ALERT: Apply patch to critical Samba vulnerability

Wednesday, February 2, 2022

This message is intended for U-M IT staff who are responsible for university Linux servers that run smbd.
 

Summary

A critical vulnerability has been discovered in all versions of Samba prior to 4.13.17. It could allow attackers to execute arbitrary code to gain root privileges on servers, including those running Red Hat, SUSE Linux, and Ubuntu. It may also affect some NAS appliances, many of which use Samba.
 

Problem

The Samba vulnerability applies to Linux servers that run smbd to offer SMB protocol access to file storage and printers. In particular, servers are impacted if they have the vfs_fruit module enabled, which provides "enhanced" compatibility with Apple clients that connect to these Linux servers for file access. Note that some additional Samba-related packages for Red Hat, SUSE Linux, and Ubuntu are also affected. Administrators may not be able to detect this vulnerability on some types of servers or storage appliances (NAS), and will need to check with their vendor for status and updates.

Affected Versions

All versions prior to 4.13.17 of Samba are affected by this vulnerability.
 

Action Items

Upgrade to the patched versions of Samba as soon as possible. As a workaround, remove the "fruit" VFS module from the list of configured VFS objects in any "vfs objects" line in the Samba configuration file, smb.conf. Note: Changing the VFS module settings fruit:metadata or fruit:resource to use the unaffected setting causes all stored information to be inaccessible and will make it appear to macOS clients as if the information is lost.

Threats

This vulnerability could allow attackers to gain remote code execution with root privileges on servers and carries a rating of 9.9 out of 10 on the CVSS security-vulnerability severity scale. Gaining remote execution ability as a root user allows attackers to read, modify, or delete any files on a system, install malware, capture credentials, and possibly move further into the network. 
 

Technical Details

This flaw exists within the parsing of EA metadata when opening files in smbd. Exploiting this vulnerability requires access as a user that has write access to a file's extended attributes. This could be a guest or unauthenticated user if such users are allowed write access to file extended attributes. The problem in vfs_fruit exists in the default configuration of the fruit VFS module, using fruit:metadata=netatalk or fruit:resource=file.
 

Detection

All versions of Samba prior to version 4.13.17 have this vulnerability. If possible, use a package manager (or similar method) to check and update your version of Samba. Some administrators may not be able to tell if their appliances and servers (such as NAS devices) are impacted and will need to rely on the vendor to determine vulnerability status and provide updates.
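To find where the workaround under Action Items applies, the following added example (not part of the original alert and not Samba project code) reads smb.conf text and reports each section whose effective "vfs objects" setting loads fruit, with the fruit:metadata and fruit:resource values in effect. The function names and the sample configuration are constructed for illustration, and the inheritance of [global] values by shares that do not set their own is modelled in a simplified way.

```python
import re

def parse_smb_conf(text):
    """Map section -> {normalized parameter: value}; later lines win."""
    conf, section = {"global": {}}, "global"
    for raw in re.sub(r"\\\r?\n", " ", text).splitlines():  # join "\" continuations
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip()
            section = "global" if name.lower() == "global" else name
            conf.setdefault(section, {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            # Parameter names ignore case/whitespace; "vfs object" is a synonym.
            key = "".join(key.split()).lower()
            key = "vfsobjects" if key == "vfsobject" else key
            conf[section][key] = value.strip()
    return conf

def fruit_exposure(text):
    """Report every section whose effective 'vfs objects' lists fruit."""
    conf, report = parse_smb_conf(text), {}
    for name, params in conf.items():
        def eff(key, default):                    # share value, else [global]
            return params.get(key, conf["global"].get(key, default)).lower()
        if "fruit" not in re.split(r"[\s,;]+", eff("vfsobjects", "")):
            continue
        meta = eff("fruit:metadata", "netatalk")  # defaults named in the alert
        res = eff("fruit:resource", "file")
        report[name] = {"fruit:metadata": meta, "fruit:resource": res,
                        "affected_setting": meta == "netatalk" or res == "file"}
    return report

# Constructed sample configuration, not taken from any real server.
SAMPLE_CONF = """\
[global]
   vfs objects = catia fruit streams_xattr
[projects]
   ; vfs objects = fruit
   VFS Objects = acl_xattr
[homes]
   browseable = no
[timemachine]
   vfs objects = fruit streams_xattr
   fruit:metadata = stream
   fruit:resource = stream
"""
```

The parser does not follow include directives, so on a live server it is best run over the merged configuration printed by `testparm -s`. A section that does not appear in the report can still be affected on appliances whose configuration is not visible to the administrator, which is why the alert directs those cases to the vendor.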
 

How We Protect U-M

ITS provides CrowdStrike Falcon to units, which should be installed on all U-M owned systems (Windows, macOS, and Linux operating systems, whether workstations or servers). Falcon administrators in ITS and in U-M units use the Falcon console to investigate and remediate issues.