On January 31st, 2022, Samba released updates to patch newly disclosed vulnerabilities in its suite of Windows interoperability programs for Unix and Linux. Samba allows Linux/Unix servers and desktops to be integrated into Active Directory environments, where they can function as either a domain controller or a regular domain member. Successful exploitation of the most critical vulnerability, registered as CVE-2021-44142, could allow an attacker to execute arbitrary code remotely.
Samba runs on most Unix-like systems, such as Linux and Solaris. It is a free software re-implementation of the SMB networking protocol that provides file and print services for various Microsoft Windows clients and can integrate with a Microsoft Windows Server domain. Samba is also widely used in OT/ICS environments, including SCADA systems.
CVE-2021-44142 is an out-of-bounds heap read/write in the vfs_fruit VFS module, triggered when smbd parses EA (extended attribute) metadata while opening files. This issue affects all versions of Samba prior to 4.13.17. To exploit this vulnerability, an attacker must have write access to a file’s extended attributes. The vulnerability was reported by Orange Tsai of DEVCORE; Lucas Leong of Trend Micro ZDI discovered additional variants of the vulnerability.
Samba has released updated versions. Administrators can address the issue by installing version 4.13.17, 4.14.12, or 4.15.5, or by applying the patch. Samba also provides a manual workaround that consists of removing ‘fruit’ from the ‘vfs objects’ lines in the Samba configuration files.
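The workaround and fixed versions above, as an added checker that is not TXOne's or Samba's code: it parses an smb.conf fragment, honouring the rule that share parameters set in [global] are defaults for every share, and compares a reported Samba version against the fixed releases. The sample configuration is constructed, and branches not named in the advisory are treated as fixed only after 4.15 (an assumption).

```python
import configparser
import re
from typing import List

# Constructed smb.conf sample (not from the advisory). [global] loads
# vfs_fruit for every share by default; [scans] overrides the list without it.
SAMPLE_SMB_CONF = """
[global]
   workgroup = PLANT
   vfs objects = catia fruit streams_xattr

[engineering]
   path = /srv/eng
   read only = no

[scans]
   path = /srv/scans
   vfs objects = streams_xattr

[backup]
   path = /srv/backup
   vfs objects = fruit
"""

# Fixed releases named in the advisory, keyed by maintained branch.
FIXED = {(4, 13): (4, 13, 17), (4, 14): (4, 14, 12), (4, 15): (4, 15, 5)}


def shares_loading_fruit(conf_text: str) -> List[str]:
    """Return share names whose effective 'vfs objects' list contains fruit.

    A share without its own 'vfs objects' line inherits the [global] value,
    so the workaround must also cover the [global] section.
    """
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",))
    cp.optionxform = lambda key: re.sub(r"\s+", " ", key.strip().lower())
    cp.read_string(conf_text)
    default = cp.get("global", "vfs objects", fallback="")
    affected = []
    for share in cp.sections():
        if share.lower() == "global":
            continue
        modules = cp.get(share, "vfs objects", fallback=default).split()
        if "fruit" in modules:
            affected.append(share)
    return affected


def is_patched(version: str) -> bool:
    """True if a Samba version string is at or above its branch's fixed release."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised Samba version: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    fixed = FIXED.get((major, minor))
    if fixed is None:
        # Assumption: branches before 4.13 are unpatched, later ones ship the fix.
        return (major, minor) > (4, 15)
    return (major, minor, patch) >= fixed
```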
Protection with TXOne’s Edge Series
In addition to the vendor patch, TXOne Networks provides supplementary rules in an out-of-cycle release. Users can obtain these rules through an automatic or manual update of Edge device rules.
- TM_220202_11 for EdgeIPS/EdgeFire
- TM_IPSLE_220202_10 for EdgeIPSLE
- TM_IPSP_220202_09 for EdgeIPS Pro