{"document":{"acknowledgments":[{"urls":["https://kb.cert.org/vuls/id/119678#acknowledgements"]}],"category":"CERT/CC Vulnerability Note","csaf_version":"2.0","notes":[{"category":"summary","text":"### Overview\r\nThe Samba [vfs_fruit](https://www.samba.org/samba/docs/current/man-html/vfs_fruit.8.html) module allows out-of-bounds heap read and write via extended file attributes (CVE-2021-44142). This vulnerability allows a remote attacker to execute arbitrary code with root privileges.\r\n\r\n### Description\r\n\r\nThe Samba [`vfs_fruit`](https://www.samba.org/samba/docs/current/man-html/vfs_fruit.8.html) module uses extended file attributes (EA, xattr) to provide \"...enhanced compatibility with Apple SMB clients and interoperability with a Netatalk 3 AFP fileserver.\" Samba with `vfs_fruit` configured allows out-of-bounds heap read and write via specially crafted extended file attributes.\r\n\r\nFor more information, see the Samba announcement for [CVE-2021-44142](https://www.samba.org/samba/security/CVE-2021-44142.html) and bug [14914](https://bugzilla.samba.org/show_bug.cgi?id=14914). Also available for reference is a detailed blog post from [ZDI](https://www.zerodayinitiative.com/blog/2022/2/1/cve-2021-44142-details-on-a-samba-code-execution-bug-demonstrated-at-pwn2own-austin).\r\n\r\n### Impact\r\nA remote attacker with write access to extended file attributes can execute arbitrary code with the privileges of `smbd`, typically root.\r\n\r\nFrom the Samba announcement for [CVE-2021-44142](https://www.samba.org/samba/security/CVE-2021-44142.html):\r\n> Access as a user that has write access to a file's extended attributes is required to exploit this vulnerability. 
Note that this could be a guest or unauthenticated user if such users are allowed write access to file extended attributes.\r\n\r\n### Solution\r\n\r\n#### Apply an update\r\nSamba has [released](https://www.samba.org/samba/security/CVE-2021-44142.html) versions 4.13.17, 4.14.12, and 4.15.5.\r\n\r\n#### Disable vfs_fruit\r\nAs a workaround, remove 'fruit' from 'vfs objects' lines in Samba configuration files (e.g., `smb.conf`).\r\n\r\n### Acknowledgements\r\nThanks to Orange Tsai of DEVCORE for researching and reporting this vulnerability. Thanks also to Samba, ZDI, and Western Digital for coordination efforts.\r\n\r\nThis document was written by James Stanley and Art Manion.","title":"Summary"},{"category":"legal_disclaimer","text":"THIS DOCUMENT IS PROVIDED ON AN 'AS IS' BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. ","title":"Legal Disclaimer"},{"category":"other","text":"CERT/CC Vulnerability Note is a limited advisory. It primarily identifies vendors impacted by the advisory and not specific products. We only support \"known_affected\" and \"known_not_affected\" status. Please consult the vendor's statements and advisory URL if provided by the vendor for more details ","title":"Limitations of Advisory"},{"category":"other","text":"Red Hat has released updates addressing this vulnerability. These can be found on our CVE page.","title":"Vendor statement from Red Hat"},{"category":"other","text":"Some F5 products contain the affected code. 
