Recommendation for Samba security issues CVE-2021-43566 and CVE-2021-20316

Status

Samba has published security advisories for CVE-2021-43566 and CVE-2021-20316. Both issues are only exploitable against Samba servers that still allow the SMB1 protocol (with its unix extensions), or whose share directories are additionally exported via NFS.

Recommendations

As noted in the UCS security hardening guide, we recommend disabling SMB1 (the Samba protocol levels CORE, COREPLUS, LANMAN1, LANMAN2 and NT1) in UCS 4.x. This is already the default in UCS 5.0-x. You can check the minimum protocol level Samba currently accepts by running:

testparm -sv 2>/dev/null | grep "server min protocol"

If the reported value is not SMB2_02 or higher, SMB1 connections are still accepted. In that case check the corresponding UCR variable:

ucr search samba/min/protocol

By default this UCR variable is not set in UCS. In UCS 4.4 that means SMB1 is allowed. Before adjusting samba/min/protocol, first check the value of server max protocol: a minimum above the configured maximum leaves no protocol dialect that clients can negotiate, and they will no longer be able to connect.

testparm -sv 2>/dev/null | grep "server max protocol"

If that is set to anything below SMB2_02 (e.g. NT1, LANMAN1, LANMAN2, CORE or COREPLUS), check

ucr search samba/max/protocol

Administrators may have deliberately set this to NT1, LANMAN1 or similar, e.g. to support legacy SMB clients. In that case, first raise samba/max/protocol to SMB2_02 or above before touching the minimum. We recommend removing the upper limit entirely by running

ucr unset samba/max/protocol

In cases where SMB1 must remain enabled for backwards compatibility, set the Samba parameter unix extensions to no; this blocks both issues. The unix extensions only exist for SMB1, so SMB2 and SMB3 clients are unaffected by this change. This can be done with the following commands:

echo -e "[global]\n\tunix extensions = no" >> /etc/samba/local.conf
ucr commit /etc/samba/smb.conf

Please consult "man smb.conf" for details about the protocol levels. After carefully reviewing your choices, you may set

ucr set samba/min/protocol="SMB2_02"

After any of these UCR variable changes, and careful review, you need to restart Samba by running

/etc/init.d/samba restart
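The following script is an added example and is not part of the UCS advisory or of Univention's tooling. It reproduces the checks described in the steps above on the output of testparm -sv: whether an SMB1 dialect (anything up to NT1) can still be negotiated between server min protocol and server max protocol, whether SMB1 unix extensions are enabled, and whether a new samba/min/protocol would exceed the current maximum (the "bad surprise" mentioned above). The protocol ordering follows the list in man smb.conf; the three testparm dumps at the bottom are constructed samples, not captured from a real system. When testparm is installed, the script evaluates the live configuration instead.

```shell
#!/bin/sh
# Added example, not part of the UCS advisory. Evaluates "testparm -sv" output:
# is an SMB1 dialect still negotiable, are SMB1 unix extensions on, and would a
# new samba/min/protocol exceed the current maximum? Sample dumps are constructed.

# Rank Samba protocol levels in the order listed in man smb.conf. SMB2 and SMB3
# are aliases that Samba maps to SMB2_10 and SMB3_11. Unknown values rank -1.
proto_rank() {
    case "$(printf '%s' "$1" | tr 'a-z' 'A-Z')" in
        CORE)          printf '%s\n' 0 ;;
        COREPLUS)      printf '%s\n' 1 ;;
        LANMAN1)       printf '%s\n' 2 ;;
        LANMAN2)       printf '%s\n' 3 ;;
        NT1)           printf '%s\n' 4 ;;
        SMB2_02)       printf '%s\n' 5 ;;
        SMB2_10|SMB2)  printf '%s\n' 6 ;;
        SMB2_22)       printf '%s\n' 7 ;;
        SMB2_24)       printf '%s\n' 8 ;;
        SMB3_00)       printf '%s\n' 9 ;;
        SMB3_02)       printf '%s\n' 10 ;;
        SMB3_10)       printf '%s\n' 11 ;;
        SMB3_11|SMB3)  printf '%s\n' 12 ;;
        *)             printf '%s\n' -1 ;;
    esac
}

# Extract one "name = value" parameter from testparm output read on stdin.
testparm_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" | head -n 1
}

# Can an SMB1 dialect be negotiated with min=$1 and max=$2?
# Prints yes, no, none (min above max: nothing is negotiable) or unknown.
smb1_negotiable() {
    min_rank=$(proto_rank "$1"); max_rank=$(proto_rank "$2")
    if [ "$min_rank" -lt 0 ] || [ "$max_rank" -lt 0 ]; then printf 'unknown\n'; return; fi
    if [ "$min_rank" -gt "$max_rank" ]; then printf 'none\n'; return; fi
    if [ "$min_rank" -le "$(proto_rank NT1)" ]; then printf 'yes\n'; else printf 'no\n'; fi
}

# Classify a testparm -sv dump ($1): exposed, mitigated, safe, misconfigured or unknown.
smb1_exposure() {
    min=$(printf '%s\n' "$1" | testparm_value "server min protocol")
    max=$(printf '%s\n' "$1" | testparm_value "server max protocol")
    uext=$(printf '%s\n' "$1" | testparm_value "unix extensions" | tr 'a-z' 'A-Z')
    case "$(smb1_negotiable "$min" "$max")" in
        none)    printf 'misconfigured\n' ;;
        unknown) printf 'unknown\n' ;;
        no)      printf 'safe\n' ;;
        yes)     if [ "$uext" = NO ]; then printf 'mitigated\n'; else printf 'exposed\n'; fi ;;
    esac
}

# Would raising samba/min/protocol to $2 while server max protocol is $1 still
# leave a negotiable range? Prints ok or empty-range.
min_raise_safe() {
    if [ "$(proto_rank "$2")" -le "$(proto_rank "$1")" ]; then printf 'ok\n'; else printf 'empty-range\n'; fi
}

# Print the advisory's steps that apply to the given testparm dump.
recommend() {
    case "$(smb1_exposure "$1")" in
        misconfigured) printf 'server min protocol is above server max protocol; run: ucr unset samba/max/protocol\n' ;;
        exposed)   printf 'SMB1 with unix extensions is reachable. Preferred fix:\n'
                   printf '  ucr unset samba/max/protocol; ucr set samba/min/protocol="SMB2_02"\n'
                   printf 'If SMB1 must stay: echo -e "[global]\\n\\tunix extensions = no" >> /etc/samba/local.conf; ucr commit /etc/samba/smb.conf\n'
                   printf 'Then: /etc/init.d/samba restart\n' ;;
        mitigated) printf 'SMB1 is reachable, but unix extensions = no blocks both CVEs. Consider disabling SMB1 anyway.\n' ;;
        safe)      printf 'SMB1 is not negotiable. Still, do not export the share directory via NFS.\n' ;;
        *)         printf 'could not parse protocol levels from testparm output\n' ;;
    esac
}

# Constructed samples resembling testparm -sv output (not from a real system).
SAMPLE_UCS44='[global]
    server min protocol = LANMAN1
    server max protocol = SMB3_11
    unix extensions = Yes'
SAMPLE_MITIGATED='[global]
    server min protocol = NT1
    server max protocol = NT1
    unix extensions = No'
SAMPLE_UCS50='[global]
    server min protocol = SMB2_02
    server max protocol = SMB3_11
    unix extensions = Yes'

# Evaluate the live configuration when testparm exists, otherwise the samples.
if command -v testparm >/dev/null 2>&1; then
    recommend "$(testparm -sv 2>/dev/null)"
else
    for s in "$SAMPLE_UCS44" "$SAMPLE_MITIGATED" "$SAMPLE_UCS50"; do recommend "$s"; done
fi
```

Run it on the UCS host as root so testparm sees the generated smb.conf. The min_raise_safe check is the one to consult before setting samba/min/protocol: an "empty-range" result means the maximum has to be raised or unset first.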

Additionally, both vulnerabilities are also exploitable if the directory behind a Samba share is exported via NFS as well, so we recommend not doing that.

According to the upstream assessment, exploiting this is a difficult race to win, but theoretically possible. The proof of concept code wins the race only when the server is slowed down and put under heavy load.
