Finding Samba instances with vulnerable vfs_fruit
A new vulnerability has surfaced in Samba, which has the potential to provide unauthenticated remote code execution to attackers. Popular as Windows-compatible file sharing and print services software via the SMB protocol, Samba typically runs under Linux and other non-Windows OSes. You can usually find Samba on servers, appliances, desktops, and IoT devices. This out-of-bounds heap read write vulnerability (tracked as CVE-2021-44142 with a “critical” CVSS score of 9.9) resides in Samba’s
vfs_fruit module and was discovered-and-disclosed by security researchers Nguyễn Hoàng Thạch and Billy Jheng Bing-Jhong, along with Lucas Leong, and also separately by security researcher Orange Tsai.
For this vulnerability to be successfully exploitable by an attacker, the
vfs_fruit module must be in use with default configuration settings for the
fruit:resource options. The attacker must also have write access to a file share (which could allow guests and unauthenticated users, based on the configuration) that supports extended attributes (i.e.,
ea support = yes, which is the default for Samba).
While the list of potentially vulnerable vendors is lengthy, some formerly-vulnerable major Linux distributions have patches available, including Red Hat, Ubuntu, and SUSE. Samba maintainers have also released patched versions, and they recommened everyone upgrade to Samba version 4.13.17, 4.14.12, or 4.15.5 as soon as possible. In the event that upgrading is not possible, Samba maintainers offer a mitigation path: removing the “fruit” VFS module from the list of configured VFS objects in any “vfs objects” line in the Samba smb.conf configuration file.
protocol:smb and (product:samba or smb.sessionID:="0x00000000%")
Get runZero for free
Don’t have runZero and need help finding potentially vulnerable Samba instances?Get started
February 3, 2023
Finding Lexmark printer assets
Printer manufacturer Lexmark recently published details on a vulnerability that affects over 100 of their printer models. Learn how runZero can help you find potentially affected assets.
December 9, 2022
Finding Cisco 7800 and 8800 series IP phone assets on your network
Cisco 7800 and 8800 IP phones can be found in many companies and organizations. Successful exploitation of this vulnerability can provide an unauthenticated attacker in the same network segment or VLAN with remote code execution or denial-of-service capabilities.
December 5, 2022
Finding MegaRAC BMC assets on your network
MegaRAC can be found in many server manufacturers’ Baseboard Management Controllers (BMCs), including AMD, Ampere Computing, ASRock, Asus, ARM, Dell EMC, Gigabyte, HPE, Huawei, Inspur, Lenovo, Nvidia, Qualcomm, Quanta, and Tyan. Successful exploitation of these …