Security update for cifs-utils SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2021:1455-1 Final 1 1 2021-04-30T09:58:58Z current 2021-04-30T09:58:58Z 2021-04-30T09:58:58Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for cifs-utils This update for cifs-utils fixes the following security issues: - CVE-2021-20208: Fixed a potential kerberos auth leak escaping from container. (bsc#1183239) - CVE-2020-14342: Fixed a shell command injection vulnerability in mount.cifs. (bsc#1174477) This update for cifs-utils fixes the following issues: - Solve invalid directory mounting. When attempting to change the current working directory into non-existing directories, mount.cifs crashes. (bsc#1152930) - Fixed a bug where it was no longer possible to mount CIFS filesystem after the last maintenance update. (bsc#1184815) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2021-1455,SUSE-SLE-Product-HPC-15-2021-1455,SUSE-SLE-Product-SLES-15-2021-1455,SUSE-SLE-Product-SLES_SAP-15-2021-1455 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2021/suse-su-20211455-1/ Link for SUSE-SU-2021:1455-1 https://lists.suse.com/pipermail/sle-security-updates/2021-April/008716.html E-Mail link for SUSE-SU-2021:1455-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1152930 SUSE Bug 1152930 https://bugzilla.suse.com/1174477 SUSE Bug 1174477 https://bugzilla.suse.com/1183239 SUSE Bug 1183239 https://bugzilla.suse.com/1184815 SUSE Bug 1184815 https://www.suse.com/security/cve/CVE-2020-14342/ SUSE CVE CVE-2020-14342 page https://www.suse.com/security/cve/CVE-2021-20208/ SUSE CVE CVE-2021-20208 page SUSE Linux Enterprise High Performance Computing 15-ESPOS SUSE Linux Enterprise High Performance Computing 15-LTSS SUSE Linux Enterprise Server 15-LTSS SUSE Linux Enterprise Server for SAP Applications 15 cifs-utils-6.9-3.14.1 cifs-utils-devel-6.9-3.14.1 pam_cifscreds-6.9-3.14.1 cifs-utils-6.9-3.14.1 as a component of SUSE Linux Enterprise High Performance Computing 15-ESPOS cifs-utils-devel-6.9-3.14.1 as a component of SUSE Linux Enterprise High Performance Computing 15-ESPOS cifs-utils-6.9-3.14.1 as a component of SUSE Linux Enterprise High Performance Computing 15-LTSS cifs-utils-devel-6.9-3.14.1 as a component of SUSE Linux Enterprise High Performance Computing 15-LTSS cifs-utils-6.9-3.14.1 as a component of SUSE Linux Enterprise Server 15-LTSS cifs-utils-devel-6.9-3.14.1 as a component of SUSE Linux Enterprise Server 15-LTSS cifs-utils-6.9-3.14.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 cifs-utils-devel-6.9-3.14.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 It was found that cifs-utils' mount.cifs was invoking a shell when requesting the Samba password, which could be used to inject arbitrary commands. An attacker able to invoke mount.cifs with special permission, such as via sudo rules, could use this flaw to escalate their privileges. CVE-2020-14342 SUSE Linux Enterprise High Performance Computing 15-ESPOS:cifs-utils-6.9-3.14.1 SUSE Linux Enterprise High Performance Computing 15-ESPOS:cifs-utils-devel-6.9-3.14.1 SUSE Linux Enterprise High Performance Computing 15-LTSS:cifs-utils-6.9-3.14.1 SUSE Linux Enterprise High Performance Computing 15-LTSS:cifs-utils-devel-6.9-3.14.1 SUSE Linux Enterprise Server 15-LTSS:cifs-utils-6.9-3.14.1 SUSE Linux Enterprise Server 15-LTSS:cifs-utils-devel-6.9-3.14.1 SUSE Linux Enterprise Server for SAP Applications 15:cifs-utils-6.9-3.14.1 SUSE Linux Enterprise Server for SAP Applications 15:cifs-utils-devel-6.9-3.14.1 moderate 4.4 AV:L/AC:M/Au:N/C:P/I:P/A:P 4.4 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20211455-1/ https://www.suse.com/security/cve/CVE-2020-14342.html CVE-2020-14342 https://bugzilla.suse.com/1174477 SUSE Bug 1174477 A flaw was found in cifs-utils in versions before 6.13. A user when mounting a krb5 CIFS file system from within a container can use Kerberos credentials of the host. The highest threat from this vulnerability is to data confidentiality and integrity. CVE-2021-20208 SUSE Linux Enterprise High Performance Computing 15-ESPOS:cifs-utils-6.9-3.14.1 SUSE Linux Enterprise High Performance Computing 15-ESPOS:cifs-utils-devel-6.9-3.14.1 SUSE Linux Enterprise High Performance Computing 15-LTSS:cifs-utils-6.9-3.14.1 SUSE Linux Enterprise High Performance Computing 15-LTSS:cifs-utils-devel-6.9-3.14.1 SUSE Linux Enterprise Server 15-LTSS:cifs-utils-6.9-3.14.1 SUSE Linux Enterprise Server 15-LTSS:cifs-utils-devel-6.9-3.14.1 SUSE Linux Enterprise Server for SAP Applications 15:cifs-utils-6.9-3.14.1 SUSE Linux Enterprise Server for SAP Applications 15:cifs-utils-devel-6.9-3.14.1 moderate 4.9 AV:N/AC:M/Au:S/C:P/I:P/A:N 6.1 CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20211455-1/ https://www.suse.com/security/cve/CVE-2021-20208.html CVE-2021-20208 https://bugzilla.suse.com/1183239 SUSE Bug 1183239