-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.0429
   Out-of-bounds heap read/write vulnerability in VFS module vfs_fruit
                          allows code execution
                               1 February 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Samba
Publisher:         Samba
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-44142
Reference:         ESB-2022.0426
                   ESB-2022.0418

Original Bulletin:
   https://www.samba.org/samba/security/CVE-2021-44142.html

Comment: CVSS (Max):  9.9 CVE-2021-44142 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/)
         CVSS Source: Samba

- --------------------------BEGIN INCLUDED TEXT--------------------

=================================================================
== Subject:     Out-of-bounds heap read/write vulnerability
==              in VFS module vfs_fruit allows code execution
==
== CVE ID#:     CVE-2021-44142
==
== Versions:    All versions of Samba prior to 4.13.17
==
== Summary:     This vulnerability allows remote attackers to
==              execute arbitrary code as root on affected Samba
==              installations that use the VFS module vfs_fruit.
=================================================================

===========
Description
===========

All versions of Samba prior to 4.13.17 are vulnerable to an out-of-bounds
heap read/write vulnerability that allows remote attackers to execute
arbitrary code as root on affected Samba installations that use the VFS
module vfs_fruit.

The specific flaw exists within the parsing of EA metadata when opening
files in smbd. Access as a user that has write access to a file's extended
attributes is required to exploit this vulnerability. Note that this could
be a guest or unauthenticated user if such users are allowed write access
to file extended attributes.

The problem in vfs_fruit exists in the default configuration of the fruit
VFS module using fruit:metadata=netatalk or fruit:resource=file. If both
options are set to different settings than the default values, the system
is not affected by the security issue.

==================
Patch Availability
==================

Patches addressing both these issues have been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba 4.13.17, 4.14.12 and 4.15.5 have been issued as
security releases to correct the defect. Samba administrators are advised
to upgrade to these releases or apply the patch as soon as possible.

==================
CVSSv3 calculation
==================

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C

Base score 9.9.

==========
Workaround
==========

As a workaround remove the "fruit" VFS module from the list of configured
VFS objects in any "vfs objects" line in the Samba configuration smb.conf.

Note that changing the VFS module settings fruit:metadata or fruit:resource
to use the unaffected setting causes all stored information to be
inaccessible and will make it appear to macOS clients as if the information
is lost.

=======
Credits
=======

Originally reported by Orange Tsai from DEVCORE.

Patches provided by Ralph Böhme of the Samba team.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you
do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
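The advisory's exposure rule (fruit loaded, and fruit:metadata or fruit:resource still at its default) and its workaround (drop "fruit" from every "vfs objects" line) are easy to get wrong on a real server because both settings are share-level parameters that a share silently inherits from [global]. The following Python is an added example, not code from the Samba project or the bulletin: it parses a constructed smb.conf, flags the shares the rule applies to, rewrites the file the way the workaround describes, and adds a heuristic check of an `smbd --version` string against the fixed releases named above. The sample configuration, the share names and all function names are this example's own.

```python
import re

# Defaults named in the advisory: vfs_fruit is exposed whenever it is loaded
# and fruit:metadata or fruit:resource is still at one of these values.
AFFECTED_DEFAULTS = {"fruit:metadata": "netatalk", "fruit:resource": "file"}

# Patch level at which each release branch named in the advisory is fixed.
FIXED_IN = {(4, 13): 17, (4, 14): 12, (4, 15): 5}

# Constructed sample smb.conf for this example (not taken from the advisory).
SAMPLE_SMB_CONF = """\
[global]
   vfs objects = catia fruit streams_xattr

[macshare]
   path = /srv/mac
   fruit:metadata = stream
   fruit:resource = xattr

[halfway]
   path = /srv/halfway
   fruit:resource = xattr

[timemachine]
   path = /srv/tm
   fruit:time machine = yes

[plain]
   path = /srv/plain
   vfs objects = acl_xattr
"""


def norm(name):
    """Samba ignores case and all whitespace in section and parameter names."""
    return "".join(name.lower().split())


def parse_smb_conf(text):
    """Minimal smb.conf parser: {section: {normalised param: value}}.
    Handles comment lines (# or ; first) and backslash line continuations."""
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        pending = ""
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = norm(line[1:-1])
            sections[current] = {}
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][norm(key)] = value.strip()
    return sections


def effective(sections, share, param):
    """Share value, falling back to [global], which supplies share defaults."""
    return sections.get(share, {}).get(param, sections.get("global", {}).get(param))


def share_is_exposed(sections, share):
    """The advisory's rule: exposed if fruit is loaded and at least one of
    fruit:metadata / fruit:resource is at (or implicitly at) its default."""
    modules = (effective(sections, share, "vfsobjects") or "").split()
    if "fruit" not in modules:
        return False
    for param, default in AFFECTED_DEFAULTS.items():
        value = effective(sections, share, param)
        if value is None or value.lower() == default:
            return True
    return False


def exposed_shares(text):
    """Names of the shares that the rule above flags on an unpatched server."""
    sections = parse_smb_conf(text)
    return sorted(s for s in sections if s != "global" and share_is_exposed(sections, s))


def apply_workaround(text):
    """The advisory's workaround: drop 'fruit' from every 'vfs objects' line.
    The advisory warns that macOS clients then see the fruit-stored metadata
    as lost, so this is an interim measure, not a substitute for upgrading."""
    out = []
    for raw in text.splitlines():
        name, sep, value = raw.partition("=")
        if sep and norm(name) == "vfsobjects":
            modules = [m for m in value.split() if m != "fruit"]
            raw = f"{name}= {' '.join(modules)}"
        out.append(raw)
    return "\n".join(out) + "\n"


def version_is_fixed(version_string):
    """Heuristic check of an 'smbd --version' string against the fixed
    releases. Distributions backport fixes without bumping the version, so
    False means 'ask your vendor', not 'confirmed vulnerable'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version_string)
    if not m:
        raise ValueError(f"no version number in {version_string!r}")
    major, minor, patch = (int(x) for x in m.groups())
    if (major, minor) in FIXED_IN:
        return patch >= FIXED_IN[(major, minor)]
    return (major, minor) > (4, 15)
```

On the sample, only `macshare` (both settings non-default) and `plain` (overrides the inherited module list) come out clean; `timemachine` never mentions fruit at all yet is exposed, and `halfway` is still exposed because changing fruit:resource alone is not enough. On a live server, feed the output of `testparm -s` rather than the raw file, so that includes and overrides are already resolved.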
NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYfiq+ONLKJtyKPYoAQgdNxAAhYmEUWpp+7ODGfyfUs8Px+nKsHhJHPje
bmqlp5pE08gvF0BeCY3KcKtxO3YHWDefAoI/x1ATDI1+t3QzCsCb5eF0GAEe0Fpa
Ovkto3kDIKwh/6mMDO9R5hx03D9ogMC5KesopilXf5EqOL2hV81nlSbG4+DiQugv
epFKUOCZwXXYgAy2H+IPzo2vXQWkL530B56QPi9p5+m33EVnWiDQRhQyVgQcw3iO
DQCkqj7dQ+4nhMeX0bE1sG2YK/aBfadYDVFjuzpR2As7wqNXd/UQj+/uq0eohM7J
vmNMwx64QwhvOaIj+KsbNrShTr5hFam9GUDpInCHjkPHXObcdipLzJ1y2RJQ0NXB
xHqu92K1jdsSQfOI0u9vi5to4+VzbcBBpatzn/ckL+ZAiYi6WgGIH7qVI9ogVM5L
Ol4RG5b2yxRwv8SjXF5R7oNeomh4QtxITXw5guybJf8QnPYZPr77eBQtrlMg6wPj
eclkkQIq6mS8lv/fxMOKgFhbwX9WQL/WBuG31uaLCf4wJMUrzUqcoZL2uIcrg77q
aMGMm4uEtTDHd/o96HRDe/L0aLTp2KwGKWzxwEtkiPRFK5uld3q0A4iu00EBoYXa
pFfZWD/Bpnb3Uo05cSqEEkm2E3ia5kiZGjy8vEIRmvRcTdCzKSCP9HsW7c73PcCW
sF+CP7GazaQ=
=qjgr
-----END PGP SIGNATURE-----