Details of VAR-202201-0295

ID

VAR-202201-0295

CVE

CVE-2021-44142

TITLE

(Pwn2Own) Samba fruit_pwrite Heap-based Buffer Overflow Remote Code Execution Vulnerability

Trust: 0.7

sources: ZDI: ZDI-22-246

DESCRIPTION

The Samba vfs_fruit module uses extended file attributes (EA, xattr) to provide "...enhanced compatibility with Apple SMB clients and interoperability with a Netatalk 3 AFP fileserver." Samba versions prior to 4.13.17, 4.14.12 and 4.15.5 with vfs_fruit configured allow out-of-bounds heap read and write via specially crafted extended file attributes. A remote attacker with write access to extended file attributes can execute arbitrary code with the privileges of smbd, typically root. Authentication is not required to exploit this vulnerability.The specific flaw exists within the handling of AppleDouble entries. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the service account. The specific flaw exists within the parsing of EA metadata when opening files in smbd. The problem in vfs_fruit exists in the default configuration of the fruit VFS module using fruit:metadata=netatalk or fruit:resource=file. If both options are set to different settings than the default values, the system is not affected by the security issue. ================== Patch Availability ================== Patches addressing both these issues have been posted to: https://www.samba.org/samba/security/ Additionally, Samba 4.13.17, 4.14.12 and 4.15.5 have been issued as security releases to correct the defect. ================== CVSSv3 calculation ================== CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C Base score 9.9. ========== Workaround ========== As a workaround remove the "fruit" VFS module from the list of configured VFS objects in any "vfs objects" line in the Samba configuration smb.conf. Note that changing the VFS module settings fruit:metadata or fruit:resource to use the unaffected setting causes all stored information to be inaccessible and will make it appear to macOS clients as if the information is lost. ======= Credits ======= Originally reported by Orange Tsai from DEVCORE. Patches provided by Ralph Böhme of the Samba team. ========================================================== == Our Code, Our Bugs, Our Responsibility. == The Samba Team ========================================================== . For details on migrating Samba/CTDB configuration files, refer to: https://access.redhat.com/solutions/4311261 5. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Critical: samba security update Advisory ID: RHSA-2022:0664-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2022:0664 Issue date: 2022-02-23 CVE Names: CVE-2021-44142 ==================================================================== 1. Summary: An update for samba is now available for Red Hat Enterprise Linux 7.7 Advanced Update Support, Red Hat Enterprise Linux 7.7 Telco Extended Update Support, and Red Hat Enterprise Linux 7.7 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Server AUS (v. 7.7) - noarch, x86_64 Red Hat Enterprise Linux Server E4S (v. 7.7) - noarch, ppc64le, x86_64 Red Hat Enterprise Linux Server Optional AUS (v. 7.7) - noarch, x86_64 