However, F5 identifies the vulnerability status as Not vulnerable because the attacker cannot exploit the code in default, standard, or recommended configurations.","title":"Vendor statement from F5 Networks"},{"category":"other","text":"Fixed in OpenWrt master and 22.03 by upgrade to 4.14.12:\r\nhttps://github.com/openwrt/packages/commit/1fa70d6a3c68bc49bdeae4d505f2e41ff3a0b906\r\n\r\nPrepared fix for OpenWrt 21.02 by upgrade to 4.14.12:\r\nhttps://github.com/openwrt/packages/pull/18145\r\n\r\nWill not fix this for OpenWrt 19.07, it still uses Samba 4.11.17","title":"Vendor statement from OpenWRT"},{"category":"other","text":"After further due diligence, Digi International has determined that we are not affected by this vulnerability due to Samba not being used in our products or services.","title":"Vendor statement from Digi International"},{"category":"other","text":"Based on our investigation we confirm that there are no platforms/products which are affected from this vulnerability.\r\n\r\nSecurity Incident Response Team\r\nJuniper Networks","title":"Vendor statement from Juniper Networks"},{"category":"other","text":"Espressif does not include Samba in the products or SDKs.","title":"Vendor statement from Espressif Systems"},{"category":"other","text":"SUSE is affected by this vulnerability and has released or will release updates.","title":"Vendor statement from SUSE Linux"},{"category":"other","text":"MikroTik does not use \"vfs_fruit module\" and therefore is not affected by this CVE.","title":"Vendor statement from MikroTik"},{"category":"other","text":"Triton, our cloud management system, is not affected at all.\r\n\r\nSmartOS offers SAMBA via pkgsrc, but it is not part of a base SmartOS system.  
pkgsrc will update SAMBA when SAMBA updates for this case.","title":"Vendor statement from Joyent"},{"category":"other","text":"Samba is not part of illumos proper, but is something distributions add in their own releases.","title":"Vendor statement from Illumos"},{"category":"other","text":"HardenedBSD does not ship with Samba in the base operating system.","title":"Vendor statement from HardenedBSD"},{"category":"other","text":"vfs_fruit module is not in use.","title":"Vendor statement from Check Point"},{"category":"other","text":"Muonics does not use Samba in any of its products and thus this vulnerability is not applicable.","title":"Vendor statement from Muonics Inc."},{"category":"other","text":"No Samba code in our products","title":"Vendor statement from eCosCentric"}],"publisher":{"category":"coordinator","contact_details":"Email: cert@cert.org, Phone: +1412 268 5800","issuing_authority":"CERT/CC under DHS/CISA https://www.cisa.gov/cybersecurity also see https://kb.cert.org/ ","name":"CERT/CC","namespace":"https://kb.cert.org/"},"references":[{"url":"https://certcc.github.io/certcc_disclosure_policy","summary":"CERT/CC vulnerability disclosure policy"},{"summary":"CERT/CC document 
released","category":"self","url":"https://kb.cert.org/vuls/id/119678"},{"url":"https://www.samba.org/samba/security/CVE-2021-44142.html","summary":"https://www.samba.org/samba/security/CVE-2021-44142.html"},{"url":"https://bugzilla.samba.org/show_bug.cgi?id=14914","summary":"https://bugzilla.samba.org/show_bug.cgi?id=14914"},{"url":"https://www.zerodayinitiative.com/blog/2022/2/1/cve-2021-44142-details-on-a-samba-code-execution-bug-demonstrated-at-pwn2own-austin","summary":"https://www.zerodayinitiative.com/blog/2022/2/1/cve-2021-44142-details-on-a-samba-code-execution-bug-demonstrated-at-pwn2own-austin"},{"url":"https://www.samba.org/samba/history/security.html","summary":"https://www.samba.org/samba/history/security.html"},{"url":"https://www.samba.org/samba/docs/current/man-html/vfs_fruit.8.html","summary":"https://www.samba.org/samba/docs/current/man-html/vfs_fruit.8.html"},{"url":"https://access.redhat.com/security/cve/CVE-2021-44142","summary":"Reference(s) from vendor \"Red Hat\""},{"url":"https://support.f5.com/csp/article/K84695749","summary":"Reference(s) from vendor \"F5 