[ANNOUNCE] cifs-utils release 6.13 ready for download
Pavel Shilovsky
pshilovsky at samba.org
Tue Apr 13 00:10:22 UTC 2021
New version 6.13 of cifs-utils has been released today. This is a
security release to address the following bug:
CVE-2021-20208 cifs.upcall kerberos auth leak in container
For more details, refer to the description below.
===========================================================
== Subject: Container calls to cifs.upcall access host environment
==
== CVE ID#: CVE-2021-20208
==
== Versions: cifs-utils 4.0 and above
==
==
== Summary: When a container process causes an operation that triggers
== the kernel to ask userspace for user credentials for
== an SMB filesystem, the cifs.upcall utility may indirectly
== leak information about Kerberos credentials available
== in the host environment and cause non-sanctioned SMB
== filesystem access in the container.
===========================================================
===========
Description
===========
A bug has been reported recently for the cifs.upcall utility which is
part of the cifs-utils package.
In scenarios where a program running inside a container issues a
syscall that triggers the kernel to upcall cifs.upcall, such as when
users access a multiuser cifs mount or when users access a DFS link,
cifs.upcall is executed in the host environment where its execution
may indirectly leak information about resources available only to
host applications, such as Kerberos credential caches, to a
containerized application. As a result, a containerized application may
trigger access to files on an SMB share under an identity otherwise not
intended to be accessed by this container's environment.
The bug is a consequence of the kernel calling the host cifs.upcall
binary and can be traced back to the introduction of the cifs.upcall
mechanism in cifs-utils and the introduction of containers in the
kernel.
With this release, cifs.upcall joins a caller's process namespaces
before accessing any resources to perform Kerberos authentication.
As a result, access to SMB shares is limited to credentials already
available inside the containerized environment.
==================
Patch Availability
==================
A patch is available as an attachment on the bug report.
https://bugzilla.samba.org/show_bug.cgi?id=14651
==================
CVSSv3 calculation
==================
AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N/E:F/RL:O/RC:C/MAV:L/MAC:H/MPR:L/MUI:N/MS:C/MC:L/MI:H/MA:N
Base score of 6.1 - medium.
=========================
Workaround and mitigation
=========================
For host systems that cannot be updated, DFS and multiuser mounts can
be disabled in the container's SMB mount options, i.e. by adding 'nodfs'
and removing 'multiuser' (if present).
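An added example (not part of the original announcement or of cifs-utils):
a Python check that reads fstab-style entries for SMB mounts and reports
which ones still need the workaround above. The sample entries are
constructed, and it is an assumption that the mount options are available
in fstab format.

```python
# Added example: audit fstab-style lines for the CVE-2021-20208 workaround.
CIFS_FSTYPES = {"cifs", "smb3"}  # filesystem types served by the kernel CIFS client

# Constructed sample input (not taken from a real system).
SAMPLE_FSTAB = """\
# device            mountpoint   type  options                    dump pass
//fs1/projects      /mnt/proj    cifs  sec=krb5,multiuser         0 0
//fs1/home          /mnt/home    cifs  sec=krb5,nodfs,cruid=1000  0 0
//fs2/scratch       /mnt/scratch cifs  credentials=/etc/smb.cred  0 0
/dev/sda1           /            ext4  defaults                   0 1
"""


def audit_line(line):
    """Return (mountpoint, findings) for a CIFS entry, or None for other lines."""
    fields = line.split()
    if len(fields) < 4 or fields[0].startswith("#"):
        return None
    _device, mountpoint, fstype, options = fields[:4]
    if fstype not in CIFS_FSTYPES:
        return None
    # Compare option names only: "sec=krb5" -> "sec"
    names = {opt.split("=", 1)[0] for opt in options.split(",")}
    findings = []
    if "multiuser" in names:
        findings.append("remove 'multiuser'")
    if "nodfs" not in names:
        findings.append("add 'nodfs'")
    return mountpoint, findings


def audit(text):
    """Map each CIFS mount point to the workaround changes it still needs."""
    results = {}
    for line in text.splitlines():
        entry = audit_line(line.strip())
        if entry is not None:
            results[entry[0]] = entry[1]
    return results


if __name__ == "__main__":
    for mountpoint, findings in audit(SAMPLE_FSTAB).items():
        print(mountpoint, "OK" if not findings else "; ".join(findings))
```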
=======
Credits
=======
Originally reported by Alastair Houghton.
Patch and workaround provided by Alastair Houghton and Aurelien Aptel.
==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================