Patch Now: Samba ‘Fruit’ Vulnerability Allows Remote Code Execution

A new CVSS 9.9 critical vulnerability in the Samba platform allows remote code execution with root privileges. The vulnerability, CVE-2021-44142, is an out-of-bounds heap read/write vulnerability in the Virtual File System (VFS) module called “vfs_fruit”. The vulnerability impacts all versions of Samba prior to 4.13.17 and can be found in Red Hat, SUSE Linux, and Ubuntu packages.

Samba is a suite of tools that allow Windows and Linux to work together and share file or printer services with multi-platform devices on a single network. The vulnerability allows an attacker to remotely execute code with root privileges on impacted servers. This allows the adversary to read, modify, or delete files; query users; or install malware on the target system – which can easily create a platform for attackers to move laterally within the network to other devices.

This vulnerability is similar to SambaCry in 2017 which also targeted Samba. This vulnerability is likely more critical as it does not require valid credentials to a writable share making it easier to use as a springboard within the network.

The Samba vulnerability does require a guest or unauthenticated user on the host system with write access to file extended attributes; however, this is a commonly missed hardening practice and likely to be common enough for adversaries to confidently attack this vulnerability.

The criticality of this vulnerability combined with the wide potential impact makes this a must-remediate for organizations. Patches are available as well as workarounds for servers that are not removable from their production environments. We recommend patching this critical vulnerability within 72 hours to minimize risk exposure.

Recommended Remediation

Samba 4.13.17, 4.14.12, and 4.15.5 all include remediation for CVE-2021-44142, and we recommend administrators upgrade all vulnerable systems as soon as possible due to the severity of the vulnerability. Vendors are releasing patches for affected systems, and Automox-supported operating systems can be patched via an existing Patch Policy, or an emergency out of band patch.

If patching immediately isn’t an option, Samba recommends a temporary workaround to remediate. Remove the fruit VFS module from the list of configured VFS objects in any "vfs objects" line in the Samba configuration smb.conf file.

Samba notes that this workaround may make stored data inaccessible and appear to be lost to macOS clients – consider this before moving forward with the workaround.

Automox for Easy IT Operations

Automox is the cloud-native IT operations platform for modern organizations. It makes it easy to keep every endpoint automatically configured, patched, and secured – anywhere in the world. With the push of a button, IT admins can fix critical vulnerabilities faster, slash cost and complexity, and win back hours in their day. 

Demo Automox and join thousands of companies transforming IT operations into a strategic business driver.

Dive deeper into this topic