Samba warns of a very serious vulnerability in its SMB software
The Samba project, which develops the free SMB server daemon of the same name, warns of a serious vulnerability that could allow attackers to execute code with root privileges. The vulnerability has been given a CVSS score of 9.9 out of 10.
The vulnerability, tracked as CVE-2021-44142, is present in every version of Samba prior to 4.13.17. It is an out-of-bounds heap read/write that allows remote attackers to execute arbitrary code as root on Samba installations that use the VFS module vfs_fruit. That module provides compatibility with Apple SMB clients and interoperability with a Netatalk 3 AFP file server. Samba rates the vulnerability as very serious and therefore asks administrators to update the software as soon as possible.
The flaw lies in the parsing of EA (extended attribute) metadata when files are opened in smbd. To exploit it, an attacker needs write access to a file's extended attributes, but Samba notes that this could be a guest or unauthenticated user if such users are allowed to write extended attributes.
That means attackers who exploit the vulnerability do not necessarily need authentication to run arbitrary code in Samba; on such configurations they can execute code in the smbd daemon with root privileges. The Zero Day Initiative explains in a blog post how the vulnerability can be exploited via the heap out-of-bounds read/write and buffer overflow. According to the CERT Coordination Center, the vulnerability also affects Red Hat, SUSE Linux and Ubuntu.
Although Samba primarily recommends updating the software, it has also published a workaround: remove the fruit VFS module from the list of configured VFS objects on every "vfs objects" line in the Samba configuration where fruit is mentioned. However, this has serious consequences for macOS systems that access the Samba server. Samba warns that changing fruit:metadata or fruit:resource to a different setting makes previously stored information inaccessible, and makes it look to macOS clients as if the information has been lost. The Zero Day Initiative advises against the workaround and urges users to focus on installing and testing the patch.
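As an added example (not code from the Samba project or from any of the sources this article cites), the following POSIX shell script applies the workaround mechanically and checks whether a given smbd version already contains the fix. The smb.conf embedded in it is constructed for the demonstration, the function and variable names are this example's own, and the fixed releases it compares against (4.13.17, 4.14.12 and 4.15.5) are the ones announced with Samba's security release for CVE-2021-44142.

```shell
#!/bin/sh
# Added example (not Samba project code): find shares that load vfs_fruit in an
# smb.conf, emit a copy with the module removed (Samba's workaround), and decide
# from a version string whether a build carries the CVE-2021-44142 fix.
# Fixed releases assumed here, per Samba's security release: 4.13.17, 4.14.12, 4.15.5.

# Constructed sample smb.conf: two shares load fruit (with the affected default
# settings fruit:metadata=netatalk / fruit:resource=file), one share does not.
SAMPLE_CONF='[global]
   workgroup = WORKGROUP
   vfs objects = catia fruit streams_xattr
   fruit:metadata = netatalk
   fruit:resource = file

[timemachine]
   path = /srv/tm
   vfs objects = fruit streams_xattr
   fruit:time machine = yes

[plain]
   path = /srv/plain
   vfs objects = acl_xattr
'

# Print (with line numbers) every "vfs objects" line that loads the fruit module.
# The module name must stand alone: "fruit:metadata" option lines do not count.
find_fruit_lines() {
    grep -nE '^[[:space:]]*vfs[[:space:]]+objects[[:space:]]*=.*[[:space:]=]fruit([[:space:]]|$)' "$1"
}

# Emit a copy of the config with "fruit" dropped from every "vfs objects" line,
# leaving all other settings (including the fruit:* options) untouched.
strip_fruit() {
    sed -E '/^[[:space:]]*vfs[[:space:]]+objects[[:space:]]*=/ s/([[:space:]=])fruit([[:space:]]|$)/\1/g' "$1"
}

# Return 0 if the given Samba version (e.g. "4.15.5" or "Version 4.15.5-Ubuntu",
# as printed by `smbd -V`) includes the fix, 1 otherwise. Branches older than
# 4.13 were end-of-life and received no fix, so they count as vulnerable.
samba_version_fixed() {
    v=${1#Version }
    IFS=. read -r major minor patch <<EOF
$v
EOF
    patch=${patch%%[!0-9]*}      # drop distro suffixes such as "5-Ubuntu"
    [ -z "$patch" ] && patch=0
    [ "$major" -gt 4 ] && return 0
    [ "$major" -lt 4 ] && return 1
    case "$minor" in
        13) [ "$patch" -ge 17 ] ;;
        14) [ "$patch" -ge 12 ] ;;
        15) [ "$patch" -ge 5 ] ;;
        *)  [ "$minor" -gt 15 ] ;;
    esac
}

# Demo against the constructed sample.
conf=$(mktemp)
printf '%s' "$SAMPLE_CONF" > "$conf"
echo "Shares loading vfs_fruit:"
find_fruit_lines "$conf"
echo
echo "Config with the module removed (Samba's workaround):"
strip_fruit "$conf"
rm -f "$conf"

# Check the installed smbd, if there is one on this host.
if command -v smbd >/dev/null 2>&1; then
    ver=$(smbd -V)
    if samba_version_fixed "$ver"; then
        echo "$ver: contains the fix"
    else
        echo "$ver: vulnerable to CVE-2021-44142 if vfs_fruit is loaded"
    fi
fi
```

Run testparm on the rewritten configuration before reloading smbd. Note that only the "vfs objects" lines are changed: the fruit:metadata and fruit:resource options are left as they are, since Samba warns that changing those settings makes previously stored metadata inaccessible to macOS clients. Removing the module still costs macOS clients the features vfs_fruit provides, so the upgrade remains the real fix.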
The vulnerability was found by several researchers. Samba credits Taiwanese researcher Orange Tsai as the discoverer. An exploit was demonstrated in November by Thach Nguyen Hoang and Billy Jheng Bing-Jhong at Pwn2Own Austin 2021, where it earned them $45,000. It therefore took Samba a while to release an update for the vulnerability.