anyone running versions between 3.5 and 4.3 remains vulnerable, as those versions are no longer supported. Version 4.4 was released March 2016, so any system that is more than a year old and has not been updated to 4.4 or later does not have an available patch at this time.

“Organizations should be reviewing their official asset and configuration management systems to immediately identify vulnerable systems and then perform comprehensive and regular full network vulnerability scans to identify misconfigured or rogue systems,” Rudis said.

Rapid7 Labs looked at Project Sonar’s daily results, which contain scanning data for the entire IPv4 address space, and discovered more than 104,000 endpoints exposed on the Internet that appear to be running vulnerable versions of Samba. While some of these are servers and gateways into the organization’s networks, a number of these would also be home networking gear and Internet of Things (IoT) devices. In those cases, the vendors would have to take charge of updating their devices to fix the flaw, and the update process is not as simple as just running Windows Update on a computer.

Nearly 90 percent of devices running a vulnerable version of Samba are potentially running a version for which there is no direct patch—meaning they are likely running versions older than 4.4.
The patching challenge gets even more complex if they are IoT devices, many of which don’t even have an update mechanism.

The vulnerability exists in the networking utility’s remote procedure call (RPC) server component (CVE-2017-7494). The RPC server allowed pipe names that include a “/” character, which could let attackers craft directory traversal attacks. The patch blocks a connection in this case, and requires a regexp to be used instead. HD Moore, vice president of research and development at Atredis Partners and founder of the Metasploit penetration testing framework, said on Twitter that he could exploit the flaw on a system running Ubuntu Linux 16.04 and Synology NAS. A Metasploit module for some systems is already available.

While there is no sign of this Samba flaw being used in active attacks, the fact that it can be “wormable” makes it very dangerous for business networks. Don’t focus on how many vulnerable devices are directly accessible from the Internet. The biggest danger will come from the vulnerable devices internally. All the attacker has to do is get a foothold in the network—not so hard to do—and it can easily spread throughout the network.

And that’s not even considering the malicious payload the worm may be delivering. WannaCry was ransomware, but other versions included a cryptocurrency miner and a remote-access Trojan. No one knows what EternalRocks will do as it has yet to dump a payload. Considering Samba is used on fileshares and backups, imagine the damage it can cause if combined with ransomware. Such a worm can be devastating, bringing the whole organization to a standstill.

If the device has Samba and can be updated, make sure to run the update. If an update mechanism is missing, but there is a way to manually apply the patch, do it.
There is a workaround—adding nt pipe support = no to the [global] section of the smb.conf file and restarting smbd—so if that is an option, do that. The workaround will prevent clients from fully accessing network computers. If none of this is possible, make sure the data is available offline, just in case. Beef up other security measures to protect the vulnerable devices. Criminals will chain together multiple exploits, so don’t neglect other defense-in-depth measures.

Considering the kind of damage an attack targeting this flaw could cause, it’s highly likely attackers will soon begin actively targeting it.
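The following audit helper is an added example, not code from the Samba project or from this article. It checks whether an smb.conf text actually carries the workaround in its [global] section and sorts a Samba version string into the branches the article describes. The function names, bucket labels and sample configs are assumptions constructed for illustration.

```python
import re

# Constructed sample smb.conf texts (not taken from the article).
MITIGATED = "[global]\n  workgroup = EXAMPLE\n  NT Pipe Support = No  \n[backup]\n  writable = yes\n"
UNMITIGATED = "[global]\n; nt pipe support = no\n[backup]\n  nt pipe support = no\n"

PREDATES = "predates the bug (older than 3.5)"
NO_PATCH = "vulnerable branch, no patch released (3.5 to 4.3)"
PATCHED_BRANCH = "patch released for this branch (confirm it is installed)"
NOT_COVERED = "newer than the branches the article covers"

def _norm(name):
    # smb.conf section and parameter names ignore case and whitespace.
    return re.sub(r"\s+", "", name).lower()

def workaround_enabled(conf_text):
    """True only if [global] sets 'nt pipe support' to a false value.

    Simplified parser: include directives and backslash line
    continuations are not followed.
    """
    section, enabled = None, False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            section = _norm(header.group(1))
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            if _norm(key) == "ntpipesupport":
                # The last occurrence in the section decides the result.
                enabled = value.strip().lower() in ("no", "false", "0")
    return enabled

def classify(version):
    """Bucket a version string such as '4.3.11-Ubuntu' by major.minor."""
    m = re.match(r"(\d+)\.(\d+)", version)
    if not m:
        raise ValueError("unrecognised version: %r" % version)
    branch = (int(m.group(1)), int(m.group(2)))
    if branch < (3, 5):
        return PREDATES
    if branch < (4, 4):
        return NO_PATCH
    return PATCHED_BRANCH if branch <= (4, 6) else NOT_COVERED
```

A setting that is commented out, or placed in a share section instead of [global], is reported as not mitigated, which is the failure mode an audit should surface.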