A flaw was found in cifs-utils. From inside a container, cifs.upcall can read the credential caches for users on the host system potentially allowing hijacking of credentials.
A flaw was found in cifs-utils. When a containerized environment has access to an SMB mount point configured for multi-user access with Kerberos authentication, a process within a container might trigger authenticated request using credential caches stored on the host by unrelated users (because credential caches being accessible to the host identity of the calling process even this process initialized inside container). The highest threat from this potential vulnerability is to data confidentiality and integrity.
Statement: This flaw is rated as having Moderate impact because of the need to have elevated privileges and limited possibilities of the attack: an attacker will not get actual credentials cache accessed by themselves, but might cause an authentication attempt to an SMB server and may be succeed in file access.
Mitigation: DFS and multiuser mounts can be disabled in the container SMB mounts options i.e. adding 'nodfs' and removing 'multiuser' (if present).
*** Bug 1934912 has been marked as a duplicate of this bug. ***
External References: https://bugzilla.samba.org/show_bug.cgi?id=14651
Fixed in cifs-utils 6.13.
The final fix is a part of cifs-utils 6.14. Version 6.13 misses two important fixes.