Finding Samba instances with vulnerable vfs_fruit
A new vulnerability has surfaced in Samba, which has the potential to provide unauthenticated remote code execution to attackers. Popular as Windows-compatible file sharing and print services software via the SMB protocol, Samba typically runs under Linux and other non-Windows OSes. You can usually find Samba on servers, appliances, desktops, and IoT devices. This out-of-bounds heap read write vulnerability (tracked as CVE-2021-44142 with a “critical” CVSS score of 9.9) resides in Samba’s vfs_fruit
module and was discovered-and-disclosed by security researchers Nguyễn Hoàng Thạch and Billy Jheng Bing-Jhong, along with Lucas Leong, and also separately by security researcher Orange Tsai.
For this vulnerability to be successfully exploitable by an attacker, the vfs_fruit
module must be in use with default configuration settings for the fruit:metadata
and fruit:resource
options. The attacker must also have write access to a file share (which could allow guests and unauthenticated users, based on the configuration) that supports extended attributes (i.e., ea support = yes
, which is the default for Samba).
While the list of potentially vulnerable vendors is lengthy, some formerly-vulnerable major Linux distributions have patches available, including Red Hat, Ubuntu, and SUSE. Samba maintainers have also released patched versions, and they recommened everyone upgrade to Samba version 4.13.17, 4.14.12, or 4.15.5 as soon as possible. In the event that upgrading is not possible, Samba maintainers offer a mitigation path: removing the “fruit” VFS module from the list of configured VFS objects in any “vfs objects” line in the Samba smb.conf configuration file.
How to find potentially vulnerable Samba instances with runZero
From the Service Inventory, use the following pre-built query to locate assets within your network that are potentially vulnerable:
protocol:smb and (product:samba or smb.sessionID:="0x00000000%")

As always, any prebuilt queries we create are available from our Queries Library. Check out the library for other useful inventory queries.
Get runZero for free
Don’t have runZero and need help finding potentially vulnerable Samba instances?
Get started
Similar Content
February 15, 2023
Finding OpenSSH servers
The OpenSSH team surfaced a security issue earlier this month that specifically affects OpenSSH server version 9.1p1 (a.k.a. version 9.1). This version contains a memory double-free vulnerability (tracked as CVE-2023-25136) that can be reached pre-authentication by a remote …
Read MoreFebruary 8, 2023
Finding VMware ESXi assets
This Rapid Response post covers ESXiArgs, a new strain of ransomware that is targeting VMware ESXi servers. Learn how you can find potentially affected servers on your network.
February 3, 2023
Finding Lexmark printer assets
Printer manufacturer Lexmark recently published details on a vulnerability that affects over 100 of their printer models. Learn how runZero can help you find potentially affected assets.