Networks\""},{"url":"https://www.synology.com/security/advisory/Synology_SA_22_02","summary":"Reference(s) from vendor \"Synology\""},{"url":"https://www.samba.org/samba/security/CVE-2021-44142.html","summary":"Reference(s) from vendor \"Samba\""}],"title":"Samba vfs_fruit module insecurely handles extended file attributes","tracking":{"current_release_date":"2025-02-03T21:10:24+00:00","generator":{"engine":{"name":"VINCE","version":"3.0.35"}},"id":"VU#119678","initial_release_date":"2022-01-31 00:00:00+00:00","revision_history":[{"date":"2025-02-03T21:10:24+00:00","number":"1.20250203211024.20","summary":"Released on 2025-02-03T21:10:24+00:00"}],"status":"final","version":"1.20250203211024.20"}},"vulnerabilities":[{"title":"Samba versions 4.","notes":[{"category":"summary","text":"Samba versions 4.15.3 and earlier are susceptible to a Heap-based Buffer Overflow in the vfs_fruit module that 
provides support for Apple's extended attribute (EA). An attacker can set arbitrary EA attributes to trigger a Heap Out of Bounds read followed by a Heap Out of Bounds write that can lead to arbitrary code execution on the target system."}],"cve":"CVE-2021-44142","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#119678"}],"product_status":{"known_affected":["CSAFPID-ce724c7c-39e2-11f1-8422-122e2785dc9f","CSAFPID-ce7412fa-39e2-11f1-8422-122e2785dc9f","CSAFPID-ce749a54-39e2-11f1-8422-122e2785dc9f","CSAFPID-ce752712-39e2-11f1-8422-122e2785dc9f","CSAFPID-ce759d8c-39e2-11f1-8422-122e2785dc9f","CSAFPID-ce7a37a2-39e2-11f1-8422-122e2785dc9f"],"known_not_affected":["CSAFPID-ce7192e6-39e2-11f1-8422-122e2785dc9f","CSAFPID-ce720280-39e2-11f1-8422-122e2785dc9f","CSAFPID-ce727d96-39e2-11f1-8422-122e2785dc9f","CSAFPID-ce72d5d4-39e2-11f1-8422-122e2785dc9f","CSAFPID-ce730edc-39e2-11f1-8422-122e2785dc9f","CSAFPID-ce735e3c-39e2-11f1-8422-122e2785dc9f","CSAFPID-ce739672-39e2-11f1-8422-122e2785dc9f","CSAFPID-ce73d236-39e2-11f1-8422-122e2785dc9f","CSAFPID-ce745a4e-39e2-11f1-8422-122e2785dc9f","CSAFPID-ce74fc7e-39e2-11f1-8422-122e2785dc9f","CSAFPID-ce75cc58-39e2-11f1-8422-122e2785dc9f","CSAFPID-ce761f14-39e2-11f1-8422-122e2785dc9f","CSAFPID-ce7655b0-39e2-11f1-8422-122e2785dc9f","CSAFPID-ce76d832-39e2-11f1-8422-122e2785dc9f","CSAFPID-ce771fb8-39e2-11f1-8422-122e2785dc9f","CSAFPID-ce775686-39e2-11f1-8422-122e2785dc9f","CSAFPID-ce77820a-39e2-11f1-8422-122e2785dc9f","CSAFPID-ce77b540-39e2-11f1-8422-122e2785dc9f","CSAFPID-ce77eb50-39e2-11f1-8422-122e2785dc9f","CSAFPID-ce783a7e-39e2-11f1-8422-122e2785dc9f","CSAFPID-ce787db8-39e2-11f1-8422-122e2785dc9f","CSAFPID-ce78baa8-39e2-11f1-8422-122e2785dc9f","CSAFPID-ce79071a-39e2-11f1-8422-122e2785dc9f","CSAFPID-ce794284-39e2-11f1-8422-122e2785dc9f","CSAFPID-ce799e82-39e2-11f1-8422-122e2785dc9f","CSAFPID-ce79e95a-39e2-11f1-8422-122e2785dc9f","CSAFPID-ce7a76ea-39e2-11f1-8422-122e2785dc9f"]}}],"product_tree":{"branches":[{"category":"vendor","name":"B
elden","product":{"name":"Belden Products","product_id":"CSAFPID-ce7192e6-39e2-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Digi International","product":{"name":"Digi International Products","product_id":"CSAFPID-ce720280-39e2-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"OpenWRT","product":{"name":"OpenWRT Products","product_id":"CSAFPID-ce724c7c-39e2-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"LANCOM Systems GmbH","product":{"name":"LANCOM Systems GmbH Products","product_id":"CSAFPID-ce727d96-39e2-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Sierra Wireless","product":{"name":"Sierra Wireless Products","product_id":"CSAFPID-ce72d5d4-39e2-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"AVM GmbH","product":{"name":"AVM GmbH Products","product_id":"CSAFPID-ce730edc-39e2-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Android Open Source Project","product":{"name":"Android Open Source Project Products","product_id":"CSAFPID-ce735e3c-39e2-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"F5 Networks","product":{"name":"F5 Networks