Samba has patched a vulnerability that could enable remote, unauthenticated attackers to execute arbitrary code as root on impacted installations.
Samba is an interoperability software suite that implements the Server Message Block (SMB) networking protocol, which provides file and print services. It allows network administrators to configure and set up equipment as a domain controller (DC) or domain member, and to communicate with Windows-based clients. Samba runs on many Unix or Unix-like systems like Linux, as well as macOS and other operating systems that use the SMB protocol.
The flaw (CVE-2021-44142) is an out-of-bounds heap read/write error. While it has a critical CVSS rating of 9.9, researchers said they have not seen any active attacks exploiting the vulnerability.
If a flaw in a program allows it to read or write outside of the bounds set for the program, it is possible to manipulate other parts of the memory which are allocated to more critical functions," according to researchers with Malwarebytes in a Wednesday analysis. "This can allow an attacker to write code to a part of the memory where it will be executed with permissions that the program and user should not have... In this case as root, which is the user name or account that by default has access to all commands and files on a Linux or other Unix-like operating system.
The security issue stems from how the smbd server daemon, which provides the file sharing service, parses metadata when a file is opened. Part of the smbd’s configuration (smb.conf) consists of a virtual file system (vfs) objects list, which contains three modules: catie, streams_xattr and fruit. The latter fruit module, which provides enhanced compatibility between Apple and Netatalk - an open-source implementation of the Apple Filing Protocol - is where the security issue exists.
“The problem in vfs_fruit exists in the default configuration of the fruit VFS module using fruit:metadata=netatalk or fruit:resource=file,” according to Samba’s security advisory. “If both options are set to different settings than the default values, the system is not affected by the security issue.”
"It is expected that many different vendors will need to update the version of Samba they ship with their devices, so expect lots of additional patches to address these bugs."
According to a Tuesday analysis of the flaw, when a session is established, smbd allows an unauthenticated attacker to set extended file attributes. The bug ultimately allows attackers to inject malformed metadata values, which can lead to out-of-bounds memory accesses.
Versions of Samba prior to 4.13.17 are affected; Samba on Monday released security updates addressing this issue in Samba versions 4.13.17, 4.14.12, and 4.15.5 (because there are multiple, stable branches of Samba, the vulnerability needed to be addressed in each one). While Samba also listed a workaround of removing the fruit module from smb.conf, researchers with Trend Micro warned that this could “severely impact the functionality of any macOS systems attempting to access the Samba server.”
Several people worked separately to discover and disclose the flaw. After Nguyen Hoang Thach and Billy Jheng Bing-Jhong of STAR Labs uncovered an out-of-bounds vulnerability in Samba at Trend Micro Zero Day Initiative’s (ZDI) Pwn2Own Austin 2021 in November, Lucas Leong of ZDI further investigated this security gap and found more variants of the flaw. Orange Tsai of DEVCORE also independently uncovered and reported the flaw.
Dustin Childs, communications manager at Trend Micro's ZDI, said that the flaw has "already been demonstrated as a practical exploit at Pwn2Own, so it’s definitely not too complex an exploit for knowledgeable attackers."
Samba is used across various sectors, including critical industries like energy and manufacturing; as well as consumer Internet of Things (IoT) devices. Various vendors use Samba “as part of a larger product,” including Centrify, Hewlett Packard and VMware.
“It is expected that many different vendors will need to update the version of Samba they ship with their devices, so expect lots of additional patches to address these bugs,” according to ZDI researchers.