Bug 1860884 (CVE-2020-14342)

Summary: CVE-2020-14342 cifs-utils: shell command injection in mount.cifs
Product: [Other] Security Response Reporter: msiddiqu
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: cbuissar, jlayton, lsahlber, mkaplan, ronniesahlberg, security-response-team, sprabhu, ssorce
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: cifs-utils 6.11 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in cifs-utils' mount.cifs where it was invoking a shell when requesting the Samba password, which could be used to inject arbitrary commands. This flaw allows an attacker who can invoke mount.cifs with special permission, such as via sudo rules, to escalate their privileges. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-29 06:53:38 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1866238, 1866239, 1876400    
Bug Blocks: 1860093    

Description msiddiqu 2020-07-27 10:34:55 UTC
A user controlling the username mount option can embed shell commands that will be run in the context of the calling user.

Comment 3 Cedric Buissart 2020-09-07 06:43:21 UTC
Statement:

In order to exploit this flaw, the attacker would need to be able to inject a specially crafted username into the command run by root. This requires a specific setup (e.g.: sudo rules, etc.).
As a result, the vulnerability is considered as low severity.

Comment 5 Cedric Buissart 2020-09-07 07:09:22 UTC
Acknowledgments:

Name: Aurélien Aptel (SUSE Labs Samba Team)
Upstream: Vadim Lebedev

Comment 6 Cedric Buissart 2020-09-07 07:09:42 UTC
Created cifs-utils tracking bugs for this issue:

Affects: fedora-all [bug 1876400]

Comment 8 Michael Kaplan 2020-09-08 11:52:21 UTC
External References:

https://lists.samba.org/archive/samba-technical/2020-September/135747.html