
Dangerous remotely exploitable vulnerability found in Samba

February 11, 2022

Samba, the widely used file sharing tool, has a well-established presence, especially in mixed-system environments where file shares have to be accessed from different operating systems. Like NFS, it has a well-deserved reputation for compatibility, availability and, most importantly, security.

High-profile services like Samba are enticing targets for attackers, and vulnerabilities found in these services can often have far-reaching consequences that are sometimes lost in the noise around CVE announcements. CVE-2021-44142, one of the recently disclosed vulnerabilities affecting Samba, has managed to rise above the rest: it is remotely exploitable and can lead to remote code execution. Does anyone else remember Log4j?

All versions of Samba prior to 4.13.17 are affected. TuxCare’s Extended Lifecycle Support team has released patches for CentOS 8.4, 8.5 and Ubuntu 16.04, all of which are impacted.

According to the Samba project’s own security advisory for the vulnerability, a remote attacker can trigger an out-of-bounds heap read/write, which in turn leads to the execution of arbitrary code as root. The fault lies in the VFS module called vfs_fruit.

Samba implements additional behaviours through a plugin, or module, system that extends the supported protocols or adds new functionality altogether. vfs_fruit is one such module: it adds support for the extended attribute metadata used by Apple SMB clients. A user with write permission to a file’s extended attributes can manipulate those attributes in such a way that the flaw is triggered.

If your environment has no Apple SMB clients, or you don’t need the functionality provided by the vfs_fruit module, you can remove it from the configuration by editing smb.conf and removing any “fruit” entry from the “vfs objects” line. The obvious side effect is that support for these extended attributes is disabled, so macOS clients will show this information as empty. If that is an acceptable outcome, this workaround avoids the VFS module issue.
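The following script is an added example (not TuxCare’s or the Samba project’s code) that audits an smb.conf for every section loading the fruit module and prints the mitigated configuration with “fruit” removed from each “vfs objects” list. It assumes a POSIX shell with awk; the sample smb.conf it operates on is constructed for illustration.

```shell
#!/bin/sh
# Added example (not TuxCare's or the Samba project's code): audit an smb.conf
# for the vfs_fruit module and emit the mitigated configuration.

# Print the section header of every "vfs objects" line that loads "fruit".
# Reads the file named in $1, or stdin when no argument is given.
find_fruit_shares() {
    awk '
        # Track the current [section]; Samba option names are case-insensitive.
        /^[ \t]*\[.*\][ \t]*$/ { gsub(/^[ \t]+|[ \t]+$/, ""); section = $0; next }
        tolower($0) ~ /^[ \t]*vfs[ \t]*objects[ \t]*=/ {
            n = split(substr($0, index($0, "=") + 1), mods, " ")
            for (i = 1; i <= n; i++) if (mods[i] == "fruit") { print section; break }
        }' "$@"
}

# Rewrite the config with "fruit" removed from every "vfs objects" list; other
# modules keep their order, and a list that becomes empty is dropped entirely.
strip_fruit() {
    awk '
        tolower($0) ~ /^[ \t]*vfs[ \t]*objects[ \t]*=/ {
            eq = index($0, "=")
            n = split(substr($0, eq + 1), mods, " ")
            out = ""
            for (i = 1; i <= n; i++)
                if (mods[i] != "fruit") out = out (out == "" ? "" : " ") mods[i]
            if (out != "") print substr($0, 1, eq) " " out
            next
        }
        { print }' "$@"
}

# Constructed sample smb.conf: fruit loaded globally and on one share.
SAMPLE_CONF="$(mktemp)"
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
[global]
   vfs objects = fruit streams_xattr
[macshare]
   vfs objects = catia fruit streams_xattr
[plain]
   vfs objects = recycle
EOF

echo "Sections loading vfs_fruit:"; find_fruit_shares "$SAMPLE_CONF"
echo "Mitigated configuration:";   strip_fruit "$SAMPLE_CONF"
```

After applying the change to the real smb.conf, run `testparm -s` to confirm Samba parses the result as intended, then reload smbd so the running daemon picks it up.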

However, if you rely on this functionality, you should patch your systems running Samba as soon as possible. Because of its remotely exploitable attack vector, this vulnerability has received one of the highest severity scores seen in recent months: Red Hat, for example, assigned it a CVSS v3 score of 9.9 out of 10.

While some sysadmins may go for years without ever using this module, it is included and enabled by default in devices and appliances built for mixed-system environments, such as NAS and storage systems. If no patches are available for these devices, as they may require vendor-specific firmware updates, you should at least consider applying the workaround described above if you can modify smb.conf directly.

As always, the TuxCare Extended Lifecycle Support team is providing service users with patches for the affected Enterprise Linux systems. Specifically, CentOS 8.4, 8.5 and Ubuntu 16.04 already have patches available.

If you would like to know more about TuxCare’s Extended Lifecycle Service and how it can help you keep your out-of-support systems running smoothly and securely while also meeting compliance requirements, you can find more information here.

