The Samba Vulnerability: What is CVE-2021-44142 and How to Fix It

An earlier version of an out-of-bounds (OOB) vulnerability in Samba was disclosed via Trend Micro Zero Day Initiative’s (ZDI) Pwn2Own Austin 2021. ZDI looked further into the security gap and found more variants of the vulnerability after the event and subsequently disclosed the findings to the company. While we have not seen any active attacks exploiting this vulnerability, CVE-2021-44142 received a CVSS rating of 9.9 out of the three variants reported. If abused, this security gap can be used by remote attackers to execute arbitrary code as root on all affected installations that use the virtual file system (VFS) module vfs_fruit. Samba has released all the relevant patches to mitigate the impact of the threats that can abuse this gap. Trend Micro customers are protected and can follow manual workarounds to address this issue.

What is Samba?Samba is a standard interoperability software suite integrated in Windows, a reimplementation of the server message block (SMB) networking protocol for file and print services. It runs on most Unix and Unix-like systems such as Linux and macOS systems, among other versions and operating systems (OS) that use the SMB/Common Internet File System (CIFS) protocol. This allows network administrators to configure, integrate, and set up equipment either as a domain controller (DC) or domain member, and to communicate with Windows-based clients.

What is CVE-2021-44142?

CVE-2021-44142 is a vulnerability that allows remote attackers to execute arbitrary code on affected installations of Samba. The specific gap exists in the parsing of the EA metadata in the server daemon smbd when opening a file.  An attacker can abuse this vulnerability to execute code in the root context even without authentication.

While the analyzed version was smbd 4.9.5, which is not the latest version, a few vendors incorporate this and earlier versions of the server daemon in their products as was seen in the Pwn2Own 2021 event. This is also enabled by default to allow file sharing and interoperability between available devices, particularly the open source implemented NetaTalk. This implementation is a freely available fileserver implementation of the Apple Filing Protocol (AFP) serving Apple devices. As stated in the vendor’s advisory, if the options in the default configurations of vfs_fruit are set to settings other than the preselected option, the system is unaffected by the vulnerability.

Who and what are likely affected?

Samba has released the source code patch for this gap, along with the other vulnerabilities disclosed to them. Samba also announced that this vulnerability affects all versions of Samba prior to 4.13.17. In addition, security releases to correct the said gap have been issued for Samba 4.13.17, 4.14.12, and 4.15.5, advising administrators to upgrade these releases and apply the patch immediately. Network-attached storage (NAS) devices are also likely affected by this vulnerability and vendors are expected to release updates for their respective devices. The company’s vendor list shows that the potential sectors affected by this security concern include critical industries such as communications, energy, government, manufacturing, and science and technology, as well as consumer devices such as appliances and internet of things (IoT) devices.

How can the Samba vulnerability be mitigated?

Patches were released in January, and administrators are advised to apply the applicable updates as soon as possible. While the vendor has also advised removing the fruit VFS module from the vfs objects lines as a workaround, this can severely affect macOS systems attempting to access stored information in the server. Administrators are advised to focus on testing and deploying the patch to remediate the vulnerability. ZDI also advises that many different vendors will need to update their version to ship with affected devices (such as NAS devices), so the release of additional patches can be expected.

Has Samba been abused for attacks?

Earlier versions of Samba, such as 3.6.3 and lower, have reported security concerns that allow unauthorized users to gain root access from an anonymous connection by exploiting Samba’s remote procedure call. Other disclosures have also been done before:

• In 2016, Badlock (assigned CVE-2016-2118, rated Critical) was disclosed to Windows and Samba, where the substitution augmentation, modification, and redefinition (SAMR) and local security authority domain (LSAD) protocols could be abused for man-in-the-middle (MiTM) attacks.  
• In 2017, a remote code execution gap was found in Samba and named EternalRed or SambaCry (assigned CVE-2017-7494, rated Important), which affected all versions since 3.5.0. NamPoHyu was among the ransomware families that exploited this gap.
• In 2020, a proof of concept (PoC) for a Netlogon vulnerability called Zerologon (assigned CVE-2020-1472, rated Critical) was identified. The flaw allowed an attacker to elevate privileges by establishing a vulnerable Netlogon secure channel connection to a domain controller using the Netlogon Remote Protocol (MS-NRPC). Federal agencies using the software were ordered to install the patches released in August 2020.

Given the standard use of Samba for system interoperability via the SMB protocol, administrators should monitor shared file, printer, and access sharing data transmissions. The Windows SMB, which is used for remote services, can be abused by attackers to propagate through the organization’s network, or used as a jump-off point to spread to other connected systems. Administrators are advised to enable solutions that can monitor and scan for transmissions that require the vfs_fruit configurations.

Trend Micro solutions

Trend Micro has released a Knowledge Base article addressing this security concern. In addition to installing the released patches by the vendor, Trend Micro has released supplementary rules, filters, and detection protection solutions that may provide additional prevention and mitigation layers against malicious components that may exploit this vulnerability.

Read More HERE