Executive Summary



This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS. For more information, you can read this.
Summary
Title Samba vfs_fruit module insecurely handles extended file attributes
Informations
Name VU#119678 First vendor Publication 2022-01-31
Vendor VU-CERT Last vendor Modification 2022-06-27
Severity (Vendor) N/A Revision M

Security-Database Scoring CVSS v3

Cvss vector : CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Overall CVSS Score 8.8
Base Score 8.8 Environmental Score 8.8
impact SubScore 5.9 Temporal Score 8.8
Exploitabality Sub Score 2.8
 
Attack Vector Network Attack Complexity Low
Privileges Required Low User Interaction None
Scope Unchanged Confidentiality Impact High
Integrity Impact High Availability Impact High
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:S/C:C/I:C/A:C)
Cvss Base Score 9 Attack Range Network
Cvss Impact Score 10 Attack Complexity Low
Cvss Expoit Score 8 Authentication Requires single instance
Calculate full CVSS 2.0 Vectors scores

Detail

Overview

The Samba vfs_fruit module allows out-of-bounds heap read and write via extended file attributes (CVE-2021-44142). This vulnerability allows a remote attacker to execute arbitrary code with root privileges.

Description

The Samba vfs_fruit module uses extended file attributes (EA, xattr) to provide "...enhanced compatibility with Apple SMB clients and interoperability with a Netatalk 3 AFP fileserver." Samba with vfs_fruit configured allows out-of-bounds heap read and write via specially crafted extended file attributes.

For more information, see the Samba announcement for CVE-2021-44142 and bug 14914. Also available for reference is a detailed blog post from ZDI.

Impact

A remote attacker with write access to extended file attributes can execute arbitrary code with the privileges of smbd, typically root.

From the Samba annoucement for CVE-2021-44142:

Access as a user that has write access to a file's extended attributes is required to exploit this vulnerability. Note that this could be a guest or unauthenticated user if such users are allowed write access to file extended attributes.

Solution

Apply an update

Samba has released versions 4.13.17, 4.14.12, and 4.15.5.

Disable vfs_fruit

As a workaround, remove 'fruit' from 'vfs objects' lines in Samba configuration files (e.g., smb.conf).

Acknowledgements

Thanks to Orange Tsai of DEVCORE for researching and reporting this vulnerability. Thanks also to Samba, ZDI, and Western Digital for coordination efforts.

This document was written by James Stanley and Art Manion.

Original Source

Url : https://kb.cert.org/vuls/id/119678

CWE : Common Weakness Enumeration

% Id Name
50 % CWE-787 Out-of-bounds Write (CWE/SANS Top 25)
50 % CWE-125 Out-of-bounds Read

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 1
Application 1
Application 1
Application 371
Application 13
Os 5
Os 2
Os 2
Os 2
Os 1
Os 2
Os 2
Os 2
Os 1
Os 2
Os 2
Os 1
Os 1
Os 2
Os 2
Os 2
Os 3
Os 1
Os 3

Alert History

If you want to see full details history, please login or register.
0
1
2
3
4
5
6
7
8
9
10
11
12
Date Informations
2022-06-28 00:22:02
  • Multiple Updates
2022-03-25 17:17:43
  • Multiple Updates
2022-03-01 17:17:46
  • Multiple Updates
2022-02-23 21:29:48
  • Multiple Updates
2022-02-23 17:17:41
  • Multiple Updates
2022-02-14 17:17:44
  • Multiple Updates
2022-02-10 17:17:47
  • Multiple Updates
2022-02-09 21:17:47
  • Multiple Updates
2022-02-04 17:17:40
  • Multiple Updates
2022-02-03 21:17:47
  • Multiple Updates
2022-02-02 05:17:55
  • Multiple Updates
2022-02-01 21:17:47
  • Multiple Updates
2022-01-31 21:17:42
  • First insertion