Bugzilla – Bug 1183239
VUL-0: CVE-2021-20208: cifs-utils: cifs.upcall kerberos auth leak in container
Last modified: 2021-06-21 08:50:42 UTC
Created attachment 846949 patch
The SLE11 code streams don't have the netns() syscall, as it turns out. The patch doesn't build, but it doesn't really matter as they are not vulnerable. If you don't have containers, no data is leaking. For the SLE12 code streams, Paulo submitted maintenance requests. So assuming everything passes, I think we are ready on our side.
The bug is now public. https://bugzilla.samba.org/show_bug.cgi?id=14651
===========================================================
== Subject:  Container calls to cifs.upcall access host environment
==
== CVE ID#:  CVE-2021-20208
==
== Versions: cifs-utils 4.0 and above
==
== Summary:  When a container process causes an operation that triggers
==           the kernel to ask a userspace for user credentials for
==           an SMB filesystem, cifs.upcall utility may indirectly
==           leak an information about Kerberos credentials available
==           in the host environment and cause non-sanctioned SMB
==           filesystem access in the container.
===========================================================

===========
Description
===========

A bug has been reported recently for the cifs.upcall utility which is part of the cifs-utils package. In scenarios where a program running inside a container issues a syscall that triggers the kernel to upcall cifs.upcall, such as when users access a multiuser cifs mount or when users access a DFS link, cifs.upcall is executed in the host environment where its execution may indirectly leak an information about resources available only to host applications, such as Kerberos credential caches, to a containerized application. As a result, a containerized application may trigger access to files on an SMB share under an identity otherwise not intended to be accessed by this container's environment.

The bug is a consequence of the kernel calling the host cifs.upcall binary and can be traced back to the introduction of the cifs.upcall mechanism in cifs-utils and the introduction of containers in the kernel.

With this release, cifs.upcall joins a caller's process namespaces before accessing any resources to perform Kerberos authentication. As a result, access to SMB shares is limited to credentials already available inside the containerized environment.

==================
Patch Availability
==================

A patch is available as an attachment on the bug report.
https://bugzilla.samba.org/show_bug.cgi?id=14651

==================
CVSSv3 calculation
==================

AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N/E:F/RL:O/RC:C/MAV:L/MAC:H/MPR:L/MUI:N/MS:C/MC:L/MI:H/MA:N

Base score of 6.1 - medium.

=========================
Workaround and mitigation
=========================

For host systems that cannot be updated, DFS and multiuser mounts can be disabled in the container SMB mounts options i.e. adding 'nodfs' and removing 'multiuser' (if present).
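The workaround in the advisory above can be checked against a host's mount table. The following is an added example, not code from cifs-utils or the advisory: it flags CIFS mounts that still carry 'multiuser' or lack 'nodfs'. It assumes both options appear in the mount table under the names the advisory uses; the sample entries and the function name are constructed for illustration.

```python
# Added example: audit CIFS mount entries for the workaround options
# ('nodfs' present, 'multiuser' absent) described in the advisory.

# Constructed sample in /proc/mounts (fstab-like) format; hosts are not real.
SAMPLE_MOUNTS = """\
//fs1.example.test/share /srv/a cifs rw,relatime,vers=3.0,sec=krb5,multiuser,uid=0 0 0
//fs1.example.test/pub /srv/b cifs rw,relatime,vers=3.0,sec=krb5,nodfs 0 0
//fs2.example.test/home /srv/c cifs rw,vers=3.0,sec=krb5,multiuser,nodfs 0 0
tmpfs /run tmpfs rw,nosuid,nodev 0 0
"""

# Filesystem types served by the kernel CIFS client.
CIFS_TYPES = ("cifs", "smb3")


def audit_cifs_mounts(mount_table):
    """Return [(mountpoint, [issues])] for CIFS mounts not matching the workaround."""
    findings = []
    for line in mount_table.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # Fields: source, mountpoint, fstype, options, dump, pass
        if len(fields) < 4 or fields[2] not in CIFS_TYPES:
            continue
        # Compare option names only, so 'vers=3.0' becomes 'vers'.
        opts = {opt.split("=", 1)[0] for opt in fields[3].split(",")}
        issues = []
        if "multiuser" in opts:
            issues.append("multiuser present")
        if "nodfs" not in opts:
            issues.append("nodfs missing")
        if issues:
            findings.append((fields[1], issues))
    return findings


if __name__ == "__main__":
    for mountpoint, issues in audit_cifs_mounts(SAMPLE_MOUNTS):
        print(f"{mountpoint}: {', '.join(issues)}")
```

To audit a live system, pass the contents of /proc/mounts (or /proc/<pid>/mounts for a container's init process) instead of the constructed sample.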
SUSE-SU-2021:1161-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 1183239
CVE References: CVE-2021-20208
JIRA References:
Sources used:
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src): cifs-utils-6.9-5.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2021:1159-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 1183239
CVE References: CVE-2021-20208
JIRA References:
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src): cifs-utils-6.9-13.14.1
SUSE Linux Enterprise Server 12-SP5 (src): cifs-utils-6.9-13.14.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
This is an autogenerated message for OBS integration: This bug (1183239) was mentioned in https://build.opensuse.org/request/show/888794 Factory / cifs-utils
SUSE-SU-2021:1455-1: An update that solves two vulnerabilities and has two fixes is now available.
Category: security (important)
Bug References: 1152930,1174477,1183239,1184815
CVE References: CVE-2020-14342,CVE-2021-20208
JIRA References:
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src): cifs-utils-6.9-3.14.1
SUSE Linux Enterprise Server 15-LTSS (src): cifs-utils-6.9-3.14.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src): cifs-utils-6.9-3.14.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): cifs-utils-6.9-3.14.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2021:0639-1: An update that solves two vulnerabilities and has two fixes is now available.
Category: security (important)
Bug References: 1152930,1174477,1183239,1184815
CVE References: CVE-2020-14342,CVE-2021-20208
JIRA References:
Sources used:
openSUSE Leap 15.2 (src): cifs-utils-6.9-lp152.2.3.1
closing