Vulnerability Name:

CVE-2021-20208 (CCN-200445)

Assigned:2020-12-17
Published:2021-04-19
Updated:2022-10-21
Summary:A flaw was found in cifs-utils in versions before 6.13. A user when mounting a krb5 CIFS file system from within a container can use Kerberos credentials of the host. The highest threat from this vulnerability is to data confidentiality and integrity.
CVSS v3 Severity:6.1 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N)
5.3 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Local
Attack Complexity (AC): High
Privileges Required (PR): Low
User Interaction (UI): Required
Scope:Scope (S): Changed
Impact Metrics:Confidentiality (C): Low
Integrity (I): High
Availibility (A): None
6.1 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N)
5.3 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Local
Attack Complexity (AC): High
Privileges Required (PR): Low
User Interaction (UI): Required
Scope:Scope (S): Changed
Impact Metrics:Confidentiality (C): Low
Integrity (I): High
Availibility (A): None
CVSS v2 Severity:4.9 Medium (CVSS v2 Vector: AV:N/AC:M/Au:S/C:P/I:P/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): None
4.5 Medium (CCN CVSS v2 Vector: AV:L/AC:H/Au:S/C:P/I:C/A:N)
Exploitability Metrics:Access Vector (AV): Local
Access Complexity (AC): High
Athentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Complete
Availibility (A): None
Vulnerability Type:CWE-269
CWE-266
Vulnerability Consequences:Obtain Information
References:Source: MITRE
Type: CNA
CVE-2021-20208

Source: CCN
Type: Red Hat Bugzilla - Bug 1921116
(CVE-2021-20208) - CVE-2021-20208 cifs-utils: Container can use kerberos cache from the host via mount.cifs/cifs.upcall

Source: MISC
Type: Issue Tracking, Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1921116

Source: MISC
Type: Issue Tracking, Patch, Vendor Advisory
https://bugzilla.samba.org/show_bug.cgi?id=14651

Source: XF
Type: UNKNOWN
samba-cve202120208-info-disc(200445)

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2021-c87ed13391

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2021-b1bb3d3b20

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2021-d54e02d1b2

Source: CCN
Type: Samba Web site
[ANNOUNCE] cifs-utils release 6.13 ready for download

Vulnerable Configuration:Configuration 1:
  • cpe:/a:samba:cifs-utils:*:*:*:*:*:*:*:* (Version >= 4.0 and < 6.13)

    • Configuration 2:
  • cpe:/o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*

