Headline
CVE-2021-44142: Samba - Security Announcement Archive
The Samba vfs_fruit module uses extended file attributes (EA, xattr) to provide “…enhanced compatibility with Apple SMB clients and interoperability with a Netatalk 3 AFP fileserver.” Samba versions prior to 4.13.17, 4.14.12 and 4.15.5 with vfs_fruit configured allow out-of-bounds heap read and write via specially crafted extended file attributes. A remote attacker with write access to extended file attributes can execute arbitrary code with the privileges of smbd, typically root.
CVE-2021-44142.html:
================================================================= == Subject: Out-of-bounds heap read/write vulnerability == in VFS module vfs_fruit allows code execution == == CVE ID#: CVE-2021-44142 == == Versions: All versions of Samba prior to 4.13.17 == == Summary: This vulnerability allows remote attackers to == execute arbitrary code as root on affected Samba == installations that use the VFS module vfs_fruit. =================================================================
=========== Description ===========
All versions of Samba prior to 4.13.17 are vulnerable to an out-of-bounds heap read write vulnerability that allows remote attackers to execute arbitrary code as root on affected Samba installations that use the VFS module vfs_fruit.
The specific flaw exists within the parsing of EA metadata when opening files in smbd. Access as a user that has write access to a file’s extended attributes is required to exploit this vulnerability. Note that this could be a guest or unauthenticated user if such users are allowed write access to file extended attributes.
The problem in vfs_fruit exists in the default configuration of the fruit VFS module using fruit:metadata=netatalk or fruit:resource=file. If both options are set to different settings than the default values, the system is not affected by the security issue.
================== Patch Availability ==================
Patches addressing both these issues have been posted to:
https://www.samba.org/samba/security/
Additionally, Samba 4.13.17, 4.14.12 and 4.15.5 have been issued as security releases to correct the defect. Samba administrators are advised to upgrade to these releases or apply the patch as soon as possible.
================== CVSSv3 calculation ==================
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C
Base score 9.9.
========== Workaround ==========
As a workaround remove the “fruit” VFS module from the list of configured VFS objects in any “vfs objects” line in the Samba configuration smb.conf.
Note that changing the VFS module settings fruit:metadata or fruit:resource to use the unaffected setting causes all stored information to be inaccessible and will make it appear to macOS clients as if the information is lost.
======= Credits =======
Originally reported by Orange Tsai from DEVCORE. Nguyen Hoang Thach and Billy Jheng Bing-Jhong of STAR Labs working with Trend Micro Zero Day Initiative Lucas Leong of Trend Micro Zero Day Initiative
Patches provided by Ralph Böhme of the Samba team.
========================================================== == Our Code, Our Bugs, Our Responsibility. == The Samba Team ==========================================================