tenable:157360 · CWE-787 · Disclosed 2022-01-31

Samba 4

ASSESSED — NOISGATE V0.5
01 · The Real Story

This is less a front-door master key than a bad lock hidden in the Apple-files corner of the building

Plugin tenable:157360 bundles three Samba issues behind one version check: CVE-2021-44142 (root RCE in vfs_fruit), CVE-2021-44141 (SMB1 symlink existence leak), and CVE-2022-0336 (Samba AD DC SPN alias bypass). The affected upstream ranges are broadly all releases before 4.13.17, 4.14.x before 4.14.12, and 4.15.x before 4.15.5, but the dangerous path is not universal: CVE-2021-44142 only bites when vfs_fruit is enabled with the vulnerable default settings and the attacker can write file metadata; CVE-2022-0336 matters only on a Samba AD DC; CVE-2021-44141 needs SMB1 plus Unix extensions.

Tenable's HIGH label is defensible as a worst-case umbrella, but it's too generous for fleet-wide prioritization because the plugin is version-only and ignores the configuration gates that decide exploitability. In real enterprise estates this usually lands as a post-initial-access or niche-appliance problem, not a broad unauthenticated internet worm scenario, so I would downgrade it to MEDIUM unless you confirm writable fruit shares on NAS/Time Machine infrastructure or Samba AD DC exposure.

"Scary on paper, but real exploitation usually needs a writable share plus the non-default fruit module or AD DC role."
02 · The Attack Path

4 steps from start to impact.

STEP 01

Find a writable Samba share

An attacker starts with smbclient, Impacket smbclient.py, or CrackMapExec to enumerate shares and identify a path where file creation or attribute writes are allowed. For CVE-2021-44142, plain network reachability is not enough; the attacker needs write access to a share or guest write on a misconfigured NAS/Time Machine export.
Conditions required:
  • Network reachability to SMB service
  • At least one writable share
  • Credentials, or guest access if the share allows it
Where this breaks in practice:
  • Most enterprise Samba shares are internal-only, not internet-facing
  • Guest-write shares are uncommon in managed environments
  • MFA-equivalent controls don't exist for SMB, but AD auth and ACLs still narrow reach
Detection/coverage: Nessus/Qualys/Tenable remote checks usually stop at version detection; they do not prove writable-share access.
STEP 02

Hit the vfs_fruit code path

The weaponized path uses the Apple interoperability module vfs_fruit, typically via :AFP_AfpInfo / AppleDouble metadata handling described by ZDI and JFrog. If fruit is absent, or if its storage settings deviate from the vulnerable defaults, the RCE path collapses.
Conditions required:
  • vfs objects includes fruit
  • fruit:metadata=netatalk or fruit:resource=file effective settings
  • Target is a file server or NAS serving Apple-compatible shares
Where this breaks in practice:
  • vfs_fruit is not default on many vanilla Linux Samba installs
  • Exposure is concentrated in NAS appliances and macOS-focused shares
  • Remote scanners generally cannot confirm fruit without functional testing or config access
Detection/coverage: Config review with testparm -s or direct smb.conf inspection is the reliable way to confirm this prerequisite.
STEP 03

Trigger malformed Apple metadata parsing

Using the Pwn2Own/ZDI research path, the attacker writes crafted Netatalk metadata and then reopens or manipulates the stream so smbd parses attacker-controlled AppleDouble structures. The bug chain yields out-of-bounds read/write and can be turned into code execution as the smbd process, which is typically root on Linux/NAS platforms.
Conditions required:
  • Ability to create or modify the target file/metadata
  • Target running vulnerable upstream or unbackported distro build
  • Process handling occurs in smbd
Where this breaks in practice:
  • A public internet spray-and-pray exploit ecosystem never materialized the way it did for top KEV bugs
  • Stable exploitation is more realistic on known appliance builds than across heterogeneous enterprise Linux fleets
Detection/coverage: Version scanners catch candidate hosts; EDR on Linux/NAS may catch post-exploit child process activity, but not the protocol-level corruption attempt itself.
STEP 04

Alternate path: abuse Samba AD DC SPN handling

If the host is a Samba AD DC, CVE-2022-0336 lets a user who can write an account's servicePrincipalName create an aliasing condition that can deny service or, with traffic interception, impersonate an existing service. This is real impact, but it is firmly an authenticated internal attack path with directory-specific permissions as a prerequisite.
Conditions required:
  • Host runs Samba as AD DC
  • Attacker has authenticated directory access
  • Attacker can modify a target account's servicePrincipalName
  • For impersonation, attacker can intercept traffic
Where this breaks in practice:
  • Requires prior identity foothold and specific delegated rights
  • Most fleets have few Samba AD DCs compared with generic file servers
  • Traffic interception is another compounding prerequisite
Detection/coverage: AD auditing can flag SPN changes; generic network version scans cannot determine whether the server is an AD DC or whether delegated rights exist.
03 · Intelligence Metadata

The supporting signals.

Primary risk in this bundle: CVE-2021-44142 is the only part that can plausibly become root RCE; CVE-2021-44141 is a low-grade existence leak and CVE-2022-0336 is AD-DC-specific authenticated abuse.
In-the-wild status: CISA published an alert on 2022-02-01, but I found no KEV listing for these CVEs in the reviewed CISA catalog pages; Samba's CVE-2021-44141 advisory also says exploitation had not been seen in the wild at disclosure.
Proof-of-concept / exploit status: Exploitability is proven by Pwn2Own Austin 2021 and ZDI research for CVE-2021-44142; Tenable marks exploit availability as true. Public analysis exists from ZDI and JFrog, but this did not turn into a ubiquitous commodity exploit wave.
EPSS: For CVE-2021-44142, CIRCL/Vulnerability-Lookup shows EPSS about 0.35695 with percentile about 97.155% in the reviewed record, meaning the market still treats it as more likely to be exploited than most CVEs.
KEV status: CVE-2021-44142: not observed in reviewed CISA KEV catalog pages; no KEV date added identified. Same for CVE-2022-0336 in reviewed sources.
CVSS baseline: Tenable anchors the plugin to CVE-2022-0336 at 8.8 / HIGH (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), while Samba scores CVE-2021-44142 at 9.9 because the technical impact is full RCE.
Affected versions: Upstream Samba before 4.13.17, 4.14.12, and 4.15.5 is the plugin's broad match. The dangerous fruit path only matters where vfs_fruit is enabled; the AD path only matters on Samba AD DC.
Fixed versions / backports: Upstream fixes are 4.13.17 / 4.14.12 / 4.15.5. Distro backports matter: Ubuntu lists fixes such as 20.04 LTS 2:4.13.17~dfsg-0ubuntu0.21.04.1, 18.04 LTS 2:4.7.6+dfsg~ubuntu-0ubuntu2.28, and 16.04 ESM 2:4.3.11+dfsg-0ubuntu0.16.04.34+esm1 for CVE-2021-44142.
Exposure / scanning reality: Internet-wide services on TCP/445 are always ugly, but remote scanners generally cannot tell whether a host actually runs vfs_fruit, whether the share is writable, or whether the package is distro-backported. Expect false-positive prioritization if you trust version banners alone.
Disclosure / researchers: Samba released the security advisories on 2022-01-31. CVE-2021-44142 credits Orange Tsai (DEVCORE) plus Nguyen Hoang Thach and Billy Jheng Bing-Jhong (STAR Labs) with additional ZDI involvement; CVE-2022-0336 was reported by Kees van Vloten.
04 · The Call

noisgate verdict.

Final Verdict
DOWNGRADED to MEDIUM (6.7/10)

The decisive downward pressure is that the scary RCE in this plugin is not a generic Samba bug; it needs a writable share and the vfs_fruit module, which sharply narrows the exposed population. The other bundled issues add little fleet-wide urgency because one is a low-grade SMB1 info leak and the AD-DC bug requires authenticated, delegated directory access plus a traffic-interception angle for the worst impact.

HIGH: Technical understanding of the exploit prerequisites
MEDIUM: Estimated prevalence of vulnerable vfs_fruit deployments in a large mixed enterprise

Why this verdict

  • Down from vendor HIGH: the root-RCE path (CVE-2021-44142) is gated by vfs_fruit, which is common on some NAS/Time Machine setups but not default across generic Linux Samba installs.
  • Another step down: the attacker still needs write access to a share or metadata path, which implies internal position, valid credentials, or an unusually weak guest-write configuration.
  • More downward pressure: CVE-2022-0336 is Samba AD DC only and requires the ability to write an account's servicePrincipalName; that is post-auth and permission-dependent, not broad pre-auth reach.
  • Detection quality matters: Tenable plugin 157360 is a version-only remote check, so distro backports and non-exploitable configs inflate patch queues unless you verify locally.
  • Not IGNORE: if the host is a NAS or file server with fruit and writable shares, compromise lands in smbd context, typically root, which is plenty of blast radius for data theft and lateral movement.

Why not higher?

I am not putting this in HIGH or CRITICAL for fleet scheduling because the exploit chain is not broadly reachable on default Samba installs. No reviewed source showed KEV status or active widespread exploitation, and both the fruit requirement and the write-access requirement substantially narrow who can hit the RCE path in real enterprise deployments.

Why not lower?

I am not dropping this to LOW because the upside for an attacker on a truly exposed host is excellent: remote code execution as root on a file server or NAS that often holds shared data and credentials. If you confirm vfs_fruit on writable shares, this stops being a paperwork CVE and becomes a real lateral-movement accelerator.

05 · Compensating Control

What to do — in priority order.

  1. Inventory fruit immediately — On every Samba/NAS host, confirm whether vfs objects includes fruit and whether the host is serving macOS/Time Machine shares. For a MEDIUM verdict there is no mitigation SLA, but do this in the next normal ops cycle so you can separate real exposure from version-only noise before spending patch windows.
  2. Remove fruit where not needed — If Apple compatibility is not a business requirement, remove fruit from smb.conf and reload Samba. This is the cleanest exposure reducer for CVE-2021-44142; apply it ahead of the patch if change control is faster than package deployment.
  3. Kill guest-write shares — Review shares for combinations like writable plus guest access, especially on NAS appliances and collaboration drops. That closes the easiest path to the RCE chain and should be folded into your next routine config hardening pass.
  4. Disable SMB1 and Unix extensions — This specifically neutralizes the CVE-2021-44141 symlink existence leak. If you still have SMB1 enabled for legacy reasons, treat that as a separate hygiene problem and remove it during the normal remediation window.
  5. Audit delegated SPN write rights — On Samba AD DC systems, review who can modify servicePrincipalName attributes and reduce that permission to the minimum set of join/admin workflows. This contains the CVE-2022-0336 path without waiting on patch validation.
What doesn't work
  • A perimeter WAF does nothing here; this is SMB traffic, not HTTP.
  • Blocking only internet exposure is insufficient if your threat model includes post-initial-access movement inside the LAN; most Samba abuse happens internally.
  • Banner-based vulnerability exceptions are not enough by themselves; distro backports can make the version string look old, but config can also make an old version non-exploitable for this specific bundle.
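To make the inventory behind items 1 to 4 above mechanical (which shares are writable, which are guest-accessible, where vfs_fruit is actually in effect, and what [global] says about SMB1 and unix extensions), here is an added per-share audit script. It is an example written for this page, not the noisgate verification payload and not Samba project code. It reads either raw smb.conf text or the output of testparm -s, applies Samba's defaults where a key is absent (read only = yes, guest ok = no) and honours a share-level vfs objects override of the [global] list, as smbd does. The two configurations it runs against are constructed for the example: a weak one with fruit loaded globally, SMB1 allowed and a guest-writable Time Machine share, and its hardened counterpart.

```shell
#!/usr/bin/env bash
# Per-share exposure audit for the compensating controls above (added example,
# not the page's verification script). Input is smb.conf text or "testparm -s" output.
set -u

# Constructed weak configuration: fruit loaded globally, SMB1 allowed,
# and a Time Machine share that is both writable and guest-accessible.
WEAK_CONF=$(cat <<'EOF'
[global]
    server role = standalone server
    server min protocol = NT1
    vfs objects = fruit streams_xattr

[timemachine]
    path = /srv/tm
    read only = No
    guest ok = Yes
    fruit:time machine = yes

[public]
    path = /srv/public
    guest ok = Yes

[projects]
    path = /srv/projects
    read only = No
    valid users = @staff
EOF
)

# Constructed hardened configuration: fruit removed from [global] and kept only on a
# read-only archive share, SMB1 and unix extensions off, guest write removed.
HARDENED_CONF=$(cat <<'EOF'
[global]
    server role = standalone server
    server min protocol = SMB2_02
    unix extensions = no
    vfs objects = streams_xattr

[timemachine]
    path = /srv/tm
    read only = No
    valid users = @macusers

[macarchive]
    path = /srv/macarchive
    vfs objects = fruit streams_xattr

[projects]
    path = /srv/projects
    read only = No
    valid users = @staff
EOF
)

# Print one line per share: "<share> writable=<0|1> guest=<0|1> fruit=<0|1>".
# Samba defaults apply when a key is absent: read only = yes, guest ok = no.
# A share-level "vfs objects" replaces the [global] list, as in smbd.
audit_shares() {
  printf '%s\n' "$1" | awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    function emit() {
      if (sec == "" || sec == "global") return
      f = vfs_set ? vfs : gvfs
      fruit = (f ~ /(^|[ \t])fruit([ \t]|$)/) ? 1 : 0
      printf "%s writable=%d guest=%d fruit=%d\n", sec, writable, guest, fruit
    }
    BEGIN { sec = ""; gvfs = "" }
    /^[ \t]*\[/ {
      emit()
      sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec); sec = tolower(sec)
      writable = 0; guest = 0; vfs = ""; vfs_set = 0
      next
    }
    /^[ \t]*[;#]/ { next }
    /=/ {
      k = tolower(trim(substr($0, 1, index($0, "=") - 1)))
      v = tolower(trim(substr($0, index($0, "=") + 1)))
      if (sec == "global") { if (k == "vfs objects") gvfs = v; next }
      if (k == "read only") writable = (v ~ /^(no|false|0)$/) ? 1 : 0
      else if (k == "writable" || k == "writeable" || k == "write ok") writable = (v ~ /^(yes|true|1)$/) ? 1 : 0
      else if (k == "guest ok" || k == "public") guest = (v ~ /^(yes|true|1)$/) ? 1 : 0
      else if (k == "vfs objects") { vfs = v; vfs_set = 1 }
    }
    END { emit() }'
}

# Shares writable without credentials: the cheapest entry to the CVE-2021-44142 chain.
count_guest_writable() { audit_shares "$1" | grep -c 'writable=1 guest=1' || true; }

# Writable shares with vfs_fruit in effect: the population the root-RCE path can reach.
count_fruit_writable() { audit_shares "$1" | grep -c 'writable=1 guest=[01] fruit=1' || true; }

# Lowercased value of a [global] key, empty if unset (SMB1 / unix extensions checks).
global_setting() {
  printf '%s\n' "$1" | awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[ \t]*\[/ { insec = (tolower($0) ~ /^[ \t]*\[global\]/); next }
    insec && /=/ {
      k = tolower(substr($0, 1, index($0, "=") - 1)); gsub(/^[ \t]+|[ \t]+$/, "", k)
      if (k == key) { v = tolower(substr($0, index($0, "=") + 1)); gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit }
    }'
}

report() {
  echo "== $1 =="
  audit_shares "$2"
  echo "guest-writable shares: $(count_guest_writable "$2")"
  echo "writable shares with fruit: $(count_fruit_writable "$2")"
  echo "server min protocol: $(global_setting "$2" 'server min protocol')"
  echo "unix extensions: $(global_setting "$2" 'unix extensions')"
}
report weak "$WEAK_CONF"
report hardened "$HARDENED_CONF"
```

On a real host, feed it the effective configuration rather than the file, so includes and registry settings are resolved: audit_shares "$(testparm -s 2>/dev/null)". Because testparm -s prints only non-default values, an absent server min protocol line means the build's default applies, which is NT1 on Samba before 4.11 and SMB2_02 from 4.11 on; read that result against the host's version.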
06 · Verification

Crowdsourced verification payload.

Run this on the target Samba host from a local shell, not from an auditor workstation. Invoke with sudo bash samba_157360_check.sh /etc/samba/smb.conf; root is recommended so testparm can read the active config and includes. The script returns exit 1 for VULNERABLE, 0 for PATCHED, and 2 for UNKNOWN.

#!/usr/bin/env bash
# samba_157360_check.sh
# Check exposure relevant to Tenable plugin 157360:
# - CVE-2021-44142 (vfs_fruit RCE)
# - CVE-2021-44141 (SMB1 + unix extensions info leak)
# - CVE-2022-0336 (Samba AD DC SPN alias bypass)
# Output: VULNERABLE / PATCHED / UNKNOWN
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

set -u

CFG="${1:-/etc/samba/smb.conf}"

have_cmd() { command -v "$1" >/dev/null 2>&1; }

ver_ge() {
  # returns 0 if $1 >= $2
  [ "$(printf '%s\n%s\n' "$2" "$1" | sort -V | head -n1)" = "$2" ]
}

ver_lt() {
  # returns 0 if $1 < $2
  [ "$1" != "$2" ] && ! ver_ge "$1" "$2"
}

extract_ver() {
  local raw="$1"
  echo "$raw" | grep -Eo '[0-9]+(\.[0-9]+){1,3}' | head -n1
}

get_samba_ver() {
  local v=""
  if have_cmd smbd; then
    v=$(smbd -V 2>/dev/null || true)
    extract_ver "$v"
    return
  fi
  if have_cmd samba; then
    v=$(samba -V 2>/dev/null || true)
    extract_ver "$v"
    return
  fi
  echo ""
}

get_testparm_dump() {
  if have_cmd testparm; then
    testparm -s "$CFG" 2>/dev/null || true
  else
    cat "$CFG" 2>/dev/null || true
  fi
}

VER=$(get_samba_ver)
if [ -z "$VER" ]; then
  echo "UNKNOWN - could not determine Samba version (missing smbd/samba)"
  exit 2
fi

DUMP=$(get_testparm_dump)
if [ -z "$DUMP" ]; then
  echo "UNKNOWN - could not read Samba configuration from $CFG"
  exit 2
fi

# Version gate for upstream vulnerable ranges covered by plugin 157360.
VULN_VERSION=1
if ver_ge "$VER" "4.15.5"; then
  VULN_VERSION=0
elif ver_ge "$VER" "4.14.12" && ver_lt "$VER" "4.15.0"; then
  VULN_VERSION=0
elif ver_ge "$VER" "4.13.17" && ver_lt "$VER" "4.14.0"; then
  VULN_VERSION=0
fi

if [ "$VULN_VERSION" -eq 0 ]; then
  echo "PATCHED - Samba version $VER is at or above fixed upstream thresholds"
  exit 0
fi

# Configuration checks.
# Match "fruit" as a whole word in any "vfs objects" list (global or per-share).
# Written without \b so it also works with busybox grep on NAS appliances.
FRUIT=0
if echo "$DUMP" | grep -Eiq '^[[:space:]]*vfs objects[[:space:]]*=(.*[[:space:]])?fruit([[:space:]]|$)'; then
  FRUIT=1
fi

SERVER_ROLE="$(echo "$DUMP" | awk -F= '/^[[:space:]]*server role[[:space:]]*=/{gsub(/^[ \t]+|[ \t]+$/, "", $2); print tolower($2); exit}')"
ADDC=0
if echo "$SERVER_ROLE" | grep -q 'active directory domain controller'; then
  ADDC=1
fi

# SMB1/unix extensions path for CVE-2021-44141.
# testparm -s prints only non-default values. Samba before 4.11 defaulted
# "server min protocol" to NT1, so an absent setting on those builds still means SMB1.
SMB1=0
if echo "$DUMP" | grep -Eiq '^[[:space:]]*server min protocol[[:space:]]*=[[:space:]]*(NT1|LANMAN[12]|CORE|COREPLUS)'; then
  SMB1=1
elif ! echo "$DUMP" | grep -Eiq '^[[:space:]]*server min protocol[[:space:]]*=' && ver_lt "$VER" "4.11.0"; then
  SMB1=1
fi
UNIXEXT=1
if echo "$DUMP" | grep -Eiq '^[[:space:]]*unix extensions[[:space:]]*=[[:space:]]*(no|false|0)'; then
  UNIXEXT=0
fi

# Share writability heuristic. testparm prints "read only = No" for writable shares;
# raw smb.conf may use the "writable", "writeable" or "write ok" synonyms instead.
WRITABLE=0
if echo "$DUMP" | grep -Eiq '^[[:space:]]*read only[[:space:]]*=[[:space:]]*(no|false|0)'; then WRITABLE=1; fi
if echo "$DUMP" | grep -Eiq '^[[:space:]]*(write ok|writable|writeable)[[:space:]]*=[[:space:]]*(yes|true|1)'; then WRITABLE=1; fi

GUESTWRITE=0
if [ "$WRITABLE" -eq 1 ] && echo "$DUMP" | grep -Eiq '^[[:space:]]*guest ok[[:space:]]*=.*yes'; then
  GUESTWRITE=1
fi

# Decision logic.
if [ "$FRUIT" -eq 1 ] && [ "$WRITABLE" -eq 1 ]; then
  NOTE=""
  if [ "$GUESTWRITE" -eq 1 ]; then NOTE=" (a guest-accessible writable share is also present)"; fi
  echo "VULNERABLE - version $VER with vfs_fruit enabled and at least one writable share$NOTE"
  exit 1
fi

if [ "$ADDC" -eq 1 ]; then
  echo "VULNERABLE - version $VER and host appears to be a Samba AD DC (CVE-2022-0336 path applies)"
  exit 1
fi

if [ "$SMB1" -eq 1 ] && [ "$UNIXEXT" -eq 1 ]; then
  echo "VULNERABLE - version $VER with SMB1/NT1 and unix extensions enabled (CVE-2021-44141 path applies)"
  exit 1
fi

# If only version is old but none of the exploit-driving configs are seen, avoid false certainty.
echo "UNKNOWN - vulnerable version $VER detected, but no high-confidence exploitable config found; check distro backports, included configs, and appliance vendor patches"
exit 2
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning, split this finding into real exposure and version-only noise. First, validate which hosts actually run Samba with vfs_fruit, which are Samba AD DCs, and which are just distro-backported packages tripping a banner check. If you confirm writable fruit shares or Samba AD DC exposure, apply the config mitigations immediately in your normal emergency-change process; for the overall MEDIUM verdict there is no noisgate mitigation SLA, so go straight to the 365-day remediation window for the remaining population. Finish vendor patching or vendor-supported appliance updates within 365 days under the noisgate remediation SLA, and close false positives by documenting backports instead of burning cycles on already-fixed packages.

Sources

  1. Tenable Nessus Plugin 157360
  2. Samba advisory for CVE-2021-44142
  3. Samba advisory for CVE-2021-44141
  4. Samba advisory for CVE-2022-0336
  5. ZDI analysis of CVE-2021-44142
  6. JFrog technical analysis of CVE-2021-44142
  7. CISA alert on Samba security updates
  8. Ubuntu CVE page showing backported fixes