CVE-2020-14342: cifs-utils release 6.11 ready for download
It was found that cifs-utils’ mount.cifs was invoking a shell when requesting the Samba password, which could be used to inject arbitrary commands. An attacker able to invoke mount.cifs with special permission, such as via sudo rules, could use this flaw to escalate their privileges.
Pavel Shilovsky pshilovsky at samba.org
Thu Sep 3 17:29:29 UTC 2020
New version 6.11 of cifs-utils has been released today. This is a security release to address the following bug:
CVE-2020-14342: mount.cifs: fix shell command injection
For more details, refer to the description below.
===========================================================
== Subject:     Shell command injection in mount.cifs
==
== CVE ID#:     CVE-2020-14342
==
== Versions:    cifs-utils 5.6 and later
==
== Summary:     A user controlling the username mount option can embed
==              shell commands that will be run in the context of
==              the calling user.
===========================================================

===========
Description
===========
A bug has been reported recently for the mount.cifs utility which is part of the cifs-utils package. The tool has a shell injection issue where one can embed shell commands via the username mount option. Those commands will be run via popen() in the context of the user calling mount.
The bug requires cifs-utils to be built with --with-systemd (enabled by default if supported).
A quick test to check if the mount.cifs binary is vulnerable is to look for popen() calls like so:
    $ nm mount.cifs | grep popen
                     U popen@@GLIBC_2.2.5
If the user is allowed to run mount.cifs via sudo, he can obtain a root shell.
    sudo mount.cifs -o username='`sh`' //1 /mnt
If mount.cifs has the setuid bit, the command will still be run as the calling user (no privilege escalation).
The bug was introduced in June 2012 with commit 4e264031d0da7d3f2 (“mount.cifs: Use systemd’s mechanism for getting password, if present.”).
Affected versions:

    cifs-utils-5.6
    cifs-utils-5.7
    cifs-utils-5.8
    cifs-utils-5.9
    cifs-utils-6.0
    cifs-utils-6.1
    cifs-utils-6.2
    cifs-utils-6.3
    cifs-utils-6.4
    cifs-utils-6.5
    cifs-utils-6.6
    cifs-utils-6.7
    cifs-utils-6.8
    cifs-utils-6.9
    cifs-utils-6.10

==================
Patch Availability
==================
A patch is available as an attachment on the bug report. It can be applied from v6.10 down to v6.2 included. A backported patch is also available for v6.1 and under.
https://bugzilla.samba.org/show_bug.cgi?id=14442
==================
CVSSv3 calculation
==================
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N (4.4)
=========================
Workaround and mitigation
=========================

For systems that cannot be updated, a wrapper executable around mount.cifs can be installed. This wrapper simply calls the original mount.cifs on correct input and exits on injection attempts.

Once the wrapper is installed and owned by root, it can have the setuid bit if necessary, and the original mount.cifs binary can have the setuid and execution bits for group and other cleared.
You can find more information along with a Golang implementation of this wrapper on the bug report attachments.
https://bugzilla.samba.org/show_bug.cgi?id=14442
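The following is an added illustration of the wrapper idea described above, written here as an example; it is not the Go implementation attached to the bug report and not part of cifs-utils. It assumes the real binary has been renamed to /sbin/mount.cifs.real (a hypothetical path) and that rejecting shell metacharacters in every -o option value is the desired policy. The wrapper validates the option string, refuses to run when an injection attempt is found, and otherwise forwards the arguments unchanged to the real binary.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"os/exec"
	"strings"
)

// Assumed location of the real mount.cifs after its setuid and
// group/other execute bits have been cleared (hypothetical path).
const realMountCifs = "/sbin/mount.cifs.real"

// Characters that a shell interprets when an option value ends up inside a
// popen()-style command string. Any of them in an option value is refused.
const shellMeta = "`$\\\"'|&;<>(){}\n\r"

// ErrInjection reports a mount option containing shell metacharacters.
var ErrInjection = errors.New("mount option contains shell metacharacters")

// parseOptions splits "k1=v1,k2,k3=v3" into key/value pairs
// (flag-style options such as "ro" get an empty value).
func parseOptions(opts string) map[string]string {
	out := make(map[string]string)
	for _, field := range strings.Split(opts, ",") {
		if field == "" {
			continue
		}
		k, v, _ := strings.Cut(field, "=")
		out[k] = v
	}
	return out
}

// CheckMountOptions returns ErrInjection (wrapped with the offending key)
// when any option key or value contains a shell metacharacter, nil otherwise.
func CheckMountOptions(opts string) error {
	for k, v := range parseOptions(opts) {
		if strings.ContainsAny(k, shellMeta) || strings.ContainsAny(v, shellMeta) {
			return fmt.Errorf("%w: option %q", ErrInjection, k)
		}
	}
	return nil
}

// SafeArgs walks the wrapper's arguments (argv without argv[0]), validates
// every "-o opts" and "-oopts" occurrence, and returns the arguments to
// forward unchanged. Any other argument is passed through as-is.
func SafeArgs(args []string) ([]string, error) {
	for i := 0; i < len(args); i++ {
		var opts string
		switch a := args[i]; {
		case a == "-o":
			if i+1 >= len(args) {
				return nil, errors.New("-o requires an argument")
			}
			i++
			opts = args[i]
		case strings.HasPrefix(a, "-o") && len(a) > 2:
			opts = a[2:]
		default:
			continue
		}
		if err := CheckMountOptions(opts); err != nil {
			return nil, err
		}
	}
	return args, nil
}

func main() {
	args, err := SafeArgs(os.Args[1:])
	if err != nil {
		// Exit on injection attempts instead of forwarding them.
		fmt.Fprintln(os.Stderr, "mount.cifs wrapper: refusing to run:", err)
		os.Exit(1)
	}
	// Forward clean input to the real binary; no shell is involved, the
	// arguments are passed as an argv vector.
	cmd := exec.Command(realMountCifs, args...)
	cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
	if err := cmd.Run(); err != nil {
		var exitErr *exec.ExitError
		if errors.As(err, &exitErr) {
			os.Exit(exitErr.ExitCode())
		}
		fmt.Fprintln(os.Stderr, "mount.cifs wrapper:", err)
		os.Exit(1)
	}
}
```

The check is deliberately broad: a CIFS username or domain has no legitimate need for backticks, `$`, quotes or command separators, so refusing the whole set is simpler and safer than trying to quote them. Note that the shell consumes the single quotes in the advisory's `username='` + "`sh`" + `'` example before mount.cifs sees the value, so the wrapper inspects the bare backticks.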
=======
Credits
=======
Originally reported by Vadim Lebedev.
Patch and workaround provided by Paulo Alcantara and Aurelien Aptel.
==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================