Bug 1185717 - (CVE-2021-31800) VUL-0: CVE-2021-31800: python-impacket: Multiple path traversal vulnerabilities in smbserver.py
Status: NEW
Classification: openSUSE
Product: openSUSE Distribution
Component: Network
Version: Leap 15.2
Hardware: Other Other
Priority: P3 - Medium
Severity: Critical
Assigned To: Martin Hauke
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/283508/

Reported: 2021-05-06 12:11 UTC by Gianluca Gabrielli
Modified: 2021-05-06 12:23 UTC (History)
Found By: Security Response Team

Description Gianluca Gabrielli 2021-05-06 12:11:22 UTC
CVE-2021-31800

Multiple path traversal vulnerabilities exist in smbserver.py in Impacket through 0.9.22. An attacker that connects to a running smbserver instance can list and write to arbitrary files via ../ directory traversal. This could potentially be abused to achieve arbitrary code execution by replacing /etc/shadow or an SSH authorized key.

References:

https://github.com/SecureAuthCorp/impacket/blob/cb6d43a677c338db930bc4e9161620832c1ec624/impacket/smbserver.py#L2008
https://github.com/SecureAuthCorp/impacket/releases
https://github.com/SecureAuthCorp/impacket/blob/cb6d43a677c338db930bc4e9161620832c1ec624/impacket/smbserver.py#L876
https://github.com/SecureAuthCorp/impacket/blob/cb6d43a677c338db930bc4e9161620832c1ec624/impacket/smbserver.py#L2958
https://github.com/SecureAuthCorp/impacket/commit/49c643bf66620646884ed141c94e5fdd85bcdd2f
https://github.com/SecureAuthCorp/impacket/blob/cb6d43a677c338db930bc4e9161620832c1ec624/impacket/smbserver.py#L3485
https://bugzilla.redhat.com/show_bug.cgi?id=1957426
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-31800
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31800

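
A share-root containment check of the kind that stops the ../ traversal described above, shown beside the join-only pattern it replaces. This is an added example, not Impacket's code and not the upstream patch; the function names, directory layout and sample paths are constructed for illustration.

```python
import os
import tempfile

# Constructed client-supplied paths (SMB clients send backslash separators).
SAMPLES = ["docs\\report.txt", "/docs/./a.txt", "..\\..\\etc\\shadow",
           "docs/../../share2/x", "link\\share2\\x"]


def to_relative(client_path: str) -> str:
    """Convert an SMB-style path to a POSIX relative path."""
    return client_path.replace("\\", "/").lstrip("/")


def naive_join(share_root: str, client_path: str) -> str:
    """Weak pattern: join and normalise, with no containment check."""
    return os.path.normpath(os.path.join(share_root, to_relative(client_path)))


def confined_join(share_root: str, client_path: str) -> str:
    """Resolve '..' and symlinks, then require the result to stay under the root."""
    root = os.path.realpath(share_root)
    candidate = os.path.realpath(os.path.join(root, to_relative(client_path)))
    # commonpath compares whole components: sibling "share2" is not inside "share".
    if os.path.commonpath([root, candidate]) != root:
        raise PermissionError(f"path escapes share root: {client_path!r}")
    return candidate


def demo() -> dict:
    """Map each sample to (naive result is outside root, confined_join accepts it)."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.realpath(tmp)
        share = os.path.join(base, "share")
        os.makedirs(os.path.join(share, "docs"))
        os.makedirs(os.path.join(base, "share2"))      # sibling sharing a name prefix
        os.symlink(base, os.path.join(share, "link"))  # symlink leading out of the share
        for path in SAMPLES:
            outside = os.path.commonpath([share, naive_join(share, path)]) != share
            try:
                confined_join(share, path)
                accepted = True
            except PermissionError:
                accepted = False
            results[path] = (outside, accepted)
    return results


if __name__ == "__main__":
    print(demo())
```

The symlink sample stays lexically inside the share, so a normalise-only check passes it; only the resolved path shows that it leaves the root.
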
Comment 1 Gianluca Gabrielli 2021-05-06 12:19:08 UTC
The upstream patch [0] is not very clear due to the fact that the contributor also changed the indentation and made other PEP8-related changes in the same commit. The easiest way to fix it is to version bump to that commit [0]. Otherwise, more information about the actual fix can be retrieved from the first comment of the related PR [1].

[0] https://github.com/SecureAuthCorp/impacket/commit/49c643bf66620646884ed141c94e5fdd85bcdd2f
[1] https://github.com/SecureAuthCorp/impacket/pull/1066#issue-622746179
Comment 2 Gianluca Gabrielli 2021-05-06 12:23:14 UTC
The affected package is openSUSE:Factory/python-impacket version 0.9.22