CVE-2021-44142: Versions of Samba prior to 4.13.17 Vuln

S

Scoot_Mulner

Dabbler
Joined
Aug 20, 2013
Messages
12
Hello,

I just noticed CVE-2021-44142 and wanted to check the correct steps to mitigate. I am running TrueNAS-12.0-U7 with a couple Apple computers on the network and I have Samba 4.13.14 which is vulnerable.

Code:
# smbd -V
Version 4.13.14

I do have an AFP share that I use to share a single HDD for Time Machine backups. I think that part is fine because, it isn't using Samba.

Under the "Advanced Options" for my Samba share configurations, I do have "Use Apple-style Character Encoding" checked off and I see a "Time Machine" checkbox but I'm not using that so it is unchecked. I don't have anything with the word "fruit" in my "Auxiliary Parameters" section for any of the shares either.

Also, under the Samba service configuration, I see a checkbox for "Enable Apple SMB2/3 Protocol Extensions".

So my question is, if all three of those items are unchecked and I don't have any fruity things in my auxiliary parameters, is TrueNAS safe?
1) Use Apple-style Character Encoding
2) Time Machine
3) Enable Apple SMB2/3 Protocol Extensions

Thanks.
 
Patrick M. Hausen

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
S

Scoot_Mulner

Dabbler
Joined
Aug 20, 2013
Messages
12
Thanks for the link Patrick, lots of useful stuff in there.

From the link:
"testparm -s" will list all the Samba parameters. Then look for "fruit:metadata=netatalk" or "fruit:resource=file" for each share.
 
Borja Marcos

Borja Marcos

Contributor
Joined
Nov 24, 2014
Messages
125
As a suggestion:

Given that it's an extremely serious vulnerability (Truenas becomes vulnerable against a compromised client machine) it would be extremely helpful if unambiguous instructions to remove those options were posted quickly.

If possible, so that it can be done from the GUI.
 
anodos

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Borja Marcos said:
As a suggestion:

Given that it's an extremely serious vulnerability (Truenas becomes vulnerable against a compromised client machine) it would be extremely helpful if unambiguous instructions to remove those options were posted quickly.

If possible, so that it can be done from the GUI.
Click to expand...

This will be covered in the release notes for U8 which is will be released tomorrow. The overview in the Jira ticket is for informational / historical purposes. It is generally not a good idea to change how apple metadata is stored if it can be avoided (your users will lose things like finder color tags).
 
Last edited:
You must log in or register to reply here.

Similar threads

Johnny Fartpants
Default VFS objects disappear if you add auxiliary parameters to shares in TN13-U2
Replies
2
Views
833
Johnny Fartpants
Johnny Fartpants
R
Created date removed from all files copied to Truenas from Mac
Replies
9
Views
1K
readynas_refugee
R
S
SMB share migration from 11 to 12, differences in samba settings on old vs new shares
Replies
0
Views
1K
seanm
S
lonewaffle
Final Cut Unsupported Volume Type
Replies
2
Views
371
lonewaffle
lonewaffle
anodos
Initial / experimental support for time machine over SMB
2 3 4
Replies
67
Views
23K
zeztek
Z
Top