Vulnerability Name:

CVE-2021-31800 (CCN-201296)

Assigned: 2020-11-06
Published: 2020-11-06
Updated: 2021-05-26
Summary: Multiple path traversal vulnerabilities exist in smbserver.py in Impacket through 0.9.22. An attacker that connects to a running smbserver instance can list and write to arbitrary files via ../ directory traversal. This could potentially be abused to achieve arbitrary code execution by replacing /etc/shadow or an SSH authorized key.
CVSS v3 Severity: 9.8 Critical (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
8.5 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): High
Integrity (I): High
Availability (A): High
7.5 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
6.5 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): High
Availability (A): None
CVSS v2 Severity: 7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial
7.8 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:C/A:N)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): Complete
Availability (A): None
Vulnerability Type: CWE-22
Vulnerability Consequences: Obtain Information
References:
Source: MITRE
Type: CNA
CVE-2021-31800

Source: XF
Type: UNKNOWN
impacket-cve202131800-dir-traversal(201296)

Source: CCN
Type: Impacket GIT Repository
Impacket

Source: MISC
Type: Third Party Advisory
https://github.com/SecureAuthCorp/impacket/blob/cb6d43a677c338db930bc4e9161620832c1ec624/impacket/smbserver.py#L2008

Source: MISC
Type: Third Party Advisory
https://github.com/SecureAuthCorp/impacket/blob/cb6d43a677c338db930bc4e9161620832c1ec624/impacket/smbserver.py#L2958

Source: MISC
Type: Third Party Advisory
https://github.com/SecureAuthCorp/impacket/blob/cb6d43a677c338db930bc4e9161620832c1ec624/impacket/smbserver.py#L3485

Source: MISC
Type: Third Party Advisory
https://github.com/SecureAuthCorp/impacket/blob/cb6d43a677c338db930bc4e9161620832c1ec624/impacket/smbserver.py#L876

Source: MISC
Type: Patch, Third Party Advisory
https://github.com/SecureAuthCorp/impacket/commit/49c643bf66620646884ed141c94e5fdd85bcdd2f

Source: MISC
Type: Release Notes, Third Party Advisory
https://github.com/SecureAuthCorp/impacket/releases

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2021-888ccfd5b6

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2021-ab09c9a7a1

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2021-52dfb60726

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:secureauth:impacket:*:*:*:*:*:*:*:* (Version <= 0.9.22)

Configuration 2:
  • cpe:/o:fedoraproject:fedora:32:*:*:*:*:*:*:*
  • OR cpe:/o:fedoraproject:fedora:33:*:*:*:*:*:*:*
  • OR cpe:/o:fedoraproject:fedora:34:*:*:*:*:*:*:*

* Denotes that component is vulnerable

Oval Definitions:
Definition ID | Class | Title | Last Modified
oval:org.opensuse.security:def:113268 | P | python36-impacket-0.9.23-1.2 on GA media (Moderate) | 2022-01-17
oval:org.opensuse.security:def:106680 | P | python36-impacket-0.9.23-1.2 on GA media (Moderate) | 2021-10-01
    secureauth impacket *
    fedoraproject fedora 32
    fedoraproject fedora 33
    fedoraproject fedora 34