Protection Against Exploitation
First and foremost, it is always highly recommended that users apply the vendor's patches when they become available. Samba has released updated versions 4.13.17, 4.14.12, and 4.15.5 to address this vulnerability. Users should check their particular distributor's updated code packages. Alternatively, general information and Samba source can be found at https://www.samba.org.
A manual workaround is available: remove 'fruit' from the 'vfs objects' lines in the Samba configuration files, which changes the default VFS module settings. Please note, however, that changing these settings could cause stored information to be inaccessible, especially to macOS clients.
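The two conditions described above (a Samba release older than the fixed version for its branch, and the fruit module present in an effective 'vfs objects' line) can be checked together. The following is an added example written for this page, not Trend Micro's script package; the smb.conf sample is constructed, the version string mimics `smbd -V` output, and the smb.conf parsing is a deliberately minimal reader (sections, `key = value`, `#`/`;` comment lines, share-level inheritance from [global]).

```python
import re

# Releases carrying the CVE-2021-44142 fix, per the Samba bulletin cited on this page.
FIXED = {(4, 13): (4, 13, 17), (4, 14): (4, 14, 12), (4, 15): (4, 15, 5)}
# Constructed sample smb.conf: [timemachine] sets no 'vfs objects' of its own, so it
# inherits the [global] line and loads fruit; [public] overrides it and does not.
SAMPLE_CONF = """\
[global]
   workgroup = WORKGROUP
   vfs objects = catia fruit streams_xattr
[public]
   path = /srv/public
   vfs objects = recycle
[timemachine]
   path = /srv/tm
"""

def version_is_patched(version_text):
    """Compare 'smbd -V' output (e.g. 'Version 4.13.3-Debian') with its branch's fixed release."""
    ver = tuple(int(x) for x in re.search(r"(\d+)\.(\d+)\.(\d+)", version_text).groups())
    branch = ver[:2]
    # Branches before 4.13 received no fix; branches after 4.15 were cut after the fix.
    return ver >= FIXED[branch] if branch in FIXED else branch > (4, 15)

def parse_smb_conf(text):
    """Minimal smb.conf reader: [section] headers, 'key = value' lines, and comment
    lines starting with '#' or ';'; keys are lower-cased because smb.conf ignores case."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections

def shares_loading_fruit(conf):
    """Sections whose effective 'vfs objects' list loads fruit (shares inherit [global])."""
    default = conf.get("global", {}).get("vfs objects", "")
    return [name for name, opts in conf.items()
            if "fruit" in opts.get("vfs objects", default).split()]

def assess(version_text, conf_text):
    """Verdict as on this page: an old version is vulnerable only if some share loads fruit."""
    patched = version_is_patched(version_text)
    fruit = shares_loading_fruit(parse_smb_conf(conf_text))
    return {"patched": patched, "fruit_shares": fruit, "vulnerable": not patched and bool(fruit)}
```

On a real host, feed it the output of `smbd -V` and the contents of the smb.conf in use; a share that is reported only because it inherits the [global] line still needs the workaround applied in [global] or an explicit 'vfs objects' line of its own.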
Trend Micro Protection and Investigation
In addition to the vendor patch(es) that should be applied, Trend Micro has released some supplementary rules, filters and detection protection that may help provide additional protection for servers that have not already been compromised, as well as detection of malicious components associated with this attack and of further attempted attacks.
Using Trend Micro Tools & Products for Investigation
Trend Micro Vulnerability Assessment Tool
Trend Micro has updated our free Vulnerability Assessment Tool with two new assessments using the power of Trend Micro Vision One™ to help check your environment for Linux/Unix servers that may be affected by this vulnerability.
For those not familiar with the tool, which was also used for the Log4Shell vulnerability, this quick and easy self-serve security assessment leverages complimentary access to the Trend Micro Vision One threat defense platform so you can identify systems that may be affected by this vulnerability. The assessment provides a detailed view of your attack surface and shares next steps to mitigate risks.
There are two options for this assessment -- (1) a Windows-based network scanner that will attempt to identify potential Linux systems running Samba versions that may be affected to help narrow the scope for further investigation; and (2) a Linux-based local agent that will provide more detailed information.
The free assessment tool can be accessed by visiting: https://go2.trendmicro.com/geoip/security-assessment-service.
Please note, if you are already a Trend Micro Vision One customer, you do not need to complete the form. Simply log into your console and you will be provided instructions to complete the assessment.
Manual Scripts
Trend Micro Research has created two scripts that can be used by administrators on Linux/Unix based systems to help verify the version of Samba installed and, if present, check the configuration of the fruit VFS module.
The script package including both scripts can be downloaded from here.
Filename: Trend Micro CVE-2021-44142-Scripts v2.zip
SHA256: 30e063d7c2a5a03e431c2886c8456a91855ad65757384d8d234edba325ae2e0f
Please note, detailed instructions can be found for each script by opening them up in a text editor.
Using Trend Micro Vision One™ and Trend Micro Verification Scripts
The first script (CVE-2021-44142.sh) is a Shell command script that can be deployed in Trend Micro Vision One using the Custom Scripts function.
Instructions on how to use the Custom Script function of Trend Micro Vision One can be found below:
- Written Instructions - Trend Micro CVE-2021-44142 Custom Script in Vision One.pdf
- Video Demo - https://www.youtube.com/watch?v=a3tnVkSPXs0
Trend Micro Verification Scripts (Standalone)
The first script (CVE-2021-44142.sh) is a Shell command script that has two options for testing:
1. Direct - an administrator can open the shell script in a text editor and copy and paste the entire command and run it from a terminal; or
2. The file can be executed directly.
The following is an example of the output using the Shell script on a vulnerable system:
This is an example of the output if the Samba version is older than recommended, but the configuration is considered not vulnerable:
The second script (check_samba.py) is a Python-based script that performs the same function. (Requires Python 3.5 or greater).
The following is an example of the Python script executed on a vulnerable system:
Preventative Rules, Filters & Detection
Trend Micro Cloud One - Workload Security and Deep Security IPS Rules
- 1011294 - Samba AppleDouble Remote Code Execution Vulnerability (CVE-2021-44142)
Trend Micro TippingPoint and Cloud One - Network Security Filters
- 40844 - SMB: Samba vfs_fruit Buffer Overflow Vulnerability (ZDI-22-244)
- 40845 - SMB: Samba vfs_fruit File Extended Attribute Update Policy
Impact on Trend Micro Products
Trend Micro has started a product/service-wide assessment to see if any products or services may be affected by this vulnerability. If products are found to be affected, information will be added here with additional directions if required.
Products Not Currently Affected (including SaaS solutions that have already been patched):
Product | Status
Adaptive Security Platform Antivirus | Not Affected
Cloud Edge | Not Affected
Cloud One - Network Security | Not Affected
Deep Discovery Analyzer | Not Affected
Deep Discovery Director | Not Affected
Deep Discovery Email Inspector | Not Affected
Deep Discovery Inspector | Not Affected
ID Security | Not Affected
InterScan Web Security Virtual Appliance | Not Affected
Portable Security | Not Affected
TippingPoint Accessories | Not Affected
TippingPoint IPS (N-, NX- and S-series) | Not Affected
TippingPoint Network Protection (AWS & Azure) | Not Affected
TippingPoint SMS | Not Affected
TippingPoint ThreatDV | Not Affected
TippingPoint TPS | Not Affected
TippingPoint TX-Series | Not Affected
TippingPoint Virtual SMS | Not Affected
TippingPoint Virtual TPS | Not Affected
Trend Micro Web Security | Not Affected
References
- Samba Security Bulletin for CVE-2021-44142
- ZDI Blog - CVE-2021-44142: DETAILS ON A SAMBA CODE EXECUTION BUG DEMONSTRATED AT PWN2OWN AUSTIN
- Trend Micro Research Blog - The Samba Vulnerability: What is CVE-2021-44142 and How to Fix It
- Ubuntu Security Advisory - USN-5260-2: Samba vulnerability
- Red Hat Security Advisory: CVE-2021-44142
- https://www.zerodayinitiative.com/advisories/ZDI-22-244
- https://www.zerodayinitiative.com/advisories/ZDI-22-245
- https://www.zerodayinitiative.com/advisories/ZDI-22-246