Threat actors are exploiting vulnerabilities in Samba software. Here's what you need to know.
Background
Samba is widely used free software that allows Windows and Linux/Unix-based hosts to work together and share file and print services with devices on a common network, including Server Message Block (SMB) file sharing. On January 31, 2022, the Samba team released a patch for a critical vulnerability, CVE-2021-44142.
This vulnerability affects all versions of Samba prior to 4.13.17 that use the VFS (Virtual File System) module "vfs_fruit", which provides additional support for Mac OS X devices. The module enhances compatibility with Apple SMB clients and interoperability with a free, open-source AppleShare (AFP) file server. The vulnerability allows a threat actor to execute arbitrary code as the root user; in some vulnerable configurations it can be exploited by a guest or unauthenticated user.
Quick facts: what you need to know now
- This vulnerability is found in all versions of Samba prior to 4.13.17 using the VFS (Virtual File System) module "vfs_fruit".
- The problem lies in the vfs_fruit module's default configuration values, fruit:metadata=netatalk or fruit:resource=file.
- Organizations using Samba are encouraged to update to version 4.13.17, 4.14.12, or 4.15.5 as soon as possible.
- A threat actor exploiting this vulnerability can execute remote code as the root user - meaning they can read, modify, or delete files on the system, install malware, and potentially pivot to other areas of the network.
Next Steps for all Samba Customers:
- Patch Samba to version 4.13.17, 4.14.12, or 4.15.5.
- If patching is not possible, implement the following mitigation:
  - Remove the "fruit" VFS module from every "vfs objects" line in the Samba configuration file (smb.conf).
- Check this article periodically over the next few weeks as we will keep it updated as more information becomes available.
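As an added check (example code written for this article, not part of the Samba project), the script below reads an smb.conf, reports which shares end up loading the "fruit" module (including shares that inherit a global "vfs objects" line), and compares a Samba version string against the fixed releases listed above. The sample configuration is constructed; "include =" directives and registry-backed configuration are not followed.

```python
import re
# Constructed sample smb.conf (not from the advisory): [global] loads vfs_fruit
# for every share, [public] overrides that list without fruit, [macshare] keeps it.
SAMPLE_SMB_CONF = """
[global]
   vfs objects = catia fruit streams_xattr
[public]
   vfs objects = streams_xattr
[macshare]
   vfs objects = fruit streams_xattr
   fruit:metadata = netatalk
"""

FIXED = {(4, 13): (4, 13, 17), (4, 14): (4, 14, 12), (4, 15): (4, 15, 5)}  # per advisory

def parse_smb_conf(text):
    """Minimal smb.conf reader -> {section: {parameter: value}}. Samba ignores case and
    whitespace in parameter names, so keys are normalised; 'include =' is not followed."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank line or full-line comment
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.replace(" ", "").lower()] = value.strip()
    return sections

def shares_loading_fruit(conf_text):
    """Shares whose effective 'vfs objects' list (own line, else [global]'s) has 'fruit'."""
    conf = parse_smb_conf(conf_text)
    inherited = conf.get("global", {}).get("vfsobjects", "").split()
    hits = []
    for name, params in conf.items():
        objs = params["vfsobjects"].split() if "vfsobjects" in params else inherited
        if name != "global" and "fruit" in objs:
            hits.append(name)
    return hits

def needs_patch(version_output):
    """True if a string like 'Version 4.13.13-Ubuntu' (the shape 'smbd --version' prints)
    is below its branch's fixed release; pre-4.13 is affected, post-4.15 assumed fixed."""
    if not (m := re.search(r"(\d+)\.(\d+)\.(\d+)", version_output)):
        raise ValueError("no Samba version number found")
    v = tuple(int(x) for x in m.groups())
    fixed = FIXED.get(v[:2])
    return v[:2] < (4, 13) or (fixed is not None and v < fixed)
```

Any share name returned by shares_loading_fruit is one where "fruit" must be removed from the "vfs objects" line until the host is patched.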
Resources
Malwarebytes Blog Post: https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/02/samba-patches-critical-vulnerability-that-allows-remote-code-execution-as-root/
The Daily Swig: https://portswigger.net/daily-swig/critical-samba-flaw-presents-code-execution-threat
If you have any questions, please reach out to the Risk + Response Team at services@corvusinsurance.com!