OS Command Injection in cifs-utils - CVE-2020-14342
Published: September 9, 2020 / Updated: June 2, 2022
Vulnerability identifier: #VU46731
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2020-14342
CWE-ID: CWE-78
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vendor: Distrotech
Affected software:
cifs-utils
cifs-utils
Detailed vulnerability description
The vulnerability allows a local authenticated user to execute arbitrary code.
It was found that cifs-utils' mount.cifs was invoking a shell when requesting the Samba password, which could be used to inject arbitrary commands. An attacker able to invoke mount.cifs with special permission, such as via sudo rules, could use this flaw to escalate their privileges.
How to mitigate CVE-2020-14342
Install update from vendor's website.