CVE-2020-14342: OS Command Injection
First published: Wed Sep 09 2020(Updated: )
It was found that cifs-utils' mount.cifs was invoking a shell when requesting the Samba password, which could be used to inject arbitrary commands. An attacker able to invoke mount.cifs with special permission, such as via sudo rules, could use this flaw to escalate their privileges.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Samba Cifs-utils | >=5.6<=6.10 | |
| Fedoraproject Fedora | =32 | |
| Fedoraproject Fedora | =33 | |
| openSUSE Leap | =15.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00109.html
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-14342
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DUMRICFXJVCBBOSKZSKT3HFVQM6VPJU3/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JBNFSTJOQWVPFZAUJNNMAPY45PW5RTTE/
- https://lists.samba.org/archive/samba-technical/2020-September/135747.html
- https://security.gentoo.org/glsa/202009-16
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DUMRICFXJVCBBOSKZSKT3HFVQM6VPJU3/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JBNFSTJOQWVPFZAUJNNMAPY45PW5RTTE/
Frequently Asked Questions
What is CVE-2020-14342?
CVE-2020-14342 is a vulnerability found in cifs-utils' mount.cifs, which allowed the injection of arbitrary commands.
How can an attacker exploit CVE-2020-14342?
An attacker with special permissions, such as via sudo rules, can invoke mount.cifs to escalate their privileges.
Which software versions are affected by CVE-2020-14342?
cifs-utils version between 5.6 and 6.10, Fedora 32 and 33, and openSUSE Leap 15.1 are affected by CVE-2020-14342.
What is the severity of CVE-2020-14342?
CVE-2020-14342 has a severity rating of high.
How do I fix CVE-2020-14342?
Update cifs-utils to a version beyond 6.10, update Fedora to a version beyond 33, or update openSUSE Leap to a version beyond 15.1.
- collector/nvd-index
- agent/severity
- agent/weakness
- agent/references
- agent/author
- agent/type
- agent/event
- agent/description
- agent/last-modified-date
- agent/first-publish-date
- agent/softwarecombine
- agent/remedy
- agent/tags
- collector/mitre-cve
- source/MITRE
- vendor/samba
- canonical/samba cifs-utils
- version/samba cifs-utils/5.6
- version/samba cifs-utils/6.10
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/32
- version/fedoraproject fedora/33
- vendor/opensuse
- canonical/opensuse leap
- version/opensuse leap/15.1