Trend Micro Plays Vital Role in Uncovering Critical Samba Bug

OutReach – 7 February 2022 – Trend Micro Incorporated (TYO: 4704; TSE: 4704),
a global cybersecurity leader, today
confirmed its commitment to making the digital world safer by revealing the
instrumental role its Zero Day Initiative (ZDI)* played in finding and
reporting a critical vulnerability in the file sharing protocol Samba.

To find
out more about the Samba flaw and how to mitigate its impact, please visit our
here and technical support alert here.


“This latest
vulnerability disclosure comes on the heels of the recent Log4j vulnerability
and highlights the challenges many global security teams have in mitigating
risk across a multitude of applications and open source software,” said Jon
Clay, vice president of threat intelligence at Trend Micro. “The good news is
this was found during our Pwn2Own event, which means we had an opportunity to
work with the developers to responsibly patch and disclose the vulnerabilities.
So far, we have not heard of any in-the-wild attacks occurring.”

Trend Micro’s
Pwn2Own events run regularly around the world, challenging contestants to find
new vulnerabilities and exploits in widely used software and systems. They are
part of a company-wide effort to enhance cybersecurity for customers and the
entire online community through the ZDI and Trend Micro’s own global threat
intelligence team of thousands of researchers.

These efforts
are increasingly important as organizations continue to digitally transform,
expanding their attack surface and reliance on software – particularly
open source components.

vulnerability in question, CVE-2021-44142, was given a CVSS score of 9.9,
illustrating its potentially critical impact on affected organizations. If
exploited, the out-of-bounds heap read write bug could allow remote attackers
to execute arbitrary code as root.

While no
exploits of this vulnerability have been seen in the wild, the window in which
affected organizations must patch critical new vulnerabilities before threat
actors start exploiting them is increasingly short.

Trend Micro
therefore calls on all organizations to patch CVE-2021-44142 or update to the
latest Samba version as a matter of urgency.

* The vulnerability was originally
disclosed at Pwn2Own Austin 2021 by Nguyen Hoang Thach and Billy Jheng
Bing-Jhong of STAR Labs. Lucas Leong of Trend Micro’s ZDI discovered additional
variants which were disclosed to Samba as part of this fix. The original issue
was also independently found by Orange Tsai of DEVCORE. The ZDI is the world’s
largest vendor-agnostic bug bounty program. Since 2005, it has been making
software safer by incentivizing researchers to find and responsibly disclose
vulnerabilities to vendors.


Comments are closed.