[ANNOUNCE] cifs-utils release 6.13 ready for download
pshilovsky at samba.org
Tue Apr 13 00:10:22 UTC 2021
New version 6.13 of cifs-utils has been released today. This is a
security release to address the following bug:
CVE-2021-20208 cifs.upcall kerberos auth leak in container
For more details, refer to the description below.
== Subject: Container calls to cifs.upcall access host environment
== CVE ID#: CVE-2021-20208
== Versions: cifs-utils 4.0 and above
== Summary: When a container process causes an operation that trigger
== the kernel to ask a userspace for user credentials for
== an SMB filesystem, cifs.upcall utility may indirectly
== leak an information about Kerberos credentials available
== in the host environment and cause non-sanctioned SMB
== filesystem access in the container.
A bug has been reported recently for the cifs.upcall utility which is
part of the cifs-utils package.
In scenarios where a program running inside a container issues a
syscall that triggers the kernel to upcall cifs.upcall, such as when
users access a multiuser cifs mount or when users access a DFS link,
cifs.upcall is executed in the host environment where its execution
may indirectly leak an information about resources available only to
host applications, such as Kerberos credential caches, to a
containerized application. As a result, a containerized application may
trigger access to files on an SMB share under an identity otherwise not
intended to be accessed by this container's environment.
The bug is a consequence of the kernel calling the host cifs.upcall
binary and can traced back to the introduction of the cifs.upcall
mechanism in cifs-utils and the introduction of containers in the
With this release, cifs.upcall joins a caller's process namespaces
before accessing any resources to perform Kerberos authentication.
As a result, access to SMB shares is limited to credentials already
available inside the containerized environment.
A patch is available as an attachment on the bug report.
Base score of 6.1 - medium.
Workaround and mitigation
For host systems that cannot be updated, DFS and multiuser mounts can
be disabled in the container SMB mounts options i.e. adding 'nodfs'
and removing 'multiuser' (if present).
Originally reported by Alastair Houghton.
Patch and workaround provided by Alastair Houghton and Aurelien Aptel.
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
More information about the samba-technical