Red Hat Enterprise Linux Server Optional E4S (v. 7.6) - noarch, ppc64le, x86_64 Red Hat Enterprise Linux Server Optional TUS (v. 7.7) - noarch, x86_64 Red Hat Enterprise Linux Server TUS (v. 7.7) - noarch, x86_64 3. Description: Samba is an open-source implementation of the Server Message Block (SMB) protocol and the related Common Internet File System (CIFS) protocol, which allow PC-compatible machines to share files, printers, and various information. Security Fix(es): * samba: Out-of-bounds heap read/write vulnerability in VFS module vfs_fruit allows code execution (CVE-2021-44142) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 After installing this update, the smb service will be restarted automatically. 5. Package List: Red Hat Enterprise Linux Server AUS (v. 7.7): Source: samba-4.9.1-12.el7_7.src.rpm noarch: samba-common-4.9.1-12.el7_7.noarch.rpm x86_64: libsmbclient-4.9.1-12.el7_7.i686.rpm libsmbclient-4.9.1-12.el7_7.x86_64.rpm libwbclient-4.9.1-12.el7_7.i686.rpm libwbclient-4.9.1-12.el7_7.x86_64.rpm samba-4.9.1-12.el7_7.x86_64.rpm samba-client-4.9.1-12.el7_7.x86_64.rpm samba-client-libs-4.9.1-12.el7_7.i686.rpm samba-client-libs-4.9.1-12.el7_7.x86_64.rpm samba-common-libs-4.9.1-12.el7_7.x86_64.rpm samba-common-tools-4.9.1-12.el7_7.x86_64.rpm samba-debuginfo-4.9.1-12.el7_7.i686.rpm samba-debuginfo-4.9.1-12.el7_7.x86_64.rpm samba-krb5-printing-4.9.1-12.el7_7.x86_64.rpm samba-libs-4.9.1-12.el7_7.i686.rpm samba-libs-4.9.1-12.el7_7.x86_64.rpm samba-python-4.9.1-12.el7_7.i686.rpm samba-python-4.9.1-12.el7_7.x86_64.rpm samba-winbind-4.9.1-12.el7_7.x86_64.rpm samba-winbind-clients-4.9.1-12.el7_7.x86_64.rpm samba-winbind-modules-4.9.1-12.el7_7.i686.rpm samba-winbind-modules-4.9.1-12.el7_7.x86_64.rpm Red Hat Enterprise Linux Server E4S (v. 7.7): Source: samba-4.9.1-12.el7_7.src.rpm noarch: samba-common-4.9.1-12.el7_7.noarch.rpm ppc64le: libsmbclient-4.9.1-12.el7_7.ppc64le.rpm libwbclient-4.9.1-12.el7_7.ppc64le.rpm samba-4.9.1-12.el7_7.ppc64le.rpm samba-client-4.9.1-12.el7_7.ppc64le.rpm samba-client-libs-4.9.1-12.el7_7.ppc64le.rpm samba-common-libs-4.9.1-12.el7_7.ppc64le.rpm samba-common-tools-4.9.1-12.el7_7.ppc64le.rpm samba-debuginfo-4.9.1-12.el7_7.ppc64le.rpm samba-krb5-printing-4.9.1-12.el7_7.ppc64le.rpm samba-libs-4.9.1-12.el7_7.ppc64le.rpm samba-winbind-4.9.1-12.el7_7.ppc64le.rpm samba-winbind-clients-4.9.1-12.el7_7.ppc64le.rpm samba-winbind-modules-4.9.1-12.el7_7.ppc64le.rpm x86_64: libsmbclient-4.9.1-12.el7_7.i686.rpm libsmbclient-4.9.1-12.el7_7.x86_64.rpm libwbclient-4.9.1-12.el7_7.i686.rpm libwbclient-4.9.1-12.el7_7.x86_64.rpm samba-4.9.1-12.el7_7.x86_64.rpm samba-client-4.9.1-12.el7_7.x86_64.rpm samba-client-libs-4.9.1-12.el7_7.i686.rpm samba-client-libs-4.9.1-12.el7_7.x86_64.rpm samba-common-libs-4.9.1-12.el7_7.x86_64.rpm samba-common-tools-4.9.1-12.el7_7.x86_64.rpm samba-debuginfo-4.9.1-12.el7_7.i686.rpm samba-debuginfo-4.9.1-12.el7_7.x86_64.rpm samba-krb5-printing-4.9.1-12.el7_7.x86_64.rpm samba-libs-4.9.1-12.el7_7.i686.rpm samba-libs-4.9.1-12.el7_7.x86_64.rpm samba-python-4.9.1-12.el7_7.i686.rpm samba-python-4.9.1-12.el7_7.x86_64.rpm samba-winbind-4.9.1-12.el7_7.x86_64.rpm samba-winbind-clients-4.9.1-12.el7_7.x86_64.rpm