The Samba-Bugzilla – Attachment 16512 Details for Bug 14651: CVE-2021-20208 [SECURITY][EMBARGOED] cifs-utils: cifs.upcall kerberos auth leak in container
announcement: CVE-2021-20208.txt (text/plain), 2.75 KB, created by Aurélien Aptel on 2021-03-09 15:46:07 UTC

===========================================================
== Subject:     Container calls to cifs.upcall access host environment
==
== CVE ID#:     CVE-2021-20208
==
== Versions:    cifs-utils 4.0 and above
==
== Summary:     When a container process performs an operation that
==              triggers the kernel to ask userspace for user
==              credentials for an SMB filesystem, the cifs.upcall
==              utility may indirectly leak information about Kerberos
==              credentials available in the host environment and cause
==              non-sanctioned SMB filesystem access in the container.
===========================================================

===========
Description
===========

A bug has been reported recently for the cifs.upcall utility, which is
part of the cifs-utils package.

In scenarios where a program running inside a container issues a
syscall that triggers the kernel to upcall cifs.upcall, such as when
users access a multiuser cifs mount or when users access a DFS link,
cifs.upcall is executed in the host environment, where its execution
may indirectly leak information about resources available only to
host applications, such as Kerberos credential caches, to a
containerized application. As a result, a containerized application may
trigger access to files on an SMB share under an identity otherwise not
intended to be accessed by this container's environment.

The bug is a consequence of the kernel calling the host cifs.upcall
binary and can be traced back to the introduction of the cifs.upcall
mechanism in cifs-utils and the introduction of containers in the
kernel.

With this release, cifs.upcall joins the caller's process namespaces
before accessing any resources to perform Kerberos authentication. As a
result, access to SMB shares is limited to credentials already available
inside the containerized environment.

==================
Patch Availability
==================

A patch is available as an attachment on the bug report.

https://bugzilla.samba.org/show_bug.cgi?id=14651

==================
CVSSv3 calculation
==================

AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N/E:F/RL:O/RC:C/MAV:L/MAC:H/MPR:L/MUI:N/MS:C/MC:L/MI:H/MA:N

Base score of 6.1 - medium.

=========================
Workaround and mitigation
=========================

For host systems that cannot be updated, DFS and multiuser mounts can
be disabled in the container's SMB mount options, i.e. by adding 'nodfs'
and removing 'multiuser' (if present).

=======
Credits
=======

Originally reported by Alastair Houghton.

Patch and workaround provided by Alastair Houghton and Aurelien Aptel.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
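
One way to check mount definitions against the workaround above, as an added example that is not part of the advisory or of cifs-utils: it reads lines in fstab or /proc/mounts layout and reports cifs mounts that lack 'nodfs' or still carry 'multiuser'. The sample entries are constructed, and the script assumes both options appear verbatim in the options field.

```python
"""Audit cifs mounts for the CVE-2021-20208 workaround (added example)."""
import sys
from pathlib import Path

# "smb3" is the kernel's alias for the cifs filesystem type.
CIFS_TYPES = {"cifs", "smb3"}


def audit_line(line):
    """Return (mountpoint, findings) for a cifs entry, or None for anything else."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    if len(fields) < 4 or fields[2] not in CIFS_TYPES:
        return None
    # Reduce "key=value" options to their key so "sec=krb5" etc. do not interfere.
    opts = {opt.split("=", 1)[0] for opt in fields[3].split(",")}
    findings = []
    if "nodfs" not in opts:
        findings.append("nodfs missing")
    if "multiuser" in opts:
        findings.append("multiuser present")
    return fields[1], findings


def audit(text):
    """Map each cifs mount point that deviates from the workaround to its findings."""
    report = {}
    for line in text.splitlines():
        result = audit_line(line)
        if result and result[1]:
            report[result[0]] = result[1]
    return report


# Constructed sample in fstab / /proc/mounts layout (not taken from a real host).
SAMPLE = """\
# device mountpoint type options dump pass
//fs.example/share /mnt/a cifs rw,sec=krb5,multiuser,cruid=1000 0 0
//fs.example/dfs /mnt/b cifs rw,sec=krb5,nodfs 0 0
//fs.example/data /mnt/c smb3 rw,vers=3.0 0 0
/dev/sda1 / ext4 rw,relatime 0 0
"""

if __name__ == "__main__":
    source = Path(sys.argv[1]).read_text() if len(sys.argv) > 1 else SAMPLE
    for mountpoint, findings in audit(source).items():
        print(f"{mountpoint}: {', '.join(findings)}")
```

Run without arguments it audits the constructed sample; pass a path such as /etc/fstab or /proc/mounts to audit real entries.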