Samba vfs_fruit Module RCE Vulnerability

By

Overview:

  Samba is an open-source implementation of the SMB/CIFS (Server Message Block/Common Internet File System) suite of file, print, and other network services. Samba implements several protocols and services including NetBIOS over TCP/IP (NBT), SMB, CIFS, DCE/RPC, MSRPC, the network neighborhood suite of protocols, the Netlogon remote protocol and more. By default a Samba server listens on 139/TCP and 445/TCP for SMB over TCP. If Samba is configured to use NetBIOS over UDP as a transport, the nmbd daemon listens on 137/UDP for the NetBIOS name service and on 138/UDP for the NetBIOS datagram service.

  An out-of-bounds heap read/write vulnerability has been reported in the vfs_fruit module of Samba. The vulnerability is due to a flaw in parsing extended attribute (EA) metadata when smbd opens files. An attacker who can write to a share served through vfs_fruit (which on permissive configurations, such as shares allowing guest access, does not require authentication) can exploit this vulnerability by sending crafted requests to the target service.

  Vendor Homepage

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2021-44142.

  CVE Listing

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 8.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C).

  Base score is 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is none.
    • Scope is unchanged.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 8.5 (E:U/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is unproven.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

  CVSS Calculator Metrics

Technical Overview:

  The vulnerability occurs due to improper validation of the EntryOffset field of the ADEID_FILEDATESI entry inside AppleDouble data. To set the AFP_AfpInfo of a file, an SMB2_SET_INFO request carrying an extended attribute named org.netatalk.Metadata can be sent to the Samba server over SMBv2. When the Samba server receives the request, the attribute is stored in the file's user.org.netatalk.Metadata extended attribute using the setxattr() system call.

  Two internal functions, ad_getdate() and ad_setdate(), access the ADEID_FILEDATESI entry stored in the AppleDouble metadata of a file. Both use the EntryOffset value of the ADEID_FILEDATESI entry as the base address for a 4-byte memory read or write. However, they only check that EntryOffset itself lies within the AppleDouble data; they do not check that the 4 bytes starting at EntryOffset still fit. If EntryOffset plus 4 exceeds the total size of the AppleDouble data (402 bytes), the operation reads or writes past the end of the heap buffer.

  The vulnerable function ad_setdate() is reached when time-related file information is updated over SMB. For example, when a remote client sends an SMB2_SET_INFO request with FileInfoClass FileBasicInformation (0x04), the Samba server eventually calls ad_setdate() to update the file's timestamps with the supplied data. Similarly, ad_getdate() is reached when time-related file information is queried over SMB; even an SMB2_CREATE request ends up calling fruit_stat() and, through it, ad_getdate(), which is enough to reproduce the out-of-bounds read.
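  The following added example (not Samba's code; structure names, helper names and the sample blobs are this example's own) parses the AppleDouble entry table the way the text describes and places the weak offset check beside a corrected one. The entry table format (big-endian magic, version, 16-byte filler, entry count, then 12-byte entry ID/offset/length records) and the 402-byte blob size are the standard AppleDouble layout; the "good" and "bad" blobs are constructed inline. With the weak check an EntryOffset of 400 in a 402-byte blob is accepted even though the 4-byte date field ends at byte 404; the corrected check rejects it.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define AD_MAGIC         0x00051607u
#define AD_VERSION2      0x00020000u
#define AD_DATASZ_XATTR  402u   /* size of the metadata blob stored in the xattr */
#define ADEID_FILEDATESI 8u     /* AppleDouble entry ID of the file dates entry */
#define AD_DATE_CREATE   0u     /* byte offset of the create date inside that entry */
#define AD_DATE_MODIFY   4u     /* byte offset of the modify date */
#define AD_DATE_LEN      4u
#define AD_FILEDATES_LEN 16u    /* create, modify, backup, access: 4 bytes each */
#define AD_HEADER_LEN    26u    /* magic(4) + version(4) + filler(16) + entry count(2) */
#define AD_ENTRY_LEN     12u    /* entry ID(4) + offset(4) + length(4) */

static uint32_t get32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

static void put32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Walk the entry table and return the offset/length recorded for `eid`.
 * Only the table itself is validated here; the recorded offset is untrusted. */
static int ad_find_entry(const uint8_t *ad, size_t adlen, uint32_t eid,
                         uint32_t *off, uint32_t *len)
{
    if (adlen < AD_HEADER_LEN || get32(ad) != AD_MAGIC || get32(ad + 4) != AD_VERSION2)
        return -1;
    uint16_t n = (uint16_t)((ad[24] << 8) | ad[25]);
    if (AD_HEADER_LEN + (size_t)n * AD_ENTRY_LEN > adlen)
        return -1;
    for (uint16_t i = 0; i < n; i++) {
        const uint8_t *e = ad + AD_HEADER_LEN + (size_t)i * AD_ENTRY_LEN;
        if (get32(e) == eid) { *off = get32(e + 4); *len = get32(e + 8); return 0; }
    }
    return -1;
}

/* Weak check of the kind described above: only EntryOffset is compared with
 * the blob size, so the 4-byte access at off + dateoff may run past the end. */
int ad_date_check_vuln(const uint8_t *ad, size_t adlen, size_t dateoff)
{
    uint32_t off, len;
    (void)dateoff;
    if (ad_find_entry(ad, adlen, ADEID_FILEDATESI, &off, &len) != 0)
        return 0;
    return off < adlen;
}

/* Corrected check: the entry must hold all four dates and the whole 4-byte
 * field being accessed must lie inside the blob. */
int ad_date_check_fixed(const uint8_t *ad, size_t adlen, size_t dateoff)
{
    uint32_t off, len;
    if (ad_find_entry(ad, adlen, ADEID_FILEDATESI, &off, &len) != 0)
        return 0;
    if (len < AD_FILEDATES_LEN || dateoff + AD_DATE_LEN > len)
        return 0;
    return (uint64_t)off + dateoff + AD_DATE_LEN <= adlen;
}

/* Read one date field through the corrected check. Returns 0 on success. */
int ad_getdate(const uint8_t *ad, size_t adlen, size_t dateoff, uint32_t *out)
{
    uint32_t off, len;
    if (!ad_date_check_fixed(ad, adlen, dateoff))
        return -1;
    ad_find_entry(ad, adlen, ADEID_FILEDATESI, &off, &len);
    *out = get32(ad + off + dateoff);
    return 0;
}

/* Build a constructed 402-byte blob with one FILEDATESI entry whose table slot
 * claims offset `dates_off`; the dates themselves are written only if they fit. */
void ad_build(uint8_t buf[AD_DATASZ_XATTR], uint32_t dates_off, const uint32_t dates[4])
{
    memset(buf, 0, AD_DATASZ_XATTR);
    put32(buf, AD_MAGIC);
    put32(buf + 4, AD_VERSION2);
    buf[24] = 0; buf[25] = 1;                       /* one entry in the table */
    put32(buf + AD_HEADER_LEN, ADEID_FILEDATESI);
    put32(buf + AD_HEADER_LEN + 4, dates_off);
    put32(buf + AD_HEADER_LEN + 8, AD_FILEDATES_LEN);
    if ((uint64_t)dates_off + AD_FILEDATES_LEN <= AD_DATASZ_XATTR)
        for (int i = 0; i < 4; i++) put32(buf + dates_off + 4 * i, dates[i]);
}

int main(void)
{
    uint8_t good[AD_DATASZ_XATTR], bad[AD_DATASZ_XATTR];
    const uint32_t dates[4] = { 0x10, 0x20, 0x30, 0x40 };
    uint32_t v = 0;
    ad_build(good, 64, dates);   /* dates fully inside the blob */
    ad_build(bad, 400, dates);   /* 400 < 402 passes the weak check, 400 + 4 > 402 */
    printf("good: getdate(modify) -> %d, value 0x%x\n",
           ad_getdate(good, AD_DATASZ_XATTR, AD_DATE_MODIFY, &v), v);
    printf("bad:  weak check %d, fixed check %d\n",
           ad_date_check_vuln(bad, AD_DATASZ_XATTR, AD_DATE_CREATE),
           ad_date_check_fixed(bad, AD_DATASZ_XATTR, AD_DATE_CREATE));
    return 0;
}
```

The weak check is deliberately not wired into a reading path: on the "bad" blob it would read (or, for the ad_setdate() counterpart, write) 2 bytes beyond the buffer, which is exactly the heap out-of-bounds condition the advisory describes. The corrected check also rejects an entry whose recorded length is shorter than the 16 bytes the four dates need, since an attacker controls that field as well.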

  SMB Protocol

Triggering the Problem:

  • The attacker must have network connectivity to the target host.
  • The attacker must be able to connect to a share on the target system.
  • The attacker must have write permission on a shared folder served through the vfs_fruit module.

Triggering Conditions:

  The attacker establishes an SMB session and sends multiple crafted requests to the target server. The vulnerability is triggered as the server processes the requests.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • SMB/CIFS

SonicWall's Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS: 2481 Samba vfs_fruit Module Remote Code Execution 2

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Apply the IPS signature above.
    • Apply the vendor-supplied patch that eliminates this vulnerability (Samba 4.13.17, 4.14.12, 4.15.5 or later).
    • Where patching is not immediately possible, remove "fruit" from the "vfs objects" line of the affected shares in smb.conf, as the Samba advisory recommends; this disables the vulnerable module at the cost of macOS metadata interoperability.
    • Disable SMBv2 if it is not required.
    • Remove write permissions for untrusted users, including guest access, on shares that use vfs_fruit.
  The vendor has released the following advisory regarding this vulnerability:
  Vendor Advisory