samba-winbind-modules-4.9.1-12.el7_7.i686.rpm samba-winbind-modules-4.9.1-12.el7_7.x86_64.rpm Red Hat Enterprise Linux Server TUS (v. 7.7): Source: samba-4.9.1-12.el7_7.src.rpm noarch: samba-common-4.9.1-12.el7_7.noarch.rpm x86_64: libsmbclient-4.9.1-12.el7_7.i686.rpm libsmbclient-4.9.1-12.el7_7.x86_64.rpm libwbclient-4.9.1-12.el7_7.i686.rpm libwbclient-4.9.1-12.el7_7.x86_64.rpm samba-4.9.1-12.el7_7.x86_64.rpm samba-client-4.9.1-12.el7_7.x86_64.rpm samba-client-libs-4.9.1-12.el7_7.i686.rpm samba-client-libs-4.9.1-12.el7_7.x86_64.rpm samba-common-libs-4.9.1-12.el7_7.x86_64.rpm samba-common-tools-4.9.1-12.el7_7.x86_64.rpm samba-debuginfo-4.9.1-12.el7_7.i686.rpm samba-debuginfo-4.9.1-12.el7_7.x86_64.rpm samba-krb5-printing-4.9.1-12.el7_7.x86_64.rpm samba-libs-4.9.1-12.el7_7.i686.rpm samba-libs-4.9.1-12.el7_7.x86_64.rpm samba-python-4.9.1-12.el7_7.i686.rpm samba-python-4.9.1-12.el7_7.x86_64.rpm samba-winbind-4.9.1-12.el7_7.x86_64.rpm samba-winbind-clients-4.9.1-12.el7_7.x86_64.rpm samba-winbind-modules-4.9.1-12.el7_7.i686.rpm samba-winbind-modules-4.9.1-12.el7_7.x86_64.rpm Red Hat Enterprise Linux Server Optional AUS (v. 7.7): noarch: samba-pidl-4.9.1-12.el7_7.noarch.rpm x86_64: libsmbclient-devel-4.9.1-12.el7_7.i686.rpm libsmbclient-devel-4.9.1-12.el7_7.x86_64.rpm libwbclient-devel-4.9.1-12.el7_7.i686.rpm libwbclient-devel-4.9.1-12.el7_7.x86_64.rpm samba-dc-4.9.1-12.el7_7.x86_64.rpm samba-dc-libs-4.9.1-12.el7_7.x86_64.rpm samba-debuginfo-4.9.1-12.el7_7.i686.rpm samba-debuginfo-4.9.1-12.el7_7.x86_64.rpm samba-devel-4.9.1-12.el7_7.i686.rpm samba-devel-4.9.1-12.el7_7.x86_64.rpm samba-python-test-4.9.1-12.el7_7.x86_64.rpm samba-test-4.9.1-12.el7_7.x86_64.rpm samba-test-libs-4.9.1-12.el7_7.i686.rpm samba-test-libs-4.9.1-12.el7_7.x86_64.rpm samba-vfs-glusterfs-4.9.1-12.el7_7.x86_64.rpm samba-winbind-krb5-locator-4.9.1-12.el7_7.x86_64.rpm Red Hat Enterprise Linux Server Optional E4S (v. 7.6): noarch: samba-pidl-4.9.1-12.el7_7.noarch.rpm ppc64le: libsmbclient-devel-4.9.1-12.el7_7.ppc64le.rpm libwbclient-devel-4.9.1-12.el7_7.ppc64le.rpm samba-dc-4.9.1-12.el7_7.ppc64le.rpm samba-dc-libs-4.9.1-12.el7_7.ppc64le.rpm samba-debuginfo-4.9.1-12.el7_7.ppc64le.rpm samba-devel-4.9.1-12.el7_7.ppc64le.rpm samba-python-4.9.1-12.el7_7.ppc64le.rpm samba-python-test-4.9.1-12.el7_7.ppc64le.rpm samba-test-4.9.1-12.el7_7.ppc64le.rpm samba-test-libs-4.9.1-12.el7_7.ppc64le.rpm samba-winbind-krb5-locator-4.9.1-12.el7_7.ppc64le.rpm x86_64: libsmbclient-devel-4.9.1-12.el7_7.i686.rpm libsmbclient-devel-4.9.1-12.el7_7.x86_64.rpm libwbclient-devel-4.9.1-12.el7_7.i686.rpm libwbclient-devel-4.9.1-12.el7_7.x86_64.rpm samba-dc-4.9.1-12.el7_7.x86_64.rpm samba-dc-libs-4.9.1-12.el7_7.x86_64.rpm samba-debuginfo-4.9.1-12.el7_7.i686.rpm samba-debuginfo-4.9.1-12.el7_7.x86_64.rpm samba-devel-4.9.1-12.el7_7.i686.rpm samba-devel-4.9.1-12.el7_7.x86_64.rpm samba-python-test-4.9.1-12.el7_7.x86_64.rpm samba-test-4.9.1-12.el7_7.x86_64.rpm samba-test-libs-4.9.1-12.el7_7.i686.rpm samba-test-libs-4.9.1-12.el7_7.x86_64.rpm samba-vfs-glusterfs-4.9.1-12.el7_7.x86_64.rpm samba-winbind-krb5-locator-4.9.1-12.el7_7.x86_64.rpm Red Hat Enterprise Linux Server Optional TUS (v. 7.7): noarch: samba-pidl-4.9.1-12.el7_7.noarch.rpm x86_64: libsmbclient-devel-4.9.1-12.el7_7.i686.rpm libsmbclient-devel-4.9.1-12.el7_7.x86_64.rpm libwbclient-devel-4.9.1-12.el7_7.i686.rpm libwbclient-devel-4.9.1-12.el7_7.x86_64.rpm samba-dc-4.9.1-12.el7_7.x86_64.rpm samba-dc-libs-4.9.1-12.el7_7.x86_64.rpm samba-debuginfo-4.9.1-12.el7_7.i686.rpm samba-debuginfo-4.9.1-12.el7_7.x86_64.rpm samba-devel-4.9.1-12.el7_7.i686.rpm samba-devel-4.9.1-12.el7_7.x86_64.rpm samba-python-test-4.9.1-12.el7_7.x86_64.rpm samba-test-4.9.1-12.el7_7.x86_64.rpm samba-test-libs-4.9.1-12.el7_7.i686.rpm samba-test-libs-4.9.1-12.el7_7.x86_64.rpm samba-vfs-glusterfs-4.9.1-12.el7_7.x86_64.rpm samba-winbind-krb5-locator-4.9.1-12.el7_7.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2021-44142 https://access.redhat.com/security/updates/classification/#critical 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2022 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYhaxfdzjgjWX9erEAQgiRA/+OW3s71s6N96G2iZh1w2A+AJhuPR9g/R9 xQ42N7OxSjqyXuGBEa75FNSg+ynFxWKaCCMs4WKT18gTw5njQJNzGAcdZ+czZBzd M3gHIbUH/KJ2OlwwGGaGvXQJfEYaQPEeqFsuvkNUYEr9fBPshjl8fNNZwqV8FIqm mQMt8PcHIfLVgbKASIc+qNEZS7ql97w3U1sYAHjwhtPNAYNlbW/jjRNrnILhgHoj Io1zIpN+qa4wZ40H3SCpGd6sC7RVqZps7nt4l73mLBewuWzJItLHTFfjI51NsNK+ 0j4VxTAwaLlh98+4R9ddbMAcySLlm9Vua3N44nFmnEZIP+ugwvJIL201l2yfxEV4 VKO0exmDqtIOBk7fuN0A+Oj9qJHxnWAAQF993jSpFt57aW9T8m+Uh6AXO2Gv7+eu 8kBd69TWwnUjHh6KbxVMV2aM675B+zLxuI1gKlAKs3DRCQf0IfKDPAuHz1qST2LM 4bT7gYV8SixAz69mGSvWyd0CP9nKYBu5iXkwaHut6BdwegUHqn5au0zmTIoU+mfi lyQ2x1q0fB3kw5Z0fKw7ZNwpBkw/B133fKcb4qLUbJZg9sxXEY3XZH/wm2Bi2U8+ Lz7XCoeJCnH8I/P9WbxSX3EZir8Z0qoNTsdFxYpVsjhQ82pbqGHRBjIWG4iXzTCi /LuSuXQFenk=EUCP -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce . This update provides the corresponding update for Ubuntu 14.04 ESM and Ubuntu 16.04 ESM. ========================================================================== Ubuntu Security Notice USN-5260-1 February 01, 2022 samba vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 21.10 - Ubuntu 20.04 LTS Summary: Several security issues were fixed in Samba. Software Description: - samba: SMB/CIFS file, print, and login server for Unix Details: Orange Tsai discovered that the Samba vfs_fruit module incorrectly handled certain memory operations. (CVE-2021-44142) Michael Hanselmann discovered that Samba incorrectly created directories. In certain configurations, a remote attacker could possibly create a directory on the server outside of the shared directory. (CVE-2021-43566) Kees van Vloten discovered that Samba incorrectly handled certain aliased SPN checks. A remote attacker could possibly use this issue to impersonate services. (CVE-2022-0336) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 21.10: samba 2:4.13.17~dfsg-0ubuntu0.21.10.1 Ubuntu 20.04 LTS: samba 2:4.13.17~dfsg-0ubuntu0.21.04.1 This update uses a new upstream release, which includes additional bug fixes. In general, a standard system update will make all the necessary changes. 8) - aarch64, noarch, ppc64le, s390x, x86_64 3. Bug Fix(es): * Fix username map script regression introduced with CVE-2020-25717 (BZ#2046174) * Fix possible segfault when joining the domain (BZ#2046160) 4

Trust: 3.78

sources: NVD: CVE-2021-44142 // ZDI: ZDI-22-246 // ZDI: ZDI-22-245 // ZDI: ZDI-22-244 // VULHUB: VHN-406753 // PACKETSTORM: 165801 // PACKETSTORM: 165905 // PACKETSTORM: 165906 // PACKETSTORM: 166138 // PACKETSTORM: 166137 // PACKETSTORM: 165842 // PACKETSTORM: 165797 // PACKETSTORM: 165796 // PACKETSTORM: 165793 // PACKETSTORM: 165788

AFFECTED PRODUCTS

vendor:	samba	model:	samba	scope:	-	version:	-	Trust: 2.1
vendor:	redhat	model:	enterprise linux for ibm z systems eus	scope:	eq	version:	8.2	Trust: 1.0
vendor:	fedoraproject	model:	fedora	scope:	eq	version:	34	Trust: 1.0
vendor:	synology	model:	diskstation manager	scope:	gte	version:	6.2	Trust: 1.0
vendor:	canonical	model:	ubuntu linux	scope:	eq	version:	14.04	Trust: 1.0
vendor:	redhat	model:	enterprise linux server aus	scope:	eq	version:	8.2	Trust: 1.0
vendor:	redhat	model:	enterprise linux workstation	scope:	eq	version:	7.0	Trust: 1.0
vendor:	canonical	model:	ubuntu linux	scope:	eq	version:	21.10	Trust: 1.0
vendor:	fedoraproject	model:	fedora	scope:	eq	version:	35	Trust: 1.0
vendor:	redhat	model:	enterprise linux for power big endian	scope:	eq	version:	7.0	Trust: 1.0
vendor:	redhat	model:	enterprise linux server update services for sap solutions	scope:	eq	version:	8.2	Trust: 1.0
vendor:	debian	model:	linux	scope:	eq	version:	11.0	Trust: 1.0
vendor:	debian	model:	linux	scope:	eq	version:	10.0	Trust: 1.0
vendor:	canonical	model:	ubuntu linux	scope:	eq	version:	20.04	Trust: 1.0
vendor:	redhat	model:	enterprise linux for power little endian eus	scope:	eq	version:	8.2	Trust: 1.0
vendor:	redhat	model:	enterprise linux for power little endian	scope:	eq	version:	7.0	Trust: 1.0
vendor:	redhat	model:	enterprise linux for ibm z systems eus	scope:	eq	version:	8.4	Trust: 1.0
vendor:	redhat	model:	enterprise linux for scientific computing	scope:	eq	version:	7.0	Trust: 1.0
vendor:	redhat	model:	enterprise linux server tus	scope:	eq	version:	8.2	Trust: 1.0
vendor:	redhat	model:	enterprise linux resilient storage	scope:	eq	version:	7.0	Trust: 1.0
vendor:	redhat	model:	enterprise linux	scope:	eq	version:	7.0	Trust: 1.0
vendor:	synology	model:	diskstation manager	scope:	lt	version:	6.2.4-25556.4	Trust: 1.0
vendor:	redhat	model:	enterprise linux server aus	scope:	eq	version:	8.4	Trust: 1.0
vendor:	redhat	model:	enterprise linux for power little endian	scope:	eq	version:	8.0	Trust: 1.0
vendor:	redhat	model:	codeready linux builder	scope:	eq	version:	-	Trust: 1.0
vendor:	samba	model:	samba	scope:	lt	version:	4.15.5	Trust: 1.0
vendor:	samba	model:	samba	scope:	lt	version:	4.13.17	Trust: 1.0
vendor:	redhat	model:	enterprise linux eus	scope:	eq	version:	8.2	Trust: 1.0
vendor:	redhat	model:	enterprise linux server update services for sap solutions	scope:	eq	version:	8.4	Trust: 1.0
vendor:	redhat	model:	enterprise linux	scope:	eq	version:	8.0	Trust: 1.0
vendor:	redhat	model:	gluster storage	scope:	eq	version:	3.5	Trust: 1.0
vendor:	redhat	model:	enterprise linux for power little endian eus	scope:	eq	version:	8.4	Trust: 1.0
vendor:	canonical	model:	ubuntu linux	scope:	eq	version:	18.04	Trust: 1.0
vendor:	samba	model:	samba	scope:	gte	version:	4.14.0	Trust: 1.0
vendor:	redhat	model:	enterprise linux server update services for sap solutions	scope:	eq	version:	8.1	Trust: 1.0
vendor:	redhat	model:	enterprise linux for ibm z systems	scope:	eq	version:	7.0	Trust: 1.0
vendor:	samba	model:	samba	scope:	lt	version:	4.14.12	Trust: 1.0
vendor:	redhat	model:	enterprise linux desktop	scope:	eq	version:	7.0	Trust: 1.0
vendor:	redhat	model:	enterprise linux server	scope:	eq	version:	8.1	Trust: 1.0
vendor:	redhat	model:	enterprise linux server	scope:	eq	version:	7.0	Trust: 1.0
vendor:	samba	model:	samba	scope:	gte	version:	4.15.0	Trust: 1.0
vendor:	redhat	model:	enterprise linux server tus	scope:	eq	version:	8.4	Trust: 1.0
vendor:	redhat	model:	enterprise linux for ibm z systems	scope:	eq	version:	8.0	Trust: 1.0
vendor:	redhat	model:	virtualization host	scope:	eq	version:	4.0	Trust: 1.0
vendor:	canonical	model:	ubuntu linux	scope:	eq	version:	16.04	Trust: 1.0
vendor:	redhat	model:	enterprise linux eus	scope:	eq	version:	8.4	Trust: 1.0

