Advisories ยป MGASA-2022-0054

Updated samba packages fix security vulnerability

Publication date: 09 Feb 2022
Modification date: 09 Feb 2022
Type: security
Affected Mageia releases : 8
CVE: CVE-2021-20316 , CVE-2021-44141 , CVE-2021-44142 , CVE-2022-0336

Description

For CVE-2021-20316 and CVE-2021-44141, there is only a workaround and
mitigation:

All versions of Samba prior to 4.15.5 are vulnerable to a malicious
client using a server symlink to determine if a file or directory
exists in an area of the server file system not exported under the
share definition. SMB1 with unix extensions has to be enabled in order
for this attack to succeed.

Clients that have write access to the exported part of the file system
under a share via SMB1 unix extensions or via NFS can create symlinks
that point to arbitrary files or directories on the server filesystem.

Clients can then use SMB1 unix extension information queries to
determine if the target of the symlink exists or not by examining
error codes returned from the smbd server. There is no ability to
access these files or directories, only to determine if they exist or
not.

If SMB1 is turned off and only SMB2 is used, or unix extensions are
not enabled then there is no way to discover if a symlink points to a
valid target or not via SMB2. For this reason, even if symlinks are
created via NFS, if the Samba server does not allow SMB1 with unix
extensions there is no way to exploit this bug.

Finding out what files or directories exist on a file server can help
attackers guess system user names or the exact operating system
release and applications running on the server hosting Samba which may
help mount further attacks.

SMB1 has been disabled on Samba since version 4.11.0 and
onwards. Exploitation of this bug has not been seen in the wild.

For CVE-2021-44142, All versions of Samba prior to 4.13.17 are vulnerable
to an out-of-bounds heap read write vulnerability that allows remote
attackers to execute arbitrary code as root on affected Samba
installations that use the VFS module vfs_fruit.

The specific flaw exists within the parsing of EA metadata when
opening files in smbd. Access as a user that has write access to a
file's extended attributes is required to exploit this
vulnerability. Note that this could be a guest or unauthenticated user
if such users are allowed write access to file extended attributes.

The problem in vfs_fruit exists in the default configuration of the
fruit VFS module using fruit:metadata=netatalk or fruit:resource=file.
If both options are set to different settings than the default values,
the system is not affected by the security issue.

For CVE-2022-0336, The Samba AD DC includes checks when adding service
principals names (SPNs) to an account to ensure that SPNs do not alias
with those already in the database. Some of these checks are able to be
bypassed if an account modification re-adds an SPN that was previously
present on that account, such as one added when a computer is joined to
a domain.

An attacker who has the ability to write to an account can exploit
this to perform a denial-of-service attack by adding an SPN that
matches an existing service. Additionally, an attacker who can
intercept traffic can impersonate existing services, resulting in a
loss of confidentiality and integrity.

References

SRPMS

8/core