The flaw is an out-of-bounds heap read/write vulnerability in a VFS module. An out-of-bounds write occurs when data is written to memory before or after the intended area (the buffer), typically because the code copies more data than the buffer was sized for, or trusts a length or offset supplied by an untrusted party instead of checking it against the destination. In other words, an attacker deliberately forces a write outside the memory the program meant to use, something that never happens in normal operation. Because the bytes that get clobbered can be neighbouring heap objects or heap metadata, an out-of-bounds write can lead to the execution of arbitrary code, which makes this type of flaw very serious. In the case of the Samba vulnerability, the affected code runs as root and the flaw is remotely exploitable, so a successful attack hands the attacker root on the file server.
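To make the mechanism concrete, here is an added example (not Samba's code, and not the actual vulnerable function) of the pattern behind most heap out-of-bounds writes: a server-side parser copies a client-supplied record into a fixed-size heap buffer, and the only thing standing between the client and the rest of the heap is whether the copy is bounded by the attacker's length field or by the destination's size. The wire format, the `RECORD_MAX` size and all function names are assumptions for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical record format assumed for this example (not Samba's):
 *   [2-byte big-endian length][payload of 'length' bytes]
 * The server copies the payload into a heap buffer of RECORD_MAX bytes. */
#define RECORD_MAX 64

/* VULNERABLE: trusts the client-supplied length when writing into 'out'.
 * It checks that the length fits the *message* (no out-of-bounds read), but
 * never that it fits the *destination*, so len > RECORD_MAX overflows the
 * heap buffer and corrupts whatever lives after it. */
int parse_record_unsafe(const uint8_t *msg, size_t msg_len,
                        uint8_t *out /* RECORD_MAX bytes, heap allocated */)
{
    if (msg_len < 2) return -1;
    size_t len = ((size_t)msg[0] << 8) | msg[1];
    if (len > msg_len - 2) return -1;  /* read bound only */
    memcpy(out, msg + 2, len);         /* out-of-bounds WRITE when len > RECORD_MAX */
    return (int)len;
}

/* HARDENED: bounds the copy by both the source and the destination.
 * The destination size comes from the allocation, never from the client. */
int parse_record_safe(const uint8_t *msg, size_t msg_len,
                      uint8_t *out, size_t out_size)
{
    if (msg_len < 2) return -1;
    size_t len = ((size_t)msg[0] << 8) | msg[1];
    if (len > msg_len - 2) return -1;  /* would read past the message: OOB read */
    if (len > out_size)    return -1;  /* would write past the buffer: OOB write */
    memcpy(out, msg + 2, len);
    return (int)len;
}

/* Builds a constructed test message: 2-byte length followed by 'len' bytes of 'A'.
 * Returns the total message size, or 0 if 'buf' is too small. */
size_t make_record(uint8_t *buf, size_t buf_size, uint16_t len)
{
    if (buf_size < (size_t)len + 2) return 0;
    buf[0] = (uint8_t)(len >> 8);
    buf[1] = (uint8_t)(len & 0xff);
    memset(buf + 2, 'A', len);
    return (size_t)len + 2;
}

/* Simulates a malicious client claiming 200 bytes against a 64-byte heap buffer.
 * Returns 1 if the hardened parser refuses the record, 0 otherwise. */
int demo_oversized_rejected(void)
{
    uint8_t msg[2 + 200];
    size_t n = make_record(msg, sizeof msg, 200);
    uint8_t *heap = malloc(RECORD_MAX);
    if (!heap || n == 0) { free(heap); return 0; }
    int rc = parse_record_safe(msg, n, heap, RECORD_MAX);
    /* parse_record_unsafe(msg, n, heap) here would write 136 bytes past the
     * end of 'heap' (undefined behaviour), so it is deliberately not called. */
    free(heap);
    return rc == -1;
}

int main(void)
{
    printf("oversized record rejected by hardened parser: %s\n",
           demo_oversized_rejected() ? "yes" : "no");
    return 0;
}
```

The point worth internalising is that `parse_record_unsafe` does have a bounds check; it just checks the wrong bound. A length check against the source buffer prevents the out-of-bounds read but says nothing about the destination, and the two must be validated independently.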
Samba is deployed across multiple platforms including Linux, macOS, and other Unix-like systems, and it is what Windows clients are talking to when they mount shares from those servers. The CVSS score out of the gate is a 9.9, making this one a “patch now” type of vulnerability. This is one of several patch-now vulnerabilities that have come to light in 2022, and we are only just beginning the second month. After a record year for vulnerability releases in 2021, it looks like 2022 is already shaping up to be another banner year.
This and other patch-now vulnerabilities highlight the importance of a good vulnerability management program that includes an aggressive patching cycle. The traditional monthly patching routine with the occasional out-of-band patch just does not cut it anymore. Additionally, as more and more flaws are found in userland software and apps, it becomes increasingly important to cover all of your endpoints, not just servers, in your scanning and patching efforts. From a security perspective, 2022 is going to be an interesting year.
Happy Patching