Bug 1921116 (CVE-2021-20208) - CVE-2021-20208 cifs-utils: Container can use kerberos cache from the host via mount.cifs/cifs.upcall
Summary: CVE-2021-20208 cifs-utils: Container can use kerberos cache from the host via...
Keywords:
Status: NEW
Alias: CVE-2021-20208
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
: 1934912 (view as bug list)
Depends On: 1924814 1924815 1925956
Blocks: 1936300 1916420 1923718
TreeView+ depends on / blocked
 
Reported: 2021-01-27 14:31 UTC by Pedro Sampaio
Modified: 2021-04-19 19:00 UTC (History)
21 users (show)

Fixed In Version: cifs-utils 6.13
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in cifs-utils. A user when mounting a krb5 CIFS file system from within a container can use Kerberos credentials of the host. The highest threat from this vulnerability is to data confidentiality and integrity.
Clone Of:
Environment:
Last Closed:


Attachments (Terms of Use)

Description Pedro Sampaio 2021-01-27 14:31:26 UTC
A flaw was found in cifs-utils. From inside a container, cifs.upcall can read the credential caches for users on the host system potentially allowing hijacking of credentials.

Comment 5 Alex 2021-02-04 14:54:04 UTC
A flaw was found in cifs-utils. When a containerized environment has access to an SMB mount point configured for multi-user access with Kerberos authentication, a process within a container might trigger authenticated request using credential caches stored on the host by unrelated users (because credential caches being accessible to the host identity of the calling process even this process initialized inside container). The highest threat from this potential vulnerability is to data confidentiality and integrity.

Comment 7 Alex 2021-02-08 18:03:58 UTC
Statement:

This flaw is rated as having Moderate impact because of the need to have elevated privileges and limited possibilities of the attack: an attacker will not get actual credentials cache accessed by themselves, but might cause an authentication attempt to an SMB server and may be succeed in file access.

Comment 12 Alex 2021-03-10 15:51:23 UTC
Mitigation:

DFS and multiuser mounts can be disabled in the container SMB mounts options i.e. adding 'nodfs' and removing 'multiuser' (if present).

Comment 13 Ronnie Sahlberg 2021-03-11 01:45:49 UTC
*** Bug 1934912 has been marked as a duplicate of this bug. ***

Comment 14 Alex 2021-04-19 11:30:12 UTC
External References:

https://bugzilla.samba.org/show_bug.cgi?id=14651

Comment 15 Alex 2021-04-19 11:32:02 UTC
Fixed in cifs-utils 6.13.


Note You need to log in before you can comment on or make changes to this bug.