Remote code execution vulnerability in Samba due to macOS interop module
Patch now
A vulnerability in Samba 4 allowed remote code to run as root due to a bug in its support for Mac clients.
It's fixed in 4.13.17, 4.14.12 and 4.15.5, and in case you can't upgrade, there are patches.
The vuln is being tracked as CVE-2021-44142 and received a CVSS rating of 9.9.
Samba is a FOSS implementation of Microsoft's Server Message Block (SMB) network protocol. SMB is how Windows (and DOS and OS/2) share drives. Microsoft used to call it the "Common Internet File System" instead, or CIFS for short, but the name exceeded the company's ambition – in Unix land, SMB has never really displaced Sun's Network File System (NFS).
But macOS isn't like the other Unixes. It's specifically designed to play nice in a world where Windows dominates, and unlike Apple's pre-NeXT MacOS (or "classic" as it was dubbed before OS X 10.5 killed it off), macOS (note the very important missing capital) speaks SMB natively.
Early versions of what was then called OS X used Samba to do this, but after Samba switched to GPL3, Apple dropped Samba in OS X 10.7, and switched to its own implementation.
OS X can also understand the old classic MacOS AppleTalk Filing Protocol (AFP). There's a Linux server for that, too, called Netatalk. Netatalk was the only way for Classic MacOS to store files on a Linux server, and it supports the rich file metadata that Classic MacOS used. Samba has a special module called vfs_fruit which keeps Samba shares compatible with Netatalk metadata. That is the module that has the vulnerability.
If you actively used vfs_fruit and changed the default configuration, you're safe from the vulnerability. All the same, everyone should upgrade as soon as possible. ®
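An added example, not code from the article or from the Samba project: a Python check that parses an smb.conf, lists the shares that load vfs_fruit, and rates each one against the fixed releases named above. The ini parser, the `assess` function and the sample configuration are my own constructions; `fruit:metadata` is a real vfs_fruit option, used here only as a constructed non-default setting.

```python
import re

# Fixed releases named in the article, keyed by minor branch; 4.16+ shipped after the fix.
FIXED = {(4, 13): (4, 13, 17), (4, 14): (4, 14, 12), (4, 15): (4, 15, 5)}

def parse_version(text):
    """(major, minor, patch) from 'smbd --version' output such as 'Version 4.13.14-Ubuntu'."""
    return tuple(int(x) for x in re.search(r"(\d+)\.(\d+)\.(\d+)", text).groups())

def version_is_fixed(ver):
    """True at or above the branch's fixed release; 4.12 and older never got a fix."""
    branch = ver[:2]
    return ver >= FIXED[branch] if branch in FIXED else branch > (4, 15)

def parse_smb_conf(text):
    """Minimal ini parser: {section: {key: value}} with section and key names lowercased."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, val = line.split("=", 1)
            conf[section][key.strip().lower()] = val.strip()
    return conf

def assess(version_text, conf_text):
    """Per share loading vfs_fruit: 'fixed', 'mitigated' (some fruit: option overrides
    the defaults, which the article says sidesteps the bug) or 'vulnerable'."""
    fixed = version_is_fixed(parse_version(version_text))
    conf = parse_smb_conf(conf_text)
    glob, result = conf.get("global", {}), {}
    for share, opts in conf.items():
        vfs = opts.get("vfs objects", glob.get("vfs objects", ""))
        if share == "global" or "fruit" not in vfs.split():
            continue  # module not loaded for this share, nothing to assess
        overridden = any(k.startswith("fruit:") for k in {**glob, **opts})
        result[share] = "fixed" if fixed else "mitigated" if overridden else "vulnerable"
    return result

# Constructed sample smb.conf (not from the article): one share on vfs_fruit defaults, one tuned.
SAMPLE_CONF = """[global]
   vfs objects = catia fruit streams_xattr
[timemachine]
[scratch]
   fruit:metadata = stream"""
```

"mitigated" only reflects the article's coarse condition that the default configuration was changed; the Samba advisory spells out exactly which fruit: settings matter, so treat an upgrade as the real fix.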