New version 6.11 of cifs-utils has been released today. This is a
security release to address the following bug:
CVE-2020-14342: mount.cifs: fix shell command injection
For more details, refer to the description below.
============================================================ Subject: Shell
command injection in mount.cifs
=== CVE ID#: CVE-2020-14342
=== Versions: cifs-utils 5.6 and later
=== Summary: A user controlling the username mount option can embed
== shell commands that will be run in the context of
== the calling user.
==========================================================
==========Description
==========
A bug has been reported recently for the mount.cifs utility which is
part of the cifs-utils package. The tool has a shell injection issue
where one can embed shell commands via the username mount option. Those
commands will be run via popen() in the context of the user calling
mount.
The bug requires cifs-utils to be built with --with-systemd (enabled
by default if supported).
A quick test to check if the mount.cifs binary is vulnerable is to look
for popen() calls like so:
$ nm mount.cifs | grep popen
U popen@@GLIBC_2.2.5
If the user is allowed to run mount.cifs via sudo, he can obtain a root
shell.
sudo mount.cifs -o username='`sh`' //1 /mnt
If mount.cifs has the setuid bit, the command will still be run as the
calling user (no privilege escalation).
The bug was introduced in June 2012 with commit 4e264031d0da7d3f2
("mount.cifs: Use systemd's mechanism for getting password, if
present.").
Affected versions:
cifs-utils-5.6
cifs-utils-5.7
cifs-utils-5.8
cifs-utils-5.9
cifs-utils-6.0
cifs-utils-6.1
cifs-utils-6.2
cifs-utils-6.3
cifs-utils-6.4
cifs-utils-6.5
cifs-utils-6.6
cifs-utils-6.7
cifs-utils-6.8
cifs-utils-6.9
cifs-utils-6.10
=================Patch Availability
=================
A patch is available as an attachment on the bug report. It can be
applied from v6.10 down to v6.2 included.
A backported patch is also available for v6.1 and under.
https://bugzilla.samba.org/show_bug.cgi?id=14442
=================CVSSv3 calculation
=================
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N (4.4)
========================Workaround and mitigation
========================
For systems that cannot be updated a wrapper executable around
mount.cifs can be installed. This wrapper simply calls the original
mount.cifs on correct input and exits on injection attempts.
Once the wrapper is installed and owned by root it can have the
setuid bit if necessary and the original mount.cifs binary can
have the setuid and execution bits for group and other cleared.
You can find more information along with a Golang implementation
of this wrapper on the bug report attachments.
https://bugzilla.samba.org/show_bug.cgi?id=14442
======Credits
======
Originally reported by Vadim Lebedev.
Patch and workaround provided by Paulo Alcantara and Aurelien Aptel.
=========================================================== Our Code, Our Bugs,
Our Responsibility.
== The Samba Team
==========================================================
