
Versions Affected: All versions prior to TrueNAS Core 12.0-U8 and SCALE 22.02 where:

  • CORE:
      • systems that are sharing the same path via SMB and AFP
      • systems that have selected the “Multi-protocol AFP / SMB” preset for a share
      • systems that have populated auxiliary parameters for an SMB share to set “fruit:metadata=netatalk” or “fruit:resource=file”
  • SCALE:
      • systems that have manually selected “Legacy AFP Compatibility”
      • systems that used AFP in TrueNAS Core and have migrated from Core to SCALE (which automatically sets “Legacy AFP Compatibility” on the share)
      • systems that have populated auxiliary parameters for an SMB share to set “fruit:metadata=netatalk” or “fruit:resource=file”

Description

All versions of Samba prior to 4.13.17 or 4.15.5 are vulnerable to an out-of-bounds heap read/write vulnerability that allows remote attackers to execute arbitrary code as root on affected Samba installations that use the VFS module vfs_fruit.

The specific flaw exists within the parsing of EA metadata when opening files in smbd. Access as a user that has write access to a file’s extended attributes is required to exploit this vulnerability. Note that this could be a guest or unauthenticated user if such users are allowed write access to file extended attributes. The problem in vfs_fruit exists in the default configuration of the fruit VFS module using fruit:metadata=netatalk or fruit:resource=file. If both options are set to different settings than the default values, the system is not affected by the security issue.
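The following added example (not part of the original advisory and not TrueNAS or Samba code) applies the condition described above to smb.conf-style text and lists the shares that load vfs_fruit with either option at its affected value. It assumes share settings inherit from [global]; the helper names and the sample configuration are constructed for illustration, and include files and line continuations are not handled.

```python
# Added example: flag shares matching the advisory's affected vfs_fruit settings.
import re

# Default values named in the advisory; a share that leaves either one is affected.
DEFAULTS = {"fruit:metadata": "netatalk", "fruit:resource": "file"}

def parse_smb_conf(text):
    """Return {section: {param: value}}; names lowercased, spaces in keys dropped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[re.sub(r"\s+", "", key).lower()] = value.strip()
    return sections

def affected_shares(text):
    """Shares that load fruit unless BOTH options are moved off their defaults."""
    sections = parse_smb_conf(text)
    hits = []
    for name, params in sections.items():
        eff = {**DEFAULTS, **sections.get("global", {}), **params}  # share wins
        modules = re.split(r"[\s,]+", eff.get("vfsobjects", "").lower())
        if name == "global" or "fruit" not in modules:
            continue
        if eff["fruit:metadata"].lower() == "netatalk" or eff["fruit:resource"].lower() == "file":
            hits.append(name)
    return hits

# Constructed sample configuration, not taken from a real system.
SAMPLE = """
[global]
    vfs objects = fruit streams_xattr
[timemachine]
    path = /mnt/tank/tm
[media]
    fruit:metadata = stream
    fruit:resource = stream
[legacy]
    fruit:metadata = stream
[plain]
    vfs objects = acl_xattr
"""
print(affected_shares(SAMPLE))
```

Samba's `testparm -s` prints the parsed configuration in the same section and key format, so its output can be passed to `affected_shares` as well.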

CVSS

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C

Base score 9.9.

Workaround

No workarounds available


Mitigation

  • Disable affected SMB shares until upgrade is possible
  • Upgrade to TrueNAS 12.0-U8 and SCALE 22.02 when available

Commit

Further information