A Vulnerability in Samba Could Allow for Arbitrary Code Execution

MS-ISAC ADVISORY NUMBER:

2022-016

DATE(S) ISSUED:

02/01/2022

OVERVIEW:

A vulnerability has been discovered in Samba which could allow for arbitrary code execution. Samba is the standard Windows interoperability suite of programs for Linux and Unix. Successful exploitation of this vulnerability could result in arbitrary code execution as root on affected Samba installations that use the VFS module vfs_fruit. Because the smbd process runs as root, an attacker who achieves code execution could then install programs or view, change, or delete data on the affected system.

THREAT INTELLIGENCE:

There are currently no reports of this vulnerability being exploited in the wild.

SYSTEMS AFFECTED:

  • Samba versions prior to 4.13.17 (the 4.14 and 4.15 release branches are affected before 4.14.12 and 4.15.5 respectively)

RISK:

Government:
  • Large and medium government entities: HIGH
  • Small government entities: HIGH
Businesses:
  • Large and medium business entities: HIGH
  • Small business entities: HIGH
Home Users:
  • LOW

TECHNICAL SUMMARY:

A vulnerability (CVE-2021-44142) has been discovered in Samba installations that use the vfs_fruit module, which could allow for arbitrary code execution. An out-of-bounds heap read/write vulnerability exists in the parsing of extended attribute (EA) metadata when opening files in smbd. Exploitation requires access as a user with write access to a file's extended attributes; this could be a guest or unauthenticated user if such users are allowed to write file extended attributes. The problem exists in the default configuration of the fruit VFS module, which uses fruit:metadata=netatalk and fruit:resource=file; a share is affected if either option still has its default value. If both options are set to values other than the defaults, the system is not affected by the security issue.

Successful exploitation of this vulnerability could result in arbitrary code execution as root on affected Samba installations. Because smbd runs as root, an attacker could then install programs or view, change, or delete data on the affected system.
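The following script is an added example, not part of the MS-ISAC advisory or the Samba project. It applies the affected-configuration rule above to an smb.conf: for each share it resolves the effective "vfs objects", "fruit:metadata" and "fruit:resource" settings (share level first, then [global]) and reports the share as affected when fruit is loaded and either option is still at its default. The three sample configurations are constructed for the demonstration; the script assumes plain smb.conf syntax and does not follow "include =" or "config file =" directives.

```shell
#!/bin/bash
# Added example (not from the MS-ISAC advisory or the Samba project): decide,
# from an smb.conf, which shares expose the vulnerable vfs_fruit code path.
# A share is affected when it loads "fruit" in "vfs objects" and its effective
# fruit:metadata is netatalk (the default) or fruit:resource is file (the default).
# Assumptions: plain smb.conf syntax; share options fall back to [global];
# "include =" and "config file =" directives are not followed.

fruit_affected_shares() {
    # Usage: fruit_affected_shares /etc/samba/smb.conf
    # Prints "<share> fruit:metadata=<value> fruit:resource=<value>" for each
    # affected share; returns 0 if any share is affected, 1 if none is.
    awk '
    function trim(s)   { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    # effective value for share s: share-level setting, else [global], else ""
    function eff(s, k) { return ((s, k) in cfg) ? cfg[s, k] : cfg["global", k] }
    function has_word(str, w,    i, m, a) {
        m = split(str, a, /[ \t]+/)
        for (i = 1; i <= m; i++) if (a[i] == w) return 1
        return 0
    }
    BEGIN { sec = "global" }
    /^[ \t]*[#;]/ { next }                       # comment lines
    /^[ \t]*\[/ {                                # [section] header
        sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/].*$/, "", sec)
        sec = tolower(trim(sec))
        if (sec != "global") shares[++n] = sec
        next
    }
    /=/ {                                        # parameter = value
        key = tolower(substr($0, 1, index($0, "=") - 1))
        gsub(/[ \t]/, "", key)                   # whitespace in names is not significant
        val = tolower(trim(substr($0, index($0, "=") + 1)))
        cfg[sec, key] = val
    }
    END {
        found = 0
        for (i = 1; i <= n; i++) {
            s = shares[i]
            mods = eff(s, "vfsobjects")
            if (!has_word(mods, "fruit")) continue
            meta = eff(s, "fruit:metadata"); if (meta == "") meta = "netatalk"
            res  = eff(s, "fruit:resource"); if (res  == "") res  = "file"
            if (meta == "netatalk" || res == "file") {
                print s " fruit:metadata=" meta " fruit:resource=" res
                found++
            }
        }
        exit (found > 0) ? 0 : 1
    }' "$1"
}

# Helper for the demo: run the check on configuration text held in a variable.
fruit_check_text() {
    local tmp rc
    tmp=$(mktemp)
    printf '%s' "$1" > "$tmp"
    fruit_affected_shares "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Constructed sample configurations (not taken from any real system).
# Defaults left in place: [timemachine] inherits fruit from [global] and is
# affected; [docs] replaces the module list and is not.
SMB_CONF_DEFAULT='[global]
   workgroup = EXAMPLE
   vfs objects = catia fruit streams_xattr

[timemachine]
   path = /srv/timemachine
   fruit:time machine = yes

[docs]
   path = /srv/docs
   vfs objects = acl_xattr
'
# Both options moved off their defaults globally: no share is affected.
SMB_CONF_HARDENED='[global]
   workgroup = EXAMPLE
   vfs objects = catia fruit streams_xattr
   fruit:metadata = stream
   fruit:resource = stream

[timemachine]
   path = /srv/timemachine
'
# Only fruit:metadata changed globally: [tm] still has fruit:resource = file
# and is affected; [ok] overrides fruit:resource per share and is not.
SMB_CONF_PARTIAL='[global]
   vfs objects = fruit streams_xattr
   fruit:metadata = stream

[tm]
   path = /srv/tm

[ok]
   path = /srv/ok
   fruit:resource = stream
'

for sample in "$SMB_CONF_DEFAULT" "$SMB_CONF_HARDENED" "$SMB_CONF_PARTIAL"; do
    if fruit_check_text "$sample"; then echo "-> affected shares listed above"; else echo "-> not affected"; fi
done
```

On a live server, run `fruit_affected_shares /etc/samba/smb.conf` (or against the output of `testparm -s`, which expands includes) and treat any reported share as exposed until the host is patched. Switching the two options to non-default values such as stream is only a workaround: metadata already written in the previous format is not read under the new setting, so plan the change with that in mind.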

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Apply appropriate patches provided by Samba to vulnerable systems and servers immediately after appropriate testing.
  • Where patching must be delayed, remove fruit from the "vfs objects" setting of affected shares, or set both fruit:metadata and fruit:resource to non-default values; note that metadata stored in the previous format will no longer be read under the new setting.
  • Restrict guest and unauthenticated access to shares, since the vulnerability is reachable by any user permitted to write file extended attributes.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Evaluate read, write, and execute permissions on all newly installed software.
  • Apply the Principle of Least Privilege to all systems and services.
