{"vuid":"VU#119678","idnumber":"119678","name":"Samba vfs_fruit module insecurely handles extended file attributes","keywords":null,"overview":"### Overview\r\nThe Samba [vfs_fruit](https://www.samba.org/samba/docs/current/man-html/vfs_fruit.8.html) module allows out-of-bounds heap read and write via extended file attributes (CVE-2021-44142). This vulnerability allows a remote attacker to execute arbitrary code with root privileges.\r\n\r\n### Description\r\n\r\nThe Samba [`vfs_fruit`](https://www.samba.org/samba/docs/current/man-html/vfs_fruit.8.html) module uses extended file attributes (EA, xattr) to provide \"...enhanced compatibility with Apple SMB clients and interoperability with a Netatalk 3 AFP fileserver.\" Samba with `vfs_fruit` configured allows out-of-bounds heap read and write via specially crafted extended file attributes.\r\n\r\nFor more information, see the Samba announcement for [CVE-2021-44142](https://www.samba.org/samba/security/CVE-2021-44142.html) and bug [14914](https://bugzilla.samba.org/show_bug.cgi?id=14914). Also available for reference is a detailed blog post from [ZDI](https://www.zerodayinitiative.com/blog/2022/2/1/cve-2021-44142-details-on-a-samba-code-execution-bug-demonstrated-at-pwn2own-austin).\r\n\r\n### Impact\r\nA remote attacker with write access to extended file attributes can execute arbitrary code with the privileges of `smbd`, typically root.\r\n\r\nFrom the Samba annoucement for [CVE-2021-44142](https://www.samba.org/samba/security/CVE-2021-44142.html):\r\n> Access as a user that has write access to a file's extended attributes is required to exploit this vulnerability. Note that this could be a guest or unauthenticated user if such users are allowed write access to file extended attributes.\r\n\r\n### Solution\r\n\r\n#### Apply an update\r\nSamba has [released](https://www.samba.org/samba/security/CVE-2021-44142.html) versions 4.13.17, 4.14.12, and 4.15.5.\r\n\r\n#### Disable vfs_fruit\r\nAs a workaround, remove 'fruit' from 'vfs objects' lines in Samba configuration files (e.g., `smb.conf`).\r\n\r\n### Acknowledgements\r\nThanks to Orange Tsai of DEVCORE for researching and reporting this vulnerability. Thanks also to Samba, ZDI, and Western Digital for coordination efforts.\r\n\r\nThis document was written by James Stanley and Art Manion.","clean_desc":null,"impact":null,"resolution":null,"workarounds":null,"sysaffected":null,"thanks":null,"author":null,"public":["https://www.samba.org/samba/security/CVE-2021-44142.html","https://bugzilla.samba.org/show_bug.cgi?id=14914","https://www.zerodayinitiative.com/blog/2022/2/1/cve-2021-44142-details-on-a-samba-code-execution-bug-demonstrated-at-pwn2own-austin","https://www.samba.org/samba/history/security.html","https://www.samba.org/samba/docs/current/man-html/vfs_fruit.8.html"],"cveids":["CVE-2021-44142"],"certadvisory":null,"uscerttechnicalalert":null,"datecreated":"2022-01-31T16:46:52.192522Z","publicdate":"2022-01-31T00:00:00Z","datefirstpublished":"2022-01-31T16:46:52.226503Z","dateupdated":"2025-02-03T21:10:24.244663Z","revision":20,"vrda_d1_directreport":null,"vrda_d1_population":null,"vrda_d1_impact":null,"cam_widelyknown":null,"cam_exploitation":null,"cam_internetinfrastructure":null,"cam_population":null,"cam_impact":null,"cam_easeofexploitation":null,"cam_attackeraccessrequired":null,"cam_scorecurrent":null,"cam_scorecurrentwidelyknown":null,"cam_scorecurrentwidelyknownexploited":null,"ipprotocol":null,"cvss_accessvector":null,"cvss_accesscomplexity":null,"cvss_authentication":null,"cvss_confidentialityimpact":null,"cvss_integrityimpact":null,"cvss_availabilityimpact":null,"cvss_exploitablity":null,"cvss_remediationlevel":null,"cvss_reportconfidence":null,"cvss_collateraldamagepotential":null,"cvss_targetdistribution":null,"cvss_securityrequirementscr":null,"cvss_securityrequirementsir":null,"cvss_securityrequirementsar":null,"cvss_basescore":null,"cvss_basevector":null,"cvss_temporalscore":null,"cvss_environmentalscore":null,"cvss_environmentalvector":null,"metric":null,"vulnote":62}