The Samba vfs_fruit module allows out-of-bounds heap read and write via extended file attributes (CVE-2021-44142). This vulnerability allows a remote attacker to execute arbitrary code with root privileges.
The Samba vfs_fruit module uses extended file attributes (EA, xattr) to provide “…enhanced compatibility with Apple SMB clients and interoperability with a Netatalk 3 AFP fileserver.” Samba with vfs_fruit configured allows out-of-bounds heap read and write via specially crafted extended file attributes.
A remote attacker with write access to extended file attributes can execute arbitrary code with the privileges of smbd, typically root.
From the Samba annoucement for CVE-2021-44142:
Access as a user that has write access to a file’s extended attributes is required to exploit this vulnerability. Note that this could be a guest or unauthenticated user if such users are allowed write access to file extended attributes.
Apply an update
Samba has released versions 4.13.17, 4.14.12, and 4.15.5.
As a workaround, remove ‘fruit’ from ‘vfs objects’ lines in Samba configuration files (e.g., smb.conf).
Thanks to Orange Tsai of DEVCORE for researching and reporting this vulnerability. Thanks also to Samba, ZDI, and Western Digital for coordination efforts.
This document was written by James Stanley and Art Manion.
Date First Published:
Date Last Updated:
2022-06-27 20:03 UTC