[ANNOUNCE] cifs-utils release 6.13 ready for download

Pavel Shilovsky pshilovsky at samba.org
Tue Apr 13 00:10:22 UTC 2021


New version 6.13 of cifs-utils has been released today. This is a
security release to address the following bug:

CVE-2021-20208 cifs.upcall kerberos auth leak in container

For more details, refer to the description below.

===========================================================
== Subject:     Container calls to cifs.upcall access host environment
==
== CVE ID#:     CVE-2021-20208
==
== Versions:    cifs-utils 4.0 and above
==
==
== Summary:     When a process in a container performs an operation that
==              triggers the kernel to ask userspace for user credentials
==              for an SMB filesystem, the cifs.upcall utility may
==              indirectly leak information about Kerberos credentials
==              available in the host environment and allow
==              non-sanctioned SMB filesystem access from the container.
===========================================================

===========
Description
===========

A bug has been reported recently for the cifs.upcall utility which is
part of the cifs-utils package.

In scenarios where a program running inside a container issues a
syscall that triggers the kernel to upcall cifs.upcall, such as when
users access a multiuser cifs mount or when users access a DFS link,
cifs.upcall is executed in the host environment. There it may
indirectly expose resources available only to host applications, such
as Kerberos credential caches, to the containerized application. As a
result, a containerized application may trigger access to files on an
SMB share under an identity that the container's environment was never
intended to use.

The bug is a consequence of the kernel invoking the host's cifs.upcall
binary regardless of the namespaces of the process that triggered the
upcall. It can be traced back to the introduction of the cifs.upcall
mechanism in cifs-utils and the introduction of containers in the
kernel.

With this release, cifs.upcall joins the calling process's namespaces
before accessing any resources needed to perform Kerberos
authentication. As a result, access to SMB shares is limited to the
credentials already available inside the containerized environment.
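The following C program is an added example of the namespace switch
described above. It is not cifs.upcall's code; the function names
(ns_path, same_ns, join_caller_namespaces, open_ccache_as_caller) are
hypothetical, and the decision to join only the user and mount
namespaces and to fail closed on any error is this example's own
choice. It assumes the caller's PID is already known (cifs.upcall
obtains it from the key description the kernel passes; that parsing is
not reproduced here).

```c
/* Added example, not cifs-utils code: enter a caller's namespaces before
 * touching any credential cache, so that paths such as a Kerberos ccache
 * resolve in the caller's mount namespace rather than the host's. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Build "/proc/<pid>/ns/<name>" into buf. Returns 0, or -1 if it does not fit. */
int ns_path(pid_t pid, const char *name, char *buf, size_t len)
{
    int n = snprintf(buf, len, "/proc/%ld/ns/%s", (long)pid, name);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* 1 if this process and `pid` already share namespace `name`, 0 if not,
 * -1 if either side cannot be inspected (e.g. the pid does not exist).
 * Two ns links denote the same namespace iff their st_dev/st_ino match. */
int same_ns(pid_t pid, const char *name)
{
    char mine[64], theirs[64];
    struct stat a, b;

    if (ns_path(getpid(), name, mine, sizeof(mine)) < 0 ||
        ns_path(pid, name, theirs, sizeof(theirs)) < 0)
        return -1;
    if (stat(mine, &a) < 0 || stat(theirs, &b) < 0)
        return -1;
    return (a.st_dev == b.st_dev && a.st_ino == b.st_ino) ? 1 : 0;
}

/* Move this process into namespace `name` of `pid`. `nstype` is the CLONE_*
 * flag for that namespace so setns() rejects an fd of the wrong kind. A
 * namespace we are already in is skipped: setns() would fail with EINVAL
 * when asked to join the user namespace we are already a member of. */
static int join_one(pid_t pid, const char *name, int nstype)
{
    char path[64];
    int fd, rc, saved, shared;

    shared = same_ns(pid, name);
    if (shared < 0)
        return -1;
    if (shared)
        return 0;
    if (ns_path(pid, name, path, sizeof(path)) < 0)
        return -1;
    fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return -1;
    rc = setns(fd, nstype);
    saved = errno;
    close(fd);
    errno = saved;
    return rc;
}

/* Join the caller's user namespace first, then its mount namespace, so the
 * mount namespace is entered with the caller's capabilities rather than the
 * host's. Returns 0 on success, -1 (with errno set) on any failure. */
int join_caller_namespaces(pid_t pid)
{
    if (join_one(pid, "user", CLONE_NEWUSER) < 0)
        return -1;
    if (join_one(pid, "mnt", CLONE_NEWNS) < 0)
        return -1;
    return 0;
}

/* Open a credential cache only after the switch succeeded. Fail closed:
 * a failed switch must never fall back to resolving the path on the host. */
int open_ccache_as_caller(pid_t pid, const char *ccache_path)
{
    if (join_caller_namespaces(pid) < 0)
        return -1;
    return open(ccache_path, O_RDONLY | O_CLOEXEC);
}

int main(int argc, char **argv)
{
    long pid;
    int fd;

    if (argc != 3) {
        fprintf(stderr, "usage: %s <caller-pid> <ccache-path>\n", argv[0]);
        return 2;
    }
    pid = strtol(argv[1], NULL, 10);
    fd = open_ccache_as_caller((pid_t)pid, argv[2]);
    if (fd < 0) {
        fprintf(stderr, "refusing to continue: %s\n", strerror(errno));
        return 1;
    }
    printf("opened %s as seen from pid %ld\n", argv[2], pid);
    close(fd);
    return 0;
}
```

Joining another process's mount namespace needs CAP_SYS_ADMIN (in the
namespace's owning user namespace), which the kernel-invoked upcall has
and an ordinary shell does not; run unprivileged against a container
PID, the program reports the setns() failure and exits without opening
the path, which is exactly the fail-closed behaviour wanted. Joining a
nonexistent PID fails the same way, because /proc/<pid>/ns cannot be
inspected.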

==================
Patch Availability
==================

A patch is available as an attachment on the bug report.

https://bugzilla.samba.org/show_bug.cgi?id=14651

==================
CVSSv3 calculation
==================

AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N/E:F/RL:O/RC:C/MAV:L/MAC:H/MPR:L/MUI:N/MS:C/MC:L/MI:H/MA:N

Base score of 6.1 - medium.

=========================
Workaround and mitigation
=========================

For host systems that cannot be updated, DFS and multiuser mounts can
be disabled in the container's SMB mount options, i.e. by adding
'nodfs' and removing 'multiuser' (if present). This removes the code
paths that trigger the upcall from inside the container but also
removes DFS referral following and per-user authentication on those
mounts.

=======
Credits
=======

Originally reported by Alastair Houghton.

Patch and workaround provided by Alastair Houghton and Aurelien Aptel.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================



More information about the samba-technical mailing list