MGASA-2022-0054 - Updated samba packages fix security vulnerability

Publication date: 09 Feb 2022
URL: https://advisories.mageia.org/MGASA-2022-0054.html
Type: security
Affected Mageia releases: 8
CVE: CVE-2021-20316,
     CVE-2021-44141,
     CVE-2021-44142,
     CVE-2022-0336

For CVE-2021-20316 and CVE-2021-44141, there is only a workaround and
mitigation:

All versions of Samba prior to 4.15.5 are vulnerable to a malicious
client using a server symlink to determine if a file or directory
exists in an area of the server file system not exported under the
share definition. SMB1 with unix extensions has to be enabled in order
for this attack to succeed.

Clients that have write access to the exported part of the file system
under a share via SMB1 unix extensions or via NFS can create symlinks
that point to arbitrary files or directories on the server filesystem.

Clients can then use SMB1 unix extension information queries to
determine if the target of the symlink exists or not by examining
error codes returned from the smbd server. There is no ability to
access these files or directories, only to determine if they exist or
not.

If SMB1 is turned off and only SMB2 is used, or unix extensions are
not enabled then there is no way to discover if a symlink points to a
valid target or not via SMB2. For this reason, even if symlinks are
created via NFS, if the Samba server does not allow SMB1 with unix
extensions there is no way to exploit this bug.

Finding out what files or directories exist on a file server can help
attackers guess system user names or the exact operating system
release and applications running on the server hosting Samba which may
help mount further attacks.

SMB1 has been disabled on Samba since version 4.11.0 and
onwards. Exploitation of this bug has not been seen in the wild.

For CVE-2021-44142, All versions of Samba prior to 4.13.17 are vulnerable
to an out-of-bounds heap read write vulnerability that allows remote
attackers to execute arbitrary code as root on affected Samba
installations that use the VFS module vfs_fruit.

The specific flaw exists within the parsing of EA metadata when
opening files in smbd. Access as a user that has write access to a
file's extended attributes is required to exploit this
vulnerability. Note that this could be a guest or unauthenticated user
if such users are allowed write access to file extended attributes.

The problem in vfs_fruit exists in the default configuration of the
fruit VFS module using fruit:metadata=netatalk or fruit:resource=file.
If both options are set to different settings than the default values,
the system is not affected by the security issue.

For CVE-2022-0336, The Samba AD DC includes checks when adding service
principals names (SPNs) to an account to ensure that SPNs do not alias
with those already in the database. Some of these checks are able to be
bypassed if an account modification re-adds an SPN that was previously
present on that account, such as one added when a computer is joined to
a domain.

An attacker who has the ability to write to an account can exploit
this to perform a denial-of-service attack by adding an SPN that
matches an existing service. Additionally, an attacker who can
intercept traffic can impersonate existing services, resulting in a
loss of confidentiality and integrity.

References:
- https://bugs.mageia.org/show_bug.cgi?id=29974
- https://www.samba.org/samba/security/CVE-2021-44141.html
- https://www.samba.org/samba/security/CVE-2021-44142.html
- https://www.samba.org/samba/security/CVE-2022-0336.html
- https://www.samba.org/samba/history/samba-4.14.12.html
- https://ubuntu.com/security/notices/USN-5260-1
- https://www.samba.org/samba/security/CVE-2021-20316.html
- https://lists.suse.com/pipermail/sle-security-updates/2022-February/010164.html
- https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/72ZRNFZ3DE3TJA7HFCVV476YJN6I4B5M/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20316
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44141
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44142
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0336

SRPMS:
- 8/core/samba-4.14.12-1.mga8

Mageia 2022-0054: samba security update

For CVE-2021-20316 and CVE-2021-44141, there is only a workaround and mitigation: All versions of Samba prior to 4.15.5 are vulnerable to a malicious client using a server symlink...

Summary

For CVE-2021-20316 and CVE-2021-44141, there is only a workaround and mitigation:
All versions of Samba prior to 4.15.5 are vulnerable to a malicious client using a server symlink to determine if a file or directory exists in an area of the server file system not exported under the share definition. SMB1 with unix extensions has to be enabled in order for this attack to succeed.
Clients that have write access to the exported part of the file system under a share via SMB1 unix extensions or via NFS can create symlinks that point to arbitrary files or directories on the server filesystem.
Clients can then use SMB1 unix extension information queries to determine if the target of the symlink exists or not by examining error codes returned from the smbd server. There is no ability to access these files or directories, only to determine if they exist or not.
If SMB1 is turned off and only SMB2 is used, or unix extensions are not enabled then there is no way to discover if a symlink points...

Read the Full Advisory

References

- https://bugs.mageia.org/show_bug.cgi?id=29974

- https://www.samba.org/samba/security/CVE-2021-44141.html

- https://www.samba.org/samba/security/CVE-2021-44142.html

- https://www.samba.org/samba/security/CVE-2022-0336.html

- https://www.samba.org/samba/history/samba-4.14.12.html

- https://ubuntu.com/security/notices/USN-5260-1

- https://www.samba.org/samba/security/CVE-2021-20316.html

- https://lists.suse.com/pipermail/sle-security-updates/2022-February/010164.html

- https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/72ZRNFZ3DE3TJA7HFCVV476YJN6I4B5M/

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20316

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44141

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44142

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0336

Resolution

MGASA-2022-0054 - Updated samba packages fix security vulnerability

SRPMS

- 8/core/samba-4.14.12-1.mga8

Severity
Publication date: 09 Feb 2022
URL: https://advisories.mageia.org/MGASA-2022-0054.html
Type: security
CVE: CVE-2021-20316, CVE-2021-44141, CVE-2021-44142, CVE-2022-0336

Related News

The End of the Road for Linux 6.11: A Call to Upgrade to Kernel 6.12
3 - 5 min read
The Linux kernel community recently issued an EOL announcement regarding the 6.11 kernel series, urging sysadmins to upgrade quickly to 6.12 . This
A Linux Admin
3 - 6 min read
As 2025 approaches, we Linux admins are facing new and often unseen cloud-native security obstacles. While skilled at mitigating known risks,
Leveraging Insights from the Linux Foundation
3 - 5 min read
The Linux Foundation's recent Census III report provides critical insights for Linux administrators, information security professionals, and anyone
Chrome 131 Released: Emergency Security Update Fixes Over a Dozen Significant Vulns
3 - 6 min read
Google recently unveiled a critical security update to their popular web browser, Google Chrome, addressing over a dozen significant security
From Wayland Fixes to Security Boosts: Examining Qt 6.8.1
3 - 6 min read
The recent Qt 6.8.1 release brings significant updates and improvements, strengthening its reputation as a secure and reliable application
Exploring Arch Linux 2024.12.01: Security Implications & Notable Enhancements for Linux Admins
3 - 6 min read
The Arch Linux 2024.12.01 ISO release marks an impressive milestone, offering cutting-edge updates that enhance functionality, streamline
Deck the Halls with Enhanced Security: Linux Kernel 6.13
3 - 5 min read
As Linux admins and infosec professionals prepare for the holiday season, there's much cause for celebration this year! Linus Torvalds recently made
Lessons from Bootkitty: Securing Linux Systems Against UEFI Intrusions
3 - 5 min read
New Linux security threats mark critical junctures that challenge existing policies and test security protocols to their limit. One such milestone

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved