Finding Samba instances with vulnerable vfs_fruit

, by Pearce Barry

A new vulnerability has surfaced in Samba, which has the potential to provide unauthenticated remote code execution to attackers. Popular as Windows-compatible file sharing and print services software via the SMB protocol, Samba typically runs under Linux and other non-Windows OSes. You can usually find Samba on servers, appliances, desktops, and IoT devices. This out-of-bounds heap read write vulnerability (tracked as CVE-2021-44142 with a “critical” CVSS score of 9.9) resides in Samba’s vfs_fruit module and was discovered-and-disclosed by security researchers Nguyễn Hoàng Thạch and Billy Jheng Bing-Jhong, along with Lucas Leong, and also separately by security researcher Orange Tsai.

For this vulnerability to be successfully exploitable by an attacker, the vfs_fruit module must be in use with default configuration settings for the fruit:metadata and fruit:resource options. The attacker must also have write access to a file share (which could allow guests and unauthenticated users, based on the configuration) that supports extended attributes (i.e., ea support = yes, which is the default for Samba).

While the list of potentially vulnerable vendors is lengthy, some formerly-vulnerable major Linux distributions have patches available, including Red Hat, Ubuntu, and SUSE. Samba maintainers have also released patched versions, and they recommened everyone upgrade to Samba version 4.13.17, 4.14.12, or 4.15.5 as soon as possible. In the event that upgrading is not possible, Samba maintainers offer a mitigation path: removing the “fruit” VFS module from the list of configured VFS objects in any “vfs objects” line in the Samba smb.conf configuration file.

How to find potentially vulnerable Samba instances with Rumble

From the Service Inventory, use the following pre-built query to locate assets within your network that are potentially vulnerable:

protocol:smb and (product:samba or smb.sessionID:="0x00000000%")
Find Grafana instances

As always, any prebuilt queries we create are available from our Queries Library. Check out the library for other useful inventory queries.

Try Rumble

Don’t have Rumble and need help finding potentially vulnerable Samba instances? Start your Rumble trial today.

Similar Content

May 12, 2022

Wrangling the May 2022 Patch Tuesday

Microsoft recently released security updates for over 70 vulnerabilities, including 3 zero-days and 7 critical vulnerabilities that affect a wide-range of their products and services. The list of patches covers an actively exploited zero-day vulnerability in the Windows …

Read More

May 5, 2022

Finding F5 BIG-IP instances

Technology vendor F5 recently published information on over 40 vulnerabilities, mostly affecting their BIG-IP line of products. While these vulnerabilities include a mix of types and severities, a particular authentication bypass vulnerability that can affect all BIG-IP …

Read More

April 29, 2022

Finding Netatalk instances

A critical vulnerability in the Netatalk open source file server software was found in some popular network attached storage (NAS) devices. Netatalk provides services for the deprecated AFP (Apple Filing Protocol, formerly known as Appletalk Filing Protocol), and runs on a …

Read More