// For flags

CVE-2021-44142

Samba fruit_pwrite Heap-based Buffer Overflow Remote Code Execution Vulnerability

Severity Score

8.8
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

3
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

The Samba vfs_fruit module uses extended file attributes (EA, xattr) to provide "...enhanced compatibility with Apple SMB clients and interoperability with a Netatalk 3 AFP fileserver." Samba versions prior to 4.13.17, 4.14.12 and 4.15.5 with vfs_fruit configured allow out-of-bounds heap read and write via specially crafted extended file attributes. A remote attacker with write access to extended file attributes can execute arbitrary code with the privileges of smbd, typically root.

El módulo vfs_fruit de Samba usa atributos de archivo extendidos (EA, xattr) para proporcionar "...compatibilidad mejorada con los clientes SMB de Apple e interoperabilidad con un servidor de archivos AFP de Netatalk 3". Samba versiones anteriores a 4.13.17, 4.14.12 y 4.15.5 con vfs_fruit configurado permiten una lectura y escritura fuera de límites de la pila por medio de atributos de archivo extendidos especialmente diseñados. Un atacante remoto con acceso de escritura a los atributos de archivo extendidos puede ejecutar código arbitrario con los privilegios de smbd, típicamente root

An out-of-bounds heap read write vulnerability was found in Samba. Due to a boundary error when processing EA metadata while opening files in smbd within the VFS Samba module (vfs_fruit), a remote attacker with ability to write to file's extended attributes can trigger an out-of-bounds write and execute arbitrary code with root privileges.

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Samba. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the fruit_pwrite function. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of root.

