Critical Samba vulnerability allows remote code execution as root
For a detailed advisory, download the pdf file here.
A critical vulnerability identified in Samba allows an attacker to execute remote code and gain access to the vulnerable system as root. Samba installations that use VFS module ” vfs_fruit” are impacted by this vulnerability.
An out-of-bounds heap read/write vulnerability exists in the parsing of Extended Attributes (EA) metadata while opening files in smbd. To exploit this issue, an attacker requires to have write access to a file’s extended attributes. According to samba, one possible workaround is to “Remove the “fruit” VFS module from the list of configured VFS objects in any “vfs objects” line in the Samba configuration smb.conf.” Organizations should update their software to 4.13.17 to patch this vulnerability.
Potential Mitre Att&ck TTPs are :
TA0005: Defense EvasionTA0004: Privilege EscalationT1564: Hide ArtifactsT1222: File and Directory Permissions ModificationT1068: Exploitation for Privilege EscalationT1564.004: Hide Artifacts: NTFS File Attributes
Vulnerability Details
Patch Link
https://www.samba.org/samba/history/security.html
References
https://www.samba.org/samba/security/CVE-2021-44142.html
https://www.cisa.gov/uscert/ncas/current-activity/2022/02/01/samba-releases-security-updates
What’s new on HivePro
Get through updates and upcoming events, and more directly in your inbox