Update now: Samba prior to 4.13.17 hit with remote root code execution bug

The vulnerability lies in the vfs_fruit module, which improves interoperability between Samba and OS X clients.
Written by Chris Duckett on

Samba has fixed a vulnerability in all versions of its software prior to 4.13.17 that allowed a remote actor to execute code as root, thanks to an out-of-bounds heap read/write bug.

"The specific flaw exists within the parsing of EA metadata when opening files in smbd. Access as a user that has write access to a file's extended attributes is required to exploit this vulnerability," Samba said in its security notice.

"Note that this could be a guest or unauthenticated user if such users are allowed write access to file extended attributes."

Discovered by Orange Tsai from Devcore and labelled as CVE-2021-44142, Samba said the vfs_fruit module that improves compatibility for OS X clients is vulnerable in its default configuration.

The flaw is only reachable with the module's default settings, fruit:metadata=netatalk and fruit:resource=file; if either option is set to something else, the vulnerability does not work, but changing them comes with a warning.

"Changing the VFS module settings fruit:metadata or fruit:resource to use the unaffected setting causes all stored information to be inaccessible and will make it appear to macOS clients as if the information is lost," Samba said.

Therefore, Samba says the preferred workaround, short of patching, is to remove the fruit VFS module from the configuration.
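To audit which shares actually expose the module with the vulnerable defaults described above, here is an added checker that is not part of the article or of Samba itself; it assumes smb.conf's INI-style layout, that share sections inherit settings from [global], and that the option names and default values are exactly those given in the advisory. The embedded smb.conf is a constructed sample.

```python
import configparser, sys

# Vulnerable defaults named in the advisory; vfs_fruit is exploitable only while both hold.
VULNERABLE_DEFAULTS = {"fruit:metadata": "netatalk", "fruit:resource": "file"}

# Constructed sample smb.conf (not from the article) covering three cases:
# fruit inherited from [global], a share with an unaffected metadata setting,
# and a share that overrides "vfs objects" without fruit.
SAMPLE_SMB_CONF = """[global]
   workgroup = WORKGROUP
   vfs objects = catia fruit streams_xattr
[macshare]
   path = /srv/mac
   fruit:resource = file
[safe]
   path = /srv/safe
   fruit:metadata = stream
[plain]
   path = /srv/plain
   vfs objects = acl_xattr
"""

def parse_smb_conf(text):
    """Parse smb.conf text into {section: {key: value}} with lowercase names.
    Only '=' is a delimiter, since option names like fruit:metadata contain ':'."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None,
                                   strict=False, empty_lines_in_values=False)
    cp.read_string(text)
    conf = {s.lower(): {k: v.strip() for k, v in cp[s].items()} for s in cp.sections()}
    conf.setdefault("global", {})
    return conf

def fruit_exposed_shares(text):
    """Return shares where the fruit module is loaded (per share or via [global])
    and both fruit options are still at the CVE-2021-44142 vulnerable defaults."""
    conf = parse_smb_conf(text)
    exposed = []
    for name, share in conf.items():
        if name == "global":
            continue
        effective = {**conf["global"], **share}  # share settings override [global]
        if "fruit" not in effective.get("vfs objects", "").split():
            continue
        if all(effective.get(k, v).lower() == v for k, v in VULNERABLE_DEFAULTS.items()):
            exposed.append(name)
    return exposed

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SMB_CONF
    print("shares exposed to CVE-2021-44142:", fruit_exposed_shares(text))
```

Run it against a real file with `python3 check_fruit.py /etc/samba/smb.conf`; a share listed in the output still needs either the patched release or the fruit module removed from its `vfs objects` line.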

The vulnerability was given a near-perfect score of 9.9 on the CVSSv3.1 scale.

Versions 4.13.17, 4.14.12, and 4.15.5 of Samba have been released to fix the issue. While traditional desktop and server users are able to update through the normal processes, those running NAS systems, particularly older ones, will need to wait for any potential firmware upgrades.

Those releases also fix CVE-2022-0336, rated at 8.8, and CVE-2021-44141, rated at 4.2.

For CVE-2022-0336, Samba Active Directory users who can write to an account's servicePrincipalName (SPN) attribute are able to impersonate services, thanks to a number of checks being skipped.

"An attacker who has the ability to write to an account can exploit this to perform a denial-of-service attack by adding an SPN that matches an existing service. Additionally, an attacker who can intercept traffic can impersonate existing services, resulting in a loss of confidentiality and integrity," Samba said.

The CVE-2021-44141 issue lets clients use symlinks to work out whether a file or directory exists in an area not exported through Samba. For the attack to work, both SMB1 and Unix extensions need to be turned on; using SMB2 is enough to foil the attack.

"SMB1 has been disabled on Samba since version 4.11.0 and onwards," Samba said.