*Credits: Nguyen Hoang Thach (https://twitter.com/hi_im_d4rkn3ss) and Billy Jheng Bing-Jhong (https://twitter.com/st424204)
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
Low
Authentication
Single
Confidentiality
Complete
Integrity
Complete
Availability
Complete
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2021-11-22 CVE Reserved
  • 2022-02-01 CVE Published
  • 2022-03-29 First Exploit
  • 2024-05-15 EPSS Updated
  • 2024-09-16 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-125: Out-of-bounds Read
  • CWE-787: Out-of-bounds Write
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Samba
Search vendor "Samba"
Samba
Search vendor "Samba" for product "Samba"
< 4.13.17
Search vendor "Samba" for product "Samba" and version " < 4.13.17"
-
Affected
Samba
Search vendor "Samba"
Samba
Search vendor "Samba" for product "Samba"
>= 4.14.0 < 4.14.12
Search vendor "Samba" for product "Samba" and version " >= 4.14.0 < 4.14.12"
-
Affected
Samba
Search vendor "Samba"
Samba
Search vendor "Samba" for product "Samba"
>= 4.15.0 < 4.15.5
Search vendor "Samba" for product "Samba" and version " >= 4.15.0 < 4.15.5"
-
Affected
Debian
Search vendor "Debian"
Debian Linux
Search vendor "Debian" for product "Debian Linux"
10.0
Search vendor "Debian" for product "Debian Linux" and version "10.0"
-
Affected
Debian
Search vendor "Debian"
Debian Linux
Search vendor "Debian" for product "Debian Linux"
11.0
Search vendor "Debian" for product "Debian Linux" and version "11.0"
-
Affected
Canonical
Search vendor "Canonical"
Ubuntu Linux
Search vendor "Canonical" for product "Ubuntu Linux"
14.04
Search vendor "Canonical" for product "Ubuntu Linux" and version "14.04"
esm
Affected
Canonical
Search vendor "Canonical"
Ubuntu Linux
Search vendor "Canonical" for product "Ubuntu Linux"
16.04
Search vendor "Canonical" for product "Ubuntu Linux" and version "16.04"
esm
Affected
Canonical
Search vendor "Canonical"
Ubuntu Linux
Search vendor "Canonical" for product "Ubuntu Linux"
18.04
Search vendor "Canonical" for product "Ubuntu Linux" and version "18.04"
lts
Affected
Canonical
Search vendor "Canonical"
Ubuntu Linux
Search vendor "Canonical" for product "Ubuntu Linux"
20.04
Search vendor "Canonical" for product "Ubuntu Linux" and version "20.04"
lts
Affected
Canonical
Search vendor "Canonical"
Ubuntu Linux
Search vendor "Canonical" for product "Ubuntu Linux"
21.10
Search vendor "Canonical" for product "Ubuntu Linux" and version "21.10"
-
Affected
Synology
Search vendor "Synology"
Diskstation Manager
Search vendor "Synology" for product "Diskstation Manager"
>= 6.2 < 6.2.4-25556.4
Search vendor "Synology" for product "Diskstation Manager" and version " >= 6.2 < 6.2.4-25556.4"
-
Affected
Fedoraproject
Search vendor "Fedoraproject"
Fedora
Search vendor "Fedoraproject" for product "Fedora"
34
Search vendor "Fedoraproject" for product "Fedora" and version "34"
-
Affected
Fedoraproject
Search vendor "Fedoraproject"
Fedora
Search vendor "Fedoraproject" for product "Fedora"
35
Search vendor "Fedoraproject" for product "Fedora" and version "35"
-
Affected
Redhat
Search vendor "Redhat"
Codeready Linux Builder
Search vendor "Redhat" for product "Codeready Linux Builder"
--
Affected
Redhat
Search vendor "Redhat"
Gluster Storage
Search vendor "Redhat" for product "Gluster Storage"
3.5
Search vendor "Redhat" for product "Gluster Storage" and version "3.5"
-
Affected
Redhat
Search vendor "Redhat"
Virtualization Host
Search vendor "Redhat" for product "Virtualization Host"
4.0
Search vendor "Redhat" for product "Virtualization Host" and version "4.0"
-
Affected
Redhat
Search vendor "Redhat"
Enterprise Linux
Search vendor "Redhat" for product "Enterprise Linux"
7.0
Search vendor "Redhat" for product "Enterprise Linux" and version "7.0"
-
Affected
Redhat
Search vendor "Redhat"
Enterprise Linux
Search vendor "Redhat" for product "Enterprise Linux"
8.0
Search vendor "Redhat" for product "Enterprise Linux" and version "8.0"
-
Affected
Redhat
Search vendor "Redhat"
Enterprise Linux Desktop
Search vendor "Redhat" for product "Enterprise Linux Desktop"
7.0
Search vendor "Redhat" for product "Enterprise Linux Desktop" and version "7.0"
-
Affected
Redhat
Search vendor "Redhat"
Enterprise Linux Eus
Search vendor "Redhat" for product "Enterprise Linux Eus"
8.2
Search vendor "Redhat" for product "Enterprise Linux Eus" and version "8.2"
-
Affected
Redhat
Search vendor "Redhat"
Enterprise Linux Eus
Search vendor "Redhat" for product "Enterprise Linux Eus"
8.4
Search vendor "Redhat" for product "Enterprise Linux Eus" and version "8.4"
-
Affected
Redhat
Search vendor "Redhat"
Enterprise Linux For Ibm Z Systems
Search vendor "Redhat" for product "Enterprise Linux For Ibm Z Systems"
7.0
Search vendor "Redhat" for product "Enterprise Linux For Ibm Z Systems" and version "7.0"
-
Affected
Redhat
Search vendor "Redhat"
Enterprise Linux For Ibm Z Systems
Search vendor "Redhat" for product "Enterprise Linux For Ibm Z Systems"
