---
licence_title: Creative Commons Attribution 4.0 International (CC-BY 4.0)
licence_link: https://creativecommons.org/licenses/by/4.0/
licence_restrictions: https://cert.europa.eu/legal-notice
licence_author: CERT-EU, The Cybersecurity Service for the European Union institutions, bodies, offices and agencies
title: 'Critical Vulnerability in Samba'
version: '1.0'
number: '2022-008'
date: 'February 1, 2022'
---

_History:_

* _01/02/2022 --- v1.0 -- Initial publication_

# Summary

On January 31, Samba issued advisories and software updates [1] to address multiple vulnerabilities, one of which, identified as `CVE-2021-44142`, could lead to Remote Code Execution with `root` privileges.

It is recommended to update as soon as possible.

# Technical Details

The vulnerability `CVE-2021-44142`, with a severity score of 9.9 out of 10, is an out-of-bounds heap read-write vulnerability that allows remote attackers to execute arbitrary code as `root` on affected Samba installations [2].

The specific flaw exists within the parsing of Extended Attributes (EA) metadata when opening files in `smbd`. Exploiting this vulnerability requires access as a user that has write access to a file's extended attributes. Note that this could be a guest or unauthenticated user if such users are allowed write access to file extended attributes.

# Affected Products

All versions of Samba prior to `4.13.17` are vulnerable when Samba has the VFS module `vfs_fruit` enabled in its default configuration. This means that the following options are configured as follows: `fruit:metadata=netatalk` or `fruit:resource=file`. If both options are set to different settings than the default values, the system is not affected by the security issue.

# Recommendations

The Samba team and CERT-EU strongly recommend upgrading Samba to the latest version as soon as possible.
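To find which shares in an `smb.conf` match the affected configuration described under Affected Products, the following Python example flags every section that loads `fruit` while `fruit:metadata` or `fruit:resource` is at its affected value. It is an added example, not part of the CERT-EU advisory or of Samba's tooling; the function names and the sample configuration are constructed for illustration, and it assumes a single file without `include` directives.

```python
import re

# Settings the advisory names as affected; they are also the defaults when unset.
AFFECTED = {"fruit:metadata": "netatalk", "fruit:resource": "file"}

def parse_smb_conf(text):
    """Return {section: {param: value}} with normalised section/param names."""
    sections, current = {}, None
    text = re.sub(r"\\\r?\n", "", text)  # join backslash-continued lines
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            # Samba ignores case and whitespace in parameter names.
            sections[current][re.sub(r"\s+", "", key).lower()] = value.strip()
    return sections

def affected_shares(text):
    """List (section, [affected settings]) where the fruit module is loaded."""
    sections = parse_smb_conf(text)
    glob = sections.get("global", {})
    hits = []
    for name, params in sections.items():
        eff = {**glob, **params}  # share settings override [global]
        mods = [m.split(":")[0].lower()
                for m in re.split(r"[\s,]+", eff.get("vfsobjects", "")) if m]
        if "fruit" not in mods:
            continue
        risky = [f"{k}={v}" for k, v in AFFECTED.items()
                 if eff.get(k, v).lower() == v]
        if risky:
            hits.append((name, risky))
    return hits

# Constructed sample configuration, not taken from a real system.
SAMPLE = """
[global]
   vfs objects = catia fruit streams_xattr
   fruit:metadata = stream
[timemachine]
   path = /srv/tm
[media]
   fruit:resource = xattr
"""

if __name__ == "__main__":
    for share, settings in affected_shares(SAMPLE):
        print(f"[{share}] fruit loaded with {', '.join(settings)}")
```

In the sample, `[media]` is not flagged because both options differ from the affected values, while `[global]` and `[timemachine]` still inherit `fruit:resource=file`.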
## Workaround

As a temporary workaround, one can remove the `fruit` VFS module from the list of configured VFS objects in any `vfs objects` line in the Samba configuration `smb.conf`.

Note that changing the VFS module settings `fruit:metadata` or `fruit:resource` to use the unaffected setting causes all stored information to be inaccessible.

# References

[1]

[2]