Linux-CIFS Archive on
help / color / mirror / Atom feed
* [ANNOUNCE] cifs-utils release 6.13 ready for download
@ 2021-04-13  0:10 Pavel Shilovsky
  0 siblings, 0 replies; only message in thread
From: Pavel Shilovsky @ 2021-04-13  0:10 UTC (permalink / raw)
  To: linux-cifs, samba-technical, samba, Aurélien Aptel,
	Paulo Alcantara (SUSE),
	Ronnie Sahlberg, Boris Protopopov, Steve French, Shyam Prasad N,
	Rohith Surabattula, Pavel Shilovskiy

New version 6.13 of cifs-utils has been released today. This is a
security release to address the following bug:

CVE-2021-20208 cifs.upcall kerberos auth leak in container

For more details, refer to the description below.

== Subject:     Container calls to cifs.upcall access host environment
== CVE ID#:     CVE-2021-20208
== Versions:    cifs-utils 4.0 and above
== Summary:     When a container process causes an operation that trigger
==              the kernel to ask a userspace for user credentials for
==              an SMB filesystem, cifs.upcall utility may indirectly
==              leak an information about Kerberos credentials available
==              in the host environment and cause non-sanctioned SMB
==              filesystem access in the container.


A bug has been reported recently for the cifs.upcall utility which is
part of the cifs-utils package.

In scenarios where a program running inside a container issues a
syscall that triggers the kernel to upcall cifs.upcall, such as when
users access a multiuser cifs mount or when users access a DFS link,
cifs.upcall is executed in the host environment where its execution
may indirectly leak an information about resources available only to
host applications, such as Kerberos credential caches, to a
containerized application. As a result, a containerized application may
trigger access to files on an SMB share under an identity otherwise not
intended to be accessed by this container's environment.

The bug is a consequence of the kernel calling the host cifs.upcall
binary and can traced back to the introduction of the cifs.upcall
mechanism in cifs-utils and the introduction of containers in the

With this release, cifs.upcall joins a caller's process namespaces
before accessing any resources to perform Kerberos authentication.
As a result, access to SMB shares is limited to credentials already
available inside the containerized environment.

Patch Availability

A patch is available as an attachment on the bug report.

CVSSv3 calculation


Base score of 6.1 - medium.

Workaround and mitigation

For host systems that cannot be updated, DFS and multiuser mounts can
be disabled in the container SMB mounts options i.e. adding 'nodfs'
and removing 'multiuser' (if present).


Originally reported by Alastair Houghton.

Patch and workaround provided by Alastair Houghton and Aurelien Aptel.

== Our Code, Our Bugs, Our Responsibility.
== The Samba Team

^ permalink raw reply	[flat|nested] only message in thread

only message in thread, other threads:[~2021-04-13  0:10 UTC | newest]

Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-04-13  0:10 [ANNOUNCE] cifs-utils release 6.13 ready for download Pavel Shilovsky

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).