Samba Vulnerability Advisory | February 2022

Threat actors are exploiting vulnerabilities in Samba software. Here's what you need to know.

Background

Samba is a widely used free software suite that allows Windows and Linux/Unix-based hosts to work together and share file and print services with devices on a common network, including Server Message Block (SMB) file sharing. On January 31, 2022, the Samba security team released a patch for a critical vulnerability, CVE-2021-44142.

This vulnerability affects all versions of Samba prior to 4.13.17 that use the VFS (Virtual File System) module "vfs_fruit", which provides additional support for Mac OS X devices. The module improves compatibility with Apple SMB clients and interoperability with a free open-source AppleShare (AFP) file server. The vulnerability allows a threat actor to execute arbitrary code as the root user; in some vulnerable configurations it can be exploited as a guest or unauthenticated user.

Quick facts: what you need to know now

  • This vulnerability affects all versions of Samba prior to 4.13.17 that use the VFS (Virtual File System) module "vfs_fruit".
  • The problem in the vfs_fruit module lies in its default configuration values, fruit:metadata=netatalk or fruit:resource=file.
  • Organizations using Samba are encouraged to update to version 4.13.17, 4.14.12, or 4.15.5 as soon as possible.
  • A threat actor exploiting this vulnerability can execute code remotely as the root user, meaning they can read, modify or delete files on the system, install malware, and potentially pivot to other areas of the network.

Next Steps for all Samba Customers:

  1. Patch Samba to version 4.13.17, 4.14.12, or 4.15.5.
  2. If patching is not possible, implement the following mitigation:
    1. Remove the "fruit" VFS module from the list of configured VFS objects in every "vfs objects" line in the Samba configuration file smb.conf.
  3. Check this article periodically over the next few weeks, as we will keep it updated as more information becomes available.
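The following is an added example, not part of the original advisory or of Samba itself: a small Python audit script that checks a reported Samba version against the fixed releases listed above and finds which smb.conf shares still load the "fruit" module, then applies the mitigation from step 2 by dropping "fruit" from each "vfs objects" line. The smb.conf content is constructed for illustration, and the assumption that branches newer than 4.15 already carry the fix is the script's own.

```python
import re
# Fixed releases per branch, as listed in this advisory.
FIXED_VERSIONS = {(4, 13): (4, 13, 17), (4, 14): (4, 14, 12), (4, 15): (4, 15, 5)}

# Constructed sample smb.conf: [timemachine] loads the fruit module, [public] does not.
SAMPLE_SMB_CONF = """\
[timemachine]
   path = /srv/tm
   vfs objects = catia fruit streams_xattr
[public]
   path = /srv/public
   vfs objects = streams_xattr
"""

def parse_version(text):
    """Extract (major, minor, patch) from an 'smbd -V' string such as 'Version 4.13.15-Ubuntu'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(x) for x in m.groups())

def is_patched(version):
    """True when the build is at or above its branch's fixed release; branches before 4.13 count as unpatched."""
    branch = version[:2]
    if branch in FIXED_VERSIONS:
        return version >= FIXED_VERSIONS[branch]
    return branch > (4, 15)  # assumption: later branches were released with the fix

def _vfs_objects_lines(smb_conf):
    """Yield (section, raw_line, key, value) for every non-comment 'vfs objects' line."""
    section = "[global]"
    for raw in smb_conf.splitlines():
        line = raw.strip()
        if line.startswith(("#", ";")):  # smb.conf comment markers
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line
            continue
        key, sep, value = raw.partition("=")
        if sep and key.strip().lower() == "vfs objects":
            yield section, raw, key, value

def shares_loading_fruit(smb_conf):
    """Sections whose 'vfs objects' line loads fruit, i.e. where the mitigation applies."""
    return [sec for sec, _, _, val in _vfs_objects_lines(smb_conf) if "fruit" in val.split()]

def remove_fruit(smb_conf):
    """Apply the advisory's mitigation: drop 'fruit' from every 'vfs objects' line."""
    rewritten = {raw: f"{key}= {' '.join(m for m in val.split() if m != 'fruit')}"
                 for _, raw, key, val in _vfs_objects_lines(smb_conf)}
    return "\n".join(rewritten.get(line, line) for line in smb_conf.splitlines()) + "\n"
```

Removing "fruit" also removes the Apple-compatibility features it provides, so treat the rewritten configuration as a stopgap until the host is patched.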

Resources

Malwarebytes Blog Post: https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/02/samba-patches-critical-vulnerability-that-allows-remote-code-execution-as-root/

The Daily Swig: https://portswigger.net/daily-swig/critical-samba-flaw-presents-code-execution-threat
If you have any questions, please reach out to the Risk + Response Team at services@corvusinsurance.com!