Main Vulnerability Database Vulnerabilities #VU46731

OS Command Injection in cifs-utils - CVE-2020-14342

Published: September 9, 2020 / Updated: June 2, 2022

Vulnerability identifier: #VU46731

CSH Severity: Low

CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2020-14342

CWE-ID: CWE-78

Exploitation vector: Local access

Exploit availability: No public exploit available

Vulnerable software:
cifs-utils

Software vendor:
Distrotech

Description

The vulnerability allows a local authenticated user to execute arbitrary code.

It was found that cifs-utils' mount.cifs was invoking a shell when requesting the Samba password, which could be used to inject arbitrary commands. An attacker able to invoke mount.cifs with special permission, such as via sudo rules, could use this flaw to escalate their privileges.

Remediation

Install update from vendor's website.

External links

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-14342
https://lists.samba.org/archive/samba-technical/2020-September/135747.html

OS Command Injection in cifs-utils - CVE-2020-14342

Description

Remediation

External links

Please verify you're human