Product | Versions | Protocol | Insecure Module | Vulnerability | CVE # | CVSS |
---|---|---|---|---|---|---|
Samba | < 4.13.17 | SMB | vfs_fruit | Out-of-bounds heap read/write | CVE-2021-44142 | 9.9 |
The vfs_fruit module that ships with Samba is designed to provide interoperability between Samba and Netatalk, an open-source implementation of AFP — the Apple Filing Protocol — which is used to converse with macOS clients. When everything’s in place and working, it allows Unix-like systems to serve as file servers for Apple devices. Once a session is established, smbd — the SMB daemon — allows an unauthenticated user to set extended file attributes, and therein lies the problem. [5]
Some introductions first:
- vfs_fruit - The vfs_fruit module provides enhanced compatibility with Apple SMB clients and interoperability with a Netatalk 3 AFP fileserver. [2]
- Netatalk - Netatalk is a freely available Open Source AFP fileserver. A UNIX, Linux or BSD system running Netatalk is capable of serving many Macintosh clients simultaneously as an AppleShare file server (AFP - Apple Filing Protocol). [3]
- AFS - The Apple Filing Protocol (AFP), formerly AppleTalk Filing Protocol, is a proprietary network protocol and part of the Apple File Service (AFS). [4]
All versions of Samba prior to 4.13.17 are vulnerable to an out-of-bounds heap read/write vulnerability that allows remote attackers to execute arbitrary code as root on affected Samba installations that use the VFS module vfs_fruit.
The specific flaw exists within the parsing of EA metadata when opening files in smbd. Access as a user that has write access to a file’s extended attributes is required to exploit this vulnerability. Note that this could be a guest or unauthenticated user if such users are allowed write access to file extended attributes.
The problem in vfs_fruit exists in the default configuration of the fruit VFS module, i.e. with fruit:metadata=netatalk or fruit:resource=file in effect. Only if both options are set to values other than these defaults is the installation unaffected by the security issue. [1]
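The configuration condition above is easy to get wrong because the affected values are the defaults, so a share that never mentions fruit:metadata or fruit:resource is still in the vulnerable configuration, and settings in [global] are inherited by every share. The following checker is an added example, not code from the Samba project or from the advisory: it parses an smb.conf (the embedded sample is constructed for illustration), resolves the effective vfs_fruit settings per share, and flags shares that load fruit while either option is still at its default. The alternative value `stream` used in the sample is the non-default setting documented in the vfs_fruit man page; the share names and paths are made up. Upgrading remains the fix; this only tells you which shares are exposed in the meantime.

```python
"""Flag smb.conf shares running vfs_fruit in the CVE-2021-44142-affected configuration.

Affected configuration (per the advisory): vfs_fruit loaded AND
(fruit:metadata == netatalk OR fruit:resource == file), both of which are defaults.
"""
import re

# Constructed sample smb.conf for demonstration; not taken from any real host.
SAMPLE_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   fruit:metadata = stream

[timemachine]
   path = /srv/tm
   vfs objects = catia fruit streams_xattr
   fruit:resource = stream

[public]
   path = /srv/public
   guest ok = yes
   vfs objects = fruit streams_xattr
   ; inherits fruit:metadata = stream from [global]; fruit:resource stays at its default

[plain]
   path = /srv/plain
   ; vfs_fruit not loaded here
"""

DEFAULT_METADATA = "netatalk"   # vfs_fruit default for fruit:metadata
DEFAULT_RESOURCE = "file"       # vfs_fruit default for fruit:resource


def parse_smb_conf(text):
    """Return {section: {param: value}}. Parameter names are normalised to
    lower case with single spaces, matching smbd's case/whitespace-insensitive
    handling; '#' and ';' comment lines are skipped."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = re.sub(r"\s+", " ", key.strip().lower())
        sections[current][key] = value.strip()
    return sections


def effective_params(share, sections):
    """Share-level parameters override [global] defaults."""
    params = dict(sections.get("global", {}))
    params.update(sections.get(share, {}))
    return params


def assess_share(share, sections):
    """Classify one share; returns a dict with the effective fruit settings."""
    params = effective_params(share, sections)
    vfs_objects = params.get("vfs objects", "").split()
    if "fruit" not in vfs_objects:
        return {"share": share, "fruit_loaded": False, "affected": False}
    metadata = params.get("fruit:metadata", DEFAULT_METADATA).lower()
    resource = params.get("fruit:resource", DEFAULT_RESOURCE).lower()
    return {
        "share": share,
        "fruit_loaded": True,
        "metadata": metadata,
        "resource": resource,
        # Either option left at its default keeps the vulnerable code path reachable.
        "affected": metadata == DEFAULT_METADATA or resource == DEFAULT_RESOURCE,
        # Guest access widens who can set xattrs on the share.
        "guest_ok": params.get("guest ok", "no").lower() in ("yes", "true", "1"),
    }


def assess_config(text):
    """Assess every non-global section of an smb.conf."""
    sections = parse_smb_conf(text)
    return {name: assess_share(name, sections) for name in sections if name != "global"}


if __name__ == "__main__":
    for name, result in assess_config(SAMPLE_SMB_CONF).items():
        status = "AFFECTED" if result["affected"] else "ok"
        print(f"[{name}] {status} {result}")
```

Run it against a real smb.conf by replacing `SAMPLE_SMB_CONF` with the file's contents; a share is only safe from this configuration check when both effective values are non-default, so `[timemachine]` passes (both set to stream) while `[public]` is flagged because fruit:resource was never overridden.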