Improper Privilege Management in cifs-utils - CVE-2021-20208
Published: June 2, 2022
Vulnerability identifier: #VU63954
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2021-20208
CWE-ID: CWE-269
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vendor: Distrotech
Affected software:
cifs-utils
cifs-utils
Detailed vulnerability description
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to improper privilege management in cifs-utils. A local user when mounting a krb5 CIFS file system from within a container can use Kerberos credentials of the host.
How to mitigate CVE-2021-20208
Install updates from vendor's website.
Sources
- https://bugzilla.samba.org/show_bug.cgi?id=14651
- https://bugzilla.redhat.com/show_bug.cgi?id=1921116
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z4BZSJXROEFHYATAAHHRR6P3HUSMPQB3/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2W4HSDIWXXNQBUW5ZS37RQMLJ7THK5AS/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/66WJ3SVBHCSNQZAWSGLB6FBOCFU45FFG/