    • Configuration 3:
  • cpe:/o:fedoraproject:fedora:33:*:*:*:*:*:*:*
  • OR cpe:/o:fedoraproject:fedora:34:*:*:*:*:*:*:*
  • OR cpe:/o:fedoraproject:fedora:35:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.opensuse.security:def:7462
    P
    		cifs-utils-6.15-150400.3.9.1 on GA media (Moderate)
    2023-06-12
    oval:org.opensuse.security:def:3377
    P
    		sysstat-12.0.2-10.24.1 on GA media (Moderate)
    2022-06-28
    oval:org.opensuse.security:def:2888
    P
    		cifs-utils-6.14-150400.1.6 on GA media (Moderate)
    2022-06-22
    oval:org.opensuse.security:def:94489
    P
    		amavisd-new-2.12.1-150400.1.4 on GA media (Moderate)
    2022-06-22
    oval:org.opensuse.security:def:94518
    P
    		cifs-utils-6.14-150400.1.6 on GA media (Moderate)
    2022-06-22
    oval:org.opensuse.security:def:95193
    P
    		grilo-lang-0.3.14-150400.1.11 on GA media (Moderate)
    2022-06-22
    oval:org.opensuse.security:def:26
    P
    		cifs-utils-6.9-5.12.1 on GA media (Moderate)
    2022-06-13
    oval:org.opensuse.security:def:955
    P
    		Security update for webkit2gtk3 (Important)
    2022-03-04
    oval:org.opensuse.security:def:112075
    P
    		cifs-utils-6.13-1.3 on GA media (Moderate)
    2022-01-17
    oval:org.opensuse.security:def:105618
    P
    		cifs-utils-6.13-1.3 on GA media (Moderate)
    2021-10-01
    oval:org.opensuse.security:def:62044
    P
    		cifs-utils-6.9-5.12.1 on GA media (Moderate)
    2021-08-09
    oval:org.opensuse.security:def:101202
    P
    		libmad-devel-0.15.1b-3.16 on GA media (Moderate)
    2021-08-09
    oval:org.opensuse.security:def:71785
    P
    		cifs-utils-6.9-5.12.1 on GA media (Moderate)
    2021-08-09
    oval:org.opensuse.security:def:100802
    P
    		cifs-utils-6.9-5.12.1 on GA media (Moderate)
    2021-08-09
    oval:org.opensuse.security:def:101906
    P
    		Security update for the Linux Kernel (Live Patch 1 for SLE 15 SP3) (Important)
    2021-07-27
    oval:org.opensuse.security:def:9315
    P
    		Security update for cifs-utils (Important)
    2021-04-30
    oval:org.opensuse.security:def:70209
    P
    		Security update for cifs-utils (Important)
    2021-04-30
    oval:org.opensuse.security:def:10069
    P
    		Security update for cifs-utils (Important)
    2021-04-30
    oval:org.opensuse.security:def:96916
    P
    		Security update for cifs-utils (Important)
    2021-04-30
    oval:org.opensuse.security:def:8570
    P
    		Security update for cifs-utils (Important)
    2021-04-30
    oval:org.opensuse.security:def:69455
    P
    		Security update for cifs-utils (Important)
    2021-04-30
    oval:org.opensuse.security:def:111356
    P
    		Security update for cifs-utils (Important)
    2021-04-30
    oval:org.opensuse.security:def:26026
    P
    		Security update for cifs-utils (Moderate)
    2021-04-13
    oval:org.opensuse.security:def:117383
    P
    		Security update for cifs-utils (Moderate)
    2021-04-13
    oval:org.opensuse.security:def:96837
    P
    		Security update for cifs-utils (Moderate)
    2021-04-13
    oval:org.opensuse.security:def:100267
    P
    		 (Moderate)
    2021-04-13
    oval:org.opensuse.security:def:75802
    P
    		Security update for cifs-utils (Moderate)
    2021-04-13
    oval:org.opensuse.security:def:64466
    P
    		Security update for cifs-utils (Moderate)
    2021-04-13
    oval:org.opensuse.security:def:32895
    P
    		Security update for cifs-utils (Moderate)
    2021-04-13
    oval:org.opensuse.security:def:100597
    P
    		 (Moderate)
    2021-04-13
    oval:org.opensuse.security:def:58718
    P
    		Security update for cifs-utils (Moderate)
    2021-04-13
    oval:org.opensuse.security:def:5645
    P
    		Security update for cifs-utils (Moderate)
    2021-04-13
    oval:org.opensuse.security:def:107868
    P
    		Security update for cifs-utils (Moderate)
    2021-04-13
    oval:org.opensuse.security:def:66734
    P
    		Security update for cifs-utils (Moderate)
    2021-04-13
    oval:org.opensuse.security:def:34403
    P
    		Security update for cifs-utils (Moderate)
    2021-04-13
    oval:org.opensuse.security:def:60226
    P
    		Security update for cifs-utils (Moderate)
    2021-04-13
    oval:org.opensuse.security:def:108572
    P
    		Security update for cifs-utils (Moderate)
    2021-04-13
    oval:org.opensuse.security:def:5013
    P
    		Security update for cifs-utils (Moderate)
    2021-04-13
    oval:org.opensuse.security:def:99932
    P
    		 (Moderate)
    2021-04-13
    oval:org.opensuse.security:def:73588
    P
    		Security update for cifs-utils (Moderate)
    2021-04-13
    oval:org.opensuse.security:def:87359
    P
    		Security update for cifs-utils (Moderate)
    2021-04-13
    BACK
    samba cifs-utils *
    redhat enterprise linux 7.0
    redhat enterprise linux 8.0
    fedoraproject fedora 33
    fedoraproject fedora 34
    fedoraproject fedora 35