Bug 1183239 - (CVE-2021-20208) VUL-0: CVE-2021-20208: cifs-utils: cifs.upcall kerberos auth leak in container
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Aurelien Aptel
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/279407/
Whiteboard: CVSSv3.1:SUSE:CVE-2021-20208:6.1:(AV:...
Reported: 2021-03-09 15:42 UTC by Alexandros Toptsoglou
Modified: 2021-06-21 08:50 UTC (History)
Attachments
patch (6.95 KB, patch)
2021-03-09 15:48 UTC, Aurelien Aptel
Comment 2 Aurelien Aptel 2021-03-09 15:48:07 UTC
Created attachment 846949 [details]
patch
Comment 10 Aurelien Aptel 2021-03-09 18:27:30 UTC
The SLE11 code streams don't have the netns() syscall, as it turns out; the patch doesn't build, but it doesn't really matter as they are not vulnerable. If you don't have containers, no data is leaking.

For the SLE12 code streams, Paulo submitted maintenance requests. 

So assuming everything passes, I think we are ready on our side.
Comment 13 Aurelien Aptel 2021-04-13 09:22:22 UTC
The bug is now public.

https://bugzilla.samba.org/show_bug.cgi?id=14651
Comment 14 Alexandros Toptsoglou 2021-04-13 09:27:09 UTC
===========================================================
== Subject:     Container calls to cifs.upcall access host environment
==
== CVE ID#:     CVE-2021-20208
==
== Versions:    cifs-utils 4.0 and above
==
==
== Summary:     When a container process causes an operation that triggers
==              the kernel to ask userspace for user credentials for
==              an SMB filesystem, the cifs.upcall utility may indirectly
==              leak information about Kerberos credentials available
==              in the host environment and cause non-sanctioned SMB
==              filesystem access in the container.
===========================================================

===========
Description
===========

A bug has been reported recently for the cifs.upcall utility which is
part of the cifs-utils package.

In scenarios where a program running inside a container issues a
syscall that triggers the kernel to upcall cifs.upcall, such as when
users access a multiuser cifs mount or when users access a DFS link,
cifs.upcall is executed in the host environment where its execution
may indirectly leak information about resources available only to
host applications, such as Kerberos credential caches, to a
containerized application. As a result, a containerized application may
trigger access to files on an SMB share under an identity otherwise not
intended to be accessed by this container's environment.

The bug is a consequence of the kernel calling the host cifs.upcall
binary and can be traced back to the introduction of the cifs.upcall
mechanism in cifs-utils and the introduction of containers in the
kernel.

With this release, cifs.upcall joins a caller's process namespaces
before accessing any resources to perform Kerberos authentication. As a
result, access to SMB shares is limited to credentials already available
inside the containerized environment.

==================
Patch Availability
==================

A patch is available as an attachment on the bug report.

https://bugzilla.samba.org/show_bug.cgi?id=14651

==================
CVSSv3 calculation
==================

AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N/E:F/RL:O/RC:C/MAV:L/MAC:H/MPR:L/MUI:N/MS:C/MC:L/MI:H/MA:N

Base score of 6.1 - medium.

=========================
Workaround and mitigation
=========================

For host systems that cannot be updated, DFS and multiuser mounts can
be disabled in the container SMB mount options, i.e. by adding 'nodfs'
and removing 'multiuser' (if present).
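The workaround above is a per-mount setting, so the practical defender question is "which of my cifs mounts still trigger the upcall?". The following script is an added example written for this page, not code from cifs-utils or from the advisory: it parses mount-table lines in the /proc/mounts format, flags cifs mounts that carry the 'multiuser' option or lack 'nodfs', and rewrites an option string the way the workaround describes. The sample mount lines, server names and paths are constructed; the script assumes the kernel lists 'multiuser' and 'nodfs' in the option column when they are in effect, which is how it reports them on the kernels the author has seen.

```python
"""Audit cifs mounts for the DFS / multiuser exposure described in CVE-2021-20208.

Added example, not part of the bug report or of cifs-utils. Run it as-is to
check the constructed sample below, or feed it the contents of /proc/mounts
taken from inside a container to check real mounts.
"""
import re
from typing import Dict, List

# Constructed sample in /proc/mounts format (not captured from a real host).
# The third line shows the \040 escape /proc/mounts uses for a space.
SAMPLE_MOUNTS = """\
//fileserver.example.test/data /mnt/data cifs rw,relatime,vers=3.0,sec=krb5,multiuser,cache=strict 0 0
//fileserver.example.test/public /mnt/public cifs rw,relatime,vers=3.0,sec=krb5,nodfs,cache=strict 0 0
//fileserver.example.test/team\\040docs /mnt/team\\040docs cifs rw,relatime,vers=3.1.1,sec=krb5,multiuser 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda2 / ext4 rw,relatime 0 0
"""

_OCTAL_ESCAPE = re.compile(r"\\([0-7]{3})")


def unescape(field: str) -> str:
    """Decode the \\ooo octal escapes /proc/mounts uses for spaces, tabs, etc."""
    return _OCTAL_ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), field)


def parse_mounts(text: str) -> List[Dict[str, object]]:
    """Split /proc/mounts lines into source, target, fstype and an option list."""
    mounts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:          # malformed or blank line: skip, do not guess
            continue
        mounts.append({
            "source": unescape(parts[0]),
            "target": unescape(parts[1]),
            "fstype": parts[2],
            "options": parts[3].split(","),
        })
    return mounts


def audit_cifs_mounts(text: str) -> Dict[str, List[str]]:
    """Return {mountpoint: [findings]} for cifs mounts that can still upcall.

    'multiuser' means per-user credential lookups go through cifs.upcall;
    'dfs' means DFS referrals are still followed (no 'nodfs' option).
    """
    findings: Dict[str, List[str]] = {}
    for m in parse_mounts(text):
        if m["fstype"] != "cifs":
            continue
        issues = []
        if "multiuser" in m["options"]:
            issues.append("multiuser")
        if "nodfs" not in m["options"]:
            issues.append("dfs")
        if issues:
            findings[str(m["target"])] = issues
    return findings


def harden_options(options: str) -> str:
    """Apply the advisory's workaround to a mount option string:
    drop 'multiuser' if present and add 'nodfs' if missing."""
    opts = [o for o in options.split(",") if o and o != "multiuser"]
    if "nodfs" not in opts:
        opts.append("nodfs")
    return ",".join(opts)


if __name__ == "__main__":
    for target, issues in audit_cifs_mounts(SAMPLE_MOUNTS).items():
        print(f"{target}: still exposed via {', '.join(issues)}")
    print("hardened:", harden_options("rw,vers=3.0,sec=krb5,multiuser"))
```

On a real system, pipe the container's own /proc/mounts into `audit_cifs_mounts`; an empty result means every cifs mount already carries 'nodfs' and no 'multiuser'. This only confirms the workaround is in place, it does not replace updating cifs-utils to a version where cifs.upcall joins the caller's namespaces.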
Comment 15 Swamp Workflow Management 2021-04-13 13:16:21 UTC
SUSE-SU-2021:1161-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1183239
CVE References: CVE-2021-20208
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    cifs-utils-6.9-5.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 16 Swamp Workflow Management 2021-04-13 13:19:26 UTC
SUSE-SU-2021:1159-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1183239
CVE References: CVE-2021-20208
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    cifs-utils-6.9-13.14.1
SUSE Linux Enterprise Server 12-SP5 (src):    cifs-utils-6.9-13.14.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 18 OBSbugzilla Bot 2021-04-27 13:20:04 UTC
This is an autogenerated message for OBS integration:
This bug (1183239) was mentioned in
https://build.opensuse.org/request/show/888794 Factory / cifs-utils
Comment 20 Swamp Workflow Management 2021-04-30 13:17:26 UTC
SUSE-SU-2021:1455-1: An update that solves two vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1152930,1174477,1183239,1184815
CVE References: CVE-2020-14342,CVE-2021-20208
JIRA References: 
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src):    cifs-utils-6.9-3.14.1
SUSE Linux Enterprise Server 15-LTSS (src):    cifs-utils-6.9-3.14.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    cifs-utils-6.9-3.14.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    cifs-utils-6.9-3.14.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 21 Swamp Workflow Management 2021-05-01 01:28:27 UTC
openSUSE-SU-2021:0639-1: An update that solves two vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1152930,1174477,1183239,1184815
CVE References: CVE-2020-14342,CVE-2021-20208
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    cifs-utils-6.9-lp152.2.3.1
Comment 22 Aurelien Aptel 2021-06-21 08:50:42 UTC
closing