CVE-2021-44141

2022-01-3115:06:29

redhat.com

access.redhat.com

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

3.5 Low

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:S/C:P/I:N/A:N

0.001 Low

EPSS

Percentile

21.6%

JSON

A vulnerability was found in Samba due to an insecure link following. By querying a symlink inside the exported share using SMB1 with unix extensions turned on, an attacker can discover if a named or directory exists on the filesystem outside the exported share. This flaw allows a remote authenticated attacker to obtain sensitive information.

Mitigation

Do not enable SMB1 (please note SMB1 is disabled by default in Samba from version 4.11.0 and onwards). This prevents the creation or querying of symbolic links via SMB1. If SMB1 must be enabled for backwards compatibility then add the parameter:

unix extensions = no

to the [global] section of your smb.conf and restart smbd. This prevents SMB1 clients from creating or reading symlinks on the exported file system.

However, if the same region of the file system is also exported allowing write access via NFS, NFS clients can create symlinks that allow SMB1 with unix extensions clients to discover the existance of the NFS created symlink targets. For non-patched versions of Samba we recommend only exporting areas of the file system by either SMB2 or NFS, not both.