
Versions Affected: All versions prior to TrueNAS 12.0-U6.1 and SCALE 22.02-RC.1-2


Description

If a client to a Samba server sent a very large DCE/RPC request, and chose to fragment it, an attacker could replace later fragments with their own data, bypassing the signature requirements.

Samba implements DCE/RPC, and in most cases it is provided over and protected by the underlying SMB transport, with protections such as SMB signing. However, there are other cases where large DCE/RPC request payloads are exchanged and fragmented into several pieces. If this happens over untrusted transports (e.g. directly over TCP/IP or anonymous SMB), clients typically protect themselves with explicit authentication at the DCE/RPC layer, e.g. GSSAPI/Kerberos/NTLMSSP or the Netlogon Secure Channel. Because the fragment-protection checks tied to the policy controls on the header were not applied to the subsequent fragments, an attacker could replace subsequent fragments in requests with their own data, which might be able to alter the server behaviour.
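As an added illustration of the missing check (this is not Samba's or TrueNAS's code), the following simplified Python model compares a reassembly routine that validates only the first fragment's auth header against one that requires every later fragment to carry the same auth type, level and context id. The Fragment fields and the sample chains are constructed for the example; no real DCE/RPC wire format is parsed.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed, simplified model of the DCE/RPC fields a server must keep
# consistent across the fragments of one request. Not Samba's structures.
PFC_FIRST_FRAG = 0x01          # real DCE/RPC PFC flag values
PFC_LAST_FRAG = 0x02
AUTH_LEVEL_PKT_PRIVACY = 6     # real DCE/RPC auth level (sign + seal)

@dataclass(frozen=True)
class Fragment:
    pfc_flags: int
    auth_type: int        # e.g. 10 = NTLMSSP, 68 = Netlogon secure channel
    auth_level: int       # 1 = none ... 5 = integrity, 6 = privacy
    auth_context_id: int
    stub_data: bytes

def policy_allows(frag: Fragment, min_auth_level: int) -> bool:
    """Header-level policy: the call must carry at least min_auth_level."""
    return frag.auth_level >= min_auth_level

def reassemble_unchecked(frags: List[Fragment], min_auth_level: int) -> Optional[bytes]:
    """Weak reassembly: policy is evaluated on the first fragment only, so
    later fragments with a different (or no) auth context are still joined."""
    if not frags or not policy_allows(frags[0], min_auth_level):
        return None
    return b"".join(f.stub_data for f in frags)

def reassemble_checked(frags: List[Fragment], min_auth_level: int) -> Optional[bytes]:
    """Hardened reassembly: every fragment must carry the same auth type,
    level and context id as the first, and the FIRST/LAST flags must match
    the fragment's position in the chain."""
    if not frags or not policy_allows(frags[0], min_auth_level):
        return None
    first = frags[0]
    if not first.pfc_flags & PFC_FIRST_FRAG:
        return None
    expected = (first.auth_type, first.auth_level, first.auth_context_id)
    for i, f in enumerate(frags):
        if (f.auth_type, f.auth_level, f.auth_context_id) != expected:
            return None            # auth state changed mid-request: reject
        if i > 0 and f.pfc_flags & PFC_FIRST_FRAG:
            return None            # a second "first" fragment is malformed
        if bool(f.pfc_flags & PFC_LAST_FRAG) != (i == len(frags) - 1):
            return None            # LAST flag must sit on the final fragment only
    return b"".join(f.stub_data for f in frags)

# Constructed sample chains (not captured traffic).
SIGNED = [Fragment(PFC_FIRST_FRAG, 10, 6, 1, b"part1"),
          Fragment(0, 10, 6, 1, b"part2"),
          Fragment(PFC_LAST_FRAG, 10, 6, 1, b"part3")]
# Same first fragment, but the tail carries no auth context at all.
TAMPERED = [SIGNED[0], Fragment(0, 0, 1, 0, b"other"),
            Fragment(PFC_LAST_FRAG, 0, 1, 0, b"data")]
```

The unchecked routine accepts both chains, while the checked one rejects the tampered chain because the auth state of the later fragments no longer matches the first.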

CVSS

CVSS:3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N (4.8)

Workaround

No workaround is available. However, systems that do not use Samba are not vulnerable.


Mitigation

  • Upgrade TrueNAS CORE/Enterprise to 12.0-U6.1 or later
  • Upgrade to TrueNAS SCALE 22.02-RC.1-2 or later

Commit

Further information