Threat Advisory: Highly Exploitable Vulnerabilities in Samba

February 3, 2022

Overview

On January 31st, 2022, three vulnerabilities in Samba (CVE-2021-44141, CVE-2022-0336, and CVE-2021-44142) were publicly disclosed. Samba is a free and open-source software (FOSS) package that provides SMB/CIFS capability for Linux/Unix devices[1].

CVE-2022-0336 is a vulnerability in the Samba Active Directory Domain Controller that allows an attacker to bypass service principal name (SPN) checking and, as a result, intercept traffic and impersonate existing services[2].

CVE-2021-44141 is an information disclosure vulnerability caused by following symlinks that point to files or directories outside of the exported file share. It affects all versions of Samba file servers prior to 4.15.5[3].

CVE-2021-44142 is an out-of-bounds heap read/write vulnerability in the "vfs_fruit" VFS module of all versions of Samba prior to 4.13.17. If exploited, an unauthenticated, remote attacker can execute arbitrary, adversary-controlled code as root on the impacted system[4].

Details & Affected Technologies

CVE-2022-0336
  Description: Checks in the Samba AD DC to prevent aliased SPNs could be bypassed, giving users who can write to an account's servicePrincipalName attribute the ability to impersonate services.
  CVSS 3.1 (Base): 8.8 HIGH
  CVSS 3.1 Vector String (Base): AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  ATT&CK: T1068 - Exploitation for Privilege Escalation
  CWE: CWE-732: Incorrect Permission Assignment for Critical Resource

CVE-2021-44141
  Description: A client can use a symlink to discover whether a file or directory exists on the filesystem outside of the exported share. The user must have permission to query a symlink inside the exported share using SMB1 with UNIX extensions turned on.
  CVSS 3.1 (Base): 4.2 MEDIUM
  CVSS 3.1 Vector String (Base): AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  ATT&CK: T1210 - Exploitation of Remote Services
  CWE: CWE-61: UNIX Symbolic Link (Symlink) Following

CVE-2021-44142
  Description: All versions of Samba prior to 4.13.17 are vulnerable to an out-of-bounds heap read/write vulnerability that allows remote attackers to execute arbitrary code as root on affected Samba installations that use the VFS module vfs_fruit.
  CVSS 3.1 (Base): 9.9 CRITICAL
  CVSS 3.1 Vector String (Base): AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
  ATT&CK: T1203 - Exploitation for Client Execution; T1068 - Exploitation for Privilege Escalation
  CWE: CWE-787: Out-of-bounds Write; CWE-125: Out-of-bounds Read

HG Suggestions and Recommendations

Security updates are available for all three vulnerabilities. The Herjavec Group Threat and Vulnerability Management Team recommends that organizations with vulnerable systems prioritize patching the critical (CVE-2021-44142) and high (CVE-2022-0336) vulnerabilities because of their high exploit potential.

The team also recommends that organizations seeking to protect themselves against T1203 - Exploitation for Client Execution, T1068 - Exploitation for Privilege Escalation, and T1210 - Exploitation of Remote Services consider Application Isolation and Sandboxing to make it harder for adversaries to advance malicious operations.

If impacted systems cannot be updated in a timely manner, temporary workarounds exist for CVE-2021-44141 and CVE-2021-44142.

CVE-2021-44141 requires SMB1 to be enabled in order to be exploited; with SMB1 disabled, the exploit cannot succeed. If you cannot update impacted systems immediately, disable SMB1 as soon as possible.

CVE-2021-44142 can be temporarily mitigated by removing the "fruit" VFS module from the list of configured objects in every "vfs objects" line in the Samba configuration file, smb.conf. Organizations choosing this workaround should be aware that the information stored through that module becomes inaccessible to macOS clients, so it will appear lost to them until the module is restored.
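As an added illustration of both workarounds (this is example code written for this page, not code from the advisory or from the Samba project), the following Python script parses a constructed smb.conf, flags the two conditions described above (SMB1 still negotiable while UNIX extensions are on, and "fruit" present in any share's effective "vfs objects" list), and emits a hardened copy that drops "fruit" from every "vfs objects" line and sets "server min protocol = SMB2_02" in [global]. The workgroup, share names, paths and finding codes are assumptions made for the example.

```python
"""Audit and harden an smb.conf for the two temporary workarounds:
SMB1 left negotiable (CVE-2021-44141) and the "fruit" VFS module loaded
(CVE-2021-44142). Illustrative code; the sample config below is constructed."""
import re

# Constructed sample smb.conf: hypothetical workgroup, share names and paths.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = EXAMPLE
   server min protocol = NT1
   unix extensions = yes
   vfs objects = catia fruit streams_xattr

[timemachine]
   path = /srv/samba/timemachine
   fruit:time machine = yes

[public]
   path = /srv/samba/public
   vfs objects = recycle
"""

# "server min protocol" values at or below NT1 still let clients negotiate SMB1.
SMB1_LEVELS = {"CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1"}
SAFE_MIN_PROTOCOL = "SMB2_02"
TRUE_VALUES = {"yes", "true", "1", "on"}  # spellings Samba accepts as boolean true
SECTION_RE = re.compile(r"\[(.+)\]$")


def normalize_key(key):
    """Samba ignores case and internal whitespace in parameter names."""
    return re.sub(r"\s+", " ", key.strip().lower())


def parse_smb_conf(text):
    """Parse smb.conf into {section: {parameter: value}}; later duplicates win."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][normalize_key(key)] = value.strip()
    return sections


def audit(text):
    """Return sorted (section, finding_code) pairs for the two workarounds."""
    sections = parse_smb_conf(text)
    glob = sections.get("global", {})
    findings = set()
    min_proto = glob.get("server min protocol")
    if min_proto is None:
        # The default depends on the Samba release (NT1 on older builds,
        # SMB2_02 on newer ones), so an unset value is treated as unknown.
        findings.add(("global", "SMB1_DEFAULT_UNKNOWN"))
        smb1_possible = True
    else:
        smb1_possible = min_proto.upper() in SMB1_LEVELS
        if smb1_possible:
            findings.add(("global", "SMB1_ENABLED"))
    # CVE-2021-44141 needs SMB1 plus UNIX extensions (a global parameter, default yes).
    if smb1_possible and glob.get("unix extensions", "yes").lower() in TRUE_VALUES:
        findings.add(("global", "UNIX_EXTENSIONS_WITH_SMB1"))
    # "vfs objects" is per share; a share inherits [global] unless it overrides it.
    for share, params in sections.items():
        if share == "global":
            continue
        modules = params.get("vfs objects", glob.get("vfs objects", "")).split()
        if "fruit" in modules:
            findings.add((share, "VFS_FRUIT"))
    return sorted(findings)


def harden(text):
    """Rewrite the config: drop "fruit" from every vfs objects line and force
    server min protocol to SMB2_02 in [global]. Every other line passes through."""
    out, in_global, min_proto_done = [], False, False
    for raw in text.splitlines():
        line = raw.strip()
        indent = raw[: len(raw) - len(raw.lstrip())]
        m = SECTION_RE.match(line)
        if m:
            if in_global and not min_proto_done:
                out.append(f"   server min protocol = {SAFE_MIN_PROTOCOL}")
            in_global = m.group(1).strip().lower() == "global"
            out.append(raw)
            continue
        if line and line[0] not in ";#" and "=" in line:
            key, value = line.split("=", 1)
            key = normalize_key(key)
            if key == "vfs objects":
                kept = [mod for mod in value.split() if mod != "fruit"]
                out.append(f"{indent}vfs objects = {' '.join(kept)}".rstrip())
                continue
            if in_global and key == "server min protocol":
                min_proto_done = True
                if value.strip().upper() in SMB1_LEVELS:
                    out.append(f"{indent}server min protocol = {SAFE_MIN_PROTOCOL}")
                    continue
        out.append(raw)
    if in_global and not min_proto_done:
        out.append(f"   server min protocol = {SAFE_MIN_PROTOCOL}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for section, code in audit(SAMPLE_SMB_CONF):
        print(f"[{section}] {code}")
    print(harden(SAMPLE_SMB_CONF))
```

Run the script directly to print the findings for the sample and the hardened copy. On the sample it reports SMB1 enabled with UNIX extensions on in [global] and "fruit" in effect for the timemachine share (inherited from [global]); the hardened output audits clean. The script deliberately leaves "unix extensions" alone, because the workaround the advisory gives for CVE-2021-44141 is disabling SMB1, and it keeps any leftover "fruit:" options, which Samba ignores once the module is no longer loaded. Validate any rewritten file with Samba's own testparm before reloading the service.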


References

[1] The Samba Team, “What is Samba?,” Samba.  Accessed Feb. 01, 2022.

[2] The Samba Team, “CVE-2022-0336,” Samba Security Announcement Archive, Jan. 31, 2022. Accessed Feb. 01, 2022.

[3] The Samba Team, “Samba - Security Announcement Archive.” Accessed Feb. 01, 2022.

[4] The Samba Team, “CVE-2021-44142,” Samba Security Announcement Archive, Jan. 31, 2022. Accessed Feb. 01, 2022.

