Kalyan Parajuli

Infosec MS Student @ Carnegie Mellon University

© 2022

Samba 9.9 CVE-2021-44142 Vulnerability

| Product | Versions | Protocol | Insecure Module | Vulnerability | CVE # | CVSS |
| --- | --- | --- | --- | --- | --- | --- |
| Samba | < 4.13.17 | SMB | vfs_fruit | Out-of-bounds heap read/write | CVE-2021-44142 | 9.9 |

The vfs_fruit module that ships with Samba is designed to provide interoperability between Samba and Netatalk, an open-source implementation of the Apple Filing Protocol (AFP) that is used to talk to macOS clients. When everything is in place and working, it allows Unix-like systems to serve as file servers for Apple devices. Once a session is established, smbd, the SMB daemon, allows an unauthenticated user to set extended file attributes, and therein lies the problem. [5]

Some introductions first:

  1. vfs_fruit - The vfs_fruit module provides enhanced compatibility with Apple SMB clients and interoperability with a Netatalk 3 AFP fileserver.[2]
  2. Netatalk - Netatalk is a freely available open-source AFP fileserver. A UNIX, Linux or BSD system running Netatalk is capable of serving many Macintosh clients simultaneously as an AppleShare file server (AFP - Apple Filing Protocol).[3]
  3. AFP - The Apple Filing Protocol (AFP), formerly AppleTalk Filing Protocol, is a proprietary network protocol and part of the Apple File Service (AFS).[4]

All versions of Samba prior to 4.13.17 are vulnerable to an out-of-bounds heap read/write vulnerability that allows remote attackers to execute arbitrary code as root on affected Samba installations that use the VFS module vfs_fruit.

The specific flaw exists within the parsing of EA metadata when opening files in smbd. Access as a user that has write access to a file’s extended attributes is required to exploit this vulnerability. Note that this could be a guest or unauthenticated user if such users are allowed write access to file extended attributes.

The problem in vfs_fruit is reachable in the default configuration of the fruit VFS module, that is, with fruit:metadata=netatalk or fruit:resource=file. Only if both options are set to values other than their defaults is the system unaffected by the security issue.[1]
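As an added example (not from the original post or from Samba), a small audit script that applies the rule above to an smb.conf: a share is flagged when the fruit module is loaded and fruit:metadata or fruit:resource still has its default value. It assumes a minimal parser is enough (no `include =` handling) and that parameters in [global] act as defaults for every share, as Samba documents.

```python
import re

# Defaults from the vfs_fruit(8) man page; both defaults are the affected settings.
DEFAULTS = {"fruit:metadata": "netatalk", "fruit:resource": "file"}


def parse_smb_conf(text):
    """Minimal smb.conf parser -> {section: {param: value}} with normalised param names."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # smb.conf comment styles
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)          # split on '=' only: keys contain ':'
        sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def audit(text):
    """Return {share: reason} for each share where CVE-2021-44142 is reachable."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    findings = {}
    for share, params in conf.items():
        if share == "global":
            continue
        eff = {**glob, **params}                 # share values override [global] defaults
        if "fruit" not in eff.get("vfs objects", "").lower().split():
            continue                             # module not loaded: not exposed
        metadata = eff.get("fruit:metadata", DEFAULTS["fruit:metadata"]).lower()
        resource = eff.get("fruit:resource", DEFAULTS["fruit:resource"]).lower()
        # Per the advisory, only BOTH options away from their defaults is unaffected.
        if metadata == "netatalk" or resource == "file":
            findings[share] = f"fruit loaded with fruit:metadata={metadata}, fruit:resource={resource}"
    return findings


# Constructed sample: [macshare] keeps the defaults, [hardened] changes both, [plain] drops fruit.
SAMPLE = """
[global]
   vfs objects = fruit streams_xattr
[macshare]
   path = /srv/mac
   fruit:metadata = netatalk
[hardened]
   path = /srv/mac2
   fruit:metadata = stream
   fruit:resource = stream
[plain]
   path = /srv/plain
   vfs objects =
"""
```

Running `audit(SAMPLE)` reports only `macshare`; changing just one of the two options on a share is still reported, matching the advisory's rule.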

References

  1. https://www.samba.org/samba/security/CVE-2021-44142.html
  2. https://www.samba.org/samba/docs/current/man-html/vfs_fruit.8.html
  3. http://netatalk.sourceforge.net/
  4. https://en.wikipedia.org/wiki/Apple_Filing_Protocol
  5. https://www.grc.com/sn/sn-857-notes.pdf