8.0
Search vendor "Redhat" for product "Enterprise Linux For Ibm Z Systems" and version "8.0"
-
Affected
Redhat
Search vendor "Redhat"
Enterprise Linux For Ibm Z Systems Eus
Search vendor "Redhat" for product "Enterprise Linux For Ibm Z Systems Eus"
8.2
Search vendor "Redhat" for product "Enterprise Linux For Ibm Z Systems Eus" and version "8.2"
-
Affected
Redhat
Search vendor "Redhat"
Enterprise Linux For Ibm Z Systems Eus
Search vendor "Redhat" for product "Enterprise Linux For Ibm Z Systems Eus"
8.4
Search vendor "Redhat" for product "Enterprise Linux For Ibm Z Systems Eus" and version "8.4"
-
Affected
Redhat
Search vendor "Redhat"
Enterprise Linux For Power Big Endian
Search vendor "Redhat" for product "Enterprise Linux For Power Big Endian"
7.0
Search vendor "Redhat" for product "Enterprise Linux For Power Big Endian" and version "7.0"
-
Affected
Redhat
Search vendor "Redhat"
Enterprise Linux For Power Little Endian
Search vendor "Redhat" for product "Enterprise Linux For Power Little Endian"
7.0
Search vendor "Redhat" for product "Enterprise Linux For Power Little Endian" and version "7.0"
-
Affected
Redhat
Search vendor "Redhat"
Enterprise Linux For Power Little Endian
Search vendor "Redhat" for product "Enterprise Linux For Power Little Endian"
8.0
Search vendor "Redhat" for product "Enterprise Linux For Power Little Endian" and version "8.0"
-
Affected
Redhat
Search vendor "Redhat"
Enterprise Linux For Power Little Endian Eus
Search vendor "Redhat" for product "Enterprise Linux For Power Little Endian Eus"
8.2
Search vendor "Redhat" for product "Enterprise Linux For Power Little Endian Eus" and version "8.2"
-
Affected
Redhat
Search vendor "Redhat"
Enterprise Linux For Power Little Endian Eus
Search vendor "Redhat" for product "Enterprise Linux For Power Little Endian Eus"
8.4
Search vendor "Redhat" for product "Enterprise Linux For Power Little Endian Eus" and version "8.4"
-
Affected
Redhat
Search vendor "Redhat"
Enterprise Linux For Scientific Computing
Search vendor "Redhat" for product "Enterprise Linux For Scientific Computing"
7.0
Search vendor "Redhat" for product "Enterprise Linux For Scientific Computing" and version "7.0"
-
Affected
Redhat
Search vendor "Redhat"
Enterprise Linux Resilient Storage
Search vendor "Redhat" for product "Enterprise Linux Resilient Storage"
7.0
Search vendor "Redhat" for product "Enterprise Linux Resilient Storage" and version "7.0"
-
Affected
Redhat
Search vendor "Redhat"
Enterprise Linux Server
Search vendor "Redhat" for product "Enterprise Linux Server"
7.0
Search vendor "Redhat" for product "Enterprise Linux Server" and version "7.0"
-
Affected
Redhat
Search vendor "Redhat"
Enterprise Linux Server
Search vendor "Redhat" for product "Enterprise Linux Server"
8.1
Search vendor "Redhat" for product "Enterprise Linux Server" and version "8.1"
-
Affected
Redhat
Search vendor "Redhat"
Enterprise Linux Server Aus
Search vendor "Redhat" for product "Enterprise Linux Server Aus"
8.2
Search vendor "Redhat" for product "Enterprise Linux Server Aus" and version "8.2"
-
Affected
Redhat
Search vendor "Redhat"
Enterprise Linux Server Aus
Search vendor "Redhat" for product "Enterprise Linux Server Aus"
8.4
Search vendor "Redhat" for product "Enterprise Linux Server Aus" and version "8.4"
-
Affected
Redhat
Search vendor "Redhat"
Enterprise Linux Server Tus
Search vendor "Redhat" for product "Enterprise Linux Server Tus"
8.2
Search vendor "Redhat" for product "Enterprise Linux Server Tus" and version "8.2"
-
Affected
Redhat
Search vendor "Redhat"
Enterprise Linux Server Tus
Search vendor "Redhat" for product "Enterprise Linux Server Tus"
8.4
Search vendor "Redhat" for product "Enterprise Linux Server Tus" and version "8.4"
-
Affected
Redhat
Search vendor "Redhat"
Enterprise Linux Server Update Services For Sap Solutions
Search vendor "Redhat" for product "Enterprise Linux Server Update Services For Sap Solutions"
8.1
Search vendor "Redhat" for product "Enterprise Linux Server Update Services For Sap Solutions" and version "8.1"
-
Affected
Redhat
Search vendor "Redhat"
Enterprise Linux Server Update Services For Sap Solutions
Search vendor "Redhat" for product "Enterprise Linux Server Update Services For Sap Solutions"
8.2
Search vendor "Redhat" for product "Enterprise Linux Server Update Services For Sap Solutions" and version "8.2"
-
Affected
Redhat
Search vendor "Redhat"
Enterprise Linux Server Update Services For Sap Solutions
Search vendor "Redhat" for product "Enterprise Linux Server Update Services For Sap Solutions"
8.4
Search vendor "Redhat" for product "Enterprise Linux Server Update Services For Sap Solutions" and version "8.4"
-
Affected
Redhat
Search vendor "Redhat"
Enterprise Linux Workstation
Search vendor "Redhat" for product "Enterprise Linux Workstation"
7.0
Search vendor "Redhat" for product "Enterprise Linux Workstation" and version "7.0"
-
Affected