CVSS 9.9-Rated Samba Bug Requires Immediate Patching
A critical vulnerability in a popular open-source networking protocol could allow attackers to execute code with root privileges unless patched, experts have warned.
Samba is a popular free implementation of the SMB protocol, allowing Linux, Windows and Mac users to share files across a network.
However, a newly discovered critical vulnerability (CVE-2021-44142) in the software has been given a CVSS score of 9.9, making it one of the most dangerous bugs discovered in recent years. Log4Shell was given only a slightly higher score of 10.0.
“All versions of Samba prior to 4.13.17 are vulnerable to an out-of-bounds heap read-write vulnerability that allows remote attackers to execute arbitrary code as root on affected Samba installations that use the VFS module vfs_fruit,” Samba explained.
“The specific flaw exists within the parsing of EA metadata when opening files in smbd. Access as a user that has write access to a file’s extended attributes is required to exploit this vulnerability. Note that this could be a guest or unauthenticated user if such users are allowed write access to file extended attributes.”
Patches have been released, and Samba updates 4.13.17, 4.14.12 and 4.15.5 have been issued to fix the problem, with administrators being urged to upgrade to these releases or apply the patch as soon as possible. The vulnerability has not yet been exploited in the wild at the time of writing, but this is likely to change.
An additional workaround is possible if sysadmins remove the “fruit” VFS module from the list of configured VFS objects in any “vfs objects” line in the Samba configuration smb.conf.
The new vulnerability comes at a busy time for administrators, many of whom spent time over the holidays hunting for instances of vulnerable Log4j hidden in Java dependencies across their organization.
Last year was another record-setter in terms of the number of CVEs published to the National Vulnerability Database (NVD), the fifth year in a row this has happened.
More Stories
Scam ‘Funeral Streaming’ Groups Thrive on Facebook
Scammers are flooding Facebook with groups that purport to offer video streaming of funeral services for the recently deceased. Friends...
Europol Taskforce Disrupts Global Criminal Network Through Supply Chain Attack
The suspected creator of Ghost, an encrypted communication platform allegedly used by organized crime groups worldwide, has been arrested Read...
Introducing LevelBlue’s 24/7 Managed Threat Detection and Response Service for Government
As new threat vectors emerge and cybercriminals leverage sophisticated technologies to orchestrate more targeted attacks, staying ahead of threats is...
AT&T Agrees $13m FCC Settlement Over Cloud Data Breach
Telco giant AT&T will pay the FCC $13m to resolve a cloud breach investigation Read More
CISA Issues Advice to Help Eliminate XSS Bugs
The US Cybersecurity and Infrastructure Security Agency is trying to eradicate cross-site scripting vulnerabilities Read More
The AI Fix #16: GPT-4o1, AI time travelers, and where’s my driverless car?
In episode 16 of The AI Fix, Mark and Graham meet GPT-4o1 and ask if it knows how many cousins...