Products","product_id":"CSAFPID-ce739672-39e2-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Microsoft","product":{"name":"Microsoft Products","product_id":"CSAFPID-ce73d236-39e2-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Synology","product":{"name":"Synology Products","product_id":"CSAFPID-ce7412fa-39e2-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Fastly","product":{"name":"Fastly Products","product_id":"CSAFPID-ce745a4e-39e2-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Red Hat","product":{"name":"Red Hat Products","product_id":"CSAFPID-ce749a54-39e2-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"BlackBerry","product":{"name":"BlackBerry Products","product_id":"CSAFPID-ce74c8da-39e2-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Advantech Czech","product":{"name":"Advantech Czech 
Products","product_id":"CSAFPID-ce74fc7e-39e2-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Samba","product":{"name":"Samba Products","product_id":"CSAFPID-ce752712-39e2-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Western Digital","product":{"name":"Western Digital Products","product_id":"CSAFPID-ce756614-39e2-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Ubuntu","product":{"name":"Ubuntu Products","product_id":"CSAFPID-ce759d8c-39e2-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Miredo","product":{"name":"Miredo Products","product_id":"CSAFPID-ce75cc58-39e2-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"MikroTik","product":{"name":"MikroTik Products","product_id":"CSAFPID-ce761f14-39e2-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"lwIP","product":{"name":"lwIP Products","product_id":"CSAFPID-ce7655b0-39e2-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"JPCERT/CC Vulnerability Handling Team","product":{"name":"JPCERT/CC Vulnerability Handling Team Products","product_id":"CSAFPID-ce769fb6-39e2-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Joyent","product":{"name":"Joyent Products","product_id":"CSAFPID-ce76d832-39e2-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Illumos","product":{"name":"Illumos Products","product_id":"CSAFPID-ce771fb8-39e2-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"HardenedBSD","product":{"name":"HardenedBSD Products","product_id":"CSAFPID-ce775686-39e2-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Dell SecureWorks","product":{"name":"Dell SecureWorks Products","product_id":"CSAFPID-ce77820a-39e2-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Check Point","product":{"name":"Check Point Products","product_id":"CSAFPID-ce77b540-39e2-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Aruba Networks","product":{"name":"Aruba Networks Products","product_id":"CSAFPID-ce77eb50-39e2-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Muonics 
Inc.","product":{"name":"Muonics Inc. Products","product_id":"CSAFPID-ce783a7e-39e2-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Treck","product":{"name":"Treck Products","product_id":"CSAFPID-ce787db8-39e2-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Juniper Networks","product":{"name":"Juniper Networks Products","product_id":"CSAFPID-ce78baa8-39e2-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Espressif Systems","product":{"name":"Espressif Systems Products","product_id":"CSAFPID-ce79071a-39e2-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"netsnmp","product":{"name":"netsnmp Products","product_id":"CSAFPID-ce794284-39e2-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Internet Initiative Japan Inc.","product":{"name":"Internet Initiative Japan Inc. Products","product_id":"CSAFPID-ce799e82-39e2-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"eCosCentric","product":{"name":"eCosCentric Products","product_id":"CSAFPID-ce79e95a-39e2-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"SUSE Linux","product":{"name":"SUSE Linux Products","product_id":"CSAFPID-ce7a37a2-39e2-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Devicescape","product":{"name":"Devicescape Products","product_id":"CSAFPID-ce7a76ea-39e2-11f1-8422-122e2785dc9f"}}]}}