sources: ZDI: ZDI-22-246 // ZDI: ZDI-22-245 // ZDI: ZDI-22-244 // NVD: CVE-2021-44142

CVSS

SEVERITY

CVSSV2

CVSSV3

ZDI:	CVE-2021-44142
value:	CRITICAL
Trust: 1.4
nvd@nist.gov:	CVE-2021-44142
value:	HIGH
Trust: 1.0
134c704f-9b21-4f2e-91b3-4a467353bcc0:	CVE-2021-44142
value:	HIGH
Trust: 1.0
ZDI:	CVE-2021-44142
value:	MEDIUM
Trust: 0.7
CNNVD:	CNNVD-202201-2719
value:	HIGH
Trust: 0.6
VULHUB:	VHN-406753
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2021-44142
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.0
VULHUB:	VHN-406753
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2021-44142
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.1
Trust: 2.0
ZDI:	CVE-2021-44142
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.9
version:	3.0
Trust: 1.4
ZDI:	CVE-2021-44142
baseSeverity:	MEDIUM
baseScore:	5.3
vectorString:	AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	LOW
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	1.4
version:	3.0
Trust: 0.7

sources: ZDI: ZDI-22-246 // ZDI: ZDI-22-245 // ZDI: ZDI-22-244 // VULHUB: VHN-406753 // CNNVD: CNNVD-202201-2719 // NVD: CVE-2021-44142 // NVD: CVE-2021-44142

PROBLEMTYPE DATA

problemtype:	CWE-125	Trust: 1.1
problemtype:	CWE-787	Trust: 1.1

sources: VULHUB: VHN-406753 // NVD: CVE-2021-44142

THREAT TYPE

remote

Trust: 1.0

sources: PACKETSTORM: 165801 // PACKETSTORM: 165842 // PACKETSTORM: 165797 // PACKETSTORM: 165796 // CNNVD: CNNVD-202201-2719

TYPE

code execution

Trust: 0.6

sources: PACKETSTORM: 165905 // PACKETSTORM: 165906 // PACKETSTORM: 166138 // PACKETSTORM: 166137 // PACKETSTORM: 165793 // PACKETSTORM: 165788

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-406753

PATCH

title:	Samba has issued an update to correct this vulnerability.	url:	https://www.samba.org/samba/security/CVE-2021-44142.html	Trust: 2.1
title:	Samba Buffer error vulnerability fix	url:	http://123.124.177.30/web/xxk/bdxqById.tag?id=184448	Trust: 0.6

sources: ZDI: ZDI-22-246 // ZDI: ZDI-22-245 // ZDI: ZDI-22-244 // CNNVD: CNNVD-202201-2719

