CVE-2021-44142 / CVE-2020-25717 / CVE-2020-25719: samba multiple CVEs

Bug #1964842 reported by Ghada Khalil
Affects: StarlingX
Status: Fix Released
Importance: Medium
Assigned to: Joe Slater

Bug Description

CVE-2021-44142: samba: Out-of-bounds heap read/write vulnerability in VFS module vfs_fruit allows code execution
CVE-2020-25717: samba: A user in an AD Domain could become root on domain members
CVE-2020-25719: samba: AD DC did not always rely on the SID and PAC in Kerberos tickets.

Score (CVSS v2; av = access vector, ac = access complexity, au = authentication, ai = availability impact):
cve_id          status  cvss2Score  av  ac  au  ai
CVE-2021-44142  fixed   9.0         N   L   S   C
CVE-2020-25717  fixed   8.5         N   L   S   N
CVE-2020-25719  fixed   9.0         N   L   S   C

Description:
CVE-2021-44142: The Samba vfs_fruit module uses extended file attributes (EA, xattr) to provide "...enhanced compatibility with Apple SMB clients and interoperability with a Netatalk 3 AFP fileserver." Samba versions prior to 4.13.17, 4.14.12 and 4.15.5 with vfs_fruit configured allow out-of-bounds heap read and write via specially crafted extended file attributes. A remote attacker with write access to extended file attributes can execute arbitrary code with the privileges of smbd, typically root.

CVE-2020-25717: A flaw was found in the way Samba maps domain users to local users. An authenticated attacker could use this flaw to cause possible privilege escalation.

CVE-2020-25719: A flaw was found in the way Samba, as an Active Directory Domain Controller, implemented Kerberos name-based authentication. The Samba AD DC could become confused about the user a ticket represents if it did not strictly require a Kerberos PAC and always use the SIDs found within. The result could include total domain compromise.

References:
https://nvd.nist.gov/vuln/detail/CVE-2021-44142
https://access.redhat.com/security/cve/CVE-2021-44142
https://nvd.nist.gov/vuln/detail/CVE-2020-25717
https://access.redhat.com/security/cve/CVE-2020-25717
https://nvd.nist.gov/vuln/detail/CVE-2020-25719
https://access.redhat.com/security/cve/CVE-2020-25719
https://access.redhat.com/errata/RHSA-2021:5195
https://access.redhat.com/errata/RHSA-2021:5192
https://access.redhat.com/errata/RHSA-2022:0328

Note: The 3 CVEs are fixed by CentOS per this announcement: https://lists.centos.org/pipermail/centos-announce/2022-February/073554.html

Required Package Versions:
samba-client-libs-4.10.16-18.el7_9.x86_64.rpm
samba-common-4.10.16-18.el7_9.noarch.rpm
samba-common-libs-4.10.16-18.el7_9.x86_64.rpm

Packages:
samba

Found during February 2022 CVE Scan
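Turning the "check rpm versions" step into something repeatable: an added example (not StarlingX's tooling) that compares `rpm -q` output against the required package versions listed above. The sample output is constructed, and the version comparison is a simplified rpmvercmp that assumes no epoch and ignores tilde/caret handling.

```python
"""Check installed Samba RPMs against the fixed versions listed in bug 1964842.

Added example, not StarlingX tooling. The rpm output below is constructed.
"""
import re

# Minimum fixed versions from the bug report: name -> (version, release).
REQUIRED = {
    "samba-client-libs": ("4.10.16", "18.el7_9"),
    "samba-common": ("4.10.16", "18.el7_9"),
    "samba-common-libs": ("4.10.16", "18.el7_9"),
}

# Constructed sample of: rpm -q --qf '%{NAME} %{VERSION} %{RELEASE}\n' <pkgs>
# One package is still at an older (vulnerable) release.
SAMPLE_RPM_OUTPUT = """\
samba-client-libs 4.10.16 18.el7_9
samba-common 4.10.16 15.el7_9
samba-common-libs 4.10.16 18.el7_9
"""


def _segments(s):
    # rpmvercmp splits on non-alphanumerics; digit runs and letter runs are separate segments.
    return re.findall(r"\d+|[a-zA-Z]+", s)


def rpmvercmp(a, b):
    """Simplified rpmvercmp: -1, 0 or 1. Numeric segments compare as integers,
    alphabetic ones lexically, and a numeric segment sorts after an alphabetic one."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            return 1 if int(x) > int(y) else -1
        if xd != yd:
            return 1 if xd else -1  # numeric beats alpha, as in rpm
        return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def is_fixed(name, version, release):
    """True if the installed version-release is at or above the required one."""
    req_ver, req_rel = REQUIRED[name]
    c = rpmvercmp(version, req_ver)
    if c == 0:
        c = rpmvercmp(release, req_rel)
    return c >= 0


def check(rpm_output):
    """Return (name, installed version-release, fixed?) for each known package."""
    results = []
    for line in rpm_output.splitlines():
        if not line.strip():
            continue
        name, version, release = line.split()
        if name in REQUIRED:
            results.append((name, f"{version}-{release}", is_fixed(name, version, release)))
    return results


if __name__ == "__main__":
    for name, evr, ok in check(SAMPLE_RPM_OUTPUT):
        print(f"{name:20} {evr:20} {'fixed' if ok else 'VULNERABLE'}")
```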

Ghada Khalil (gkhalil) wrote :

Screening: Marking as medium priority as this CVE meets the StarlingX fix criteria. Should be fixed in stx master and considered for cherry-pick to stx.6.0 if a maintenance release is planned.

tags: added: stx.7.0 stx.security
Changed in starlingx:
importance: Undecided → Medium
status: New → Triaged
information type: Public → Public Security
Changed in starlingx:
assignee: nobody → Yue Tao (wrytao)
tags: added: stx.6.0
Yue Tao (wrytao)
Changed in starlingx:
assignee: Yue Tao (wrytao) → Joe Slater (jslater0wind)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tools (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/tools/+/834351

Changed in starlingx:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to tools (master)

Reviewed: https://review.opendev.org/c/starlingx/tools/+/834351
Committed: https://opendev.org/starlingx/tools/commit/29254bd6ea1e80ce21ce55417248d7557f528598
Submitter: "Zuul (22348)"
Branch: master

commit 29254bd6ea1e80ce21ce55417248d7557f528598
Author: Joe Slater <email address hidden>
Date: Fri Mar 18 15:17:50 2022 -0400

    samba: fix three CVEs

    CVE-2021-44142: out-of-bounds heap read/write
    CVE-2020-25717: user can become root
    CVE-2020-25719: AD DC does not always rely on the SID and PAC

    === testing

    Boot iso and check rpm versions. Only samba
    libraries are included in the image.

    ===

    Closes-bug: 1964842
    Signed-off-by: Joe Slater <email address hidden>
    Change-Id: I55a97b662ac24c1ba9852a09d8e40b5a40f67945

Changed in starlingx:
status: In Progress → Fix Released