===========================================================
== Subject:     Container calls to cifs.upcall access host
==              environment
==
== CVE ID#:     CVE-2021-20208
==
== Versions:    cifs-utils 4.0 and above
==
== Summary:     When a container process causes an operation that triggers
==              the kernel to ask userspace for user credentials for
==              an SMB filesystem, the cifs.upcall utility may indirectly
==              leak information about Kerberos credentials available
==              in the host environment and cause non-sanctioned SMB
==              filesystem access in the container.
===========================================================

===========
Description
===========

A bug has been reported recently for the cifs.upcall utility, which is
part of the cifs-utils package.

In scenarios where a program running inside a container issues a syscall
that triggers the kernel to upcall cifs.upcall, such as when users access
a multiuser cifs mount or when users access a DFS link, cifs.upcall is
executed in the host environment. There its execution may indirectly leak
information about resources available only to host applications, such as
Kerberos credential caches, to a containerized application. As a result,
a containerized application may trigger access to files on an SMB share
under an identity that was never intended to be accessible from this
container's environment.

The bug is a consequence of the kernel calling the host cifs.upcall
binary, and can be traced back to the introduction of the cifs.upcall
mechanism in cifs-utils and the introduction of containers in the kernel.

With this release, cifs.upcall joins the calling process's namespaces
before accessing any resources to perform Kerberos authentication. As a
result, access to SMB shares is limited to credentials already available
inside the containerized environment.

==================
Patch Availability
==================

A patch is available as an attachment on the bug report.

https://bugzilla.samba.org/show_bug.cgi?id=14651

==================
CVSSv3 calculation
==================

AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N/E:F/RL:O/RC:C/MAV:L/MAC:H/MPR:L/MUI:N/MS:C/MC:L/MI:H/MA:N

Base score of 6.1 - medium.

=========================
Workaround and mitigation
=========================

For host systems that cannot be updated, DFS and multiuser mounts can be
disabled in the container's SMB mount options, i.e. by adding 'nodfs' and
removing 'multiuser' (if present). Note that this removes the upcall
trigger rather than fixing cifs.upcall itself, so it only covers mounts
that actually carry these options.

=======
Credits
=======

Originally reported by Alastair Houghton. Patch and workaround provided
by Alastair Houghton and Aurelien Aptel.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
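The "Workaround and mitigation" section above asks administrators of unpatched hosts to make sure container cifs mounts carry 'nodfs' and do not carry 'multiuser'. The script below is an added example, not part of the Samba advisory or the cifs-utils project: it audits mounts in /proc/mounts format and reports every cifs mount that still has 'multiuser' set or lacks 'nodfs'. The mount table it is run against here is constructed for illustration; on a real host you would feed it the contents of /proc/mounts.

```shell
#!/bin/sh
# Added example (not from the Samba advisory): audit cifs mounts for the
# options the advisory's workaround requires on hosts that cannot be
# updated. A mount is flagged when its options contain 'multiuser' or do
# not contain 'nodfs'.

# check_cifs_mounts TEXT
#   TEXT is in /proc/mounts format: source mountpoint fstype options dump pass
#   Prints "<mountpoint> <reason>" for every cifs mount that still needs
#   the workaround. Exit status is 1 if any mount was flagged, 0 otherwise.
check_cifs_mounts() {
    printf '%s\n' "$1" | awk '
        $3 == "cifs" {
            n = split($4, opts, ",")
            has_multiuser = 0
            has_nodfs = 0
            for (i = 1; i <= n; i++) {
                if (opts[i] == "multiuser") has_multiuser = 1
                if (opts[i] == "nodfs") has_nodfs = 1
            }
            reason = ""
            if (has_multiuser) reason = "multiuser"
            if (!has_nodfs) reason = reason (reason != "" ? "," : "") "missing-nodfs"
            if (reason != "") {
                print $2, reason
                flagged = 1
            }
        }
        END { exit (flagged ? 1 : 0) }'
}

# Constructed sample mount table (not captured from a real system):
# - /mnt/data uses multiuser and has no nodfs: both triggers present
# - /mnt/home has nodfs and no multiuser: already mitigated
# - /mnt/dfs has neither option: DFS referrals can still cause the upcall
# - the ext4 root is not a cifs mount and is ignored
SAMPLE_MOUNTS='//fileserver/share /mnt/data cifs rw,relatime,vers=3.1.1,sec=krb5,multiuser 0 0
//fileserver/home /mnt/home cifs rw,relatime,vers=3.1.1,sec=krb5,nodfs 0 0
//fileserver/dfsroot /mnt/dfs cifs rw,relatime,vers=3.1.1,sec=ntlmssp 0 0
/dev/sda1 / ext4 rw,relatime 0 0'

# Stand-alone run against the constructed table; on a live host use
#   check_cifs_mounts "$(cat /proc/mounts)"
check_cifs_mounts "$SAMPLE_MOUNTS" || echo "cifs mounts above still need the workaround"
```

Against the sample table the script reports /mnt/data (multiuser,missing-nodfs) and /mnt/dfs (missing-nodfs) and exits 1; /mnt/home passes. The fix for a flagged mount is to remount it with 'nodfs' added and 'multiuser' removed from its '-o' option string, which removes the trigger for the upcall rather than patching cifs.upcall.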