EXTERNAL IDS

db:	NVD	id:	CVE-2021-44142	Trust: 4.8
db:	CERT/CC	id:	VU#119678	Trust: 1.7
db:	ZDI	id:	ZDI-22-246	Trust: 1.3
db:	PACKETSTORM	id:	166137	Trust: 0.8
db:	PACKETSTORM	id:	165906	Trust: 0.8
db:	PACKETSTORM	id:	165842	Trust: 0.8
db:	ZDI_CAN	id:	ZDI-CAN-15846	Trust: 0.7
db:	ZDI_CAN	id:	ZDI-CAN-15833	Trust: 0.7
db:	ZDI	id:	ZDI-22-245	Trust: 0.7
db:	ZDI_CAN	id:	ZDI-CAN-16156	Trust: 0.7
db:	ZDI	id:	ZDI-22-244	Trust: 0.7
db:	CS-HELP	id:	SB2022032506	Trust: 0.6
db:	CS-HELP	id:	SB2022021713	Trust: 0.6
db:	CS-HELP	id:	SB2022041954	Trust: 0.6
db:	CS-HELP	id:	SB2022021902	Trust: 0.6
db:	CS-HELP	id:	SB2022021417	Trust: 0.6
db:	CS-HELP	id:	SB2022051734	Trust: 0.6
db:	CS-HELP	id:	SB2022020807	Trust: 0.6
db:	CS-HELP	id:	SB2022022408	Trust: 0.6
db:	PACKETSTORM	id:	169234	Trust: 0.6
db:	AUSCERT	id:	ESB-2022.0489	Trust: 0.6
db:	AUSCERT	id:	ESB-2022.0795	Trust: 0.6
db:	AUSCERT	id:	ESB-2022.0600	Trust: 0.6
db:	AUSCERT	id:	ESB-2022.0619	Trust: 0.6
db:	CNNVD	id:	CNNVD-202201-2719	Trust: 0.6
db:	PACKETSTORM	id:	165793	Trust: 0.2
db:	PACKETSTORM	id:	166138	Trust: 0.2
db:	PACKETSTORM	id:	165796	Trust: 0.2
db:	PACKETSTORM	id:	165788	Trust: 0.2
db:	PACKETSTORM	id:	165797	Trust: 0.2
db:	PACKETSTORM	id:	165905	Trust: 0.2
db:	PACKETSTORM	id:	165801	Trust: 0.2
db:	PACKETSTORM	id:	165791	Trust: 0.1
db:	PACKETSTORM	id:	165789	Trust: 0.1
db:	PACKETSTORM	id:	165790	Trust: 0.1
db:	VULHUB	id:	VHN-406753	Trust: 0.1

sources: ZDI: ZDI-22-246 // ZDI: ZDI-22-245 // ZDI: ZDI-22-244 // VULHUB: VHN-406753 // PACKETSTORM: 165801 // PACKETSTORM: 165905 // PACKETSTORM: 165906 // PACKETSTORM: 166138 // PACKETSTORM: 166137 // PACKETSTORM: 165842 // PACKETSTORM: 165797 // PACKETSTORM: 165796 // PACKETSTORM: 165793 // PACKETSTORM: 165788 // CNNVD: CNNVD-202201-2719 // NVD: CVE-2021-44142

REFERENCES

url:	https://www.samba.org/samba/security/cve-2021-44142.html	Trust: 3.8
url:	https://kb.cert.org/vuls/id/119678	Trust: 1.7
url:	https://bugzilla.samba.org/show_bug.cgi?id=14914	Trust: 1.7
url:	https://www.zerodayinitiative.com/blog/2022/2/1/cve-2021-44142-details-on-a-samba-code-execution-bug-demonstrated-at-pwn2own-austin	Trust: 1.7
url:	https://access.redhat.com/security/cve/cve-2021-44142	Trust: 1.2
url:	https://nvd.nist.gov/vuln/detail/cve-2021-44142	Trust: 1.0
url:	https://www.kb.cert.org/vuls/id/119678	Trust: 1.0
url:	https://security.gentoo.org/glsa/202309-06	Trust: 1.0
url:	https://listman.redhat.com/mailman/listinfo/rhsa-announce	Trust: 0.6
url:	https://access.redhat.com/articles/11258	Trust: 0.6
url:	https://access.redhat.com/security/team/key/	Trust: 0.6
url:	https://access.redhat.com/security/updates/classification/#critical	Trust: 0.6
url:	https://bugzilla.redhat.com/):	Trust: 0.6
url:	https://access.redhat.com/security/team/contact/	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2022051734	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2022.0795	Trust: 0.6
url:	https://vigilance.fr/vulnerability/samba-buffer-overflow-via-vfs-module-vfs-fruit-37416	Trust: 0.6
url:	https://www.zerodayinitiative.com/advisories/zdi-22-246/	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2022032506	Trust: 0.6
url:	https://packetstormsecurity.com/files/169234/debian-security-advisory-5071-1.html	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2022021713	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2022021417	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2022041954	Trust: 0.6
url:	https://packetstormsecurity.com/files/165842/ubuntu-security-notice-usn-5260-3.html	Trust: 0.6
url:	https://packetstormsecurity.com/files/165906/red-hat-security-advisory-2022-0457-03.html	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2022020807	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2022.0619	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2022021902	Trust: 0.6
url:	https://cxsecurity.com/cveshow/cve-2021-44142/	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2022022408	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2022.0600	Trust: 0.6
url:	https://packetstormsecurity.com/files/166137/red-hat-security-advisory-2022-0664-01.html	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2022.0489	Trust: 0.6
url:	https://ubuntu.com/security/notices/usn-5260-1	Trust: 0.3
url:	https://access.redhat.com/solutions/4311261	Trust: 0.2
url:	https://www.samba.org/samba/security/	Trust: 0.1
url:	https://access.redhat.com/errata/rhsa-2022:0458	Trust: 0.1
url:	https://access.redhat.com/errata/rhsa-2022:0457	Trust: 0.1
url:	https://access.redhat.com/errata/rhsa-2022:0663	Trust: 0.1
url:	https://access.redhat.com/errata/rhsa-2022:0664	Trust: 0.1
url:	https://ubuntu.com/security/notices/usn-5260-3	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2022-0336	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2021-43566	Trust: 0.1
url:	https://launchpad.net/ubuntu/+source/samba/2:4.13.17~dfsg-0ubuntu0.21.04.1	Trust: 0.1
url:	https://launchpad.net/ubuntu/+source/samba/2:4.13.17~dfsg-0ubuntu0.21.10.1	Trust: 0.1
url:	https://launchpad.net/ubuntu/+source/samba/2:4.7.6+dfsg~ubuntu-0ubuntu2.28	Trust: 0.1
url:	https://ubuntu.com/security/notices/usn-5260-2	Trust: 0.1
url:	https://access.redhat.com/errata/rhsa-2022:0331	Trust: 0.1
url:	https://access.redhat.com/errata/rhsa-2022:0332	Trust: 0.1

