Samba Vulnerability Can Trigger RCE and Complete Root User Access
A New Bug in the VFS Module Can Let Hackers Compromise Your Network.
A critical Samba vulnerability has been identified. If successfully exploited, it could allow threat actors to execute code remotely with root privileges on affected servers. Samba is an open-source implementation of SMB/CIFS that lets Linux-based and Windows-based hosts share files, printers, and other resources.
More Details on the Samba Vulnerability
The Samba vulnerability under discussion has been assigned CVE-2021-44142 and is a flaw in the VFS module named “vfs_fruit.” The flaw has been given a rating of 9.9 out of 10 on the CVSS scale.
On Monday, the company released an advisory saying that:
The specific flaw exists within the parsing of EA metadata when opening files in smbd. Access as a user that has write access to a file’s extended attributes is required to exploit this vulnerability. Note that this could be a guest or unauthenticated user if such users are allowed write access to file extended attributes. (…) The problem in vfs_fruit exists in the default configuration of the fruit VFS module using fruit:metadata=netatalk or fruit:resource=file. If both options are set to different settings than the default values, the system is not affected by the security issue.
As mentioned above, attackers could exploit it to achieve remote code execution as root. What does that mean? With this level of privileged access, threat actors can read, change, and delete any file on the system, install malware such as ransomware or crypto miners, and even move laterally across the network.
The advisory also credits Orange Tsai from DEVCORE with originally reporting this critical bug, which affects Samba installations that use the vfs_fruit module.
What’s the Impact of This Critical Flaw?
The bug affects all Samba versions before 4.13.17, including the Samba packages shipped by distributions such as Red Hat, SUSE Linux, and Ubuntu.
Mitigation on the Samba Vulnerability
The company has released Samba 4.13.17, 4.14.12, and 4.15.5 as patched versions addressing CVE-2021-44142. Administrators should apply these security updates immediately to remain protected.
The company also provided a workaround: remove “fruit” from any “vfs objects” line in the Samba configuration file, smb.conf.
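The advisory's rule and the workaround above can be checked mechanically before and after patching. The script below is an added example, not code from the Samba project or from this article: it parses an smb.conf, reports for each share whether the “fruit” module is loaded and whether the fruit:metadata/fruit:resource settings leave the share affected, and compares an installed version against the patched releases named above. The function names, the constructed sample configuration, and the assumption that Samba branches newer than 4.15 were released with the fix are this example's own.

```shell
#!/bin/sh
# Added example (not from the Samba advisory or the article): defender-side
# exposure check for CVE-2021-44142 in vfs_fruit. Rule applied, as quoted from
# the advisory: a share is affected when "fruit" is loaded and either
# fruit:metadata is netatalk (default) or fruit:resource is file (default);
# only when both are set to non-default values is the share not affected.

# samba_is_fixed VERSION -> exit status 0 when VERSION carries the fix.
# Patched releases per the advisory: 4.13.17, 4.14.12, 4.15.5.
# Assumption: branches newer than 4.15 were released after the fix.
samba_is_fixed() {
    ver=${1%%[!0-9.]*}                  # drop suffixes such as "-Ubuntu"
    major=${ver%%.*}; rest=${ver#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    if [ "$patch" = "$rest" ]; then patch=0; fi   # no patch component given
    case "$major.$minor" in
        4.13) [ "$patch" -ge 17 ] ;;
        4.14) [ "$patch" -ge 12 ] ;;
        4.15) [ "$patch" -ge 5 ] ;;
        *) [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -gt 15 ]; } ;;
    esac
}

# fruit_exposure < smb.conf -> one line per share:
#   "<share>: affected" | "<share>: not-affected" | "<share>: no-fruit"
# Share-level settings override [global]; missing fruit:* keys use the defaults.
fruit_exposure() {
    awk '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    /^[ \t]*[;#]/ || /^[ \t]*$/ { next }            # comments and blank lines
    /^[ \t]*\[/ {                                    # [section] header
        sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
        sec = tolower(sec); order[++n] = sec; next
    }
    sec != "" && index($0, "=") {                    # key = value
        key = tolower(trim(substr($0, 1, index($0, "=") - 1)))
        val = tolower(trim(substr($0, index($0, "=") + 1)))
        if (key == "vfs objects")         vfs[sec] = " " val " "
        else if (key == "fruit:metadata") meta[sec] = val
        else if (key == "fruit:resource") res[sec] = val
    }
    END {
        for (i = 1; i <= n; i++) {
            s = order[i]
            if (s == "global") continue
            v = (s in vfs)  ? vfs[s]  : vfs["global"]
            m = (s in meta) ? meta[s] : (("global" in meta) ? meta["global"] : "netatalk")
            r = (s in res)  ? res[s]  : (("global" in res)  ? res["global"]  : "file")
            if (index(v, " fruit ") == 0)            status = "no-fruit"
            else if (m == "netatalk" || r == "file") status = "affected"
            else                                     status = "not-affected"
            print s ": " status
        }
    }'
}

# Constructed sample smb.conf for the demo run (not a real host's config).
SAMPLE_SMB_CONF='[global]
   workgroup = WORKGROUP
   vfs objects = catia fruit streams_xattr

[timemachine]
   path = /srv/tm
   fruit:metadata = netatalk

[docs]
   path = /srv/docs
   fruit:metadata = stream
   fruit:resource = xattr

[plain]
   path = /srv/plain
   vfs objects = streams_xattr'

# Demo on the sample; on a real host run: fruit_exposure < /etc/samba/smb.conf
printf '%s\n' "$SAMPLE_SMB_CONF" | fruit_exposure
for v in 4.13.16 4.13.17-Ubuntu 4.15.5; do
    if samba_is_fixed "$v"; then
        echo "$v: fixed"
    else
        echo "$v: vulnerable, update or remove fruit from vfs objects"
    fi
done
```

On the sample, the timemachine share inherits “fruit” from [global] and keeps the default netatalk metadata, so it is reported as affected; docs sets both fruit options to non-default values and is reported as not affected; plain overrides “vfs objects” without “fruit” and is not exposed at all. The version check is the primary control: a share reported as not-affected still belongs on an unpatched host that should be updated.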
According to ThreatPost, Greg Fitzgerald, co-founder of Sevco Security, shared his input on this topic:
The first thing enterprises need to do is apply the appropriate patches to known Samba installations, but these types of vulnerabilities are more difficult to fully mitigate than it may seem. (…) Even when all known instances are effectively patched, that still leaves forgotten or abandoned instances vulnerable. Every enterprise has IT assets that have fallen through the cracks. It’s gotten to the point where attackers are often more familiar with the networks they’re targeting than the security teams in charge of safeguarding those networks. It only takes one unpatched instance to create an opportunity for malicious actors to hit paydirt, and they’re counting on the fact that IT and security teams can’t create a comprehensive and accurate IT asset inventory.
How Can Heimdal™ Help?
Keeping your systems patched on time can only be done efficiently with a good automated tool. Try out our Patch and Asset Management product and take your vulnerability management to the next level. Covering patches from Microsoft to third-party and proprietary ones, you can have the latest released patches fully tested, adware cleaned, repackaged, and securely deployed in your Heimdal cloud, ready to be installed in less than 4 hours from release, with the shortest vendor-to-end-user waiting time. You can also use our solution to pull accurate and comprehensive reports on asset inventory and vulnerabilities within your system. Find out more about our solutions by visiting our home page!