Critical Samba Vulnerability Allows Hackers To Execute Code With Root Privilege.

According to the CERT Coordination Center (CERT/CC), the flaw affects widely used Linux distributions such as Red Hat, SUSE Linux, and Ubuntu.

This vulnerability allows remote attackers to execute arbitrary code on affected Samba installations. It does not require authentication. The specific flaw exists in the parsing of EA metadata by the Samba server daemon (smbd) when a file is opened. An attacker can exploit this flaw to execute code in the context of root.

Samba is a popular freeware implementation of the Server Message Block (SMB) protocol that allows users to access shared files, printers, and other resources over a network.

The maintainers stated in a January 31 advisory: “All versions of Samba prior to 4.13.17 are vulnerable to an out-of-bounds heap read/write vulnerability that allows remote attackers to execute arbitrary code as root on affected Samba installations that use the VFS module vfs_fruit.”

The configuration of smbd is found in /etc/samba/smb.conf. Here’s a portion of an smb.conf file showing how Samba would be configured to support a Time Machine share for Apple devices:

path = /data/xx/diskVolume0/backups/timemachine
browseable = yes
public = yes
available = yes
oplocks = yes
follow symlinks = yes
map archive = no
guest ok = yes
writable = yes
vfs objects = catia fruit streams_xattr
durable handles = yes
kernel oplocks = no
kernel share modes = no
posix locking = no
inherit acls = yes
strict sync = yes
fruit:time machine = yes
fruit:time machine max size = 0M

“The issue in vfs_fruit exists in the fruit VFS module’s default configuration when using fruit:metadata=netatalk or fruit:resource=file. The system is not affected by the security issue if both options are set to different settings than [sic] the default values.”
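The following audit sketch is an added example, not code from Samba or from the advisory. It applies the condition quoted above to an smb.conf: a share is flagged when it loads fruit and either fruit:metadata is netatalk or fruit:resource is file. The function names and the sample configuration are constructed for illustration, the defaults are taken to be netatalk and file as the advisory states, and include directives are not followed.

```python
SAMPLE_CONF = """\
# constructed sample, not from a real server
[global]
   fruit:metadata = stream
[timemachine]
   vfs objects = catia fruit streams_xattr
   fruit:time machine = yes
[hardened]
   VFS Objects = catia, fruit, streams_xattr
   fruit:resource = stream
[plain]
   path = /srv/plain
"""

# vfs_fruit defaults; these are the values the advisory names as affected
DEFAULTS = {"fruit:metadata": "netatalk", "fruit:resource": "file"}

def parse_smb_conf(text):
    """Return {section: {param: value}}; names are lowercased, whitespace removed."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current["".join(key.lower().split())] = value.strip()
    return sections

def exposed_shares(text):
    """Shares that load fruit with fruit:metadata=netatalk or fruit:resource=file."""
    sections = parse_smb_conf(text)
    global_params = sections.get("global", {})
    hits = []
    for name, params in sections.items():
        if name == "global":
            continue
        eff = {**DEFAULTS, **global_params, **params}  # share > global > default
        modules = eff.get("vfsobjects", "").lower().replace(",", " ").split()
        if "fruit" in modules and (eff["fruit:metadata"].lower() == "netatalk"
                                   or eff["fruit:resource"].lower() == "file"):
            hits.append(name)
    return hits

if __name__ == "__main__":
    print(exposed_shares(SAMPLE_CONF))
```

In the sample, the timemachine share is still flagged even though fruit:metadata is changed globally, because fruit:resource is left at its default; both options have to be moved off their defaults for the share to fall outside the affected configuration.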

Samba also addressed two other flaws:

  • CVE-2021-44141 (CVSS score: 4.2) – Information leak via symlinks that reveals the existence of files or directories outside of the exported share (fixed in Samba version 4.15.5)
  • CVE-2022-0336 (CVSS score: 3.1) – Samba AD users with permission to write to an account can impersonate arbitrary services (fixed in Samba versions 4.13.17, 4.14.12, and 4.15.4)

Finally, the researchers concluded: “On January 31, 2022, Samba fixed this and other bugs. CVE-2021-44142 was assigned to cover the bugs discussed in this report. To address this vulnerability, Samba 4.14.12 and 4.15.5 have been released in addition to 4.13.17. As a workaround, the vendor suggests removing the fruit VFS module from the list of configured VFS in “smb.conf.” This, however, will have a significant impact on the functionality of any macOS systems attempting to connect to the Samba server.”
