CVE-2021-20316

Published: 31 December 2021

Symlink race error can allow metadata read and modify outside of the exported share.

Mitigation

This issue can be mitigated by disabling SMB1, which is the default
configuration in Samba 4.11 and above. In environments where SMB1 cannot
be disabled, symlink support can be disabled with unix extensions = no.

Status

Notes

per upstream, fixing this required a whole rewrite of the VFS
layer and there is no reasonable way to fix this in older
versions. Marking this CVE as ignored for older releases.

References

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20316
• https://www.samba.org/samba/security/CVE-2021-20316.html
• NVD
• Launchpad
• Debian

Bugs

• https://bugzilla.samba.org/show_bug.cgi?id=14842