Security update for cifs-utils SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2020:1579-1 Final 1 1 2020-09-29T22:21:05Z current 2020-09-29T22:21:05Z 2020-09-29T22:21:05Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for cifs-utils This update for cifs-utils fixes the following issues: - CVE-2020-14342: Fixed a shell command injection vulnerability in mount.cifs (bsc#1174477). - Fixed an invalid free in mount.cifs; (bsc#1152930). This update was imported from the SUSE:SLE-15-SP1:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2020-1579 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/TC64OHNF4BWAKNIMUW3XQQI4EWLKL2HS/ E-Mail link for openSUSE-SU-2020:1579-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1152930 SUSE Bug 1152930 https://bugzilla.suse.com/1174477 SUSE Bug 1174477 https://www.suse.com/security/cve/CVE-2020-14342/ SUSE CVE CVE-2020-14342 page openSUSE Leap 15.1 cifs-utils-6.9-lp151.4.7.1 cifs-utils-devel-6.9-lp151.4.7.1 pam_cifscreds-6.9-lp151.4.7.1 cifs-utils-6.9-lp151.4.7.1 as a component of openSUSE Leap 15.1 cifs-utils-devel-6.9-lp151.4.7.1 as a component of openSUSE Leap 15.1 pam_cifscreds-6.9-lp151.4.7.1 as a component of openSUSE Leap 15.1 It was found that cifs-utils' mount.cifs was invoking a shell when requesting the Samba password, which could be used to inject arbitrary commands. An attacker able to invoke mount.cifs with special permission, such as via sudo rules, could use this flaw to escalate their privileges. CVE-2020-14342 openSUSE Leap 15.1:cifs-utils-6.9-lp151.4.7.1 openSUSE Leap 15.1:cifs-utils-devel-6.9-lp151.4.7.1 openSUSE Leap 15.1:pam_cifscreds-6.9-lp151.4.7.1 moderate 4.4 AV:L/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/TC64OHNF4BWAKNIMUW3XQQI4EWLKL2HS/ https://www.suse.com/security/cve/CVE-2020-14342.html CVE-2020-14342 https://bugzilla.suse.com/1174477 SUSE Bug 1174477