Samba bug may allow code execution as root on Linux machines, NAS devices (CVE-2021-44142)

A critical vulnerability (CVE-2021-44142) in Samba, a widely used open source implementation of the Server Message Block (SMB) networking protocol, could allow attackers to execute arbitrary code as root on affected Samba installations.

Several updated versions of Samba have been released on Monday, fixing CVE-2021-44142 and two other flaws (1, 2), but since the software is included in most Linux and Unix-like operating systems (including Apple’s macOS and macOS Server), users of those are advised to keep an eye out for specific updates by those developer teams.

About CVE-2021-44142

Samba allows file and print sharing between computers running Windows and those running Unix or Linux.

CVE-2021-44142 is an out-of-bounds heap read/write vulnerability in Samba’s vfs_fruit virtual file system (VFS) module.

“The fruit module that ships with Samba is designed to provide interoperability between Samba and Netatalk. Netatalk is an open-source implementation of the Apple Filing Protocol (AFP). It allows Unix-like systems to serve as file servers for Apple devices. The specific flaw exists within the parsing of EA metadata in the Samba server daemon (smbd) when opening a file,” the ZDI Research Team noted, and shared technical details about the flaw and a variant – all of which have been patched in the latest Samba security updates.

According to the Samba Team, the vulnerability can be exploited by any user that has write access to a file’s extended attributes – even a guest or unauthenticated user if they have those permissions.

But not all systems may be affected. “The problem in vfs_fruit exists in the default configuration of the fruit VFS module using fruit:metadata=netatalk or fruit:resource=file. If both options are set to different settings than the default values, the system is not affected by the security issue,” they noted.

CVE-2021-44142 was discovered and its exploitation demonstrated at the Pwn2Own Austin 2021 in November 2021 by Nguyễn Hoàng Thạch and Billy Jheng Bing-Jhong of STAR Labs. It was also independently discovered by Orange Tsai of DEVCORE and reported to the Samba team. The heap-based buffer overflow variant of the bug was discovered and reported by ZDI vulnerability researcher Lucas Leong.

Remediation and risk mitigation

The flaw affects all versions of Samba prior to 4.13.17. The patch has also been included in Samba 4.14.12 and 4.15.5.

The Samba Team has also pointed out a workaround: removing the fruit VFS module from the list of configured VFS objects in any vfs objects line in the Samba configuration smb.conf, but warned that this might cause “all stored information to be inaccessible and will make it appear to macOS clients as if the information is lost.”

For that and other reasons, updating is the best option.

“Administrators are advised to focus on testing and deploying the patch to remediate the vulnerability. ZDI also advises that many different vendors will need to update their version to ship with affected devices (such as NAS devices), so the release of additional patches can be expected,” the ZDI team noted.

CERT/CC lists Red Hat, SUSE Linux and Ubuntu as affected.

“The company’s vendor list shows that the potential sectors affected by this security concern include critical industries such as communications, energy, government, manufacturing, and science and technology, as well as consumer devices such as appliances and internet of things (IoT) devices,” ZDI added.

Though there is no indication that CVE-2021-44142 is being exploited in active attacks, it is not unusual for attackers to exploit Samba vulnerabilities. SambaCry (CVE-2017-7494) has been, for example, used in the past to compromise NAS devices and deliver ransomware.

“Given the standard use of Samba for system interoperability via the SMB protocol, administrators should monitor shared file, printer, and access sharing data transmissions,” the ZDI team advised.

“The Windows SMB, which is used for remote services, can be abused by attackers to propagate through the organization’s network, or used as a jump-off point to spread to other connected systems. Administrators are advised to enable solutions that can monitor and scan for transmissions that require the vfs_fruit configurations.”