VU#119678: Samba vfs_fruit module insecurely handles extended file attributes

Overview

The Samba vfs_fruit module allows out-of-bounds heap read and write via extended file attributes (CVE-2021-44142). This vulnerability allows a remote attacker to execute arbitrary code with root privileges.

Description

The Samba vfs_fruit module uses extended file attributes (EA, xattr) to provide “…enhanced compatibility with Apple SMB clients and interoperability with a Netatalk 3 AFP fileserver.” Samba with vfs_fruit configured allows out-of-bounds heap read and write via specially crafted extended file attributes.

For more information, see the Samba announcement for CVE-2021-44142 and bug 14914. Also available for reference is a detailed blog post from ZDI.

Impact

A remote attacker with write access to extended file attributes can execute arbitrary code with the privileges of smbd, typically root.

From the Samba annoucement for CVE-2021-44142:

Access as a user that has write access to a file’s extended attributes is required to exploit this vulnerability. Note that this could be a guest or unauthenticated user if such users are allowed write access to file extended attributes.

Solution

Apply an update

Samba has released versions 4.13.17, 4.14.12, and 4.15.5.

Disable vfs_fruit

As a workaround, remove ‘fruit’ from ‘vfs objects’ lines in Samba configuration files (e.g., smb.conf).

Acknowledgements

Thanks to Orange Tsai of DEVCORE for researching and reporting this vulnerability. Thanks also to Samba, ZDI, and Western Digital for coordination efforts.

This document was written by James Stanley and Art Manion.

Vendor Information

One or more vendors are listed for this advisory. Please reference the full report for more information.

Other Information

CVE IDs:

CVE-2021-44142

Date Public:

2022-01-31
Date First Published:
2022-01-31
Date Last Updated:
2022-06-27 20:03 UTC
Document Revision:
19

Privacy Preferences
When you visit our website, it may store information through your browser from specific services, usually in form of cookies. Here you can change your privacy preferences. Please note that blocking some types of cookies may impact your experience on our website and the services we offer.