Samba bug can let remote attackers execute code as root

Samba has addressed a critical severity vulnerability that can let attackers gain remote code execution with root privileges on servers running vulnerable software.

Samba is an SMB networking protocol re-implementation that provides file sharing and printing services across many platforms, allowing Linux, Windows, and macOS users to share files over a network.

The vulnerability, tracked as CVE-2021-44142 and reported by Orange Tsai of DEVCORE, is an out-of-bounds heap read/write present in the vfs_fruit VFS module when parsing EA metadata when opening files in smbd.

“The problem in vfs_fruit exists in the default configuration of the fruit VFS module using fruit:metadata=netatalk or fruit:resource=file,” Samba explained in a security advisory published today.

“If both options are set to different settings than the default values, the system is not affected by the security issue.”

The vulnerable vfs_fruit module is designed to provide enhanced compatibility with Apple SMB clients and Netatalk 3 AFP fileservers.

According to the CERT Coordination Center (CERT/CC), the list of platforms impacted by this vulnerability includes Red Hat, SUSE Linux, and Ubuntu.

How to fix the problem

Attackers can exploit the flaw in low complexity attacks without requiring user interaction if the targeted servers run any Samba installations before version 4.13.17, the release that addresses this bug.

While default configurations are exposed to attacks, threat actors that would want to target this vulnerability would need write access to a file’s extended attributes.

“Note that this could be a guest or unauthenticated user if such users are allowed write access to file extended attributes,” the Samba Team added.

Administrators are advised to install the 4.13.17, 4.14.12, and 4.15.5 releases published today or apply the corresponding patches to correct the security defect as soon as possible.

Samba also provides a workaround for admins who cannot immediately install the latest releases, which requires them to remove ‘fruit’ from ‘vfs objects’ lines in their Samba configuration files.

However, as the Samba Team notes, “changing the VFS module settings fruit:metadata or fruit:resource to use the unaffected setting causes all stored information to be inaccessible and will make it appear to macOS clients as if the information is lost.”