Bug 1194859 (CVE-2021-44142)

Summary: VUL-0: CVE-2021-44142: samba: Out-of-bounds Read/Write on Samba vfs_fruit module (VU#119678)
Product: [Novell Products] SUSE Security Incidents
Reporter: Robert Frohl <rfrohl>
Component: Incidents
Assignee: Novell Samba Team <samba>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Critical
Priority: P1 - Urgent
CC: gianluca.gabrielli, jmcdonough, meissner, nopower
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/321025/
Whiteboard: CVSSv3.1:SUSE:CVE-2021-44142:9.9:(AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Comment 15 Marcus Meissner 2022-01-31 13:04:39 UTC
is public

https://www.samba.org/samba/security/CVE-2021-44142.html


CVE-2021-44142.html:

=================================================================
== Subject:     Out-of-bounds heap read/write vulnerability
==              in VFS module vfs_fruit allows code execution
==
== CVE ID#:     CVE-2021-44142
==
== Versions:    All versions of Samba prior to 4.13.17
==
== Summary:     This vulnerability allows remote attackers to
==              execute arbitrary code as root on affected Samba
==              installations that use the VFS module vfs_fruit.
=================================================================

===========
Description
===========

All versions of Samba prior to 4.13.17 are vulnerable to an
out-of-bounds heap read/write vulnerability that allows remote
attackers to execute arbitrary code as root on affected Samba
installations that use the VFS module vfs_fruit.

The specific flaw exists within the parsing of EA metadata when
opening files in smbd. Access as a user that has write access to a
file's extended attributes is required to exploit this
vulnerability. Note that this could be a guest or unauthenticated user
if such users are allowed write access to file extended attributes.

The problem in vfs_fruit exists in the default configuration of the
fruit VFS module using fruit:metadata=netatalk or fruit:resource=file.
If both options are set to different settings than the default values,
the system is not affected by the security issue.

==================
Patch Availability
==================

Patches addressing both these issues have been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba 4.13.17, 4.14.12 and 4.15.5 have been issued as
security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.

==================
CVSSv3 calculation
==================

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C

Base score 9.9.

==========
Workaround
==========

As a workaround remove the "fruit" VFS module from the list of
configured VFS objects in any "vfs objects" line in the Samba
configuration smb.conf.

Note that changing the VFS module settings fruit:metadata or
fruit:resource to use the unaffected setting causes all stored
information to be inaccessible and will make it appear to macOS
clients as if the information is lost.


=======
Credits
=======

Originally reported by Orange Tsai from DEVCORE.

Patches provided by Ralph Böhme of the Samba team.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
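The affected/unaffected rule from the advisory's Description (fruit loaded with fruit:metadata=netatalk or fruit:resource=file) and the Workaround (drop "fruit" from "vfs objects"), turned into a configuration check. This is an added example written for this page, not code from the Samba project or from SUSE. The smb.conf text it reads is constructed for the demonstration, the function names are assumptions of this example, and the handling of "read only" versus its inverted synonyms is simplified; the guest-writable flag reflects the advisory's note that a guest user with write access to extended attributes can trigger the bug.

```python
"""Configuration check for CVE-2021-44142 (Samba vfs_fruit).

Added example, not Samba or SUSE code. A share that loads the "fruit"
VFS module is affected unless BOTH fruit:metadata and fruit:resource
are set to non-default values (defaults: netatalk and file).
"""
import re

# Constructed sample: [timemachine] inherits the global "vfs objects" and
# the default fruit:* settings; [docs] overrides both fruit:* options.
SAMPLE_SMB_CONF = """\
[global]
   vfs objects = catia fruit streams_xattr

[timemachine]
   path = /srv/tm
   guest ok = yes
   read only = no

[docs]
   path = /srv/docs
   vfs objects = fruit streams_xattr
   fruit:metadata = stream
   fruit:resource = xattr

[plain]
   path = /srv/plain
   vfs objects = recycle
"""

# Module defaults named in the advisory (see "man vfs_fruit").
FRUIT_DEFAULTS = {"fruit:metadata": "netatalk", "fruit:resource": "file"}


def parse_smb_conf(text):
    """Return {section: {parameter: value}}. Names are lower-cased and
    whitespace-normalised as smbd matches them; only whole-line '#'/';'
    comments are recognised."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def effective(sections, share, key, default=None):
    """Share-level value, else the [global] default, else `default`."""
    return sections[share].get(key, sections.get("global", {}).get(key, default))


def _yes(value):
    return str(value).strip().lower() in ("yes", "true", "1")


def guest_writable(sections, share):
    """True when guests may connect and the share is not read-only.
    Simplified: "writable"/"writeable"/"write ok" are treated as the
    inverse of "read only" without tracking which one was set last."""
    guest = _yes(effective(sections, share, "guest ok",
                           effective(sections, share, "public", "no")))
    read_only = effective(sections, share, "read only")
    if read_only is None:
        for synonym in ("writable", "writeable", "write ok"):
            w = effective(sections, share, synonym)
            if w is not None:
                read_only = "no" if _yes(w) else "yes"
                break
    return guest and not _yes("yes" if read_only is None else read_only)


def affected_shares(text):
    """Return {share: reason} for shares matching the advisory's affected
    case; the reason notes when guests could reach it without an account."""
    sections = parse_smb_conf(text)
    findings = {}
    for share in sections:
        if share == "global":
            continue
        modules = effective(sections, share, "vfs objects", "").lower().split()
        if "fruit" not in modules:
            continue
        metadata = effective(sections, share, "fruit:metadata",
                             FRUIT_DEFAULTS["fruit:metadata"]).lower()
        resource = effective(sections, share, "fruit:resource",
                             FRUIT_DEFAULTS["fruit:resource"]).lower()
        if metadata == "netatalk" or resource == "file":
            reason = "fruit loaded with fruit:metadata=%s fruit:resource=%s" % (
                metadata, resource)
            if guest_writable(sections, share):
                reason += "; guest-writable, so no account is needed to reach it"
            findings[share] = reason
    return findings


def drop_fruit(text):
    """Advisory workaround: remove "fruit" from every "vfs objects" line,
    leaving the rest of the file (including fruit:* options) untouched."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if "=" in line and line[0] not in "#;":
            key, value = line.split("=", 1)
            if " ".join(key.lower().split()) == "vfs objects":
                kept = [m for m in value.split() if m.lower() != "fruit"]
                indent = raw[:len(raw) - len(raw.lstrip())]
                out.append("%svfs objects = %s" % (indent, " ".join(kept)))
                continue
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for share, why in affected_shares(SAMPLE_SMB_CONF).items():
        print("AFFECTED [%s]: %s" % (share, why))
    print(drop_fruit(SAMPLE_SMB_CONF))
```

On the sample, only [timemachine] is reported: it inherits fruit from [global] with both options at their defaults and is guest-writable. [docs] loads fruit but sets both options to non-default values, which the advisory states is unaffected. On a real server run the check against the output of "testparm -s" rather than the raw file, so that includes and defaults are already resolved; and note that removing the module, like changing the fruit:* options, removes the Apple-specific behaviour macOS clients rely on, so upgrading to a fixed package is the proper fix.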
Comment 16 Swamp Workflow Management 2022-01-31 20:17:14 UTC
SUSE-SU-2022:0252-1: An update that fixes one vulnerability is now available.

Category: security (critical)
Bug References: 1194859
CVE References: CVE-2021-44142
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 12-SP2-BCL (src):    samba-4.4.2-38.48.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 17 Swamp Workflow Management 2022-01-31 20:18:28 UTC
SUSE-SU-2022:0251-1: An update that fixes one vulnerability is now available.

Category: security (critical)
Bug References: 1194859
CVE References: CVE-2021-44142
JIRA References: 
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src):    samba-4.7.11+git.365.5e9f8cc5fa0-4.63.1
SUSE Linux Enterprise Server 15-LTSS (src):    samba-4.7.11+git.365.5e9f8cc5fa0-4.63.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    samba-4.7.11+git.365.5e9f8cc5fa0-4.63.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    samba-4.7.11+git.365.5e9f8cc5fa0-4.63.1
SUSE Linux Enterprise High Availability 15 (src):    samba-4.7.11+git.365.5e9f8cc5fa0-4.63.1

Comment 19 Swamp Workflow Management 2022-02-01 17:22:15 UTC
SUSE-SU-2022:0271-1: An update that fixes one vulnerability is now available.

Category: security (critical)
Bug References: 1194859
CVE References: CVE-2021-44142
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    samba-4.6.16+git.320.a2d80a7efef-3.70.1
SUSE OpenStack Cloud Crowbar 8 (src):    samba-4.6.16+git.320.a2d80a7efef-3.70.1
SUSE OpenStack Cloud 9 (src):    samba-4.6.16+git.320.a2d80a7efef-3.70.1
SUSE OpenStack Cloud 8 (src):    samba-4.6.16+git.320.a2d80a7efef-3.70.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    samba-4.6.16+git.320.a2d80a7efef-3.70.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    samba-4.6.16+git.320.a2d80a7efef-3.70.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    samba-4.6.16+git.320.a2d80a7efef-3.70.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    samba-4.6.16+git.320.a2d80a7efef-3.70.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    samba-4.6.16+git.320.a2d80a7efef-3.70.1
SUSE Linux Enterprise High Availability 12-SP4 (src):    samba-4.6.16+git.320.a2d80a7efef-3.70.1
SUSE Linux Enterprise High Availability 12-SP3 (src):    samba-4.6.16+git.320.a2d80a7efef-3.70.1
HPE Helion Openstack 8 (src):    samba-4.6.16+git.320.a2d80a7efef-3.70.1

Comment 20 Swamp Workflow Management 2022-02-01 20:20:42 UTC
SUSE-SU-2022:0287-1: An update that fixes one vulnerability is now available.

Category: security (critical)
Bug References: 1194859
CVE References: CVE-2021-44142
JIRA References: 
Sources used:
SUSE Manager Server 4.1 (src):    samba-4.11.14+git.319.91d693db37c-4.35.1
SUSE Manager Retail Branch Server 4.1 (src):    samba-4.11.14+git.319.91d693db37c-4.35.1
SUSE Manager Proxy 4.1 (src):    samba-4.11.14+git.319.91d693db37c-4.35.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src):    samba-4.11.14+git.319.91d693db37c-4.35.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src):    samba-4.11.14+git.319.91d693db37c-4.35.1
SUSE Linux Enterprise Server 15-SP2-BCL (src):    samba-4.11.14+git.319.91d693db37c-4.35.1
SUSE Linux Enterprise Realtime Extension 15-SP2 (src):    samba-4.11.14+git.319.91d693db37c-4.35.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src):    samba-4.11.14+git.319.91d693db37c-4.35.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src):    samba-4.11.14+git.319.91d693db37c-4.35.1
SUSE Linux Enterprise High Availability 15-SP2 (src):    samba-4.11.14+git.319.91d693db37c-4.35.1
SUSE Enterprise Storage 7 (src):    samba-4.11.14+git.319.91d693db37c-4.35.1

Comment 21 Swamp Workflow Management 2022-02-01 20:21:54 UTC
openSUSE-SU-2022:0284-1: An update that fixes one vulnerability is now available.

Category: security (critical)
Bug References: 1194859
CVE References: CVE-2021-44142
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    samba-4.9.5+git.483.212a7ebca6b-3.64.1
Comment 22 Swamp Workflow Management 2022-02-01 20:23:46 UTC
openSUSE-SU-2022:0283-1: An update that solves 8 vulnerabilities, contains one feature and has two fixes is now available.

Category: security (important)
Bug References: 1139519,1183572,1183574,1188571,1191227,1191532,1192684,1193690,1194859,1195048
CVE References: CVE-2020-27840,CVE-2021-20277,CVE-2021-20316,CVE-2021-36222,CVE-2021-43566,CVE-2021-44141,CVE-2021-44142,CVE-2022-0336
JIRA References: SLE-23329
Sources used:
openSUSE Leap 15.3 (src):    apparmor-2.13.6-150300.3.11.2, krb5-1.19.2-150300.8.3.2, krb5-mini-1.19.2-150300.8.3.2, ldb-2.4.1-150300.3.10.1, libapparmor-2.13.6-150300.3.11.1, samba-4.15.4+git.324.8332acf1a63-150300.3.25.3, sssd-1.16.1-150300.23.17.3, talloc-2.3.3-150300.3.3.2, talloc-man-2.3.3-150300.3.3.1, tdb-1.4.4-150300.3.3.2, tevent-0.11.0-150300.3.3.2, tevent-man-0.11.0-150300.3.3.1
Comment 23 Swamp Workflow Management 2022-02-01 20:43:01 UTC
SUSE-SU-2022:0283-1: An update that solves 8 vulnerabilities, contains one feature and has two fixes is now available.

Category: security (important)
Bug References: 1139519,1183572,1183574,1188571,1191227,1191532,1192684,1193690,1194859,1195048
CVE References: CVE-2020-27840,CVE-2021-20277,CVE-2021-20316,CVE-2021-36222,CVE-2021-43566,CVE-2021-44141,CVE-2021-44142,CVE-2022-0336
JIRA References: SLE-23329
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP3 (src):    apparmor-2.13.6-150300.3.11.2, krb5-1.19.2-150300.8.3.2
SUSE Linux Enterprise Module for Python2 15-SP3 (src):    samba-4.15.4+git.324.8332acf1a63-150300.3.25.3
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    apparmor-2.13.6-150300.3.11.2, krb5-1.19.2-150300.8.3.2, ldb-2.4.1-150300.3.10.1, libapparmor-2.13.6-150300.3.11.1, samba-4.15.4+git.324.8332acf1a63-150300.3.25.3, sssd-1.16.1-150300.23.17.3, talloc-2.3.3-150300.3.3.2, talloc-man-2.3.3-150300.3.3.1, tdb-1.4.4-150300.3.3.2, tevent-0.11.0-150300.3.3.2, tevent-man-0.11.0-150300.3.3.1
SUSE Linux Enterprise Micro 5.1 (src):    apparmor-2.13.6-150300.3.11.2, krb5-1.19.2-150300.8.3.2, ldb-2.4.1-150300.3.10.1, libapparmor-2.13.6-150300.3.11.1, sssd-1.16.1-150300.23.17.3, talloc-2.3.3-150300.3.3.2, tdb-1.4.4-150300.3.3.2, tevent-0.11.0-150300.3.3.2
SUSE Linux Enterprise High Availability 15-SP3 (src):    samba-4.15.4+git.324.8332acf1a63-150300.3.25.3

Comment 24 Swamp Workflow Management 2022-02-01 20:45:36 UTC
SUSE-SU-2022:0284-1: An update that fixes one vulnerability is now available.

Category: security (critical)
Bug References: 1194859
CVE References: CVE-2021-44142
JIRA References: 
Sources used:
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    samba-4.9.5+git.483.212a7ebca6b-3.64.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    samba-4.9.5+git.483.212a7ebca6b-3.64.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    samba-4.9.5+git.483.212a7ebca6b-3.64.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    samba-4.9.5+git.483.212a7ebca6b-3.64.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    samba-4.9.5+git.483.212a7ebca6b-3.64.1
SUSE Linux Enterprise High Availability 15-SP1 (src):    samba-4.9.5+git.483.212a7ebca6b-3.64.1
SUSE Enterprise Storage 6 (src):    samba-4.9.5+git.483.212a7ebca6b-3.64.1
SUSE CaaS Platform 4.0 (src):    samba-4.9.5+git.483.212a7ebca6b-3.64.1

Comment 25 Swamp Workflow Management 2022-02-01 20:48:01 UTC
openSUSE-SU-2022:0287-1: An update that fixes one vulnerability is now available.

Category: security (critical)
Bug References: 1194859
CVE References: CVE-2021-44142
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    samba-4.11.14+git.319.91d693db37c-4.35.1
Comment 26 Swamp Workflow Management 2022-02-03 20:18:42 UTC
SUSE-SU-2022:0323-1: An update that solves 6 vulnerabilities, contains one feature and has 5 fixes is now available.

Category: security (critical)
Bug References: 1089938,1139519,1158916,1180064,1182058,1191227,1192684,1193533,1193690,1194859,1195048
CVE References: CVE-2020-29361,CVE-2021-20316,CVE-2021-43566,CVE-2021-44141,CVE-2021-44142,CVE-2022-0336
JIRA References: SLE-23330
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    apparmor-2.8.2-56.6.3, p11-kit-0.23.2-8.3.2, samba-4.15.4+git.324.8332acf1a63-3.54.1, sssd-1.16.1-7.28.9
SUSE Linux Enterprise Server 12-SP5 (src):    apparmor-2.8.2-56.6.3, ca-certificates-1_201403302107-15.3.3, gnutls-3.4.17-8.4.1, libnettle-3.1-21.3.2, p11-kit-0.23.2-8.3.2, samba-4.15.4+git.324.8332acf1a63-3.54.1, sssd-1.16.1-7.28.9, yast2-samba-client-3.1.23-3.3.1
SUSE Linux Enterprise High Availability 12-SP5 (src):    samba-4.15.4+git.324.8332acf1a63-3.54.1

Comment 28 Gianluca Gabrielli 2022-02-07 12:27:07 UTC
Hi Samba team,

Please let us know if the following packages are affected, we have customers asking for that.

 - SUSE:SLE-11-SP1:Update/samba    3.4.3
 - SUSE:SLE-11-SP3:Update/samba    3.6.3
Comment 29 Noel Power 2022-02-07 13:24:58 UTC
(In reply to Gianluca Gabrielli from comment #28)
> Hi Samba team,
> 
> Please let us know if the following packages are affected, we have customers
> asking for that.
> 
>  - SUSE:SLE-11-SP1:Update/samba    3.4.3
>  - SUSE:SLE-11-SP3:Update/samba    3.6.3

There is no vfs_fruit module in 3.6.3, and I couldn't find any mention in the source code of the extended attribute 'org.netatalk.Metadata', so I don't believe these code streams are affected.
Comment 32 Swamp Workflow Management 2022-02-10 17:19:06 UTC
SUSE-SU-2022:0361-1: An update that solves 11 vulnerabilities, contains one feature and has two fixes is now available.

Category: security (critical)
Bug References: 1014440,1188727,1189017,1189875,1192214,1192215,1192246,1192247,1192283,1192284,1192505,1192849,1194859
CVE References: CVE-2016-2124,CVE-2020-17049,CVE-2020-25717,CVE-2020-25718,CVE-2020-25719,CVE-2020-25721,CVE-2020-25722,CVE-2021-20254,CVE-2021-23192,CVE-2021-3738,CVE-2021-44142
JIRA References: SLE-18456
Sources used:
SUSE Enterprise Storage 7 (src):    ldb-2.2.2-4.6.1, samba-4.13.13+git.545.5897c2d94f3-3.12.1

Comment 33 Marcus Meissner 2022-02-14 08:01:06 UTC
Also, Factory has received the update.