Security Advisory - New Samba Bug Allows Remote Attackers to Execute Arbitrary Code as Root

A critical severity vulnerability in the Samba platform could allow attackers to gain remote code execution with root privileges on servers.

What?

Samba is an interoperability suite that allows Windows and Linux/Unix-based hosts to work together and share file and print services with multi-platform devices on a common network, including SMB file-sharing. Gaining the ability to execute remote code as a root user means that an attacker would be able to read, modify or delete any files on the system, enumerate users, install malware (such as cryptominers or ransomware), and pivot further into a corporate network.


The bug (CVE-2021-44142) is an out-of-bounds heap read/write vulnerability in the VFS module called “vfs_fruit.” It affects all versions of Samba prior to v.4.13.17, and carries a rating of 9.9 out of 10 on the CVSS security-vulnerability severity scale. Some Samba-supporting Red Hat, SUSE Linux and Ubuntu packages are also affected.

How?

The “fruit” module is used to provide “enhanced compatibility with Apple SMB clients and interoperability with a Netatalk 3 AFP fileserver,” through the use of extended file attributes (EA), according to company documentation.


The specific flaw exists within the parsing of EA metadata when opening files in smbd [i.e., the server daemon that provides filesharing and printing services to Windows clients]. The problem in vfs_fruit exists in the default configuration of the fruit VFS module using [specific modules] fruit:metadata=netatalk or fruit:resource=file.

The Fix?

Samba 4.13.17, 4.14.12 and 4.15.5 are the patched versions; administrators are urged to upgrade to these releases as soon as possible.


There is also a workaround available, according to the company, which involves removing the “fruit” module from the list of VFS objects in Samba configuration files: “Remove the ‘fruit’ VFS module from the list of configured VFS objects in any ‘vfs objects’ line in the Samba configuration smb.conf.”


Admins could also conceivably change the default settings for the fruit:metadata or fruit:resource modules, but Samba warned that this would cause “all stored information to be inaccessible and will make it appear to macOS clients as if the information is lost.”
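
To find where the workaround applies, the following added example (not part of the advisory and not Samba project code) parses smb.conf text and lists the sections that load the “fruit” module with either of the settings named under “How?”. The function names and the sample configuration are constructed for illustration, and the parser does not follow include directives.

```python
import re

def parse_sections(text):
    """Parse smb.conf text into {section: {param: value}}, names lower-cased."""
    text = re.sub(r"\\\r?\n", " ", text)   # join backslash-continued lines
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":    # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            # smb.conf parameter names ignore case and internal whitespace
            current["".join(key.lower().split())] = value.strip().lower()
    return sections

def exposed_sections(text):
    """Sections that load vfs_fruit with the settings the advisory flags."""
    sections = parse_sections(text)
    glob = sections.get("global", {})
    hits = []
    for name, params in sections.items():
        eff = {**glob, **params}           # shares inherit [global] values
        if "fruit" not in re.split(r"[\s,]+", eff.get("vfsobjects", "")):
            continue
        # Unset values fall back to the defaults named in the advisory.
        if (eff.get("fruit:metadata", "netatalk") == "netatalk"
                or eff.get("fruit:resource", "file") == "file"):
            hits.append(name)
    return sorted(hits)

# Constructed sample configuration, not taken from a real host.
SAMPLE = r"""[global]
   vfs objects = catia fruit \
      streams_xattr
[timemachine]
   path = /srv/tm
[scans]
   vfs objects = acl_xattr
[media]
   fruit:metadata = stream
   fruit:resource = xattr
"""

if __name__ == "__main__":
    print(exposed_sections(SAMPLE))
```

A section listed here is a candidate for the workaround or for prioritised patching; an empty list does not replace upgrading to a patched release.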