Finding Samba instances with vulnerable vfs_fruit

by Pearce Barry

A new vulnerability has surfaced in Samba that has the potential to give attackers unauthenticated remote code execution. Samba, popular as Windows-compatible file sharing and print services software via the SMB protocol, typically runs on Linux and other non-Windows OSes, and you can usually find it on servers, appliances, desktops, and IoT devices. This out-of-bounds heap read/write vulnerability (tracked as CVE-2021-44142, with a "critical" CVSS score of 9.9) resides in Samba's vfs_fruit module, the VFS module that provides compatibility with Apple SMB clients and Netatalk. It was discovered and disclosed by security researchers Nguyễn Hoàng Thạch and Billy Jheng Bing-Jhong, along with Lucas Leong, and separately by security researcher Orange Tsai.

For this vulnerability to be exploitable, the vfs_fruit module must be in use with the default settings for the fruit:metadata and fruit:resource options (fruit:metadata = netatalk and fruit:resource = file). The attacker must also have write access to a file share that supports extended attributes (ea support = yes, which is the Samba default); depending on the share configuration, that write access may be available to guests and unauthenticated users.

While the list of potentially affected vendors is lengthy, major Linux distributions including Red Hat, Ubuntu, and SUSE have patches available. The Samba maintainers have also released fixed versions and recommend that everyone upgrade to Samba 4.13.17, 4.14.12, or 4.15.5 as soon as possible. If upgrading is not possible, the Samba maintainers offer a mitigation: remove "fruit" from the list of modules on every "vfs objects" line in the smb.conf configuration file. Keep in mind that this also disables the Apple-compatibility behaviour the module provides (such as Time Machine support), so test the change on affected shares before rolling it out.

How to find potentially vulnerable Samba instances with runZero

From the Service Inventory, use the following pre-built query to locate assets within your network that are potentially vulnerable:

protocol:smb and (product:samba or smb.sessionID:="0x00000000%")

As always, any prebuilt queries we create are available from our Queries Library. Check out the library for other useful inventory queries.

