===========================================================
== Subject:     Shell command injection in mount.cifs
==
== CVE ID#:     CVE-2020-14342
==
== Versions:    cifs-utils 5.6 and later
==
== Summary:     A user controlling the username mount option can embed
==              shell commands that will be run in the context of
==              the calling user.
===========================================================

===========
Description
===========

A bug has been reported recently for the mount.cifs utility which is
part of the cifs-utils package. The tool has a shell injection issue
where one can embed shell commands via the username mount option.
Those commands will be run via popen() in the context of the user
calling mount.

The bug requires cifs-utils to be built with --with-systemd (enabled
by default if supported). A quick test to check if the mount.cifs
binary is vulnerable is to look for popen() calls like so:

    $ nm mount.cifs | grep popen
    U popen@@GLIBC_2.2.5

If the user is allowed to run mount.cifs via sudo, he can obtain a
root shell.

    sudo mount.cifs -o username='`sh`' //1 /mnt

If mount.cifs has the setuid bit, the command will still be run as
the calling user (no privilege escalation).

The bug was introduced in June 2012 with commit 4e264031d0da7d3f2
("mount.cifs: Use systemd's mechanism for getting password, if
present.").

Affected versions:

    cifs-utils-5.6
    cifs-utils-5.7
    cifs-utils-5.8
    cifs-utils-5.9
    cifs-utils-6.0
    cifs-utils-6.1
    cifs-utils-6.2
    cifs-utils-6.3
    cifs-utils-6.4
    cifs-utils-6.5
    cifs-utils-6.6
    cifs-utils-6.7
    cifs-utils-6.8
    cifs-utils-6.9
    cifs-utils-6.10

==================
Patch Availability
==================

A patch is available as an attachment on the bug report. It can be
applied from v6.10 down to v6.2 included. A backported patch is also
available for v6.1 and under.

https://bugzilla.samba.org/show_bug.cgi?id=14442

==================
CVSSv3 calculation
==================

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N (4.4)

=========================
Workaround and mitigation
=========================

For systems that cannot be updated, a wrapper executable around
mount.cifs can be installed. This wrapper simply calls the original
mount.cifs on correct input and exits on injection attempts.

Once the wrapper is installed and owned by root, it can have the
setuid bit if necessary, and the original mount.cifs binary can have
the setuid and execution bits for group and other cleared.

You can find more information along with a Golang implementation of
this wrapper in the bug report attachments.

https://bugzilla.samba.org/show_bug.cgi?id=14442

=======
Credits
=======

Originally reported by Vadim Lebedev. Patch and workaround provided by
Paulo Alcantara and Aurelien Aptel.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
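The wrapper workaround described in the advisory, as an added example that is not the Go wrapper attached to the bug report: it walks argv for -o option strings, allowlists the characters of the username/user value, and refuses anything else before the real mount.cifs is ever reached. The allowlist, the username/user option names checked, and the omitted exec step are assumptions of this example.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// allowedInUser is a conservative allowlist for a username value: letters, digits
// and the separators of the domain\user, domain/user and user%pass forms. Backticks,
// $, ;, |, quotes, whitespace and every other shell metacharacter are rejected.
func allowedInUser(r rune) bool {
	return r >= 'a' && r <= 'z' || r >= 'A' && r <= 'Z' || r >= '0' && r <= '9' ||
		strings.ContainsRune("._-@\\/%", r)
}

// CheckOptions scans one comma-separated -o option string and fails if a
// username= (or user=) value contains a character outside the allowlist.
func CheckOptions(opts string) error {
	for _, opt := range strings.Split(opts, ",") {
		kv := strings.SplitN(opt, "=", 2)
		if len(kv) != 2 || (kv[0] != "username" && kv[0] != "user") {
			continue
		}
		for _, r := range kv[1] {
			if !allowedInUser(r) {
				return fmt.Errorf("rejected %s=%q: %q not allowed", kv[0], kv[1], r)
			}
		}
	}
	return nil
}

func main() {
	args := os.Args[1:]
	for i := 0; i < len(args); i++ {
		if !strings.HasPrefix(args[i], "-o") {
			continue
		}
		opts := args[i][2:] // "-oopts" form
		if opts == "" && i+1 < len(args) { // "-o opts" form: value is the next argument
			i, opts = i+1, args[i+1]
		}
		if err := CheckOptions(opts); err != nil {
			fmt.Fprintln(os.Stderr, "mount.cifs wrapper:", err)
			os.Exit(1)
		}
	}
	// A deployable wrapper would execve() the original, setuid-stripped mount.cifs here.
}
```

The exec of the original binary (and its relocated path) is left out; a setuid-root wrapper that execve()s the original with the same argv is what the advisory's workaround adds on top of this check.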