Overview
The Samba vfs_fruit module allows out-of-bounds heap read and write via extended file attributes (CVE-2021-44142). This vulnerability allows a remote attacker to execute arbitrary code with root privileges.
Description
The Samba vfs_fruit module uses extended file attributes (EA, xattr) to provide “…enhanced compatibility with Apple SMB clients and interoperability with a Netatalk 3 AFP fileserver.” Samba with vfs_fruit configured allows out-of-bounds heap read and write via specially crafted extended file attributes.
For more information, see the Samba announcement for CVE-2021-44142 and bug 14914. Also available for reference is a detailed blog post from ZDI.
Impact
A remote attacker with write access to extended file attributes can execute arbitrary code with the privileges of smbd, typically root.
From the Samba annoucement for CVE-2021-44142:
Access as a user that has write access to a file’s extended attributes is required to exploit this vulnerability. Note that this could be a guest or unauthenticated user if such users are allowed write access to file extended attributes.
Solution
Apply an update
Samba has released versions 4.13.17, 4.14.12, and 4.15.5.
Disable vfs_fruit
As a workaround, remove ‘fruit’ from ‘vfs objects’ lines in Samba configuration files (e.g., smb.conf).
Acknowledgements
Thanks to Orange Tsai of DEVCORE for researching and reporting this vulnerability. Thanks also to Samba, ZDI, and Western Digital for coordination efforts.
This document was written by James Stanley and Art Manion.
Vendor Information
Other Information
Date Public:
2022-01-31
Date First Published:
2022-01-31
Date Last Updated:
2022-06-27 20:03 UTC
Document Revision:
19