Samba, the widely used file sharing tool, has a well-established presence, especially in mixed system environments, where file shares have to be accessed from different operating systems. Like NFS, it has a well-deserved reputation for compatibility, availability, and, most importantly, security.
High-profile services like Samba are enticing targets for attackers, and vulnerabilities found in these services can often have far-reaching consequences that are sometimes lost in the noise around CVE announcements. CVE-2021-44142, one of the recently disclosed vulnerabilities affecting Samba, has managed to rise above the rest. It is remotely exploitable and can lead to remote code execution. Does anyone else remember Log4j?
According to the Samba project’s own description of the vulnerability found here, it is possible for a remote attacker to trigger an out-of-bounds heap read/write, which in turn will lead to the execution of arbitrary code as root. The fault lies in the VFS module called vfs_fruit.
Samba implements additional behaviors through a plugin, or module, system that extends the functionality of supported protocols or adds new functionality altogether. Vfs_fruit is one such module: it adds extended attribute metadata support for Apple SMB clients. When a user has write permission to a file’s extended attributes, these extended attributes can be manipulated in such a way that the flaw is triggered.
If your environment has no Apple SMB clients, or you don’t need the functionality provided by the vfs_fruit module, you can remove it from the configuration by editing smb.conf and removing any “fruit” entry in the configuration line for “vfs objects”. This has the obvious side effect of actually disabling support for these extended attributes, which in turn causes macOS clients to show this information as empty. If that is an acceptable outcome, then this workaround will avoid the VFS module issue.
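As an added example (not code from the original post or from the Samba project), here is a small Python check for the workaround above: it parses a constructed smb.conf, reports which shares effectively load vfs_fruit, including shares that inherit the "vfs objects" line from [global], and produces the configuration with "fruit" removed while keeping the other modules on the line. The sample configuration is constructed for illustration only.

```python
import re

# Constructed sample smb.conf: [global] enables fruit for every share,
# [docs] overrides the list without fruit, [media] inherits the global one.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   vfs objects = catia fruit streams_xattr
   fruit:metadata = stream

[docs]
   path = /srv/docs
   vfs objects = streams_xattr

[media]
   path = /srv/media
   ; inherits vfs objects from [global]
"""

def parse_smb_conf(text):
    """Return {section: {normalised_param: value}} for an smb.conf body.
    Samba ignores case and whitespace in parameter names, so both are
    dropped; lines starting with '#' or ';' are comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1).strip()
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][re.sub(r"\s+", "", key).lower()] = value.strip()
    return sections

def shares_with_fruit(text):
    """Shares whose effective 'vfs objects' list loads the fruit module,
    taking the [global] default into account for shares without their own."""
    conf = parse_smb_conf(text)
    default = conf.get("global", {}).get("vfsobjects", "")
    return [name for name, params in conf.items()
            if name != "global"
            and "fruit" in params.get("vfsobjects", default).split()]

def remove_fruit(text):
    """Apply the workaround: drop 'fruit' from every 'vfs objects' line.
    Other modules (e.g. streams_xattr) and 'fruit:' options are left as-is."""
    def fix(m):
        mods = [x for x in m.group(2).split() if x != "fruit"]
        return m.group(1) + " ".join(mods)
    return re.sub(r"^(\s*vfs\s*objects\s*=\s*)(.*)$", fix, text,
                  flags=re.I | re.M)
```

Run `shares_with_fruit(open("/etc/samba/smb.conf").read())` against a real file to see which shares still load the module, and review the output of `remove_fruit` before writing it back and reloading Samba.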
However, if you rely on this functionality, then you should patch your systems running Samba as soon as possible. Because it has a remotely exploitable attack vector, this vulnerability has been given one of the highest security scores seen in recent months. Red Hat, for example, assigned it a 9.9 score out of 10 (CVSS v3).
While some sysadmins may go for years without ever using this module, it is included and enabled by default in devices and appliances built to work in mixed-systems environments, like NAS and storage systems. If you don’t have patches available for these devices, as they may require specific firmware updates, you should at least consider applying the workaround described above if you can modify smb.conf directly.
As always, the TuxCare Extended Lifecycle Support team is providing service users with patches for the affected Enterprise Linux systems. Specifically, CentOS 8.4, 8.5 and Ubuntu 16.04 already have patches available.
If you would like to know more about TuxCare’s Extended Lifecycle Service and how it can help you keep your out-of-support systems running smoothly and securely while also meeting compliance requirements, you can find more information here.