user/cifs-utils: CVE-2020-14342: mount.cifs shell injection
| Bugzilla ID | 361 |
| Alias(es) | CVE-2020-14342 |
| Reporter | Max Rees (sroracle) |
| Assignee | Max Rees (sroracle) |
| Reported | 2020-10-26 01:09:41 -0500 |
| Modified | 2020-10-30 22:34:53 -0500 |
| Status | RESOLVED FIXED |
| Version | 1.0-RC1 |
| Hardware | Adélie Linux / All |
| Importance | --- / normal |
| Package(s) | user/cifs-utils |
| URL | https://nvd.nist.gov/vuln/detail/CVE-2020-14342 |
Description
It was found that cifs-utils' mount.cifs was invoking a shell when
requesting the Samba password, which could be used to inject arbitrary
commands. An attacker able to invoke mount.cifs with special
permission, such as via sudo rules, could use this flaw to escalate
their privileges.
Fixed in >= 6.11 https://lists.samba.org/archive/samba-technical/2020-September/135747.html