Overview
The Samba vfs_fruit module allows out-of-bounds heap read and write via extended file attributes (CVE-2021-44142). This vulnerability allows a remote attacker to execute arbitrary code with root privileges.
Description
The Samba vfs_fruit module uses extended file attributes (EA, xattr) to provide "...enhanced compatibility with Apple SMB clients and interoperability with a Netatalk 3 AFP fileserver." Samba with vfs_fruit configured allows out-of-bounds heap read and write via specially crafted extended file attributes.
For more information, see the Samba announcement for CVE-2021-44142 and bug 14914.
Impact
A remote attacker with write access to extended file attributes can execute arbitrary code with the privileges of smbd, typically root.
From the Samba annoucement for CVE-2021-44142:
Access as a user that has write access to a file's extended attributes is required to exploit this vulnerability. Note that this could be a guest or unauthenticated user if such users are allowed write access to file extended attributes.
Solution
Apply an update
Samba has released versions 4.13.17, 4.14.12, and 4.15.5.
Disable vfs_fruit
As a workaround, remove 'fruit' from 'vfs objects' lines in Samba configuration files (e.g., smb.conf).
Acknowledgements
Thanks to Orange Tsai of DEVCORE for researching ..
Support the originator by clicking the read the rest link below.
