CVE-2021-44142 – Samba fruit_pwrite Heap-based Buffer Overflow Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2021-44142
The Samba vfs_fruit module uses extended file attributes (EA, xattr) to provide "...enhanced compatibility with Apple SMB clients and interoperability with a Netatalk 3 AFP fileserver." Samba versions prior to 4.13.17, 4.14.12 and 4.15.5 with vfs_fruit configured allow out-of-bounds heap read and write via specially crafted extended file attributes. A remote attacker with write access to extended file attributes can execute arbitrary code with the privileges of smbd, typically root. • https://github.com/horizon3ai/CVE-2021-44142 https://github.com/gudyrmik/CVE-2021-44142 https://github.com/hrsman/Samba-CVE-2021-44142 https://bugzilla.samba.org/show_bug.cgi?id=14914 https://kb.cert.org/vuls/id/119678 https://security.gentoo.org/glsa/202309-06 https://www.samba.org/samba/security/CVE-2021-44142.html https://www.zerodayinitiative.com/blog/2022/2/1/cve-2021-44142-details-on-a-samba-code-execution-bug-demonstrated-at-pwn2own-austin https://access.redhat • CWE-125: Out-of-bounds Read CWE-787: Out-of-bounds Write
CVE-2021-43566
https://notcve.org/view.php?id=CVE-2021-43566
All versions of Samba prior to 4.13.16 are vulnerable to a malicious client using an SMB1 or NFS race to allow a directory to be created in an area of the server file system not exported under the share definition. Note that SMB1 has to be enabled, or the share also has to be available via NFS, in order for this attack to succeed. • https://bugzilla.samba.org/show_bug.cgi?id=13979 https://security.netapp.com/advisory/ntap-20220110-0001 https://www.samba.org/samba/security/CVE-2021-43566.html • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVE-2020-25721
https://notcve.org/view.php?id=CVE-2020-25721
Kerberos acceptors need easy access to stable AD identifiers (e.g. objectSid). Samba as an AD DC now provides a way for Linux applications to obtain a reliable SID (and samAccountName) in issued tickets. • https://bugzilla.redhat.com/show_bug.cgi?id=2021728 https://bugzilla.samba.org/show_bug.cgi?id=14725 https://security.gentoo.org/glsa/202309-06 https://www.samba.org/samba/security/CVE-2020-25721.html • CWE-20: Improper Input Validation
CVE-2021-23192 – samba: Subsequent DCE/RPC fragment injection vulnerability
https://notcve.org/view.php?id=CVE-2021-23192
A flaw was found in the way Samba implemented DCE/RPC. If a client to a Samba server sent a very large DCE/RPC request, and chose to fragment it, an attacker could replace later fragments with their own data, bypassing the signature requirements. • https://bugzilla.redhat.com/show_bug.cgi?id=2019666 https://security.gentoo.org/glsa/202309-06 https://ubuntu.com/security/CVE-2021-23192 https://www.samba.org/samba/security/CVE-2021-23192.html https://access.redhat.com/security/cve/CVE-2021-23192 • CWE-20: Improper Input Validation
CVE-2020-25717 – samba: Active Directory (AD) domain user could become root on domain members
https://notcve.org/view.php?id=CVE-2020-25717
A flaw was found in the way Samba maps domain users to local users. An authenticated attacker could use this flaw to cause possible privilege escalation. • https://bugzilla.redhat.com/show_bug.cgi?id=2019672 https://security.gentoo.org/glsa/202309-06 https://www.samba.org/samba/security/CVE-2020-25717.html https://access.redhat.com/security/cve/CVE-2020-25717 • CWE-20: Improper Input Validation