CREDITS

Nguyen Hoang Thach (https://twitter.com/hi_im_d4rkn3ss) and Billy Jheng Bing-Jhong (https://twitter.com/st424204)

Trust: 2.0

sources: ZDI: ZDI-22-246 // ZDI: ZDI-22-245 // CNNVD: CNNVD-202201-2719

SOURCES

db:	ZDI	id:	ZDI-22-246
db:	ZDI	id:	ZDI-22-245
db:	ZDI	id:	ZDI-22-244
db:	VULHUB	id:	VHN-406753
db:	PACKETSTORM	id:	165801
db:	PACKETSTORM	id:	165905
db:	PACKETSTORM	id:	165906
db:	PACKETSTORM	id:	166138
db:	PACKETSTORM	id:	166137
db:	PACKETSTORM	id:	165842
db:	PACKETSTORM	id:	165797
db:	PACKETSTORM	id:	165796
db:	PACKETSTORM	id:	165793
db:	PACKETSTORM	id:	165788
db:	CNNVD	id:	CNNVD-202201-2719
db:	NVD	id:	CVE-2021-44142

LAST UPDATE DATE

2026-02-06T19:54:30.160000+00:00

SOURCES UPDATE DATE

db:	ZDI	id:	ZDI-22-246	date:	2022-02-01T00:00:00
db:	ZDI	id:	ZDI-22-245	date:	2022-02-01T00:00:00
db:	ZDI	id:	ZDI-22-244	date:	2022-02-01T00:00:00
db:	VULHUB	id:	VHN-406753	date:	2022-02-23T00:00:00
db:	CNNVD	id:	CNNVD-202201-2719	date:	2022-12-09T00:00:00
db:	NVD	id:	CVE-2021-44142	date:	2025-04-23T19:15:51.880

SOURCES RELEASE DATE

db:	ZDI	id:	ZDI-22-246	date:	2022-02-01T00:00:00
db:	ZDI	id:	ZDI-22-245	date:	2022-02-01T00:00:00
db:	ZDI	id:	ZDI-22-244	date:	2022-02-01T00:00:00
db:	VULHUB	id:	VHN-406753	date:	2022-02-21T00:00:00
db:	PACKETSTORM	id:	165801	date:	2022-02-02T16:21:28
db:	PACKETSTORM	id:	165905	date:	2022-02-09T16:03:23
db:	PACKETSTORM	id:	165906	date:	2022-02-09T16:03:43
db:	PACKETSTORM	id:	166138	date:	2022-02-24T16:11:06
db:	PACKETSTORM	id:	166137	date:	2022-02-24T16:10:57
db:	PACKETSTORM	id:	165842	date:	2022-02-03T16:31:23
db:	PACKETSTORM	id:	165797	date:	2022-02-01T17:04:22
db:	PACKETSTORM	id:	165796	date:	2022-02-01T17:04:16
db:	PACKETSTORM	id:	165793	date:	2022-02-01T17:02:58
db:	PACKETSTORM	id:	165788	date:	2022-02-01T17:00:01
db:	CNNVD	id:	CNNVD-202201-2719	date:	2022-01-31T00:00:00
db:	NVD	id:	CVE-2021-44142	date:	2022-02-21T15:15:07.380