-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.0429
         Out-of-bounds heap read/write vulnerability in VFS module
                      vfs_fruit allows code execution
                              1 February 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Samba
Publisher:         Samba
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-44142  

Reference:         ESB-2022.0426
                   ESB-2022.0418

Original Bulletin: 
   https://www.samba.org/samba/security/CVE-2021-44142.html

Comment: CVSS (Max):  9.9 CVE-2021-44142 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
         CVSS Source: Samba

- --------------------------BEGIN INCLUDED TEXT--------------------

=================================================================
== Subject:     Out-of-bounds heap read/write vulnerability
==              in VFS module vfs_fruit allows code execution
==
== CVE ID#:     CVE-2021-44142
==
== Versions:    All versions of Samba prior to 4.13.17
==
== Summary:     This vulnerability allows remote attackers to
==              execute arbitrary code as root on affected Samba
==              installations that use the VFS module vfs_fruit.
=================================================================

===========
Description
===========

All versions of Samba prior to 4.13.17 are vulnerable to an
out-of-bounds heap read/write vulnerability that allows remote
attackers to execute arbitrary code as root on affected Samba
installations that use the VFS module vfs_fruit.

The specific flaw exists within the parsing of EA metadata when
opening files in smbd. Access as a user that has write access to a
file's extended attributes is required to exploit this
vulnerability. Note that this could be a guest or unauthenticated user
if such users are allowed write access to file extended attributes.

The problem in vfs_fruit exists in the default configuration of the
fruit VFS module using fruit:metadata=netatalk or fruit:resource=file.
If both options are set to different settings than the default values,
the system is not affected by the security issue.

==================
Patch Availability
==================

Patches addressing this issue have been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba 4.13.17, 4.14.12 and 4.15.5 have been issued as
security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.

==================
CVSSv3 calculation
==================

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C

Base score 9.9.

==========
Workaround
==========

As a workaround remove the "fruit" VFS module from the list of
configured VFS objects in any "vfs objects" line in the Samba
configuration smb.conf.

Note that changing the VFS module settings fruit:metadata or
fruit:resource to use the unaffected setting causes all stored
information to be inaccessible and will make it appear to macOS
clients as if the information is lost.
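The affected-configuration rule given in the Description (fruit loaded with
fruit:metadata=netatalk or fruit:resource=file, which are also the module
defaults when the options are unset), the fixed releases listed under Patch
Availability, and the workaround above translate directly into a triage
check. The script below is an added example; it is not part of the Samba
advisory or the AusCERT bulletin. It decides whether a reported Samba
version number carries the fix, parses an smb.conf (the sample text is
constructed for this example), reports which shares load vfs_fruit with the
affected settings after applying share-over-global inheritance, and applies
the workaround of dropping "fruit" from every "vfs objects" line. All
function and variable names are the example's own.

```python
"""Triage helper for CVE-2021-44142 in Samba's vfs_fruit.

Added example, not taken from the Samba or AusCERT advisory. It encodes two
statements from the advisory: the fix first shipped in 4.13.17, 4.14.12 and
4.15.5, and a share is exposed only when the "fruit" VFS module is loaded
with fruit:metadata=netatalk or fruit:resource=file (the module defaults).
"""
import configparser
import re

# First fixed release on each maintained branch, as listed in the advisory.
FIXED_RELEASES = [(4, 13, 17), (4, 14, 12), (4, 15, 5)]
# The affected settings; they are also what the module uses when unset.
AFFECTED_METADATA = "netatalk"
AFFECTED_RESOURCE = "file"

# Constructed sample smb.conf: [global] loads fruit with safe settings, one
# share overrides metadata back to the affected value, one share drops fruit.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = EXAMPLE
   vfs objects = catia fruit streams_xattr
   fruit:metadata = stream
   fruit:resource = xattr

[macshare]
   path = /srv/mac
   ; share-level override puts the affected default back
   fruit:metadata = netatalk

[plain]
   path = /srv/plain
   vfs objects = streams_xattr

[timemachine]
   path = /srv/tm
   fruit:time machine = yes
"""


def parse_version(text):
    """Extract (major, minor, patch) from strings such as 'Version 4.13.3-Ubuntu'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised Samba version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def version_is_fixed(text):
    """True if the upstream version number carries the fix.

    On a patched branch the version must reach that branch's first fixed
    release; branches older than 4.13 never got the fix; branches newer than
    4.15 were cut after it. Distribution backports are NOT detected here.
    """
    v = parse_version(text)
    for fixed in FIXED_RELEASES:
        if v[:2] == fixed[:2]:
            return v >= fixed
    return v[:2] > FIXED_RELEASES[-1][:2]


def _normalise(key):
    # Samba parameter names are case-insensitive and ignore internal whitespace.
    return re.sub(r"\s+", "", key).lower()


def load_smb_conf(text):
    """Parse smb.conf text into {section: {normalised key: value}}."""
    cp = configparser.ConfigParser(
        delimiters=("=",),          # ':' appears inside keys like fruit:metadata
        comment_prefixes=("#", ";"),
        strict=False,               # tolerate repeated sections or keys
        interpolation=None,         # never expand '%U'-style Samba macros
        empty_lines_in_values=False,
    )
    cp.read_string(text)
    return {s.lower(): {_normalise(k): v.strip() for k, v in cp.items(s)}
            for s in cp.sections()}


def share_fruit_exposure(conf, share):
    """None if the share does not load vfs_fruit, else its effective settings.

    Share-level values override [global]; an unset option falls back to the
    module default, which is exactly the affected value.
    """
    scopes = (conf.get(share.lower(), {}), conf.get("global", {}))

    def effective(key, default):
        for scope in scopes:
            if key in scope:
                return scope[key].lower()
        return default

    modules = (effective("vfsobjects", None) or effective("vfsobject", "")).split()
    if "fruit" not in modules:
        return None
    metadata = effective("fruit:metadata", AFFECTED_METADATA)
    resource = effective("fruit:resource", AFFECTED_RESOURCE)
    return {"metadata": metadata, "resource": resource,
            "affected": metadata == AFFECTED_METADATA or resource == AFFECTED_RESOURCE}


def assess_host(version, smb_conf_text):
    """Combine both checks: shares needing action on an unpatched host."""
    if version_is_fixed(version):
        return {"fixed": True, "exposed_shares": []}
    conf = load_smb_conf(smb_conf_text)
    exposed = [s for s in conf if s != "global"
               and (share_fruit_exposure(conf, s) or {}).get("affected")]
    return {"fixed": False, "exposed_shares": sorted(exposed)}


_VFS_LINE = re.compile(r"^([ \t]*vfs[ \t]*objects?[ \t]*=[ \t]*)(.*)$",
                       re.IGNORECASE | re.MULTILINE)


def remove_fruit(smb_conf_text):
    """The advisory's workaround: drop 'fruit' from every 'vfs objects' line."""
    def strip(m):
        kept = [mod for mod in m.group(2).split() if mod.lower() != "fruit"]
        return m.group(1) + " ".join(kept)
    return _VFS_LINE.sub(strip, smb_conf_text)


if __name__ == "__main__":
    print(assess_host("Version 4.13.3-Ubuntu", SAMPLE_SMB_CONF))
    print(assess_host("Version 4.13.3-Ubuntu", remove_fruit(SAMPLE_SMB_CONF)))
```

Feed it the output of "testparm -s" rather than the raw file so that include
directives and macros are already resolved. The version check compares
upstream numbers only: a distribution package that backports the fix under
an older version string still reports as unfixed, so the package changelog
remains the authority there. The remove_fruit() transform has the same
consequence the advisory notes for any change to the fruit settings:
metadata that vfs_fruit previously stored is no longer presented to macOS
clients.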


=======
Credits
=======

Originally reported by Orange Tsai from DEVCORE.

Patches provided by Ralph Böhme of the Samba team.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYfiq+ONLKJtyKPYoAQgdNxAAhYmEUWpp+7ODGfyfUs8Px+nKsHhJHPje
bmqlp5pE08gvF0BeCY3KcKtxO3YHWDefAoI/x1ATDI1+t3QzCsCb5eF0GAEe0Fpa
Ovkto3kDIKwh/6mMDO9R5hx03D9ogMC5KesopilXf5EqOL2hV81nlSbG4+DiQugv
epFKUOCZwXXYgAy2H+IPzo2vXQWkL530B56QPi9p5+m33EVnWiDQRhQyVgQcw3iO
DQCkqj7dQ+4nhMeX0bE1sG2YK/aBfadYDVFjuzpR2As7wqNXd/UQj+/uq0eohM7J
vmNMwx64QwhvOaIj+KsbNrShTr5hFam9GUDpInCHjkPHXObcdipLzJ1y2RJQ0NXB
xHqu92K1jdsSQfOI0u9vi5to4+VzbcBBpatzn/ckL+ZAiYi6WgGIH7qVI9ogVM5L
Ol4RG5b2yxRwv8SjXF5R7oNeomh4QtxITXw5guybJf8QnPYZPr77eBQtrlMg6wPj
eclkkQIq6mS8lv/fxMOKgFhbwX9WQL/WBuG31uaLCf4wJMUrzUqcoZL2uIcrg77q
aMGMm4uEtTDHd/o96HRDe/L0aLTp2KwGKWzxwEtkiPRFK5uld3q0A4iu00EBoYXa
pFfZWD/Bpnb3Uo05cSqEEkm2E3ia5kiZGjy8vEIRmvRcTdCzKSCP9HsW7c73PcCW
sF+CP7GazaQ=
=qjgr
-----END PGP SIGNATURE-----