CVE-2021-44141
Public on 2022-02-02
Modified on 2023-11-27
Description
All versions of Samba prior to 4.15.5 are vulnerable to a malicious client using a server symlink to determine if a file or directory exists in an area of the server file system not exported under the share definition. SMB1 with unix extensions has to be enabled in order for this attack to succeed.
A fix for CVE-2021-44141 for will not be provided for Amazon Linux 1 and Amazon Linux 2. You can mitigate this issue by disabling SMBv1.
To do so, add server min protocol = SMB2 to the [global] section of /etc/samba/smb.conf
A fix for CVE-2021-44141 for will not be provided for Amazon Linux 1 and Amazon Linux 2. You can mitigate this issue by disabling SMBv1.
To do so, add server min protocol = SMB2 to the [global] section of /etc/samba/smb.conf
Severity
Medium
CVSS v3 Base Score
See breakdown
Affected Packages
| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| Amazon Linux 1 | samba | No Fix Planned | ||
| Amazon Linux 2 - Core | samba | No Fix Planned | ||
| Amazon Linux 2023 | samba | 2023-02-17 | ALAS2023-2023-032 | Fixed |
CVSS Scores
| Score Type | Score | Vector | |
|---|---|---|---|
| Amazon Linux | CVSSv3 | 4.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
| NVD | CVSSv2 | 3.5 | AV:N/AC:M/Au:S/C:P/I:N/A:N |
| NVD | CVSSv3 | 4.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |