The Samba-Bugzilla – Attachment 16140 Details for Bug 14442: CVE-2020-14342: Shell command injection vulnerability in mount.cifs
bug announcement
annoucement-v2.txt (text/plain), 2.94 KB, created by Aurélien Aptel on 2020-07-27 11:41:30 UTC
===========================================================
== Subject:     Shell command injection in mount.cifs
==
== CVE ID#:     CVE-2020-14342
==
== Versions:    cifs-utils 5.6 and later
==
== Summary:     A user controlling the username mount option can embed
==              shell commands that will be run in the context of
==              the calling user.
===========================================================

===========
Description
===========

A bug has been reported recently for the mount.cifs utility which is
part of the cifs-utils package. The tool has a shell injection issue
where one can embed shell commands via the username mount option. Those
commands will be run via popen() in the context of the user calling
mount.

The bug requires cifs-utils to be built with --with-systemd (enabled
by default if supported).

A quick test to check if the mount.cifs binary is vulnerable is to look
for popen() calls like so:

    $ nm mount.cifs | grep popen
    U popen@@GLIBC_2.2.5

If the user is allowed to run mount.cifs via sudo, he can obtain a root
shell.

    sudo mount.cifs -o username='`sh`' //1 /mnt

If mount.cifs has the setuid bit, the command will still be run as the
calling user (no privilege escalation).

The bug was introduced in June 2012 with commit 4e264031d0da7d3f2
("mount.cifs: Use systemd's mechanism for getting password, if
present.").

Affected versions:
    cifs-utils-5.6
    cifs-utils-5.7
    cifs-utils-5.8
    cifs-utils-5.9
    cifs-utils-6.0
    cifs-utils-6.1
    cifs-utils-6.2
    cifs-utils-6.3
    cifs-utils-6.4
    cifs-utils-6.5
    cifs-utils-6.6
    cifs-utils-6.7
    cifs-utils-6.8
    cifs-utils-6.9
    cifs-utils-6.10

==================
Patch Availability
==================

A patch is available as an attachment on the bug report. It can be
applied from v6.10 down to v6.2 included.
A backported patch is also available for v6.1 and under.

https://bugzilla.samba.org/show_bug.cgi?id=14442

==================
CVSSv3 calculation
==================

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N (4.4)

=========================
Workaround and mitigation
=========================

For systems that cannot be updated a wrapper executable around
mount.cifs can be installed. This wrapper simply calls the original
mount.cifs on correct input and exits on injection attempts.

Once the wrapper is installed and owned by root it can have the
setuid bit if necessary and the original mount.cifs binary can
have the setuid and execution bits for group and other cleared.

You can find more information along with a Golang implementation
of this wrapper on the bug report attachments.

https://bugzilla.samba.org/show_bug.cgi?id=14442

=======
Credits
=======

Originally reported by Vadim Lebedev.

Patch and workaround provided by Paulo Alcantara and Aurelien Aptel.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
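
The workaround above describes a wrapper that calls the original mount.cifs on correct input and exits on injection attempts. The Go program below is an added example of such an argument check, not the wrapper attached to the bug report. Its assumptions: the path of the moved binary, the allowlist of username characters, the decision to refuse every flag other than -o, and the scope (only usernames given on the command line are inspected).

```go
package main

import (
	"fmt"
	"os"
	"regexp"
	"strings"
	"syscall"
)

const realMount = "/usr/local/libexec/mount.cifs.orig" // hypothetical path of the moved original
// Assumed site policy: account names use only these characters.
var safeUser = regexp.MustCompile(`^[A-Za-z0-9._@-]+$`)

// CheckArgs returns nil only when every user=/username= value passes the allowlist.
// Flags other than -o are refused so an option string cannot hide in a form not parsed here.
func CheckArgs(args []string) error {
	for i := 0; i < len(args); i++ {
		a, opts := args[i], ""
		switch {
		case a == "-o" && i+1 < len(args):
			i++
			opts = args[i]
		case strings.HasPrefix(a, "-o") && len(a) > 2:
			opts = a[2:]
		case strings.HasPrefix(a, "-"):
			return fmt.Errorf("flag %q refused", a)
		default:
			continue // share or mount point, not an option string
		}
		for _, kv := range strings.Split(opts, ",") {
			key, val, hasVal := strings.Cut(kv, "=")
			if k := strings.ToLower(key); hasVal && (k == "user" || k == "username") && !safeUser.MatchString(val) {
				return fmt.Errorf("unsafe %s value %q", k, val)
			}
		}
	}
	return nil
}

func main() {
	err := CheckArgs(os.Args[1:])
	if err == nil { // exec with a fixed minimal environment, nothing inherited from the caller
		argv := append([]string{"mount.cifs"}, os.Args[1:]...)
		err = syscall.Exec(realMount, argv, []string{"PATH=/usr/sbin:/usr/bin:/sbin:/bin"})
	}
	fmt.Fprintln(os.Stderr, "mount.cifs wrapper:", err)
	os.Exit(1)
}
```

The check fails closed: a trailing -o with no value, a long-form flag, or an empty username= value is rejected rather than passed through.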